This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP New Zealand Day 2019"

From OWASP
Jump to: navigation, search
(Updated slide and video links for Radich presentation)
 
(91 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
 
<center>
 
<center>
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018 https://www.owasp.org/images/5/53/NZ_day_2018_web.jpg]<br><br>
+
[https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019 https://www.owasp.org/images/e/e3/NZDay_2019_web_banner.jpg]<br><br>
 
'''21st and 22nd February 2019 - Auckland'''
 
'''21st and 22nd February 2019 - Auckland'''
 
</center>
 
</center>
 
----
 
----
  
= Introduction =
+
=Introduction=
  
 
==Introduction==
 
==Introduction==
Line 12: Line 12:
 
We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.
 
We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.
  
 +
There will be two streams throughout the day. The first stream will include introductory talks on application and information security topics, as well as on policy, compliance, and risk management. The second stream will primarily address deeper technical topics.
  
 
Who is it for?
 
Who is it for?
  
* Web Developers: There will be a choice of two streams in the morning. Talks in the first stream will include introductory talks to information security, while those in the second stream will address deeper technical topics. Afternoon sessions will cover offensive security in stream one, and continue with deeper technical topics in stream two
+
* Web Developers  
* Security Professionals and Enthusiasts: Technical sessions later in the day will showcase new and interesting attack and defence topics
+
* Security Professionals and Enthusiasts
 +
* Program and Project Managers
 +
* Business Analysts
 +
* Requirements Analysts
 +
* Software Testers
  
 
==Conference structure==
 
==Conference structure==
  
Date: Friday, 22 February 2019<br>
+
'''Date:''' Friday, 22 February 2019
Time: 9:30am - 6:00pm<br>
+
 
Cost: Free<br>
+
'''Time:''' 9:00am - 6:00pm
 +
 
 +
'''Cost: FREE'''
  
 
The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon:
 
The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon:
  
<!--
+
'''Stream One:'''
<table style="border:1px solid black;">
+
 
  <tr>
+
* Introductory Topics
      <td width="10%" style="text-align:center; border:1px solid black">Morning</td>
+
* Program Management, Policy, Compliance, Risk Management
      <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Introductory information security topics</td>
+
 
      <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Informational / Defensive</td>
+
'''Stream Two:'''
  </tr>
+
 
  <tr>
+
* Technical Topics
      <td width="10%" style="text-align:center; border:1px solid black;">Afternoon</td>
 
      <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Offensive Security</td>
 
      <td width="45%" style="border:1px solid black; padding: 0px 0px 0px 12px;">Informational / Defensive</td> 
 
  </tr>
 
</table>
 
-->
 
  
 
==Training==
 
==Training==
  
In addition to the main conference on Friday, we are pleased to offer opportunities for application security-related training on Thursday (21 February), at the same venue. The Call for Training is currently open, and details
+
In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:
on the training sessions selected will appear below as they are finalised.
+
 
 +
=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Real_World_Penetration_Testing '''Real-World Penetration Testing''']===
 +
 
 +
'''Date:''' Thursday, 21 February 2019<br />
 +
'''Time:''' 8:45 a.m. - 5:30 p.m.<br />
 +
'''Format:''' Live online interaction with instructors; interactive Web-based lab exercises<br />
 +
'''Instructors:''' Vivek Ramachandran and Nishant Sharma<br />
 +
'''Instructors' Organisation:''' Pentester Academy<br />
 +
'''Registration Fee:''' $500.00<br />
 +
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' <strong>(Registration CLOSED)</strong>
 +
 
 +
=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Are_You_a_Secure_Code_Warrior '''Are You a Secure Code Warrior?'''] ===
 +
 
 +
'''Date:''' Thursday, 21 February 2019<br />
 +
'''Time:''' 8:45 a.m. - 12:30 p.m.<br />
 +
'''Instructor:''' Jaap Karan Singh<br />
 +
'''Instructor's Organisation:''' Secure Code Warrior<br />
 +
'''Registration Fee:''' $250.00<br />
 +
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' <strong>(Registration CLOSED)</strong>
 +
 
 +
=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Threat_Modelling_From_None_to_Done '''Threat Modelling: Getting from None to Done'''] ===
 +
 
 +
'''Date:''' Thursday, 21 February 2019<br />
 +
'''Time:''' 8:45 a.m. - 5:30 p.m.<br />
 +
'''Instructor:''' Dr. John DiLeo<br />
 +
'''Instructor's Organisation:''' OWASP New Zealand Chapter<br />
 +
'''Registration Fee:''' $500.00<br />
 +
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' <strong>(SOLD OUT)</strong>
 +
 
 +
<strong>Training registration closed at midnight on 14 February.</strong>
  
 
==General==
 
==General==
  
 
The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free.
 
The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free.
 
  
 
For any comments, feedback or observations, please don't hesitate to contact [mailto:[email protected] us].<br>
 
For any comments, feedback or observations, please don't hesitate to contact [mailto:[email protected] us].<br>
  
 
==Registration==
 
==Registration==
Registration is not yet open. Please join our low volume [https://lists.owasp.org/mailman/listinfo/owasp-newzealand mailing list] to be notified when registration opens and/or follow us on twitter [https://twitter.com/owaspnz @owaspnz]
+
Registration is now open. Visit [https://owaspnz2019.eventbrite.com EventBrite] to register.
 
 
<!--
 
Registration for the main conference day is now open: [https://owaspnz2018.eventbrite.com/ Conference Registration Here],
 
Follow us on twitter [https://twitter.com/owaspnz @owaspnz]
 
-->
 
 
 
There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration to make room for others.
 
  
<!--
+
Please join our low volume [https://lists.owasp.org/mailman/listinfo/owasp-newzealand mailing list] to be notified as further schedule information becomes available, and/or follow us on Twitter [https://twitter.com/owaspnz @owaspnz].
Training Registration is now open: [http://www.regonline.com/owaspnzday2017trainingandsponsorship Training Registration]
 
-->
 
  
<!--
+
There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration (i.e., "request a refund" in EventBrite) to make room for others.
Registration is now closed.
 
-->
 
  
 
==Important dates==
 
==Important dates==
  
* CFP submission deadline: 21st December 2018
+
{|
* CFT submission deadline: 21st December 2018
+
|-
* Conference Registration deadline: 14th February 2019
+
! scope="row" style="text-align: right;" |  CFP submission deadline:  
* Training Registration deadline:   14th February 2019
+
| 11th January 2019 <strong>- Submissions are now closed</strong>
* Training Day date:         21st February 2019
+
|-
* Conference Day date:           22nd February 2019
+
! scope="row" style="text-align: right;" | CFT submission deadline:  
 +
| 21st December 2018 <strong>- Submissions are now closed</strong>
 +
|-
 +
! scope="row" style="text-align: right;" | Training Day date:  
 +
| 21st February 2019
 +
|-
 +
! scope="row" style="text-align: right;" | Training Registration Deadline:  
 +
| 14th February 2019 <strong>- Registration is now closed</strong>
 +
|-
 +
! scope="row" style="text-align: right;" | Conference Day date:  
 +
| 22nd February 2019
 +
|-
 +
! scope="row" style="text-align: right;" | Conference Registration deadline:  
 +
| 22nd February 2019 (Same-day registration is permitted, if space is available)
 +
|}
  
 +
For those of you booking flights, ensure you can be at the venue by 8:30am. The conference will end by 6:00pm. However, we will have post conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers, sponsors, and conference volunteers - more details on that to follow.
  
For those of you booking flights, ensure you can be at the venue by 9:00am. The conference will end by 6:00pm. However, we will have post conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers, and conference volunteers - more details on that to follow.
+
==Places to eat & drink on the day==
  
 +
The University published a handy map (in 2018), to help you find places to eat around campus:
 +
[[File:Retail Map City Campus 2018 v2.pdf|frame Campus dining map]]
  
==Places to eat & drink on the day==
+
Some of the options available:
 
 
 
<ul>
 
<ul>
<li>Coffee cart and selection of snacks next to the reception on the ground floor, this is the closest but will probably have long lines</li>
+
<li>The Deli - Located on Level 1 of the Owen G. Glenn Building - This is closest, but will probably have long lines</li>
 
<li>Mojo Symonds - also on campus</li>
 
<li>Mojo Symonds - also on campus</li>
 
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
 
<li>Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St</li>
Line 106: Line 140:
 
   <td>
 
   <td>
 
The University of Auckland School of Business<br>
 
The University of Auckland School of Business<br>
Owen Glen Building<br>
+
Owen G. Glenn Building (OGGB)<br>
 
Address: 12 Grafton Road<br>
 
Address: 12 Grafton Road<br>
 
<br>
 
<br>
Line 127: Line 161:
 
==Conference Sponsors==
 
==Conference Sponsors==
  
'''Conference Host:'''
+
For more information on our Premier Sponsors, please visit our [[OWASP NZ Day 2019-About Our Sponsors|About Our Sponsors]] page
 +
 
 +
=== Conference Host ===
 
<table width="100%" border="0" cellspacing="1" cellpadding="1">
 
<table width="100%" border="0" cellspacing="1" cellpadding="1">
 
   <tr>
 
   <tr>
Line 135: Line 171:
 
----
 
----
  
'''Platinum Sponsors:'''
+
=== Platinum Sponsor ===
<table width="100%" border="0" cellspacing="7" cellpadding="0">
+
 
 +
<table align="center" width="100%" border="0" cellspacing="7" cellpadding="0">
 
   <tr>
 
   <tr>
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
     <td>&nbsp;</td>
+
     <td>[[File:Insomnia Logo-Updated.png|center|x130px|frameless|link=https://www.insomniasec.com|Logo-Insomnia Security]]</td>
    <td>&nbsp;</td>
 
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
 
   </tr>
 
   </tr>
Line 146: Line 182:
 
