OWASP New Zealand Day 2015

Presentations

Speakers List

Kirk Jackson - Xero - Applying OWASP Top 10 to ASP.NET MVC projects

Abstract

What's the OWASP Top 10, and how do we defend against those threats? Advances in web platforms and frameworks make it easier to defend against common web attacks. By introducing the defences available in ASP.NET MVC we'll see how we can make our lives easier (and more secure!).

Speaker Bio

Kirk Jackson is Security Officer at Xero, and has presented at previous OWASP, Kiwicon and other developer conferences.

Francois Marier - Mozilla - Integrity protection for third-party JavaScript

Abstract

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.

This is the motivation behing a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Speaker Bio

Francois is a senior software engineer in the Mozilla Security & Privacy team where he spends his time working on new ways to protect Firefox users. By night, he contributes to Debian and other free software projects.

Adam Bell - Lateral Security - Defaced: An insight into methodologies, tools and motivations

Abstract

"The internet is a hostile place, particularly if you are a charitable organisation.

Websites are compromised and defaced on a daily basis and sometimes their owners need a little help getting to the bottom of what happened.

So what if your website has been compromised and is getting reports of abuse... How do you react? What can you do?

This talk will cover a recent incident response and investigation I carried out and describe how you, as the developer-in-charge of an all-in-one webhost can investigate and respond.

Based on a true story, this talk will describe the incident response methodology I used, take a look at some of the tools that the defacer had left behind and give an insight into the badguys mindset and motives."

Speaker Bio

Adam Bell once ate a jam sandwich. He lives in Auckland with his newly spawned hacker progeny and fears the day she learns to pop shell. By day he is a security consultant for a prominent boutique security company, by night he tries to remember what sleep is.

Pedro Worcel - Security-Assessment.com - CMS Hell

Abstract

We all know about Wordpress and its (in)security. What about other CMSes? What about NZ made ones?

Introducing 'droopescan', a plugin-based tool for scanning CMSs. In this talk we will see its effectiveness in identifying versions and plugins, and we will see how the landscape looks like for installations of two CMSs (Drupal & SilverStripe) in New Zealand.

Speaker Bio

Pedro is a security researcher for Security-Assessment.com, with more than five years of experience in IT. I have a strong background on web applications, and generally enjoy building and hacking software of all kinds.

Nick von Dadelszen - Lateral Security - Lazily Finding Holes Without Breaking The Law

Abstract

Why risk actively testing for security vulnerabilities in websites when a large amount of vulnerabilities can be passively found? Based on an event where a major security issue was found in a potential client's site just through passive browsing during a scoping exercise, we thought, why not always be scanning? So, enter some dodgy nickvd style code and quick fixes, a little more polished code from feabell, and you have a system that is continuously passively scanning everything you browse. The vulnerabilities just come to you. This is the true lazyman's way to find vulnerabilities, and could be used to check a large number of sites for some common issues in a quick and painless manner.

Speaker Bio

A regular in the NZ security industry, Nick has now clocked up his 15th year of penetration testing. With a full security team at Lateral Security to keep in check, his time is now more commonly spent in meetings and reviewing reports. However, he still loves to jump in and get his hands dirty, especially when it is something new and interesting. Origin: New Zealand

Benjamin Kearns - Lateral Security - Crypto 101: A "no crazy maths" guide to crypto vulnerabilities

Abstract

While less common that other types of security vulnerabilities encryption flaws can often have a very high impact. Some big applications, hardware and frameworks have been vulnerable to simple encryption flaws in recent years.

This talk with run you through a variety of crypto flaws which we've observed in web and mobile applications over the last couple of years.

It will show you how to exploit them and discuss how to protect yourself.

Speaker Bio

Ben works as a Security Consultant for Lateral Security. He has two and a half years of security experience which is backed by a further five years of IT experience, primarily spent developing web applications and administering Linux systems.

Chris Smith - Insomnia Security - PHP Magic Tricks: Type Juggling

Abstract

PHP is a magical language! Unfortunately, magic leads to unexpected behaviour and unexpected behaviour leads to security bugs. This talk will go over a specific magic trick that PHP performs as a loosely- and dynamically-typed language.

The trick is type juggling, a set of rules that PHP enacts when trying to compare different types together. Given the different possible ways you might want to compare different data, you'd expect there to be some unexpected behaviour in there. You'd be right. And, given the importance of the comparison operator for enforcing security controls, you'd expect that to lead to some tasty bugs. You'd be right.

