This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP New Zealand Day 2010"

From OWASP
Jump to: navigation, search
m
m
Line 7: Line 7:
 
The event attracted more than 150 attendees from all over the country. The conference has been structured in a single stream with seven talks covering multiple topics in the web application security area.
 
The event attracted more than 150 attendees from all over the country. The conference has been structured in a single stream with seven talks covering multiple topics in the web application security area.
  
For those people who missed the event or are interested in the conference material, the presentations have been published and can be downloaded from the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009#tab=Presentations presentations] page.
+
For those people who missed the event or are interested in the conference material, the presentations have been published and can be downloaded from the [http://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009 page].
  
 
For any comments, feedback or observations, please don't hesitate to contact [mailto:[email protected] us].
 
For any comments, feedback or observations, please don't hesitate to contact [mailto:[email protected] us].
Line 95: Line 95:
 
====Speakers====
 
====Speakers====
  
==Dean Carter - Security-Assessment.com - "Where Worlds Collide" - PCI-DSS for OWASP practioners==
+
Speakers will be announced at the end of June 2010.
 
+
<br>
Payment Card Industry Data Security Standard (PCI DSS) has become a compliance requirement for many organisations. Due to its width and breadth the PCI-DSS poses many and varied challenges to an organisation. Achieving and maintaining compliance is not simply a technical issue – it relies heavily on people, policy and processes. This session aims to look at OWASP initiatives that can be related directly to the PCI-DSS.
+
<b>Please note that CFP is now open.</b>
 
 
The session will start with a very brief, high level overview of the PCI-DSS and then look closely how various OWASP initiatives can be leveraged in organisational compliance programs.
 
 
 
<b>Dean Carter</b>
 
 
 
Dean Carter leads the Security Advisory Services team within Security-Assessment.com .
 
 
 
Dean has been in the IT industry for 17 years during which time he has worked with a wide range of technologies, industries and companies.
 
For the past 7 of those 17 years Dean has spent the majority of his time specializing in information security consulting for financial organizations and telcos.
 
 
 
 
 
==Paul Craig – Security-Assessment.com - “Insecurity and the Internet”==
 
 
 
For the last 5 years I have spent 10 hours a day successfully breaking the internet. Networks, applications, services, it’s all insecure, hack-able and often completely vulnerable. Through my work at Security-Assessment.com I have pointed out critical security flaws in the majority of New Zealand organizations.  Hacking a multi-billion dollar New Zealand organization is actually not that hard.
 
This fact really troubles me, and I find myself asking the question: “Why is the internet insecure?”  It is after all 2009, not 1999.
 
Today I hope to answer that question and find out why the internet is, and will likely always remain insecure.
 
 
 
<b>Paul Craig</b>
 
 
 
Paul Craig is a principal security consultant at Security-Assessment.com in Auckland New Zealand, where he leads the penetration testing team. Paul is an active security researcher, published author, and a devoted hacker. Paul specializes in application penetration testing, and regularly speaks at security conferences around the globe.
 
 
 
 
==Brett Moore – Insomnia Security - “Vulnerabilities In Action”==
 
 
 
Common application vulnerabilities have been known  for years now, and developers have been  told about
 
the  threats  and  how  to  prevent  these  flaws.  Even  so, web  applications  are  still  been  developed  that  are
 
vulnerable to some of the oldest and most well known security flaws.
 
The aim of this presentation is to show the attendees how vulnerabilities are discovered and exploited in real
 
world  situations,  and  the  devastating  effect  that  a  flaw  can  have  on  the  security  of  an  application.  The
 
presentation  will  demonstrate  multiple  different  application  vulnerabilities  across  various  development
 
languages  and  operating  systems.  All  of  the  commonly  seen  vulnerabilities will  be  demonstrated,  aligned
 
with the OWASP top 10 rating system.
 
Attendees will be able  to  learn about  the  real dangers  that application vulnerabilities pose, by seeing  them
 
been exploited as they would in a real compromise situation. The demonstration will be done again a ‘virtual’
 
network of vulnerable systems  that will contain both  server and application  level  flaws, giving a  real world
 
insight to an application compromise.
 
 
 
<b>Brett Moore</b>
 
 
 
Having conducted vulnerability assessments, network reviews, and penetration  tests  for  the majority of  the
 
large companies in New Zealand, Insomnia founder Brett Moore brings with him over six years experience in
 
information  security. During  this  time, Brett has  also worked with  companies  such as SUN Microsystems,
 
Skype  Limited  and  Microsoft  Corporation  by  reporting  and  helping  to  fix  security  vulnerabilities  in  their
 
products. Brett has released numerous whitepapers and technical postings related to security  issues and has spoken
 
at  security  conferences  both  locally  and  overseas,  including BlackHat, Defcon,  Syscan,  Kiwicon, Ruxcon,
 
and the invitation only Microsoft internal security conference called BlueHat.
 