----
 
----
  
'''Gold Sponsors:'''
+
=== Gold Sponsors ===
 
<table width="100%" border="0" cellspacing="7" cellpadding="0">
 
<table width="100%" border="0" cellspacing="7" cellpadding="0">
 
   <tr>
 
   <tr>
<!-- Last year's sponsors -- commented out, to maintain formatting
+
    <td>[[File:Orion-Health-Logo 2019 Grey Orange RGB.png|center|x150px|frameless|link=https://www.orionhealth.com|Logo-Orion Health]]</td>  
    <td><center>[[File:Zx.png|link=http://www.zxsecurity.co.nz]]</center></td>
+
  <td>[[File:Quantum Security (strip)-02.png|center|x150px|frameless|link=https://www.quantumsecurity.co.nz|Logo-Quantum Security]]</td>
-->
+
     <td>[[File:SCW logo transparent.png|x150px|frameless|link=https://securecodewarrior.com|Logo-Secure Code Warrior]]</td>
     <td>&nbsp;</td>
+
     <td>[[File:ZX-Security-Logo--Black.png|center|frameless|x150px|link=https://zxsecurity.co.nz|Logo-ZX Security]]</td>
    <td>&nbsp;</td>
 
<!--
 
     <td><center>[[File:INSOMNIA.PNG|link=http://www.insomniasec.com]]</center></td>
 
-->
 
    <td>&nbsp;</td>
 
 
     <td>&nbsp;</td>
 
     <td>&nbsp;</td>
<!--
 
    <td><center>[[File:Aura_PBK_Colour.jpg|link=http://www.aurainfosec.com]]</center></td>
 
-->
 
 
   </tr>
 
   </tr>
 
</table>
 
</table>
 
----
 
----
  
'''Silver Sponsors:'''
+
=== Silver Sponsors ===
 
<table width="100%" border="0" cellspacing="7" cellpadding="0">
 
<table width="100%" border="0" cellspacing="7" cellpadding="0">
 
   <tr>
 
   <tr>
<!-- Last year's sponsors -- commented out, to maintain formatting
+
     <td align="center">
     <td><center>[[File:Quantum_Security_%28strip%29-02.png|link=http://www.quantumsecurity.co.nz]]</center></td>
+
'''Sponsoring Provider - Training Day Tea Breaks'''<br />
-->
+
[[File:Aura PBK Colour Panel.jpg|x150px|frameless|center|link=https://www.aurainfosec.com/|Logo-Aura Information Security]]
    <td>&nbsp;</td>
+
</td>
 
   </tr>
 
   </tr>
 
</table>
 
</table>
 
----
 
----
  
'''Supporting Sponsors:'''
+
=== Supporting Sponsors ===
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
<table width="100%" border="0" cellspacing="0" cellpadding="0">
 
   <tr>
 
   <tr>
<!-- Last year's sponsors -- commented out, to maintain formatting
+
     <td align="center">
     <td><center>[[File:BinaryMistLimited.png|center|150px|link=https://binarymist.io]]</center></td>
+
      [[File:BinaryMistLimited.png|x100px|frameless|link=https://binarymist.io/|Logo-Binary Mist Limited]]
-->
+
    </td>
     <td>&nbsp;</td>
+
    <td align="center">
     <td>&nbsp;</td>
+
      [[File:Logo-Pentester Lab.png|x100px|frameless|link=https://pentesterlab.com/|Logo-PentesterLab]]
<!-- Last year's sponsors -- commented out, to maintain formatting
+
     </td>
     <td><center>[[File:Atlassian.png|center|183px|link=https://www.atlassian.com/]]</center></td>
+
     <td align="center">
-->
+
      [[File:Privasec.png|x100px|frameless|link=https://privasec.com.au/|Logo-Privasec]]
 +
    </td>
 +
    <td align="center">
 +
      [[File:RedShield.png|frameless|link=https://www.redshield.co/|Logo-RedShield]]
 +
     </td>
 +
    <td>
 +
[[File:Zimbra-logo-color-282.png|x100px|frameless|link=https://www.zimbra.com/|Logo-Zimbra]]
 +
    </td>
 
   </tr>
 
   </tr>
 
</table>
 
</table>
 +
----
  
==Conference Committee==
+
Follow us [https://twitter.com/owaspnz on Twitter (@owaspnz)]
  
* John DiLeo -  Conference Chair, OWASP New Zealand Leader (Auckland)
+
[https://www.facebook.com/owaspnz OWASP New Zealand on Facebook]
* Brendan Seerup -  Sponsorships and Promotion
 
* Lech Janczewski - Associate Professor - University of Auckland School of Business
 
* YOU - We are looking for volunteers to help make this our most successful conference yet!
 
  
Please direct all enquiries to [email protected]
+
=Call for Volunteers=
  
OWASP NZ on Twitter (https://twitter.com/owaspnz)
+
<center>
 +
'''We're still looking for a few good men and women, to assist with conference preparations and to help things go smoothly during the event.'''
  
= Training =
+
Please contact John DiLeo ([mailto:[email protected] [email protected]]), if you're willing and able to help out.
==Training==
+
</center>
  
In addition to the main conference on Friday, we are pleased to provide opportunities for individuals/vendors to present training on Thursday, at the same venue. We are able to accommodate a maximum of four (4) concurrent training
+
==Conference Committee==
sessions. The Call for Training is currently open, and details will be provided here as selections are finalised. Training fees are $250 for half-day sessions, and $500 for full-day sessions.
 
  
<!-- Last year's training offering - commented out to preserve formatting
+
So, far, a fair few kind souls have stepped up to help out:
[https://binarymist.io/talk/owaspnzday-2018-workshop-building-security-into-your-development-team/ '''Building Security Into Your Development Teams''']
 
Date: Sun 04 February 2018<br />
 
Time: 9:00am - 5:30pm or part thereof<br />
 
[https://www.eventbrite.com/e/owasp-nz-day-interactive-workshop-building-security-into-your-development-teams-tickets-41266447054 Training Registration Page]
 
-->
 
  
<!--
+
* John DiLeo - Conference Chair, OWASP New Zealand Chapter Leader (Auckland)
Spaces going fast, so get in quick
+
* Lech Janczewski - Conference Host Liaison, on-site Health & Safety contact - Associate Professor, University of Auckland School of Business
-->
+
* Kirk Jackson - Video post-production, OWASP New Zealand Chapter Leader (Wellington)
 +
* Tess Brothersen
 +
* Austin Chamberlain
 +
* Teresa Chan
 +
* Anna Cupples
 +
* Paul Howarth
 +
* Toni James
 +
* Alex McClennan
 +
* Sam Penfold
 +
* Stephen Sherry
 +
* Anneke Smitheram
 +
* Anthony Vargo
 +
* Anya Yang
  
= Call For Presentations =
+
= Training - 21 Feb =
==Call For Presentations==
+
==Training==
  
'''The Call for Presentations is now open, and will close on Friday, 21st December.'''
+
In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:
  
OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including
+
=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Real_World_Penetration_Testing '''Real-World Penetration Testing''']===
architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more.
 
  
 +
'''Date:''' Thursday, 21 February 2019<br />
 +
'''Time:''' 8:45 a.m. - 5:30 p.m.<br />
 +
'''Format:''' Live online interaction with instructors; interactive Web-based lab exercises<br />
 +
'''Instructors:''' Vivek Ramachandran and Nishant Sharma<br />
 +
'''Instructors' Organisation:''' Pentester Academy<br />
 +
'''Registration Fee:''' $500.00<br />
 +
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' <strong>(Registration CLOSED)</strong>
  
We would like a variety of technical levels in the presentations submitted, corresponding to the three sections of the conference:
+
=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Are_You_a_Secure_Code_Warrior '''Are You a Secure Code Warrior?'''] ===
 
 
We would like a variety of technical levels in the presentations submitted, corresponding to the three focus areas of the conference:
 
  
Track One:
+
'''Date:''' Thursday, 21 February 2019<br />
 +
'''Time:''' 8:45 a.m. - 12:30 p.m.<br />
 +
'''Instructor:''' Jaap Karan Singh<br />
 +
'''Instructor's Organisation:''' Secure Code Warrior<br />
 +
'''Registration Fee:''' $250.00<br />
 +
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' <strong>(Registration CLOSED)</strong>
  
* Introductions to various Information Security topics, and the OWASP projects
+
=== [https://www.owasp.org/index.php/OWASP_NZ_Day_2019-Training-Threat_Modelling_From_None_to_Done '''Threat Modelling: Getting from None to Done'''] ===
* Policy, Compliance and Risk Management
 
  
Track Two:
+
'''Date:''' Thursday, 21 February 2019<br />
* Technical topics
+
'''Time:''' 8:45 a.m. - 5:30 p.m.<br />
 +
'''Instructor:''' Dr. John DiLeo<br />
 +
'''Instructor's Organisation:''' OWASP New Zealand Chapter<br />
 +
'''Registration Fee:''' $500.00<br />
 +
'''[https://owaspnz2019-training.eventbrite.com Training Registration Page]''' <strong>(SOLD OUT)</strong>
  
The introductory talks should appeal to an intermediate to experienced software developer, without requiring a solid grounding in application security or knowledge of the OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.
+
Spaces are going fast, so get in quickly!
  
This being an OWASP conference, the selection process for talks in Track One will give priority to those related to OWASP's Projects, Tools, and Guidance (check out the current [OWASP Project Inventory](https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory) for more information). If multiple submissions are received related to the same OWASP Project/Tool, preference will be given to speakers actively involved as leaders or members of the respective project teams.
+
Check-in desk will be located in the Level 0 lobby (outside the Case Study Rooms), and will open at 8:00 a.m.
  
Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.
+
Morning and afternoon tea breaks will be provided; lunch will be on your own.
  
