Difference between revisions of "OWASP New Zealand Day 2019"
(Created page with "a") (Tag: Visual edit)
John dileo (talk | contribs)
Line 1: | Line 1: | ||
− | a | + | __NOTOC__ |
+ | <center> | ||
+ | [https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg]<br><br> | ||
+ | '''21st and 22nd February 2019 - Auckland''' | ||
+ | </center> | ||
+ | ---- | ||
+ | |||
+ | = This page is still under construction (content copied from 2018 pages, and some not yet updated) = | ||
+ | |||
+ | = Introduction = | ||
+ | ==Introduction== | ||
+ | We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications. | ||
+ | |||
+ | |||
+ | Who is it for? | ||
+ | |||
+ | * Web Developers: There will be a choice of two streams in the morning. Talks in the first stream will include introductory talks to information security, while those in the second stream will address deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two | ||
+ | * Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics | ||
+ | |||
+ | ==Conference structure== | ||
+ | |||
+ | Date: Friday, 22 February 2019<br> | ||
+ | Time: 9:30am - 6:00pm<br> | ||
+ | Cost: Free<br> | ||
+ | |||
+ | The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon: | ||
+ | |||
+ | <!-- | ||
+ | <table style="border:1px solid black;"> | ||
+ | <tr> | ||
+ | <td width="10%" style="text-align:center; border:1px solid black">Morning</td> | ||
+ | <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Introductory information security topics</td> | ||
+ | <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Informational / Defensive</td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="10%" style="text-align:center; border:1px solid black;">Afternoon</td> | ||
+ | <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Offensive Security</td> | ||
+ | <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Informational / Defensive</td> | ||
+ | </tr> | ||
+ | </table> | ||
+ | --> | ||
+ | |||
+ | ==Training== | ||
+ | |||
+ | In addition to the main conference on Friday, we are pleased to offer opportunities for application security-related training on Thursday (21 February), at the same venue. The Call for Training is currently open, and details | ||
+ | on the training sessions selected will appear below as they are finalised. | ||
+ | |||
+ | ==General== | ||
+ | |||
+ | The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free. | ||
+ | |||
+ | |||
+ | For any comments, feedback or observations, please don't hesitate to contact [mailto:[email protected] us].<br> | ||
+ | |||
+ | ==Registration== | ||
+ | Registration is not yet open. Please join our low volume [https://lists.owasp.org/mailman/listinfo/owasp-newzealand mailing list] to be notified when registration opens and/or follow us on twitter [https://twitter.com/owaspnz @owaspnz] | ||
+ | |||
+ | <!-- | ||
+ | Registration for the main conference day is now open: [https://owaspnz2018.eventbrite.com/ Conference Registration Here], | ||
+ | Follow us on twitter [https://twitter.com/owaspnz @owaspnz] | ||
+ | --> | ||
+ | |||
+ | There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration to make room for others. | ||
+ | |||
+ | <!-- | ||
+ | Training Registration is now open: [http://www.regonline.com/owaspnzday2017trainingandsponsorship Training Registration] | ||
+ | --> | ||
+ | |||
+ | <!-- | ||
+ | Registration is now closed. | ||
+ | --> | ||
+ | |||
+ | ==Important dates== | ||
+ | |||
+ | * CFP submission deadline: 21st December 2018 | ||
+ | * CFT submission deadline: 21st December 2018 | ||
+ | * Conference Registration deadline: 14th February 2019 | ||
+ | * Training Registration deadline: 14th February 2019 | ||
+ | * Training Day date: 21st February 2019 | ||
+ | * Conference Day date: 22nd February 2019 | ||
+ | |||
+ | |||
+ | For those of you booking flights, ensure you can be at the venue by 9:00am. The conference will end by 6:00pm. However, we will have post conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers, and conference volunteers - more details on that to follow. | ||
+ | |||
+ | |||
+ | ==Places to eat & drink on the day== | ||
+ | |||
+ | <ul> | ||
+ | <li>Coffee cart and selection of snacks next to the reception on the ground floor, this is the closest but will probably have long lines</li> | ||
+ | <li>Mojo Symonds - also on campus</li> | ||
+ | <li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li> | ||
+ | <li>The CBD - walk up and over Albert Park to get to the CBD with many great food options</li> | ||
+ | <ul> | ||
+ | <li>Fort Street has burgers, kebabs, and KFC</li> | ||
+ | <li>High Street & Lorne Street have lots of little cafes and restaurants</li> | ||
+ | </ul> | ||
+ | <li>Subway, Starbucks, St. Pierre's Sushi & Pita Pit - walk up Symonds Street</li> | ||
+ | <li>Vulture’s Lane is a popular pub with the InfoSec crowd, there are more seats downstairs</li> | ||
+ | <li>The Bluestone Room - also a popular pub just across Queen St</li> | ||
+ | </ul> | ||
+ | |||
+ | ==Conference Venue== | ||
+ | |||
+ | <table width="100%"> | ||
+ | <tr> | ||
+ | <td> | ||
+ | The University of Auckland School of Business<br> | ||
+ | Owen Glen Building<br> | ||
+ | Address: 12 Grafton Road<br> | ||
+ | <br> | ||
+ | Stream One: Level 1<br> | ||
+ | Room: 115 (Fisher & Paykel Auditorium)<br> | ||
+ | <br> | ||
+ | Stream Two: Level 0<br> | ||
+ | Room: 098<br> | ||
+ | <br> | ||
+ | Auckland<br> | ||
+ | New Zealand<br> | ||
+ | [https://www.google.com/maps/place/Owen+G+Glenn+Building+12+Grafton+Road/@-36.8528203,174.770224,17z/data=!4m6!1m3!3m2!1s0x0000000000000000:0x0205ad91287ba364!2sUniversity+of+Auckland+Graduate+School+of+Enterprise!3m1!1s0x0000000000000000:0xc9d224e5921a6690 Map] | ||
+ | </td> | ||
+ | <td> | ||
+ | [[Image:073_AUBiz_10Apr08small.jpg]] [[Image:OWASPNZDayLectureTheatre.jpg]] | ||
+ | </td> | ||
+ | </tr> | ||
+ | </table> | ||
+ | |||
+ | ==Conference Sponsors== | ||
+ | |||
+ | '''Conference Host:''' | ||
+ | <table width="100%" border="0" cellspacing="1" cellpadding="1"> | ||
+ | <tr> | ||
+ | <td valign="bottom" width="100%"><center>[http://www.auckland.ac.nz/ https://www.owasp.org/images/f/f8/AuckUni.png]</center></td> | ||
+ | </tr> | ||
+ | </table> | ||
+ | ---- | ||
+ | |||
+ | '''Platinum Sponsors:''' | ||
+ | <table width="100%" border="0" cellspacing="7" cellpadding="0"> | ||
+ | <tr> | ||
+ | <td> </td> | ||
+ | <td> </td> | ||
+ | <td> </td> | ||
+ | <td> </td> | ||
+ | </tr> | ||
+ | </table> | ||
+ | ---- | ||
+ | |||
+ | '''Gold Sponsors:''' | ||
+ | <table width="100%" border="0" cellspacing="7" cellpadding="0"> | ||
+ | <tr> | ||
+ | <!-- Last year's sponsors -- commented out, to maintain formatting | ||
+ | <td><center>[[File:Zx.png|link=http://www.zxsecurity.co.nz]]</center></td> | ||
+ | --> | ||
+ | <td> </td> | ||
+ | <td> </td> | ||
+ | <!-- | ||
+ | <td><center>[[File:INSOMNIA.PNG|link=http://www.insomniasec.com]]</center></td> | ||
+ | --> | ||
+ | <td> </td> | ||
+ | <td> </td> | ||
+ | <!-- | ||
+ | <td><center>[[File:Aura_PBK_Colour.jpg|link=http://www.aurainfosec.com]]</center></td> | ||
+ | --> | ||
+ | </tr> | ||
+ | </table> | ||
+ | ---- | ||
+ | |||
+ | '''Silver Sponsors:''' | ||
+ | <table width="100%" border="0" cellspacing="7" cellpadding="0"> | ||
+ | <tr> | ||
+ | <!-- Last year's sponsors -- commented out, to maintain formatting | ||
+ | <td><center>[[File:Quantum_Security_%28strip%29-02.png|link=http://www.quantumsecurity.co.nz]]</center></td> | ||
+ | --> | ||
+ | <td> </td> | ||
+ | </tr> | ||
+ | </table> | ||
+ | ---- | ||
+ | |||
+ | '''Supporting Sponsors:''' | ||
+ | <table width="100%" border="0" cellspacing="0" cellpadding="0"> | ||
+ | <tr> | ||
+ | <!-- Last year's sponsors -- commented out, to maintain formatting | ||
+ | <td><center>[[File:BinaryMistLimited.png|center|150px|link=https://binarymist.io]]</center></td> | ||
+ | --> | ||
+ | <td> </td> | ||
+ | <td> </td> | ||
+ | <!-- Last year's sponsors -- commented out, to maintain formatting | ||
+ | <td><center>[[File:Atlassian.png|center|183px|link=https://www.atlassian.com/]]</center></td> | ||
+ | --> | ||
+ | </tr> | ||
+ | </table> | ||
+ | |||
+ | ==Conference Committee== | ||
+ | |||
+ | * John DiLeo - Conference Chair, OWASP New Zealand Leader (Auckland) | ||
+ | * Brendan Seerup - Sponsorships and Promotion | ||
+ | * Lech Janczewski - Associate Professor - University of Auckland School of Business | ||
+ | * YOU - We are looking for volunteers to help make this our most successful conference yet! | ||
+ | |||
+ | Please direct all enquiries to [email protected] | ||
+ | |||
+ | OWASP NZ on Twitter (https://twitter.com/owaspnz) | ||
+ | |||
+ | = Training = | ||
+ | ==Training== | ||
+ | |||
+ | In addition to the main conference on Friday, we are pleased to provide opportunities for individuals/vendors to present training on Thursday, at the same venue. We are able to accommodate a maximum of four (4) concurrent training | ||
+ | sessions. The Call for Training is currently open, and details will be provided here as selections are finalised. Training fees are $250 for half-day sessions, and $500 for full-day sessions. | ||
+ | |||
+ | <!-- Last year's training offering - commented out to preserve formatting | ||
+ | [https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams'''] | ||
+ | Date: Sun 04 February 2018<br /> | ||
+ | Time: 9:00am - 5:30pm or part thereof<br /> | ||
+ | [https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page] | ||
+ | --> | ||
+ | |||
+ | <!-- | ||
+ | Spaces going fast, so get in quick | ||
+ | --> | ||
+ | |||
+ | = Call For Presentations = | ||
+ | ==Call For Presentations== | ||
+ | |||
+ | '''The Call for Presentations is now open, and will close on Friday, 21st December.''' | ||
+ | |||
+ | OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including | ||
+ | architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more. | ||
+ | |||
+ | |||
+ | We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference: | ||
+ | |||
+ | * Introductions to various Information Security topics, and the OWASP projects | ||
+ | * Technical topics | ||
+ | * Policy, Compliance and Risk Management | ||
+ | |||
+ | |||
+ | The introductory talks should appeal to an intermediate to experienced software developer, without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs. | ||
+ | |||
+ | Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new. | ||
+ | |||
+ | We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles. | ||
+ | |||
+ | |||
+ | We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to: | ||
+ | |||
+ | |||
+ | * Web application security | ||
+ | * Mobile security | ||
+ | * Cloud security | ||
+ | * Secure development | ||
+ | * Vulnerability analysis | ||
+ | * Threat modelling | ||
+ | * Application exploitation | ||
+ | * Exploitation techniques | ||
+ | * Threat and vulnerability countermeasures | ||
+ | * Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc) | ||
+ | * Penetration Testing | ||
+ | * Browser and client security | ||
+ | * Application and solution architecture security | ||
+ | * PCI DSS | ||
+ | * Risk management | ||
+ | * Security concepts for C*Os, project managers and other non-technical attendees | ||
+ | * Privacy controls | ||
+ | |||
+ | <!-- | ||
+ | The email subject must be "OWASP New Zealand 2017: CFP" and the email body must contain the following information/sections: | ||
+ | |||
+ | |||
+ | * Name and Surname | ||
+ | * Affiliation | ||
+ | * Telephone number | ||
+ | * Email address | ||
+ | * Short presenter bio | ||
+ | * Title of the contribution | ||
+ | * Type of contribution: Technical, Informative, Management | ||
+ | * Suggested length for the talk | ||
+ | * Short abstract (up to 500 words) | ||
+ | * List of the author's previous papers/articles/speeches on the same/similar topic (if any) | ||
+ | * If you are not from New Zealand, will your company support your travel/accommodation costs? - Yes/No | ||
+ | --> | ||
+ | |||
+ | The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation. | ||
+ | |||
+ | |||
+ | PLEASE NOTE: | ||
+ | |||
+ | * Due to limited budget available, expenses for international speakers cannot be covered. | ||
+ | * If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event. | ||
+ | |||
+ | |||
+ | '''Thank you to all those who have submitted talks. The call for presentations has now closed.''' | ||
+ | |||
+ | Please submit your presentation [https://www.papercall.io/owaspnz2019 here]. | ||
+ | |||
+ | <!-- | ||
+ | Please submit the above information to all of the following: Denis Andzakovic ([email protected]), Kirk Jackson ([email protected]) and Kim Carter ([email protected]). | ||
+ | --> | ||
+ | |||
+ | <b>Submissions deadline: 21st December 2018</b> | ||
+ | |||
+ | Applicants will be notified in the following week after the deadline, whether they were successful or not. | ||
+ | <!-- | ||
+ | = Call For Trainers = | ||
+ | == Call For Trainers == | ||
+ | |||
+ | We are happy to announce that training will run on Thursday, 21 February 2019, the day before the OWASP NZ Day conference. | ||
+ | The training venue will be Level 0, Rooms: case rooms 1(005), 2(057), 3(055), and 4(009), kindly provided by the University of Auckland School of Business, in the same building as the OWASP NZ Day conference itself. | ||
+ | Classes can contain up to 69 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered, | ||
+ | see the Call for Papers for a list of example topics. | ||
+ | |||
+ | If you are interested in running one of the training sessions, please contact John DiLeo with the following information: | ||
+ | |||
+ | |||
+ | * Trainer name | ||
+ | * Trainer organisation | ||
+ | * Telephone + email contact | ||
+ | * Short Trainer bio | ||
+ | * Training title | ||
+ | * Trainer requirements (e.g. a projector, whiteboard, etc) | ||
+ | * Trainee requirements (e.g. laptop, VMware/VirtualBox, etc) | ||
+ | * Training summary (less than 500 words) | ||
+ | * Target audience (e.g. testers, project managers, security managers, web developers, architects) | ||
+ | * Skill level required (Basic / Intermediate / Advanced) | ||
+ | * What attendees can expect to learn (key objectives) | ||
+ | * Short course outline | ||
+ | |||
+ | |||
+ | The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows: | ||
+ | |||
+ | * 25% to OWASP Global - used for OWASP projects around the world | ||
+ | * 25% to OWASP NZ Day - used for NZ Day expenses | ||
+ | * 50% to the training provider. | ||
+ | |||
+ | |||
+ | <b>Submissions deadline: 21st December 2018</b> | ||
+ | |||
+ | Applicants will be notified in the following week after the deadline, whether they were successful or not. | ||
+ | |||
+ | |||
+ | = Call For Sponsorships = | ||
+ | ==Call For Sponsorships== | ||
+ | |||
+ | OWASP New Zealand Day 2019 will be held in Auckland on the 22nd of February, 2019, and is a security conference entirely dedicated to application security. | ||
+ | The conference is once again being hosted by the University of Auckland with their support and assistance. | ||
+ | OWASP New Zealand Day 2019 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. | ||
+ | OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2019 a free, compelling, and valuable experience for all attendees. | ||
+ | |||
+ | The sponsorship funds collected are to be used for things such as: | ||
+ | |||
+ | * Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible. | ||
+ | * Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events. | ||
+ | * Printed Materials - printed materials will include brochures, tags and lanyards. | ||
+ | * Recognition items for speakers and trainers | ||
+ | * Morning and afternoon tea, to promote a congenial environment for networking among application security professionals | ||
+ | |||
+ | == Facts == | ||
+ | |||
+ | Last year, the event was supported by seven sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 | ||
+ | |||
+ | The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 900 and 1000 attendees this year. | ||
+ | |||
+ | OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators. | ||
+ | |||
+ | == Sponsorships == | ||
+ | |||
+ | There are three different levels of sponsorships for the OWASP New Zealand Day event: | ||
+ | |||
+ | |||
+ | <b>Supporting Sponsorship</b>: (Covering international speaker travel expenses, media coverage/article/promotion of the event) | ||
+ | |||
+ | Includes: | ||
+ | |||
+ | * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019 | ||
+ | |||
+ | |||
+ | <b>Silver Sponsorship</b>: 1750 NZD | ||
+ | |||
+ | Includes: | ||
+ | |||
+ | * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019 | ||
+ | * The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference. | ||
+ | * The possibility to distribute the company brochures, CDs or other materials to the participants during the event. | ||
+ | |||
+ | |||
+ | <b>Gold Sponsorship</b>: 3000 NZD | ||
+ | |||
+ | Includes: | ||
+ | |||
+ | * The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee). | ||
+ | * The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference. | ||
+ | * The possibility to distribute the company brochures, CDs or other materials to the participants during the event. | ||
+ | * Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand | ||
+ | * Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 | ||
+ | |||
+ | |||
+ | Those who are interested in sponsoring OWASP New Zealand 2019 Conference can contact the [mailto:[email protected],[email protected] Conference Committee].<br> | ||
+ | |||
+ | |||
+ | = Presentation Schedule = | ||
+ | ==Presentations== | ||
+ | |||
+ | <center> | ||
+ | 5th February 2018 | ||
+ | <table width="100%"> | ||
+ | <tr> | ||
+ | <td width="5%" valign="top" align="right">08:30</td> | ||
+ | <td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens</td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">09:30</td> | ||
+ | <td colspan="3" style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Welcome to OWASP New Zealand Day 2018</b><br /> | ||
+ | <i>Kirk Jackson, [https://binarymist.io Kim Carter], Nick Malcolm (OWASP Leaders), and Lech Janczewski (Associate Professor)</i> | ||
+ | |||
+ | |||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right"></td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Upstairs room</b> | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">09:45</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | '''Downstairs room''' | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right"></td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Fear Itself</b><br /> | ||
+ | <i>Laura Bell - SafeStack</i> | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">09:45</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Offensive Defence</b><br /> | ||
+ | <i>Chris Berry - Aura Information Security</i><br/> | ||
+ | [[Media:2018-02-05-ChrisBerry.pdf|Slides: (PDF, 3.4mb)]] | ||
+ | [https://www.youtube.com/edit?o=U&video_id=-z4ID7Rh84E Video] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">10:20</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Pizza Roulette</b><br /> | ||
+ | <i>Catherine McIlvride and Fiona Sasse</i><br /> | ||
+ | [[Media:2018-02-05-CatherineMcIlvrideFionaSasse.pdf|Slides: (PDF, 3.4mb)]] | ||
+ | [https://www.youtube.com/watch?v=FUY-PgZqI3A Video] | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">10:20</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Auth* Infrastructure for Everyone</b><br /> | ||
+ | <i>Ryan Kurte and Kirk Holloway</i><br /> | ||
+ | [https://docs.google.com/presentation/d/11tFlGmRQUBJ5ns-8gxRDxL3J0rAkCgOVqAEGqwqxDLM/edit?usp=sharing Slides] | ||
+ | </td> | ||
+ | |||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">10:55</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Guarding the Pot of Gold while the Rainbow gets bigger</b><br /> | ||
+ | <i>Sarah Bennett and Patricia Ramsden - Xero</i><br /> | ||
+ | [https://www.youtube.com/watch?v=kh5q-79Boe8 Video] | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">10:55</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Bermudez - a honeypit designed to waste hacker's time</b><br /> | ||
+ | <i>Ian Welch and Kaishuo Yang</i><br /> | ||
+ | [https://www.youtube.com/watch?v=t5XBf4LApoo Video] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">11:30</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Enough theory, how are websites getting hacked in real life?</b><br /> | ||
+ | <i>Declan Ingram - CERT</i><br/> | ||
+ | [https://www.youtube.com/watch?v=WhYh-eUqxIA&t=137s Video] | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">11:30</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Rails Derailed</b><br /> | ||
+ | <i>Tim Goddard</i><br /> | ||
+ | [https://insomniasec.com/releases Slides] | ||
+ | [https://www.youtube.com/watch?v=fGlS6w2naN0 Video] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">12:05</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Secure APIs: Road to Business Growth</b><br /> | ||
+ | <i>Anupama Natarajan - Unisys New Zealand</i><br /> | ||
+ | [[Media:2018-02-05-AnupamaNatarajan.pdf|Slides: (PDF, 719kb)]] | ||
+ | [https://www.youtube.com/watch?v=WIz6pS9L5l0 Video] | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">12:05</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Timing-Based Attacks in Web Applications</b><br /> | ||
+ | <i>Yappare</i><br /> | ||
+ | [[Media:2018-02-05-AhmadAshraff.pdf|Slides: (PDF, 7.7mb)]] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">12:35</td> | ||
+ | <td colspan="3" style="background-color: #D98B66; text-align: center"> | ||
+ | <b>Break for Lunch</b><br /> | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">14:00</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Developer's guide to Deserialization Attacks</b><br /> | ||
+ | <i>Felix Shi</i> | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">14:00</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>IoT - How to fight the tyre fire</b><br /> | ||
+ | <i>Tom Isaacson</i><br /> | ||
+ | [https://speakerdeck.com/parsley72/iot-how-to-fight-the-tyre-fire-1 Slides (speakerdeck)] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">14:45</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Finding the path to #DevSecOps nirvana</b><br /> | ||
+ | <i>Olly - Xero</i> | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">14:45</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Thinking like an Attacker (Hacking your own organisation)</b><br /> | ||
+ | <i>Nick Le Mouton - drugs.com</i><br /> | ||
+ | [https://speakerdeck.com/noodlesnz/thinking-like-an-attacker Slides (speakerdeck)] | ||
+ | [https://www.youtube.com/watch?v=fGlS6w2naN0 Video] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">15:00</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>When Shoestrings Snap</b><br /> | ||
+ | <i>Rory Shillington - VoltsAndBits</i><br /> | ||
+ | [[Media:2018-02-05-RoryShillington.pdf|Slides: (PDF, 7.3mb)]] | ||
+ | [https://www.youtube.com/watch?v=ElbY05nfZ2M Video] | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">15:00</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Evil Pickles: DoS Attacks Based on Object-Graph Engineering</b><br /> | ||
+ | <i>Jens Dietrich - Massey University</i><br /> | ||
+ | [https://docs.google.com/presentation/d/1WSDq_k6z4rZeuZlvdYfNyS1IwJhVLH-gxUROi98qkL8/edit#slide=id.p Slides (google)] | ||
+ | [https://www.youtube.com/watch?v=1q2rZyR17jU Video] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">15:30</td> | ||
+ | <td colspan="3" style="background-color: #D98B66; text-align: center"> | ||
+ | <b>Break for Afternoon Tea</b><br /> | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">16:00</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Enough with XSS, let's talk about something else?</b><br /> | ||
+ | <i>Karan Sharma</i><br /> | ||
+ | [[Media:2018-02-05-KaranSharma.pptx|Slides: (PPTX, 4mb)]] | ||
+ | [https://www.youtube.com/watch?v=KbVWJcf2CRQ Video] | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">16:00</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Secure development in Go</b><br /> | ||
+ | <i>Dion Bramley</i><br /> | ||
+ | [https://github.com/dionb/GoSecureDev Slides (github)] | ||
+ | [https://www.youtube.com/watch?v=4O2OShd-Su8 Video] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">16:35</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Riding someone else’s wave with CSRF</b><br /> | ||
+ | <i>Sam Shute - Quantum Security</i><br /> | ||
+ | [[Media:2018-02-05-SamShute.pptx|Slides: (PPTX, 234kb)]] | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">16:35</td> | ||
+ | <td style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Secure Your Programming Future!</b><br /> | ||
+ | <i>David Pearce</i><br /> | ||
+ | [[Media:2018-02-05-DavidPearce.pdf|Slides: (PDF, 1.8mb)]] | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">17:10</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Operation Luigi: How I hacked my friend without her noticing</b><br /> | ||
+ | <i>Alex Hogue - Atlassian</i> | ||
+ | </td> | ||
+ | <td width="7%" valign="top" align="right">17:10</td> | ||
+ | <td style="background-color: #EEE; text-align: center"> | ||
+ | <b>Handling Of A PCI Incident - PANs In The Database</b><br /> | ||
+ | <i>David Waters - Pushpay</i> | ||
+ | </td> | ||
+ | </tr> | ||
+ | <tr> | ||
+ | <td width="7%" valign="top" align="right">17:50</td> | ||
+ | <td colspan="3" style="background-color: #B9C2DC; text-align: center"> | ||
+ | <b>Wrap Up</b><br /> | ||
+ | <i>Time to go out and socialise, for those interested</i> | ||
+ | </td> | ||
+ | </tr> | ||
+ | </table> | ||
+ | </center> | ||
+ | |||
+ | = Speakers List = | ||
+ | ==Speakers List== | ||
+ | |||
+ | ===Laura Bell - SafeStack - Fear Itself=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns. | ||
+ | |||
+ | In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size. | ||
+ | |||
+ | An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset. | ||
+ | |||
+ | As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field. | ||
+ | |||
+ | She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand. | ||
+ | |||
+ | |||
+ | ===Chris Berry - Aura Information Security - Offensive Defence=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat. | ||
+ | |||
+ | |||
+ | ===Catherine McIlvride and Fiona Sasse - Pizza Roulette=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space. | ||
+ | |||
+ | |||
+ | ===Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Ryan is an aspiring hardware whisperer and academic with an incurable side project problem. | ||
+ | |||
+ | Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer. | ||
+ | |||
+ | |||
+ | ===Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse. | ||
+ | We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | TBD | ||
+ | |||
+ | |||
+ | ===Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle). | ||
+ | |||
+ | Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle. | ||
+ | |||
+ | |||
+ | ===Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing. | ||
+ | |||
+ | |||
+ | ===Tim Goddard - Rails Derailed=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing. | ||
+ | |||
+ | |||
+ | ===Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately. | ||
+ | |||
+ | |||
+ | ===Yappare - Timing Based Attacks in Web Applications=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications. | ||
+ | |||
+ | By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities. | ||
+ | |||
+ | |||
+ | ===Felix Shi - Developer's guide to Deserialization Attacks=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it. | ||
+ | |||
+ | There will be demos in some popular languages/frameworks - namely Python, Java, and C#. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington. | ||
+ | |||
+ | |||
+ | ===Tom Isaacson - IoT: How to fight the tyre fire=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products. | ||
+ | |||
+ | |||
+ | ===Olly - Xero - Finding the path to #DevSecOps nirvana=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool. | ||
+ | |||
+ | |||
+ | ===Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do? | ||
+ | |||
+ | It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities. | ||
+ | |||
+ | |||
+ | ===Rory Shillington - VoltsAndBits - When Shoestrings Snap=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night. | ||
+ | |||
+ | When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites. | ||
+ | |||
+ | |||
+ | ===Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM. | ||
+ | |||
+ | |||
+ | ===Karan Sharma - Enough with XSS, let's talk about something else?=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find. | ||
+ | |||
+ | Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended). | ||
+ | |||
+ | |||
+ | ===Dion Bramley - Secure development in Go=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome. | ||
+ | |||
+ | |||
+ | ===Sam Shute - Quantum Security - Riding someone else’s wave with CSRF=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices. | ||
+ | |||
+ | |||
+ | ===David Pearce - Secure Your Programming Future!=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems. | ||
+ | |||
+ | |||
+ | ===Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY. | ||
+ | |||
+ | |||
+ | ===David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database=== | ||
+ | ---- | ||
+ | <b>Abstract</b> | ||
+ | |||
+ | Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention. | ||
+ | |||
+ | <b>Speaker Bio</b> | ||
+ | |||
+ | David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript. | ||
+ | |||
+ | = Diversity fund = | ||
+ | ==Diversity and Financial Aid fund== | ||
+ | |||
+ | '''The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with [email protected] and we'll see what we can do.''' | ||
+ | |||
+ | [We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!] | ||
+ | |||
+ | Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen! | ||
+ | |||
+ | Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles! | ||
+ | |||
+ | Process: | ||
+ | |||
+ | * Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSeTPgNCXb-3FIKetzBtTSwe1IXYckmADCK5sXPdiWRu8mdI6g/viewform application form] | ||
+ | * We will review and approve applications each two weeks. The next review date is in Dec 2017. | ||
+ | * We will contact all applicants and let them know the result of the review. | ||
+ | * Successful applicants will be contacted to help sort things out. | ||
+ | |||
+ | We use the following criteria to help us decide who gets approved: | ||
+ | |||
+ | * We are biased towards (but not exclusively for) diverse applicants. | ||
+ | * We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds. | ||
+ | |||
+ | Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you. | ||
+ | |||
+ | If you have any questions, feel free to drop us an email: [email protected] | [email protected] | [email protected] | ||
+ | |||
+ | = Code of Conduct = | ||
+ | ==Code of Conduct== | ||
+ | |||
+ | We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies]. | ||
+ | |||
+ | Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees. | ||
+ | |||
+ | If you have any concerns during the day, please seek out Kirk, Nick or Kim. We will make ourselves visible at the start of the day so you know what we look like. | ||
+ | |||
+ | <headertabs></headertabs> | ||
+ | |||
+ | [[Category:OWASP AppSec Conference]] |
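Review bot: the Diversity fund section contradicts itself: it opens by stating the fund has now closed, then lays out an application process ("We will review and approve applications each two weeks. The next review date is in Dec 2017.") and links an application form; either drop the process steps and criteria or update them with 2019 dates. The schedule and Speakers List likewise still carry the 2018 programme (slide decks dated 2018-02-05, 2018 speakers and talks), which the under-construction banner acknowledges but which should be cleared or replaced before this page is published for the 2019 event.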
Revision as of 22:41, 8 November 2018
This page is still under construction (content copied from 2018 pages, and some not yet updated)
Introduction
We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.
Who is it for?
- Web Developers: There will be a choice of two streams in the morning. Talks in the first stream will be introductory talks on information security, while those in the second stream will address deeper technical topics. Afternoon sessions will cover offensive security in stream one and continue with deeper technical topics in stream two.
- Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics
Conference structure
Date: Friday, 22 February 2019
Time: 9:30am - 6:00pm
Cost: Free
The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon:
Training
In addition to the main conference on Friday, we are pleased to offer opportunities for application security-related training on Thursday (21 February), at the same venue. The Call for Training is currently open, and details on the training sessions selected will appear below as they are finalised.
General
The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free.
For any comments, feedback or observations, please don't hesitate to contact us.
Registration
Registration is not yet open. Please join our low-volume mailing list to be notified when registration opens, and/or follow us on Twitter @owaspnz
There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration to make room for others.
Important dates
- CFP submission deadline: 21st December 2018
- CFT submission deadline: 21st December 2018
- Conference Registration deadline: 14th February 2019
- Training Registration deadline: 14th February 2019
- Training Day date: 21st February 2019
- Conference Day date: 22nd February 2019
For those of you booking flights, ensure you can be at the venue by 9:00am. The conference will end by 6:00pm; however, we will have post-conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers and conference volunteers; more details on that to follow.
Places to eat & drink on the day
- Coffee cart and a selection of snacks next to the reception on the ground floor; this is the closest option but will probably have long lines
- Mojo Symonds - also on campus
- Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St
- The CBD - walk up and over Albert Park to get to the CBD with many great food options
- Fort Street has burgers, kebabs, and KFC
- High Street & Lorne Street have lots of little cafes and restaurants
- Subway, Starbucks, St. Pierre's Sushi & Pita Pit - walk up Symonds Street
- Vulture’s Lane is a popular pub with the InfoSec crowd, there are more seats downstairs
- The Bluestone Room - also a popular pub just across Queen St
Conference Venue
The University of Auckland School of Business
Conference Sponsors
Conference Host:
Platinum Sponsors:
Gold Sponsors:
Silver Sponsors:
Supporting Sponsors:
Conference Committee
- John DiLeo - Conference Chair, OWASP New Zealand Leader (Auckland)
- Brendan Seerup - Sponsorships and Promotion
- Lech Janczewski - Associate Professor - University of Auckland School of Business
- YOU - We are looking for volunteers to help make this our most successful conference yet!
Please direct all enquiries to [email protected]
OWASP NZ on Twitter (https://twitter.com/owaspnz)
Training
In addition to the main conference on Friday, we are pleased to provide opportunities for individuals/vendors to present training on Thursday, at the same venue. We are able to accommodate a maximum of four (4) concurrent training sessions. The Call for Training is currently open, and details will be provided here as selections are finalised. Training fees are $250 for half-day sessions, and $500 for full-day sessions.
Call For Presentations
The Call for Presentations is now open, and will close on Friday, 21st December.
OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more.
We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:
- Introductions to various Information Security topics, and the OWASP projects
- Technical topics
- Policy, Compliance and Risk Management
The introductory talks should appeal to intermediate to experienced software developers without a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately take back to work and apply to their jobs.
Technical topics run all day and should appeal to two audiences: experienced software security testers or researchers, and software developers who have an “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty, so that the majority of attendees learn something new.
We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.
We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:
- Web application security
- Mobile security
- Cloud security
- Secure development
- Vulnerability analysis
- Threat modelling
- Application exploitation
- Exploitation techniques
- Threat and vulnerability countermeasures
- Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
- Penetration Testing
- Browser and client security
- Application and solution architecture security
- PCI DSS
- Risk management
- Security concepts for C*Os, project managers and other non-technical attendees
- Privacy controls
Submissions will be reviewed by the OWASP New Zealand Day conference committee, and the highest-voted talks will be selected and invited for presentation.
PLEASE NOTE:
- Due to the limited budget available, expenses for international speakers cannot be covered.
- If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event.
Please submit your presentation via the CFP submission form.
Submissions deadline: 21st December 2018
Applicants will be notified in the week following the deadline whether or not they were successful.