 
 
 
 
==Roberto Suggi Liverani / Nick Freeman – Security-Assessment.com - “Exploiting Firefox Extensions”==
 
 
 
Firefox extensions are popular, well-established and used by millions of people around the world. Some of
 
these extensions are recommended by the Mozilla community, and are implicitly trusted by the masses.
 
 
Little is known about Firefox extensions from a security perspective and our research intends to fill this gap.
 
The talk is divided in two parts: theory and practice. First, we will explore the security model of Firefox
 
extensions and present a security testing methodology. Next, we will illustrate how we applied the theory and
 
discovered severe vulnerabilities in the most popular and recommended Firefox extensions. Examples of
 
exploits will also be demonstrated.
 
 
After this talk, attendees will have gained a better understanding of the security implications, threats and
 
risks of using and deploying Firefox extensions. Security professionals and auditors will be able to use our
 
material as a security testing framework when auditing Firefox extensions.
 
 
 
<b>Roberto Suggi Liverani</b> 
 
 
 
Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and
 
leader of the OWASP (Open Web Application Security Project) in New Zealand.  Roberto has worked with
 
companies such as Google, Oracle and Opera by reporting and helping to fix security vulnerabilities in their
 
products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various
 
security conferences around the globe.
 
 
 
<b>Nick Freeman</b> 
 
 
 
Nick Freeman is a security consultant at Security-Assessment.com, based in Auckland, New Zealand. After
 
a couple of years of building systems for companies he has turned to breaking them instead, and spends his
 
spare time searching for shells and the ultimate combination of whisky and bacon.
 
 
 
 
 
==Nick von Dadelszen – Lateral Security - “Testing Web Services”==
 
 
 
Web Services are now a major component of many organisation's online presence.  This could be in the form of AJAX-type consumer websites where more processing is being passed to the browser, or in corporate/governemtn b2b information-sharing environments.  This talk will focus on how to properly test web services, what to look for, and some of the tips and tricks picked up through my testing of these types of systems.
 
 
 
<b>Nick von Dadelszen</b>
 
 
 
Nick von Dadelszen has managed successful security teams for two previous employers and is now a co-founder and director of Lateral Security, responsible for technical delivery of projects.  Nick has been performing penetration testing in New Zealand for the last 10 years and in that time he has worked with the majority of New Zealand's largest organisations including government, financial and telecommunications sectors.
 
 
 
 
 
==Mark Piper - Catalyst IT Ltd - “Application Bug Chaining”==
 
 
 
As the number of useful, un-authenticated application bugs dwindles in 2009, the number of practical 'chained' exploits is growing.
 
 
 
Often, during development, it is very easy for developers (and penetration testers) to focus on individual bugs within an application. While these bugs may be serious, they are often difficult to exploit practically. This talk will explore various conditions that may be found within web applications to allow the 'chaining' of application bugs to produce reliable and practical exploits.
 
 
 
A real world case study of how exploiting chaining can work will be discussed, dissected and demonstrated to the audience.
 
 
 
<b>Mark Piper</b>
 
 
 
Currently working as a Linux Guy for Catalyst IT Ltd. Mark has a passion for all things related to caffeine, UNIX and security.
 
 
 
In the past Mark has been both a UNIX Administrator and Principal Security Consultant assisting and advising a large number of organizations across New Zealand with regards to security. He has also presented at a number of conferences including the OWASP conference in Australia and OWASP evenings in New Zealand. 
 
 
 
Mark is often called upon as a trusted advisor to various public and private sector organizations regarding the practical, real world threats they face.
 
 
 
 
 
==Andy Prow / Kirk Jackson - Aura Software Security / Xero - “XSS – The Gloves are Off”==
 
 
 
XSS (Cross-site Scripting) is still one of the most common web-attacks used today.
 
Whether hidden in websites that have been vulnerable like Twitter, Facebook, MSN,
 
Hotmail and Amazon, or in PDFs or Flash, XSS attacks are out in the wild. Just in
 
May of this year we saw Gumblar (a.k.a. Grumblar, Martuz, JSRedir) which hit the
 
top-web-infections lists around the globe – one of its growth techniques was good
 
old XSS.
 
 
The key message of this presentation -“You’ve heard of XSS and you’ve followed
 
the “OWASP XSS Prevention Cheat Sheet” to protect your code, but do you really
 
understand each protection step, and does it really matter if you miss one?”
 