We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.
+
=Conference - 22 Feb=
  
  
We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:
 
  
 
* Web application security
 
* Mobile security
 
* Cloud security
 
* Secure development
 
* Vulnerability analysis
 
* Threat modelling
 
* Application exploitation
 
* Exploitation techniques
 
* Threat and vulnerability countermeasures
 
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
 
* Penetration Testing
 
* Browser and client security
 
* Application and solution architecture security
 
* PCI DSS
 
* Risk management
 
* Security concepts for C*Os, project managers and other non-technical attendees
 
* Privacy controls
 
 
<!--
 
The email subject must be "OWASP New Zealand 2017: CFP" and the email body must contain the following information/sections:
 
 
 
* Name and Surname
 
* Affiliation
 
* Telephone number
 
* Email address
 
* Short presenter bio
 
* Title of the contribution
 
* Type of contribution: Technical, Informative, Management
 
* Suggested length for the talk
 
* Short abstract (up to 500 words)
 
* List of the author's previous papers/articles/speeches on the same/similar topic (if any)
 
* If you are not from New Zealand, will your company support your travel/accommodation costs? - Yes/No
 
-->
 
 
The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.
 
 
 
PLEASE NOTE:
 
 
* Due to limited budget available, expenses for international speakers cannot be covered.
 
* If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event.
 
 
 
'''Thank you to all those who have submitted talks. The call for presentations has now closed.'''
 
 
Please submit your presentation [https://www.papercall.io/owaspnz2019 here].
 
 
<!--
 
Please submit the above information to all of the following: Denis Andzakovic ([email protected]), Kirk Jackson ([email protected]) and Kim Carter ([email protected]).
 
-->
 
 
<b>Submissions deadline: 21st December 2018</b>
 
 
Applicants will be notified in the following week after the deadline, whether they were successful or not.
 
<!--
 
= Call For Trainers =
 
== Call For Trainers ==
 
 
We are happy to announce that training will run on Thursday, 21 February 2019, the day before the OWASP NZ Day conference.
 
The training venue will be Level 0, Rooms: case rooms 1(005), 2(057), 3(055), and 4(009), kindly provided by the University of Auckland School of Business, in the same building as the OWASP NZ Day conference itself.
 
Classes can contain up to 69 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered,
 
see the Call for Papers for a list of example topics.
 
 
If you are interested in running one of the training sessions, please contact John DiLeo with the following information:
 
 
 
* Trainer name
 
* Trainer organisation
 
* Telephone + email contact
 
* Short Trainer bio
 
* Training title
 
* Trainer requirements (e.g. a projector, whiteboard, etc)
 
* Trainee requirements (e.g. laptop, VMware/VirtualBox, etc)
 
* Training summary (less than 500 words)
 
* Target audience (e.g. testers, project managers, security managers, web developers, architects)
 
* Skill level required (Basic / Intermediate / Advanced)
 
* What attendees can expect to learn (key objectives)
 
* Short course outline
 
 
 
The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:
 
 
* 25% to OWASP Global - used for OWASP projects around the world
 
* 25% to OWASP NZ Day - used for NZ Day expenses
 
* 50% to the training provider.
 
 
 
<b>Submissions deadline: 21st December 2018</b>
 
 
Applicants will be notified in the following week after the deadline, whether they were successful or not.
 
 
 
= Call For Sponsorships =
 
==Call For Sponsorships==
 
 
OWASP New Zealand Day 2019 will be held in Auckland on the 22nd of February, 2019, and is a security conference entirely dedicated to application security.
 
The conference is once again being hosted by the University of Auckland with their support and assistance.
 
OWASP New Zealand Day 2019 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
 
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2019 a free, compelling, and valuable experience for all attendees.
 
 
The sponsorship funds collected are to be used for things such as:
 
 
* Name tags - we feel that getting to know people within the New Zealand community is important, and name tags make that possible.
 
* Promotion - up to now our events are propagating by word of mouth. We would like to get to a wider audience by advertising our events.
 
* Printed Materials - printed materials will include brochures, tags and lanyards.
 
* Recognition items for speakers and trainers
 
* Morning and afternoon tea, to promote a congenial environment for networking among application security professionals
 
 
== Facts ==
 
 
Last year, the event was supported by seven sponsors and attracted more than 900 registrations. Plenty of constructive (and positive!) feedback from the audience was received and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
 
 
The OWASP New Zealand community is strong, there are more than 500 people currently subscribed to the mailing-list. OWASP New Zealand Day is expected to attract between 900 and 1000 attendees this year.
 
 
OWASP regular attendees are IT project managers, IT security managers, IT security consultants, web application architects and developers, QA managers, QA testers and system administrators.
 
 
== Sponsorships  ==
 
 
There are three different levels of sponsorships for the OWASP New Zealand Day event:
 
 
 
<b>Supporting Sponsorship</b>: (Covering international speaker travel expenses, media coverage/article/promotion of the event)
 
 
 
Includes:
 
 
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019
 
 
 
<b>Silver Sponsorship</b>: 1750 NZD
 
 
Includes:
 
 
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2019
 
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
 
 
 
<b>Gold Sponsorship</b>: 3000 NZD
 
 
Includes:
 
 
* The possibility to have a promotional banner or sign side stage in the main auditorium (to be provided by the sponsor, size subject to approval by the OWASP NZ Day Committee).
 
* The publication of the sponsor logo in the event site, in the agenda, on the handouts and in all the official communications with the attendees at the conference.
 
* The possibility to distribute the company brochures, CDs or other materials to the participants during the event.
 
* Publication of the sponsor logo on the OWASP New Zealand Chapter page - Sponsor logo on the OWASP NZ site prior and during the OWASP Day event - https://www.owasp.org/index.php/New_Zealand
 
* Publication of the sponsor logo on the event web site - https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
 
 
 
Those who are interested in sponsoring OWASP New Zealand 2019 Conference can contact the [mailto:[email protected],[email protected] Conference Committee].<br>
 
 
 
= Presentation Schedule =
 
 
==Presentations==
 
==Presentations==
  
 
<center>
 
<center>
5th February 2018
+
===22nd February 2019===
 +
 
 
<table width="100%">
 
<table width="100%">
 
<tr>
 
<tr>
<td width="5%" valign="top" align="right">08:30</td>
+
<td valign="top" align="right">08:00</td>
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens</td>
+
<td colspan="3" style="background-color: #8595C2; text-align: center">Registration Opens - Main Foyer, Owen G. Glenn Building</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">09:30</td>
+
<td valign="top" align="right">09:00</td>
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
+
<td colspan="3" style="background-color: #D98B66; text-align: center">
<b>Welcome to OWASP New Zealand Day 2018</b><br />
+
<b>Welcome to OWASP New Zealand Day 2019</b><br />
<i>Kirk Jackson, [https://binarymist.io Kim Carter], Nick Malcolm (OWASP Leaders), and Lech Janczewski (Associate Professor)</i>
+
<i>John DiLeo (Conference Chair), Kirk Jackson, and [https://binarymist.io Kim Carter] - OWASP NZ Chapter Leaders<br />Lech Janczewski (Conference Host) - Associate Professor, Univ. of Auckland</i><br />
 
+
[[Media:20190222--DiLeo-Opening_Session.pdf|Slides (PDF, 7.0 MB)]]
  
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right"></td>
+
<td width="5%" valign="top" align="right">&nbsp;</td>
<td style="background-color: #EEE; text-align: center">
+
<td width="45%" style="background-color: #B9C2DC; text-align: center">
<b>Upstairs room</b>
+
  <strong>Upstairs Auditorium (Room 115)<br />Track One: Introductory / Management</strong>
 
</td>
 
</td>
<td width="7%" valign="top" align="right">09:45</td>
+
<td width="5%" valign="top" align="right">&nbsp;</td>
<td style="background-color: #EEE; text-align: center">
+
<td style="background-color: #B9C2DC; text-align: center">
'''Downstairs room'''
+
  <strong>Downstairs Auditorium (Room 098)<br />Track Two: Technical</strong>
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right"></td>
+
<td valign="top" align="right">09:20</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Fear Itself</b><br />
+
<b>Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection</b><br />
<i>Laura Bell - SafeStack</i>
+
<i>David Waters and Kieran Molloy - Pushpay</i><br />
 +
[[Media:20190222--Waters Molloy-Exploiting Vulnerabilities.pdf|Slides (PDF, 789 kB)]] |
 +
[https://youtu.be/8TE_peh5Aas Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">09:45</td>
+
<td valign="top" align="right">09:20</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Offensive Defence</b><br />
+
<b>Virtual Patching: Does It Work?</b><br />
<i>Chris Berry - Aura Information Security</i><br/>
+
<i>Kirk Jackson - RedShield</i><br />
[[Media:2018-02-05-ChrisBerry.pdf|Slides: (PDF, 3.4mb)]]
+
[[Media:2019-02-22 - Virtual Patching Does it work - Print.pdf|Slides (PDF, 2.1 MB)]] |
[https://www.youtube.com/edit?o=U&video_id=-z4ID7Rh84E Video]
+
[https://youtu.be/6LqKLILNrko Video (YouTube)]
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">10:20</td>
+
<td valign="top" align="right">10:10</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<td style="background-color: #B9C2DC; text-align: center">
<b>Pizza Roulette</b><br />
+
<b>Threat Modelling When You've Never Done It Before</b><br />
<i>Catherine McIlvride and Fiona Sasse</i><br />
+
<i>Kade Morton - Quantum Security</i><br />
[[Media:2018-02-05-CatherineMcIlvrideFionaSasse.pdf|Slides: (PDF, 3.4mb)]]
+
[[Media:20190222--Morton-Threat Modelling-Complete.pdf|Slides (PDF, 5.7 MB)]] |
[https://www.youtube.com/watch?v=FUY-PgZqI3A Video]
+
[https://youtu.be/YeeIf63Thwc Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">10:20</td>
+
<td valign="top" align="right">10:10</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<td style="background-color: #B9C2DC; text-align: center">
<b>Auth* Infrastructure for Everyone</b><br />
+
<b>Cloud Catastrophes and How to Avoid Them</b><br />
<i>Ryan Kurte and Kirk Holloway</i><br />
+
<i>Michael Haworth - Insomnia Security</i><br />
[https://docs.google.com/presentation/d/11tFlGmRQUBJ5ns-8gxRDxL3J0rAkCgOVqAEGqwqxDLM/edit?usp=sharing Slides]
+
[[Media:20190222--Haworth-Cloud_Catastrophes.pdf|Slides (PDF, 666 kB)]] |
 +
[https://youtu.be/UqMUNFvnp_E Video (YouTube)]
 