You will be introduced to PHP's various type juggling rules and how you might want to exploit them in security-critical areas of modern applications. We'll also look at a few publicized bugs that exploit this functionality and then finish off on how you can avoid exposing yourself to these issues. It'll be as easy as 'abc' == 0, I promise.

Speaker Bio

Chris is a consultant for Insomnia Security where he breaks other peoples stuff and writes reports about it. Previously a Linux sysadmin and polyglot developer, he now exacts his revenge on technologies that have wronged him.

Andrew Kampjes and Mike Haworth - nil and Aura - Surprise Features in Your Favourite Framework

Abstract

Modern web frameworks allow developers to be productive, however they are feature rich and not every feature is well understood. Some of these features can work in unexpected ways and can be leveraged by attackers. This talk will look at some of the gotchas in popular frameworks. We'll also look at the ways popular features such as social logins can go wrong.

Speaker Bio

Andrew Kampjes enjoys getting under the hood of Rails and playing with its quirks. He also gets a sick satisfaction finding security flaws in other’s code.

Mike Haworth is a Principal Security Consultant for AuraInfoSec, he spends his days doing everything from Red Team engagements to Code Reviews.

Jamie Anderson - SafeStack - Thinking Securely: Practical Advice for Developers

Abstract

If there’s one lesson that we can learn from 2014, it’s that security needs to become a priority for any web-based application. The challenge for developers is that they don’t think the same way that security professional do. They don’t see the holes until it’s too late.

As someone who has experienced both sides of the story, I have found a few ways to help to bridge this gap. In this talk I will share my story as well as a few tips and tricks I've learned along the way so that developers like me can think more securely and write more secure software.

Speaker Bio

Jamie has spent a decade and a half writing software, ranging from desktop software to back-end services to web-based applications. He has recently joined the information security community and is now a secure development specialist for SafeStack.

Andrew Kelly - Insomnia Security Group Ltd - The Fall and Rise of InfoSec

Abstract

A talk with a beginning, a middle ... and a 'will it ever end?' at the end. A light-hearted, albeit with a serious message somewhere, skip and jump through three decades of collected wisdom and anecdotes on the 'fall' of InfoSec with the rise of viruses, worms, etc., in the 80's and 90's - and its subsequent 'rise' again in the 2000's due to hacking and similar nefarious activities now being 'accepted' as mainstream. Changing attitudes in the last 30 years - but not changes in music and fashion - will be covered; alongside some ideas on how you can use such changes to your advantage in your own careers and/or organisations. All this by a man who (he claims) has done the hard yards: All nine of them!

Speaker Bio

Andrew is the Operations Manager for Insomnia Security, and a man in the twilight years of his working life. 2015 marks his 27th in Computer Security, Data Security, IT Security, Cyber Security and/or Information Security (and his 30th in IT), and he reckons he's fogotten more than he ever knew about most things - including InfoSec. Andrew now spends most of the short ime left to him now reminiscing about the old days, wallowing in past glories ... and wondering why kids today just don't understand.

Aloysius Cheang - Cloud Security Alliance - Securing the Cloud to the Internet of Things

Abstract

CSA's Software Defined Perimeter (SDP), a next generation security architecture for virtual private clouds, hardened SaaS, BYOD and Internet of Things (IOT), is explained. CSA is disrupting network security by making networks dark and adapting innovations from top secret systems. We will deep dive into the reference architecture, review enterprise implementations and discuss the future of SDP and IOT through the looking glass of the CSA.

Speaker Bio

Aloysius Cheang is Managing Director APAC of Cloud Security Alliance. He also heads up the Standards Secretariat. Aloysius brings to the CSA extensive experience gained from running business units and multi-million enterprise security and technology programs for Global 500 organizations worldwide in his previous roles as a global CSO for a leading Telco and as APAC practice leaders for leading management consulting firms. He is an active community leader, having founded and mentored various information security projects, forums, groups and associations in Singapore and globally. He is also active in standardization and was most recently a co-editor for ISO/IEC 27032 “Guidelines for Cybersecurity”. Aloysius holds a B. Sc (Hons) and Master’s degrees in Computer Science from the National University of Singapore with professional certifications such as CISA, CISSP and GCIH. His views are valued by global media such as Times, Wall Street Journal and CIO Magazine as a trusted independent source of specialist opinion over the last 15 years.