 
To help answer this question in an easily understandable way this presentation is
 
not just another “XSS talk”, but more of a “Gloves are Off” battle between good
 
and bad. Andy takes the “bad-guy” role with XSS attacks, Kirk is the “good-guy”
 
defender, locking down his .Net website. Who will win?
 
 
 
<b>Andy Prow</b>
 
 
 
Andy has15 years commercial experience in Software Development from
 
companies including IBM, Vodafone, Telecom and Ericssons, in roles including
 
lead software developer, technical architect and development manager. Andy is
 
the Managing Director of the Aura group which he started in 2001. Aura Software
 
Security Ltd provides IT Security Consulting and Penetration Testing to major NZ
 
companies and agencies including the NZ Police, MFAT, Fidelity Life, Xero, TAB and
 
several banks. Aura provides overseas pen-testing to both Ausy and UK companies.
 
 
 
<b>Kirk Jackson</b>
 
 
 
Kirk Jackson is a Senior Developer and is the IT Security Officer at Xero
 
(www.xero.com). Kirks is also involved in the Microsoft development community,
 
runs the Wellington .NET Users Group, presents nationwide and has presented at
 
Microsoft TechEd the past 4 years. Kirk is an ASP.NET MVP, and occasionally blogs
 
at http://pageofwords.com
 
 
 
 
 
<br><br>
 
<b>Please note that CFP is now closed.</b>
 
  
 
====Call For Sponsorships (CLOSED)====
 
====Call For Sponsorships (CLOSED)====
Line 259: Line 116:
  
  
Those who are interested in sponsoring OWASP New Zealand 2009 Conference can contact the [mailto:[email protected] OWASP New Zealand Board].<br>
+
Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the [mailto:[email protected] OWASP New Zealand Board].<br>
 
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.
 
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.
  
 
<table width="100%" border="2" cellspacing="0" cellpadding="0">
 
<table width="100%" border="2" cellspacing="0" cellpadding="0">
 
   <tr>
 
   <tr>
     <td bordercolor="#FF6600" bgcolor="#FFFFFF" valign="top"><div align="center"><paypal>OWASP New Zealand Day 2009</paypal></div></td>
+
     <td bordercolor="#FF6600" bgcolor="#FFFFFF" valign="top"><div align="center"><paypal>OWASP New Zealand Day 2010</paypal></div></td>
 
   </tr>
 
   </tr>
 
</table>
 
</table>
Line 271: Line 128:
  
 
OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:[email protected] OWASP New Zealand Board].<br>
 
OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the [mailto:[email protected] OWASP New Zealand Board].<br>
The email subject must be “OWASP New Zealand 2009: CFP” and  the email body must contains the following information/sections:
+
The email subject must be “OWASP New Zealand 2010: CFP” and  the email body must contains the following information/sections:
  
 
* Name and Surname
 
* Name and Surname
Line 282: Line 139:
 
* Type of contribution: Technical or Informative   
 
* Type of contribution: Technical or Informative   
 
* Abstract (max one A4 style page)
 
* Abstract (max one A4 style page)
* Why the contribution is relevant for OWASP New Zealand 2009
+
* Why the contribution is relevant for OWASP New Zealand 2010
 +
* If you are not from New Zealand, will your company support your expenses - Yes/No
  
 
The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.
 
The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.
Line 343: Line 201:
 
====Conference Committee====
 
====Conference Committee====
  
'''OWASP New Zealand Day 2009 Organising Committees:'''
+
'''OWASP New Zealand Day 2010 Organising Committees:'''
  
 
* Roberto Suggi Liverani – OWASP New Zealand Leader
 
* Roberto Suggi Liverani – OWASP New Zealand Leader

Revision as of 04:41, 28 April 2010

Introduction

Introduction

The OWASP New Zealand Day has been the first all day security conference dedicated to web application security in New Zealand. The event attracted more than 150 attendees from all over the country. The conference has been structured in a single stream with seven talks covering multiple topics in the web application security area.

For those people who missed the event or are interested in the conference material, the presentations have been published and can be downloaded from the page.

For any comments, feedback or observations, please don't hesitate to contact us.

Again, big thanks to the sponsors, the speakers and the conference committee for their contributions and support to the organisation of the event.