</td>
 
</td>
  
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">10:55</td>
+
<td valign="top" align="right">10:45</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Guarding the Pot of Gold while the Rainbow gets bigger</b><br />
+
<b>That Vulnerability Looks Quite Risky</b><br />
<i>Sarah Bennett and Patricia Ramsden - Xero</i><br />
+
<i>Peter Jakowetz - Quantum Security</i><br />
[https://www.youtube.com/watch?v=kh5q-79Boe8 Video]
+
[[Media:20190222--Jakowetz-Vulnerability Looks Quite Risky.pdf|Slides (PDF, 1.0 MB)]] |
 +
[https://youtu.be/NOed0M0Ec-c Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">10:55</td>
+
<td rowspan="2" valign="top" align="right">10:45</td>
<td style="background-color: #EEE; text-align: center">
+
<td rowspan="2" style="background-color: #EEE; text-align: center">
<b>Bermudez - a honeypit designed to waste hacker's time</b><br />
+
<b>JWAT: Attacking JSON Web Tokens</b><br />
<i>Ian Welch and Kaishuo Yang</i><br />
+
<i>Louis Nyffenegger - Pentester Lab</i><br />
[https://www.youtube.com/watch?v=t5XBf4LApoo Video]
+
[[Media:20190222--Nyffenegger-JWAT.pdf|Slides (PDF, 3.5 MB)]] |
 +
[https://youtu.be/aYz8yPymyvk Video (YouTube)]
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">11:30</td>
+
<td valign="top" align="right">11:20</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<td style="background-color: #B9C2DC; text-align: center">
<b>Enough theory, how are websites getting hacked in real life?</b><br />
+
<b>Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing</b><br />
<i>Declan Ingram - CERT</i><br/>
+
<i>Mike Clarke - Erudite Software</i><br />
[https://www.youtube.com/watch?v=WhYh-eUqxIA&t=137s Video]
+
[[Media:20190222--Clarke-Mob_Learning.pdf|Slides (PDF, 1.2 MB)]] |
</td>
+
[https://youtu.be/5YIdlFdKV00 Video (YouTube)]
<td width="7%" valign="top" align="right">11:30</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<b>Rails Derailed</b><br />
 
<i>Tim Goddard</i><br />
 
[https://insomniasec.com/releases Slides]
 
[https://www.youtube.com/watch?v=fGlS6w2naN0 Video]
 
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">12:05</td>
+
<td valign="top" align="right">11:40</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Secure APIs: Road to Business Growth</b><br />
+
<b>How Can OWASP SAMM Help You Build More Secure Software?</b><br />
<i>Anupama Natarajan - Unisys New Zealand</i><br />
+
<i>Mohamed Hassan - Aura Information Security</i><br />
[[Media:2018-02-05-AnupamaNatarajan.pdf|Slides: (PDF, 719kb)]]
+
<i>Slides not yet available</i> | [https://youtu.be/AEBnmyzDSEo Video (YouTube)]
[https://www.youtube.com/watch?v=WIz6pS9L5l0 Video]
 
 
</td>
 
</td>
<td width="7%" valign="top" align="right">12:05</td>
+
<td valign="top" align="right">11:40</td>
<td style="background-color: #EEE; text-align: center">
+
<td style="background-color: #B9C2DC; text-align: center">
<b>Timing-Based Attacks in Web Applications</b><br />
+
<b>CTF: The Gateway Drug</b><br />
<i>Yappare</i><br />
+
<i>Toni James - Orion Health</i><br />
[[Media:2018-02-05-AhmadAshraff.pdf|Slides: (PDF, 7.7mb)]]
+
<i>Slides not yet available</i> | [https://youtu.be/B1CPimcoE7c Video (YouTube)]
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">12:35</td>
+
<td valign="top" align="right">12:10</td>
 
<td colspan="3" style="background-color: #D98B66; text-align: center">
 
<td colspan="3" style="background-color: #D98B66; text-align: center">
 
<b>Break for Lunch</b><br />
 
<b>Break for Lunch</b><br />
Line 513: Line 409:
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">14:00</td>
+
<td valign="top" align="right">13:30</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Developer's guide to Deserialization Attacks</b><br />
+
<b>NoHolidayChurchGenius: Password Security with 2020 Vision</b><br />
<i>Felix Shi</i>
+
<i>Antonio Radich - Quantum Security</i><br />
 +
[[Media:20190222--Radich-NoHolidayChurchGenius.pdf|Slides (PDF, 1.4 MB)]] |
 +
[https://www.youtube.com/watch?v=5AaOU5bC2fU Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">14:00</td>
+
<td rowspan="2" valign="top" align="right">13:30</td>
<td style="background-color: #EEE; text-align: center">
+
<td rowspan="2" style="background-color: #EEE; text-align: center">
<b>IoT - How to fight the tyre fire</b><br />
+
<b>Security Regression Testing on OWASP ZAP Node API</b><br />
<i>Tom Isaacson</i><br />
+
<i>Kim Carter - BinaryMist</i><br />
[https://speakerdeck.com/parsley72/iot-how-to-fight-the-tyre-fire-1 Slides (speakerdeck)]
+
<i>Slides not yet available</i> | <i>Video not published, at presenter's request</i>
 
</td>
 
</td>
 
       </tr>
 
       </tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">14:45</td>
+
<td valign="top" align="right">14:05</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<td style="background-color: #B9C2DC; text-align: center">
<b>Finding the path to #DevSecOps nirvana</b><br />
+
<b>Sharing Is Caring: A Beginner's Guide to Security in the Cloud</b><br />
<i>Olly - Xero</i>
+
<i>Petra Smith - Aura Information Security</i><br />
 +
[[Media:20190222--Smith-Sharing Is Caring.pdf|Slides (PDF, 2.1 MB)]] |
 +
[https://youtu.be/DKRlnea2o00 Video (YouTube)]
 +
</td>
 +
</tr>
 +
<tr>
 +
<td valign="top" align="right">14:25</td>
 +
<td style="background-color: #EEE; text-align: center">
 +
<b>Eating the Elephant: Application Security When You Aren't a Startup</b><br />
 +
<i>Stephen Morgan - Westpac New Zealand</i><br />
 +
[[Media:20190222--Morgan-Eating the Elephant.pdf|Slides (PDF, 2.1 MB)]] |
 +
[https://youtu.be/rfK5bSvmdmw Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">14:45</td>
+
<td valign="top" align="right">14:25</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<td style="background-color: #B9C2DC; text-align: center">
<b>Thinking like an Attacker (Hacking your own organisation)</b><br />
+
<b>CI Can Make $$$ from Thin Air</b><br />
<i>Nick Le Mouton - drugs.com</i><br />
+
<i>Sajeeb Lohani - Privasec</i><br />
[https://speakerdeck.com/noodlesnz/thinking-like-an-attacker Slides (speakerdeck)]
+
<i>Slides and Video not published, at presenter's request</i>
[https://www.youtube.com/watch?v=fGlS6w2naN0 Video]
 
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">15:00</td>
+
<td valign="top" align="right">15:00</td>
<td style="background-color: #EEE; text-align: center">
+
<td style="background-color: #B9C2DC; text-align: center">
<b>When Shoestrings Snap</b><br />
+
<b>What's In a Name? Law of Agency and Domain Name Registrations</b><br />
<i>Rory Shillington - VoltsAndBits</i><br />
+
<i>Judy Ting-Edwards - Ports of Auckland</i><br />
[[Media:2018-02-05-RoryShillington.pdf|Slides: (PDF, 7.3mb)]]
+
[[Media:20190222--Ting-Edwards-Whats_in_a_Name.pdf|Slides (PDF, 4.6 MB)]] |
[https://www.youtube.com/watch?v=ElbY05nfZ2M Video]
+
<i>Video not published, at presenter's request</i>
 
</td>
 
</td>
<td width="7%" valign="top" align="right">15:00</td>
+
<td valign="top" align="right">15:00</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Evil Pickles: DoS Attacks Based on Object-Graph Engineering</b><br />
+
<b>Introduction to Building Secure Electron Applications</b><br />
<i>Jens Dietrich - Massey University</i><br />
+
<i>Nawaz Gayoom - Provoke Solutions</i><br />
[https://docs.google.com/presentation/d/1WSDq_k6z4rZeuZlvdYfNyS1IwJhVLH-gxUROi98qkL8/edit#slide=id.p Slides (google)]
+
[[Media:20190222--Gayoom-Secure_Electron_Apps.pdf|Slides (PDF, 587 kB)]] |
[https://www.youtube.com/watch?v=1q2rZyR17jU Video]
+
[https://youtu.be/6GNTbvNs0tc Video (YouTube)]
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">15:30</td>
+
<td valign="top" align="right">15:30</td>
 
<td colspan="3" style="background-color: #D98B66; text-align: center">
 
<td colspan="3" style="background-color: #D98B66; text-align: center">
<b>Break for Afternoon Tea</b><br />
+
<b>Break for Afternoon Tea - Coffee / Tea Service Provided</b><br />
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">16:00</td>
+
<td valign="top" align="right">16:00</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Enough with XSS, let's talk about something else?</b><br />
+
<b>How Do I Content Security Policy?</b><br />
<i>Karan Sharma</i><br />
+
<i>Kirk Jackson - RedShield</i><br />
[[Media:2018-02-05-KaranSharma.pptx|Slides: (PPTX, 4mb)]]
+
[[Media:2019-02-22 - How do I Content Security Policy - Print.pdf|Slides (PDF, 1.6 MB)]] |
[https://www.youtube.com/watch?v=KbVWJcf2CRQ Video]
+
[https://youtu.be/tlCOd-zjdQM Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">16:00</td>
+
<td valign="top" align="right">16:00</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Secure development in Go</b><br />
+
<b>Hardening Your Docker Infrastructure</b><br />
<i>Dion Bramley</i><br />
+
<i>Kim Carter - BinaryMist</i><br />
[https://github.com/dionb/GoSecureDev Slides (github)]
+
<i>Slides not yet available</i> | <i>Video not published, at presenter's request</i>
[https://www.youtube.com/watch?v=4O2OShd-Su8 Video]
 