Chris Esther - Confide Ltd - Joined up PCI DSS : A systematic approach to PCI DSS v3 compliance

Abstract

In this presentation I will eschew the list of requirements approach to compliance and will reframe the PCI DSS using a systems approach to provide a holistic view of its requirements. The key processes and their linkages will be identified, including:

• Scoping
• Vulnerability management
• Configuration management
• Change management
• Development
• Testing

Similarly the core information required by PCI DSS will be identified and relationships between them discussed, including:

• Cardholder data flow diagram
• Network diagram
• Configuration Management Database

If you are new to PCI DSS it should provide a solid foundation for understanding it. For those already being embraced by PCI DSS it may provide another perspective that should help when managing the increased evidential requirements of PCI DSS V3.

Speaker Bio

Developer background, qualified lawyer, QSA. Currently providing advisory and compliance services to commercial and government organisations focusing on PCI DSS and privacy.

Carlos Cordero - Security among those who keep your secrets: comparing security in a top competitive intelligence services

Abstract

Firm A is the Latin American equivalent of IDC, Gartner, or Forrester but Peruvian. Firm B started as a top New Zealand market research firm and is now part of a top 5 multinational market research corporation. Both companies provide research services to enterprise corporations, Firm A to practically every well know IT vendor which operates in Latin America and Firm B to New Zealand and Australian corporation in the Financial, FMCG, Telecom, Media, and other critical industries. Therefore, both firms hold commercially sensitive information about the goals, intentions, activities, and plans of their clients. Both also have contracts with some of said clients to protect such information.

Speaker Bio

Carlos is a commercial and intelligence practitioner in the IT industry and a full member of the IITP despite not having a computer science degree but a business management one. Prior to New Zealand, founding partner of an intelligence firm which counts as clients vendors such as Microsoft, Intel, Oracle, IBM, HP, Dell, Telefonica, Telmex, AT&T, Siemens, to name a few. Also was an elected leader of the Peruvian equivalent to NZ Tech.

James Healy - Stoic Limited, apprentice at SafeStack - Handling Vulnerability Disclosure in New Zealand

Abstract

As a security researcher, reporting security issues to businesses and organisations can sometimes get dicey. As a company you need a disclosure policy in place, and a plan for what happens post-disclosure.. Especially if you've just had your private emails and photo's from 2011's Christmas do (oh dear..) posted on Twitter. This talk applies to companies of all sizes and addresses planning, right through to patching and publication.

Speaker Bio

James researched malware and packers during his teen years before moving onto web application security and development. For the past year he's been a C# developer at CourierPost and recently started an apprenticeship at SafeStack. He's also a freelance developer pretending to be from a large company called Stoic Ltd when in fact it's just him making websites. He enjoys beer and coffee. You should probably buy him one of those. James is also a little weirded out writing a bio in third-person.

Training Day

We are happy to announce that training will run on Thursday the 26th of February 2015, the day before the OWASP Day conference. The courses will be running from 9:00 AM sharp to 5:00PM. The training venues will be auditoriums kindly provided by the University of Auckland, in the same building as the OWASP Day conference itself. Due to popular demand, we are now sold out!

Details are as follows:

Training Abstract - Bootstrapping Agile Security

Agile development is often seen as a delicate balance of ritual and roles allowing for rapid development, continuous deployment and the expansion of the post-it note industry. Security is often seen as a lumbering giant of process, governance and technology allowing for increased control, reduced risk and the expansion of the technology vendor industry.

What if you could merge the two?

The world of security is changing to meet the needs of agile software development. Organisations around the world are coming up with tools, techniques and processes to make security a continuous presence to support developers. This hands on, fast-paced course will not only give students a solid grounding in how to bring security into agile software development life-cycles, but also give a range of tools, techniques and practical skills to make it happen.

Trainer Bio - Laura Bell

Laura Bell is the founder and lead consultant at SafeStack, a specialist New Zealand agile security firm. With almost a decade of experience in software development and information security, Laura specialises in bringing security practices and culture into organisations of every shape and size. Her recent research into agile security practices has generated a set of tools and processes that can enable the management of security risk without compromising innovation or speed.

Registration

Is now closed.