Presentations

08:30
Registration
09:00
Welcome to OWASP New Zealand Day 2009
Roberto Suggi Liverani / Lech Janczewski - Security-Assessment.com / The University of Auckland
09:15
Keynote: Insecurity and the Internet - pptx
Paul Craig - Security-Assessment.com
9:50
Vulnerabilities In Action
Brett Moore - Insomnia Security
10:40
Coffee Break
11:10
Testing Web Services - pdf
Nick von Dadelszen – Lateral Security
12:00
Lunch Break
13:30
Exploiting Firefox Extensions - pptx
Roberto Suggi Liverani / Nick Freeman - Security-Assessment.com
14:15
Application Bug Chaining - pdf
Mark Piper - Catalyst IT Ltd
15:00
 Snackie Break
15:30
"Where Worlds Collide" - PCI-DSS for OWASP practioners - ppt
Dean Carter - Security-Assessment.com
16:15
XSS – The Gloves are Off - pptx
Andy Prow / Kirk Jackson - Aura Software Security / Xero
17:00
Panel Discussion/Conclusion

Speakers

Speakers will be announced at the end of June 2010.
Please note that CFP is now open.

Call For Sponsorships (CLOSED)

The aims of OWASP - New Zealand community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP - New Zealand community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.

Two types of sponsorships are available:

  • Silver sponsorship: 1500 NZD

- Publication of the sponsor logo on the event web site (top of this page)

  • Gold Sponsorship: 3500 NZD

- The publication of the sponsor logo in the event site, in the agenda, on the flyers, brochure and in all the official communications with the attendees at the conference.
- The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
- Sponsor dedicated space at the conference (sponsor booth) to show products/services to the attendees during coffee breaks, lunch and snack breaks.


Those who are interested in sponsoring OWASP New Zealand 2010 Conference can contact the OWASP New Zealand Board.
Sponsors can also make us of the following PayPal button to make payments. Donations are also more than welcome from the NZ community.

<paypal>OWASP New Zealand Day 2010</paypal>

Call for Paper (OPEN) and review process

OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the OWASP New Zealand Board.
The email subject must be “OWASP New Zealand 2010: CFP” and the email body must contains the following information/sections:

  • Name and Surname
  • Affiliation
  • Address
  • Telephone number
  • Email address
  • List of the author’s previous papers/articles/speeches on the same topics
  • Title of the contribution
  • Type of contribution: Technical or Informative
  • Abstract (max one A4 style page)
  • Why the contribution is relevant for OWASP New Zealand 2010
  • If you are not from New Zealand, will your company support your expenses - Yes/No

The submission will be reviewed by the OWASP New Zealand Board and the most interesting ones will be selected and invited for presentation.

Due to limited budget available, expenses for international speakers cannot be covered. If your company is willing to cover travel and accomodation costs, the company will become "Support Sponsor" of the event.

Conference

Conference Venue

The University of Auckland Business School
Owen G Glenn Building
Room: OGGB 260-073 (OGGB4)
Address: 12 Grafton Road
Auckland
New Zealand
Map

Auckland business school small2.jpg Room hall.jpg

Topics

The OWASP Days have always offered a forum for discussion and exchange of ideas among researchers and practitioners who present their experiences and discuss issues related to Web Application Security from a higher level to a technical point of view.

Conference topics include, but are not limited to:

  • OWASP Project Presentation (i.e Tool Updates/Project Status etc)
  • Threat modelling of web applications
  • Privacy Concerns with Applications and Data Storage
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
  • Baseline or Metrics for Application Security
  • Countermeasures for web application vulnerabilities
  • Web application security
  • Platform or language (e.g. Java, .NET) security features that help secure web applications
  • Secure application development
  • How to use databases securely in web applications
  • Security of Service Oriented Architectures
  • Access control in web applications
  • Web services security
  • Browser security
  • PCI


Conference structure and schedule

OWASP New Zealand Day 2010 will be all day Conference. The conference aims to provide a workshop-like atmosphere in which contributions can be presented and then time is allowed for constructive discussion of their results and processes.

It will be structured in a single stream. During the conference two coffee breaks (one in the morning and one in the afternoon) and the lunch are in program. These might be offered by the sponsors.

The detailed agenda of the conference will be available on the web site before the event.

Conference dates

  • CFP close: 15th June 2010
  • Contributions submission deadline: 25th June 2010
  • Registration deadline: 20th June 2010
  • Conference Agenda due: 20th June 2010
  • Conference date: 13th July 2010

Conference Committee

OWASP New Zealand Day 2010 Organising Committees:

  • Roberto Suggi Liverani – OWASP New Zealand Leader
  • Rob Munro – OWASP New Zealand Evangelist
  • Lech Janczewski - Associate Professor - University of Auckland

Conference Sponsors

University_of_Auckland_crest_small.png
Nz_information_security_forum.png
Department of Computer Science
ICT and Department of Information Systems and Operations Management
  

Gold Sponsors:

     
     

Silver Sponsors:

     
     
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_New_Zealand_Day_2010&oldid=82463"