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">16:35</td>
+
<td valign="top" align="right">16:50</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<td style="background-color: #B9C2DC; text-align: center">
<b>Riding someone else’s wave with CSRF</b><br />
+
<b>OWASP Software Assurance Maturity Model (SAMM) 2.0</b><br />
<i>Sam Shute - Quantum Security</i><br />
+
<i>John DiLeo - Orion Health</i><br />
[[Media:2018-02-05-SamShute.pptx|Slides: (PPTX, 234kb)]]
+
[[Media:20190222--DiLeo-OWASP_SAMM_2.pdf|Slides (PDF, 7.1 MB)]] |
 +
[https://youtu.be/o-zoers_ckA Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">16:35</td>
+
<td valign="top" align="right">16:50</td>
 
<td style="background-color: #B9C2DC; text-align: center">
 
<td style="background-color: #B9C2DC; text-align: center">
<b>Secure Your Programming Future!</b><br />
+
<b>Reverse Engineering Mobile Apps: Why, What, and the Hows</b><br />
<i>David Pearce</i><br />
+
<i>Karan Sharma</i><br />
[[Media:2018-02-05-DavidPearce.pdf|Slides: (PDF, 1.8mb)]]
+
Slides (PDF):
 +
[[Media:20190222--Sharma-Mobile App Reverse Engineering-Part1.pdf|Part 1 (4.8 MB)]],
 +
[[Media:20190222--Sharma-Mobile App Reverse Engineering-Part2.pdf|Part 2 (7.1 MB)]],
 +
[[Media:20190222--Sharma-Mobile App Reverse Engineering-Part3.pdf|Part 3 (6.2 MB)]] |
 +
[https://youtu.be/N6ffxIcz0L4 Video (YouTube)]
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">17:10</td>
+
<td valign="top" align="right">17:25</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Operation Luigi: How I hacked my friend without her noticing</b><br />
+
<b>Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It</b><br />
<i>Alex Hogue - Atlassian</i>
+
<i>Jaap Karan Singh - Secure Code Warrior</i><br />
 +
[[Media:20190222--Singh-Positive Security.pdf|Slides (PDF, 7.1 MB)]] |
 +
[https://youtu.be/kHYdM690hFM Video (YouTube)]
 
</td>
 
</td>
<td width="7%" valign="top" align="right">17:10</td>
+
<td valign="top" align="right">17:25</td>
 
<td style="background-color: #EEE; text-align: center">
 
<td style="background-color: #EEE; text-align: center">
<b>Handling Of A PCI Incident - PANs In The Database</b><br />
+
<b>Serverless Authentication with JWT</b><br />
<i>David Waters - Pushpay</i>
+
<i>Mehul Patel - Zimbra</i><br />
 +
[https://slides.com/rowdymehul/owaspnz2019 Slides (Slides.com)] |
 +
[https://youtu.be/TSGLddT_eG4 Video (YouTube)]
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td width="7%" valign="top" align="right">17:50</td>
+
<td valign="top" align="right">18:00</td>
 
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
 
<td colspan="3" style="background-color: #B9C2DC; text-align: center">
 
<b>Wrap Up</b><br />
 
<b>Wrap Up</b><br />
<i>Time to go out and socialise, for those interested</i>
+
<i>Time to go out and socialise, for those interested</i><br />
 +
[[Media:20190222--DiLeo-Closing_Session.pdf|Slides (PDF, 6.0 MB)]]
 
</td>
 
</td>
 
</tr>
 
</tr>
Line 613: Line 530:
 
</center>
 
</center>
  
= Speakers List =
+
= Abstracts and Bios =
==Speakers List==
+
 
 +
==Presentation Abstracts and Speaker Biographies==
  
===Laura Bell - SafeStack - Fear Itself===
+
==Track One - Morning (09:20 - 12:10)==
 +
 
 +
=== Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection ===
 
----
 
----
<b>Abstract</b>
+
=== David Waters and Kieran Molloy - Pushpay ===
  
Abstract: The world is a scary place right now. While the risk posed by security threats is high, there are many organisations and people for whom this is the least of their concerns.
+
==== Slide Deck (<i>not yet available</i>) ====
  
In a time of unsettled economies & governments, where there are more breaches each week than we would have once seen in a year... how can we change the way we enable and inspire security change to stop trying to scare the terrified and start trying to help.
+
==== [https://youtu.be/8TE_peh5Aas Presentation Video (YouTube)] ====
  
<b>Speaker Bio</b>
+
====Abstract====
  
With almost a decade of experience in software development and information security, Laura Bell specializes in bringing security survival skills, practices, and culture into fast paced organisations of every shape and size.
+
We will give a brief introduction to a selection of the OWASP Top 10 and then demonstrate the exploitation of each of these vulnerabilities using tools and hand crafted attacks. We will also demonstrate how a combination vulnerabilities can be chained together by an attacker.
  
An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset.
+
====Speaker Biographies====
  
As the co-author of "Agile Application Security" published by O'Reilly media, Laura is internationally recognised as a leader in her field.
+
David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 20 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.
  
She is the founder and CEO of SafeStack, leading its operations from Auckland, New Zealand.
+
Kieran is a developer with an interest in security.
  
 +
=== Threat Modelling When You've Never Done It Before ===
 +
----
 +
=== Kade Morton - Quantum Security ===
  
===Chris Berry - Aura Information Security - Offensive Defence===
+
==== [[Media:20190222--Morton-Threat Modelling-Complete.pdf|Slide Deck (PDF, 6.7 MB)]] ====
 +
 
 +
==== [https://youtu.be/YeeIf63Thwc Presentation Video (YouTube)] ====
 +
 
 +
====Abstract====
 +
 
 +
Through the Mozilla Open Leaders program I mentored a project from Asuntos del Sur, a humans right group that operates across South America. This is the story of my crash course in basic threat modelling, and how that basic knowledge is now helping activists across South America.
 +
 
 +
====Speaker Biography====
 +
 
 +
Kade is a consultant with Quantum Security. When not doing information security stuff, he volunteers with Mozilla.
 +
 
 +
=== That Vulnerability Looks Quite Risky ===
 
----
 
----
<b>Abstract</b>
+
=== Peter Jakowetz - Quantum Security ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
  
Frustrated by the ability to take over corporate networks by exploiting the same petty misconfigurations for the past several years, I want to expose blue teamer’s and dev’s to the current internal pen test strategies, which have proven consistently effective in going from no auth to domain admin.
+
==== [https://youtu.be/NOed0M0Ec-c Presentation Video (YouTube)] ====
  
<b>Speaker Bio</b>
+
====Abstract====
  
Chris is a Security Consultant at Aura Information Security with experience across a broad variety of domains and industries. He is owned by a cat.
+
Technical findings are great, and finding vulnerabilities in your software so you can fix them is key to ensuring safe and secure code. However what about those things you can’t fix? Do they seem too expensive or hard? This talk will discuss the best way to manage these issues using risk management.
  
 +
====Speaker Biography====
  
===Catherine McIlvride and Fiona Sasse - Pizza Roulette===
+
Peter is an electrical engineer turned security consultant from Wellington, NZ. Certified in many-a-thing, he spends a good chunk of time working on PCI, ISO and NZISM audits, and making security findings readable to senior management. In his spare time, he enjoys playing with open-source hardware and software, poking cars, and breaking things.
 +
 
 +
=== Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing ===
 
----
 
----
<b>Abstract</b>
+
=== Mike Clarke - Erudite Software ===
 +
 
 +
==== [[Media:20190222--Clarke-Mob_Learning.pdf|Slide Deck (PDF, 1.2 MB)]] ====
 +
 
 +
==== [https://youtu.be/5YIdlFdKV00 Presentation Video (YouTube)] ====
  
Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast! *Disclaimer: Pizza will not be included.
+
====Abstract====
  
<b>Speaker Bio</b>
+
Not sure how to get started learning about security? Why not team up with a group of others in the same boat and learn together?
  
Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.
+
After learning the basics of the OWASP Top Ten, I took part in the '''30 Days of Security Testing''' challenge through WeTest with 100+ other software testers new to security. My talk is about how a small idea turned into an online workspace of over 100 people new to InfoSec, a series of great Meetups, and lessons learned along the way.
  
 +
====Speaker Biography====
  
===Ryan Kurte and Kirk Holloway - Auth* Infrastructure for Everyone===
+
I’ve always been interested in IT and fascinated by information security. I worked for the Royal New Zealand Navy as a Communications Warfare Specialist before trying my hand at software testing. I’m currently working for Erudite Software in Auckland, as the sole tester in a development team largely focused on healthcare software solutions. I’ve recently signed on as an organiser for WeTest Auckland, where we throw together Meetups and online challenges to learn about testing.
 +
 
 +
=== How Can OWASP SAMM Help You Build More Secure Software? ===
 
----
 
----
<b>Abstract</b>
+
=== Mohamed Hassan - Aura Information Security ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
 +
 
 +
==== [https://youtu.be/AEBnmyzDSEo Presentation Video (YouTube)] ====
  
Auth(entication|orisation) is tough. We’re going to talk about how it’s usually done, the developer and user experience of auth*, and some things that often go wrong. Then we’re going pitch an idea that might, hopefully, maybe, help us all build safe exciting things.
+
====Abstract====
  
<b>Speaker Bio</b>
+
Have you ever wondered why you or your team keep having high and critical security vulnerabilities in your software? Why you didn't discover these vulnerabilities earlier than two weeks before going life? How penetration testing can be effective when you're changing your software every two weeks? Can security be easier? How can you embed security into your software life cycle? How do you know if security initiatives are paying off? This talk will answer these questions and more!
  
Ryan is an aspiring hardware whisperer and academic with an incurable side project problem.
+
====Speaker Biography====
  
Kirk builds tiny bits of content that go in bigger bits of content for your local internet box. Combined they form 5/8ths of a full stack developer.
+
Mohamed has been a penetration tester for more than six years. Mohamed has delivered security training to developers, in New Zealand and internationally. He also helps organisations embed more security into their software development lifecycle. In his free time, Mohamed likes to keep active and enjoy New Zealand’s landscape.
  
 +
==Track Two - Morning (09:20 - 12:10) ==
  
===Sarah Bennett and Patricia Ramsden - Xero - Guarding the Pot of Gold while the Rainbow gets bigger===
+
=== Virtual Patching: Does It Work? ===
 
----
 
----
<b>Abstract</b>
+
=== Kirk Jackson - RedShield ===
 +
 
 +
==== [[Media:2019-02-22 - Virtual Patching Does it work - Print.pdf|Slide Deck (PDF, 2.1 MB)]] ====
 +
 
 +
==== [https://youtu.be/6LqKLILNrko Presentation Video (YouTube)] ====
 +
 
 +
====Abstract====
  
We've all heard that as an industry we're severely outnumbered (defenders vs attackers). Many of us become a potential targets due to the type of market our company is in. The closer to money handling you are, the more attention you get therefore the more that ratio of defenders to attackers gets worse.
+
Writing secure applications is hard, and often vulnerabilities are found after your application has already been released to production.
We've seen our adversaries change over time as we've grown. We'll discuss how our hitting one million paid subscribers affected us in terms of security, and how the motives of attackers seem to change with the seasons.  
 
  
<b>Speaker Bio</b>
+
But what happens if you’re not able to fix the vulnerabilities quickly? Wouldn’t it be great if the someone else could secure your website for you?
  
TBD
+
====Speaker Biography====
  
 +
Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.
  
===Ian Welch and Kaishuo Yang - Bermudez: a honeypit designed to waste hacker's time===
+
Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.
 +
 
 +
=== Cloud Catastrophes and How to Avoid Them ===
 
----
 
----
<b>Abstract</b>
+
=== Mike Haworth - Insomnia Security ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
  
Small enterprises don’t have the human resources to deal with web attacks 24/7 although attacks can occur anytime. We describe a honeypit designed to entrap and slow attackers down giving time for a sysadmin to detect and respond to an attack.
+
==== [https://youtu.be/UqMUNFvnp_E Presentation Video (YouTube)] ====
  
<b>Speaker Bio</b>
+
====Abstract====
  
Ian works for Victoria University of Wellington (VUW) doing computer security teaching and research mostly related to honeypots (CaptureHPC) and more recently software-defined networks (Gasket and Baffle).  
+
Cloud and traditional infrastructure are different and sometimes the consequences of not changing mindset can be.. unpleasant.
  
Kai is a research assistant at Victoria University of Wellington (VUW). He developed Bermudez as part of his final year project last year and is working over summer on a security policy language for software-defined networks called Baffle.
+
====Speaker Biography====
  
 +
Mike is a Principal Consultant for Insomnia Security, based in Wellington. He likes pentesting most things, and is rubbish at writing bios.
  
===Declan Ingram - CERT - Enough theory, how are websites getting hacked in real life?===
+
=== JWAT: Attacking JSON Web Tokens ===
 
----
 
----
<b>Abstract</b>
+
=== Louis Nyffenegger - Pentester Lab ===
 +
 
 +
==== [[Media:20190222--Nyffenegger-JWAT.pdf|Slide Deck (3.5 MB)]] ====
  
Since opening in April 2017, CERT NZ has dealt with hundreds of hacked websites. In this talk I propose to step through a few case studies of what went wrong, and how to stop it from happening to your websites. This talk will be done specifically for OWASP day and won’t be used for other audiences.
+
==== [https://youtu.be/aYz8yPymyvk Presentation Video (YouTube)] ====
  
<b>Speaker Bio</b>
+
====Abstract====
  
Declan Ingram is the Manager of Operations for CERT NZ and leads the technical side of CERT NZ – including the Incident Response Team. He has worked for over 17 years in information security, with broad experience in both incident response and security testing.
+
Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues.
  
 +
====Speaker Biography====
  
===Tim Goddard - Rails Derailed===
+
Louis is a security engineer based in Melbourne, Australia. He performs pentest, architecture and code review. Louis is the founder of PentesterLab, a learning platform for Web penetration testing. Recently, Louis talked at OWASP AppSecDay Melbourne, and ran two workshops at DEF CON 26, in 2018.
 +
 
 +
=== CTF: The Gateway Drug ===
 
----
 
----
<b>Abstract</b>
+
=== Toni James - Orion Health ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
 +
 
 +
==== [https://youtu.be/B1CPimcoE7c Presentation Video (YouTube)] ====
  
Modern web application frameworks provide a lot of protections by default, but no protection is absolute. We explore common, severe security issues in Ruby on Rails applications, why they still occur despite its attempts to protect us.
+
====Abstract====
  
<b>Speaker Bio</b>
+
I can't stop thinking about it, I can't wait for the next one, it keeps me up late at night, and I always want more. Flags that is! A how-to and where-to-start with Capture the Flag competitions, accompanied by a casual discourse about imposter syndrome, sexism in tech, and pondering the harsh realities of vim (not really, I never use vim, I'd never be able to get out of it). Followed by a live walkthrough of my favourite CTF challenges, the ones I think would entice other devs and wanna-be hackers to give it a try. "The first one's free."
  
Tim (pruby) moved two years ago from being a useful human being and building web applications, to the more haphazard world of tearing them apart. He applies his development background and knowledge to review applications from the ground-up, using the code to inform an efficient approach to security testing.
+
====Speaker Biography====
  
 +
Toni is a snowboarder turned software engineer, with an addiction to security. She's won a few scholarships in her quest to get more women into tech and she's really good at supporting others to do 'all the things'. A firm believer in ‘you need to see it to be it,’ she puts herself out there to enable others to step up and challenge the status quo. She/Her. [https://twitter.com/_tonijames @_tonijames]
  
===Anupama Natarajan - Unisys New Zealand - Secure APIs: Road to Business Growth===
+
==Track One - Afternoon 1 (13:30 - 15:30) ==
 +
 
 +
=== NoHolidayChurchGenius: Password Security with 2020 Vision ===
 
----
 
----
<b>Abstract</b>
+
=== Antonio Radich - Quantum Security ===
  
Security must never be an afterthought. API Security is key for all modern digital businesses and secure APIs provide more confidence to the consumers. Come and learn the art of detecting underprotected APIs and how to secure them.
+
==== [[Media:20190222--Radich-NoHolidayChurchGenius.pdf|Slide Deck (PDF, 1.4 MB)]] ====
  
<b>Speaker Bio</b>
+
==== [https://www.youtube.com/watch?v=5AaOU5bC2fU Presentation Video (YouTube)] ====
  
I am a Software Professional with over 15 years experience in designing and developing Web, Data Warehouse, Business Intelligence and Mobile solutions. I am a Microsoft Certified Trainer (MCT) and really passionate in sharing knowledge. I love solving complex business problems for my clients with innovative solutions using Microsoft Technologies and use that experience in my trainings and presentations. I share tried and tested examples which people can start use in their organisations immediately.
+
====Abstract====
  
 +
This season's passwords are now in fashion, similar to last year's, with one difference. Passwords are a staple in the developer toolkit. Developers follow guidelines put out by NIST or the GCSB. Users are ‘efficient’. With everyone striving for the minimum, we can already see "Winter (2019) is coming…"
  
===Yappare - Timing Based Attacks in Web Applications===
+
====Speaker Biography====
 +
 
 +
Antonio has been with Quantum Security, as a Security Consultant performing penetration tests and security audits, for two years. He is interested in red teaming, post exploitation, and general security on an organisation level.
 +
 
 +
=== Sharing Is Caring: A Beginner's Guide to Security in the Cloud ===
 
----
 
----
<b>Abstract</b>
+
=== Petra Smith - Aura Information Security ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
  
Timing-based attacks are deadly but often overlooked. Pentesters often miss such attacks when testing web applications.
+
==== [https://youtu.be/DKRlnea2o00 Presentation Video (YouTube)] ====
  
By the end of the talk, the audience will learn ways to identify timing-based webapp vulnerabilities through careful manual and automated analysis of response generation times.
+
====Abstract====
  
<b>Speaker Bio</b>
+
Thinking of moving your applications to the cloud? How do you make sure they stay secure? This fast, fun, beginner-friendly session will demystify cloud security, introduce you to the most common cloud security models, and help you to choose the model that’s right for you.
  
I was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and 5 years in bug bounty scene and currently at top leaderboard of Bugcrowd. Involving in these two areas of ‘hacking’ environment, expose me with various ways of identifying web vulnerabilities.
+
====Speaker Biography====
  
 +
Petra grew up wanting to be Sailor Mercury – the awkward blue-haired one from Sailor Moon who used computers to protect the world from evil. Now she’s a purple-team security consultant at Aura Information Security, which you have to admit is pretty close. She loves to teach people to pick locks, and gets kind of ranty about privacy, trust, and making digital spaces safe and inclusive for everyone.
  
===Felix Shi - Developer's guide to Deserialization Attacks===
+
=== Eating the Elephant: Application Security When You Aren't a Startup ===
 
----
 
----
<b>Abstract</b>
+
=== Stephen Morgan - Westpac New Zealand ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
  
A beginner friendly talk on deserialization attacks, targeted towards webapp devs and QA engineers. Heavy emphasis on explaining the attack vectors, the technical/business impact, and how to test for it.
+
==== [https://youtu.be/rfK5bSvmdmw Presentation Video (YouTube)] ====
  
There will be demos in some popular languages/frameworks - namely Python, Java, and C#.
+
====Abstract====
  
<b>Speaker Bio</b>
+
DevSecOps, AppSec Engineers, and Continuous Integration Security are a panacea, but how do older institutions with many legacy systems and technical debt even begin to tackle agile application security practices? We will explore ways that you can start working with your developers write secure code.
  
Felix works in the security space at an online accounting software company named Xero. He joined in 2014 and his day job involves securing and breaking internally developed products. Before Xero he spent his previous years as a developer, and has been dabbling in the information security scene in Wellington.
+
====Speaker Biography====
  
 +
Stephen is an Information Security Consultant at Westpac New Zealand where he wrangles Pen Testers, reviews codes, and diminishes his rapport with developers. He has worn many hats including those of a Customs Officer, Penetration Tester, Java Developer, and (cough) IT Auditor.
  
===Tom Isaacson - IoT: How to fight the tyre fire===
+
=== What's In a Name? Law of Agency and Domain Name Registrations ===
 
----
 
----
<b>Abstract</b>
+
=== Judy Ting-Edwards - Ports of Auckland ===
  
Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a quick tour through the new OWASP IoT Top 10 and some other (personal) examples of how not to do IoT.
+
==== [[Media:20190222--Ting-Edwards-Whats_in_a_Name.pdf|Slide Deck (PDF, 4.6 MB)]] ====
  
<b>Speaker Bio</b>
+
==== <i>Presentation Video not available, at presenter's request</i> ====
  
I’ve been an embedded developer for 20 years. I haven’t bothered learning web development because I still think the internet is a passing fad, but I’ve been forced to think about security after we added networking to our products.
+
====Abstract====
  
 +
Have you ever hired Web developers to make a Web site for you, but then find out that you don’t actually own the domain name when you checked on Whois? Find out why this is the case and how we (maybe) should be doing domain name registrations, by taking a leaf from the law of agency’s book.
  
===Olly - Xero - Finding the path to #DevSecOps nirvana===
+
====Speaker Biography====
 +
 
 +
Judy has been registering domain names since 2013 when she was a junior lawyer for a stingy boss. She has recently changed careers to work in infosec, with a special interest in policy and appsec. As a part of a recent web hygiene audit, she discovered inconsistencies in how web devs register domain names in the industry and would like to see the industry come together with a best practice guideline. Risk management has been a constant in both her careers and she is always open to discussions on policies to embrace technology and reduce risks for the business at the same time.
 +
 
 +
==Track Two - Afternoon 1 (13:30 - 15:30)==
 +
 
 +
=== Security Regression Testing on OWASP ZAP Node API ===
 
----
 
----
<b>Abstract</b>
+
=== Kim Carter - BinaryMist ===
  
A talk about my experiences automating security infrastructure in AWS at Xero. The end goal, things to consider in a security context, the 80/20 rule, convincing people and how to get started. Buzzwords include: DevOps, DevSecOps, AWS, Cloud, CI/CD, “.* as code”.
+
==== Slide Deck (<i>not yet available</i>) ====
  
<b>Speaker Bio</b>
+
==== <i>Presentation Video not available, at presenter's request</i> ====
  
Oliver is a Graduate Security Engineer at Xero where he helps build and deploy security infrastructure into AWS focusing on automation and repeatability. He is a contributor to Security Monkey, Netflix’s open source AWS security auditing tool.
+
====Abstract====
  
 +
The OWASP ZAP HTTP intercepting proxy is useful for manually attacking your Web apps and APIs. Now, we have the official Node API to programatically drive ZAP to regression test our creations. I’ll show you how to build a fully featured security regression testing CLI, consumable by your CI/nightly builds.
  
===Nick Le Mouton - drugs.com - Thinking like an Attacker (Hacking your own organisation)===
+
====Speaker Biography====
 +
 
 +
Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.
 +
 
 +
=== CI Can Make $$$ from Thin Air ===
 
----
 
----
<b>Abstract</b>
+
=== Sajeeb Lohani - Privasec ===
  
Often as developers we think like defenders. We identify vulns (SQLi, XSS etc) and patch them. How often do we think, how far could an attacker get by using this vuln? What could they do?
+
==== Slide Deck (<i>not yet available</i>) ====
  
It’s easier to get non security buy-in if you can provide a working exploit to show how serious a vuln is.
+
==== <i>Presentation Video not available, at presenter's request</i> ====
  
<b>Speaker Bio</b>
+
====Abstract====
  
I started my career as a developer and for the last 20 years I’ve moved more and more into the security space. I’m currently the CTO for Drugs.com, but spend a lot of time reading through legacy code and identifying areas of concern/exploiting vulnerabilities.
+
This talk covers how people can utilise free tools, outside of their intended use case, in a malicious way. Using TravisCI as an example, we will look into what essentially can become a distributed super computer, to mine bitcoins and distributed denial of service attacks free of any cost whatsoever.
  
 +
====Speaker Biography====
  
===Rory Shillington - VoltsAndBits - When Shoestrings Snap===
+
Sajeeb is a penetration tester at Privasec, with years of prior development experience. Having graduated from Monash University with a Bachelor of Software Engineering (Honours) in 2017, Sajeeb remains passionate about contributing to and improving cyber security research. Sajeeb gives back regularly to the Melbourne cyber security community by founding the Monash Cyber Security Club, presenting at SecTalks, and mentoring at the Australian Women in Security Network (AWSN) Cadets workshops. Sajeeb also runs initiatives which attempt to responsibly disclose security issues within open source software projects, making the world of software ‘more secure’.
 +
 
 +
=== Introduction to Building Secure Electron Applications ===
 
----
 
----
<b>Abstract</b>
+
=== Nawaz Gayoom - Provoke Solutions ===
 +
 
 +
==== [[Media:20190222--Gayoom-Secure_Electron_Apps.pdf|Slide Deck (PDF, 587 kB)]] ====
 +
 
 +
==== [https://youtu.be/6GNTbvNs0tc Presentation Video (YouTube)] ====
  
Have you ever fed a sheep to a wolf? Every day, charities, non-profit organisations and small businesses get devoured by online threats. Let’s take a look at what’s happening both at the keyboard and IRL/AFK.
+
====Abstract====
  
<b>Speaker Bio</b>
+
Electron is a popular framework for building desktop apps and is used by many prominent companies today. To build a production-ready Electron app, there are certain security considerations we need to take into account, if we are loading any external content on it.
  
Rory Shillington is an electrical engineer trying to save polar bears by day, and a jack of all admins by night.
+
====Speaker Biography====
  
When not designing, testing and breaking solar inverters, he helps a small handful of clients navigate the minefields of the internet while keeping their websites patched (arrr). He has a strong passion for computer security with a number of years of hands-on experience, and a tendency of venturing questionable distances to solve other people’s problems. He also maintains a number of hobby and community websites.
+
Nawaz is a software developer at Provoke Solutions mostly working on web applications for the past 3 years. In this digital age with increasingly complex systems, it is a personal passion of mine to keep information secure and accessible. Apart from enjoying researching about security and sharing things that I learn along the way while in projects for my clients I do spend some (probably a little more than that) time watching Netflix as well. Other things I like doing include singing, surfing and sampling food.
  
 +
==Track One - Afternoon 2 (16:00 - 18:00)==
  
===Jens Dietrich - Massey University - Evil Pickles: DoS Attacks Based on Object-Graph Engineering===
+
=== How Do I Content Security Policy? ===
 
----
 
----
<b>Abstract</b>
+
=== Kirk Jackson - RedShield ===
  
Evil pickles is a new type of degradation of service attack inspired by billion laughs. It exploits the object serialisation interface present in most modern languages (such as Java, C#, Ruby), and can be used to exhaust resources including CPU time, stack and heap memory of the systems attacked.
+
==== [[Media:2019-02-22 - How do I Content Security Policy - Print.pdf|Slide Deck (PDF, 1.6 MB)]] ====
  
<b>Speaker Bio</b>
+
==== [https://youtu.be/tlCOd-zjdQM Presentation Video (YouTube)] ====
  
Jens is an Associate Professor at Massey University Turitea Palmerston North. Jens has a MSc in Mathematics and a PhD in Computer Science from the University of Leipzig. After graduating in 1996, he worked as a software consultant, participating in some of the first large-scale enterprise-level projects that used object-oriented programming (Smalltalk and later Java) and agile principles. Clients he worked for include Mercedes-Benz, Volkswagen and some of the largest German banks. He moved to Namibia in 1999, working for a development aid agency to establish a computing curriculum at the local university of applied science. He continued with freelance consulting work for European and US clients during this time, and started several open source projects. In 2003 he moved to New Zealand to take up a position at Massey. Jens’ research interest are in the areas of software modularisation, evolution and static analysis for bug and vulnerability detection. He currently leads a National Science Challenge project on program analysis, and his research on fast algorithms for static analysis of large Java programs has been supported by several rounds of funding by Oracle Incl (through Oracle Labs Brisbane). Jens is executive member of Software Innovation NZ (SI^NZ) and member of the ACM.
+
====Abstract====
  
 +
Content Security Policy (CSP) helps you secure your Web site, by declaring which javascript and resources it uses. This means that XSS attacks will be greatly limited.
  
===Karan Sharma - Enough with XSS, let's talk about something else?===
+
However, setting up CSP on an existing Web site is hard. We’ll discuss an easy approach that you can follow to set up CSP.
 +
 
 +
====Speaker Biography====
 +
 
 +
Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.
 +
 
 +
Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.
 +
 
 +
=== OWASP Software Assurance Maturity Model (SAMM) 2.0 ===
 
----
 
----
<b>Abstract</b>
+
=== John DiLeo - Orion Health ===
 +
 
 +
==== [[Media:20190222--DiLeo-OWASP_SAMM_2.pdf|Slide Deck (PDF, 7.1 MB)]] ====
 +
 
 +
==== [https://youtu.be/o-zoers_ckA Presentation Video (YouTube)] ====
  
I think it is time to lift our game and think beyond classic vulns such as XSS, CSRF, Dir Traversal, SQLi and talk about recent web vulns which are becoming more and more common and being exploited in the wild these days like IDOR, XXE, SSRF, DOM Clobbering, RPO and Insecure Cryptographic Storage.
+
====Abstract====
  
<b>Speaker Bio</b>
+
The OWASP SAMM Project Team recently release a Beta version of SAMM 2.0, which is currently open for comment. The model provides a framework for assessing the maturity of an organisation’s software assurance program, and identifying areas for future emphasis in improving the security of their development practices. This talk will provide an overview of the model, the benefits that can be realised by organisations utilising the model, and the process for assessing the maturity of the organisation’s software assurance program.
  
Working as a Security Consultant at one of the leading financial institute of NZ. Very passionate about web app security and have been doing it for over 6 years. Love building and breaking stuff especially web apps and IoT stuff. I spend my days testing web apps and network infrastructure for vulnerabilities and then help mitigate what I find.
+
====Speaker Biography====
  
Like to code in node.js on embedded devices and love building Web of Things oppose to Internet of Things (no pun intended).
+
John is one of the co-leaders of the OWASP New Zealand Chapter. He moved to Auckland, from the United States, in 2017, and now works as Orion Health's Application Security Architect. John's focus is on developing and managing enterprise-wide Software Assurance Programmes, including the assessment of the organisation's maturity and building a roadmap to improve. This led him to join the core team of the OWASP SAMM project, where he helped to create the new model.
  
 +
Before moving into application security, John worked as a solution architect, a Web development lead, and in developing discrete-event simulations of distributed systems. Along the way, he's also worked as a college instructor, trainer, and general IT consultant.
  
===Dion Bramley - Secure development in Go===
+
=== Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It ===
 
----
 
----
<b>Abstract</b>
+
=== Jaap Karan Singh - Secure Code Warrior ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
 +
 
 +
==== [https://youtu.be/kHYdM690hFM Presentation Video (YouTube)] ====
 +
 
 +
====Abstract====
  
Google loves Go, and they claim it makes secure development much easier for people who aren’t teams of seasoned security experts. But what makes it so special? Why should you choose Go for your next secure API project? How to do secure Go. And why it can be a really terrible option for some projects
+
A 2017 report based on 400,000 application scans reported that only 30% passed the OWASP Top 10 policy. This presentation showcases the principles and practice of “positive security” and explains why it is an important game changer that will substantially improve application security.
  
<b>Speaker Bio</b>
+
====Speaker Biography====
  
I have been working in software since 2012 using a wide range of languages. Currently I work at Spalk Ltd (yuck, sports) as a senior engineer building APIs and streaming services, and teaching interns. I studied a combination of computer science and computer engineering at UoA for 5 years. Sometimes I do free security and (engineering) design consulting for startups and charities. Hobbies include theatre, gaming, and helping people be awesome.
+
Jaap Karan Singh is the Co-Founder and Chief Singh of Secure Code Warrior, a global security company that makes software development better and more secure. After security testing at BAE Systems in Australia, Jaap moved from hacking Web applications to educating developers on how to protect their own applications. Jaap has delivered training on web application security concepts and run workshops at Australian financial and telecommunications organisations in Australia. He specialises in Javascript technologies such as HTML5, Node, Express and Mongo. He recently created and delivered a course on hacking and protecting modern Javascript applications at OWASP AppSec EU 2016.
  
 +
== Track Two - Afternoon 2 (16:00 - 18:00)==
  
===Sam Shute - Quantum Security - Riding someone else’s wave with CSRF===
+
=== Hardening Your Docker Infrastructure ===
 
----
 
----
<b>Abstract</b>
+
=== Kim Carter - BinaryMist ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
 +
 
 +
==== <i>Presentation Video not available, at presenter's request</i> ====
  
Cross-site request forgery is one of the common vulnerabilities we are seeing in pen tests. It can be used to create or delete accounts, escalate privileges, and perform other actions. This talk will cover what it is, common issues and how to properly defend against it.
+
====Abstract====
  
<b>Speaker Bio</b>
+
The security defaults of Docker are designed to get you up and running (“just work”) quickly, rather than being the most secure. There are many default configurations that can be improved upon. In this talk we’ll walk through improving the security of Docker hosts, containers, networking, and deployments.
  
Sam is a security consultant with Quantum Security. While relatively new to the security industry he spent the last 7 years studying various security topics at the University of Waikato. Sam has been an organiser and challenge developer of the New Zealand Cyber Security Challenge for the last 3 years. His areas of interest include behavioral biometrics, the physical/digital security overlap and breaking IoT devices.
+
====Speaker Biography====
  
 +
Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.
  
===David Pearce - Secure Your Programming Future!===
+
=== Reverse Engineering Mobile Apps: Why, What, and the Hows ===
 
----
 
----
<b>Abstract</b>
+
=== Karan Sharma ===
 +
 
 +
==== Slide Deck (<i>not yet available</i>) ====
  
Can programming languages help us write secure code? It’s an age-old question. New languages come and go, but don’t often seem that different. But wait! You haven’t seen anything like Whiley before. Forget about type checking. This is a whole new level. You might think the demo is faked. It’s not.
+
==== [https://youtu.be/N6ffxIcz0L4 Presentation Video (YouTube)] ====
  
<b>Speaker Bio</b>
+
====Abstract====
  
David graduated with a PhD from Imperial College London in 2005, and took up a lecturer position at Victoria University of Wellington, NZ. David’s PhD thesis was on efficient algorithms for pointer analysis of C, and his techniques have since been incorporated into GCC. His interests are in programming languages, compilers and static analysis. Since 2009, he has been developing the Whiley Programming Language which is designed specifically to simplify program verification. David has previously interned at Bell Labs, New Jersey, where he worked on compilers for FPGAs; and also at IBM Hursely, UK, where he worked with the AspectJ development team on profiling systems.
+
I’d like to talk about why Reverse Engineering mobile apps is important for an organisation, what can you discover while reversing an app and how can you apply those lessons to add an additional layer of defense while building your future apps.
  
 +
====Speaker Biography====
  
===Alex Hogue - Atlassian - Operation Luigi: How I hacked my friend without her noticing===
+
Karan started his career as a network engineer before moving into information security field 8 years ago. He is working as a security consultant for one of the leading financial institutes of NZ. He has a true passion for breaking & fixing web/mobile apps. He enjoy doing app reversing in his free time and love sharing his knowledge with others.
 +
 
 +
=== Serverless Authentication with JWT ===
 
----
 
----
<b>Abstract</b>
+
=== Mehul Patel ===
 +
 
 +
==== [https://slides.com/rowdymehul/owaspnz2019 Slide Deck (Slides.com)] ====
 +
 
 +
==== [https://youtu.be/TSGLddT_eG4 Presentation Video (YouTube)] ====
 +
 
 +
====Abstract====
 +
 
 +
Authentication is one of the big parts of every application. Security is always something that is changing and evolving. In this talk, I will cover what JSON Web Tokens (JWTs) are and why using JWTs in your applications when it comes to security is awesome.
 +
 
 +
====Speaker Biography====
 +
 
 +
Mehul is an engineer who loves digging into technology, and public speaker currently living in India. His interests range from technology to innovation. He is also interested in Web development, writing, and safe programming.
 +
 
 +
Mehul holds a Masters in Computers Science and has been working and contributing towards the open source community in all ways he can. He is a social guy, loves to interacting with new people, traveling, playing cricket, He can dance like crazy!!!
 +
 
 +
Currently, Mehul is an Engineer at Zimbra, Ambassador at Auth0, Mentor at Mozilla Reps and Campus Advisory Committee at Mozilla and Founder/Organizer of Google Developer Group - Nashik. Moreover, He is the initiator of Rust Hacks - the super safe system programming language of course and co-founder of Infinite Defense Foundation (IDF).
 +
 
 +
=Call for Sponsorships=
 +
 
 +
==Call For Sponsorships==
 +
 
 +
OWASP New Zealand Day 2019 will be held in Auckland on the 22nd of February, 2019, and is a security conference entirely dedicated to application security.
 +
The conference is once again being hosted by the University of Auckland with their support and assistance.
 +
OWASP New Zealand Day 2019 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community.
 +
OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2019 a free, compelling, and valuable experience for all attendees.
 +
 
 +
The sponsorship funds collected are to be used for things such as:
 +
 
 +
* Venue - Room use and on-site management fees
 +
* Name tags - We feel that getting to know people within the New Zealand community is important, and name tags make that possible
 +
* Promotion - We would like to reach a wider audience, by utilising paid advertising for the event
 +
* Printed Materials - Printed materials will include program information, room signs, and lanyards
 +
* Recognition items for speakers and trainers
 +
* Morning and afternoon tea, to promote a congenial environment for networking among application security professionals
 +
 
 +
== Facts ==
 +
 
 +
Last year, the event was supported by seven sponsors and attracted more than 700 registrations. Plenty of constructive (and positive!) feedback from the audience was received, and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018
 +
 
 +
The OWASP New Zealand community is strong, with more than 500 people currently subscribed to the mailing list ([https://lists.owasp.org/mailman/listinfo/owasp-newzealand sign up]). OWASP New Zealand Day is expected to attract between 900 and 1000 attendees this year.
 +
 
 +
OWASP regular attendees are IT project managers, IT security managers, IT security consultants, Web application architects and developers, QA managers, QA testers and system administrators.
 +
 
 +
== How to Become a Sponsor ==
 +
 
 +
All financial matters related to the conference, including Sponsorship Agreements and payments, are handled through the OWASP Foundation. To express interest in supporting the conference as a sponsor, please [mailto:[email protected],[email protected] contact us by email].
 +
 
 +
== Premium Sponsorship Packages ==
 +
 
 +
{| class="wikitable"
 +
|-
 +
!  !! &nbsp;<br />Platinum !! &nbsp;<br />Gold !! &nbsp;<br />Silver !! &nbsp;<br />Bronze !! A La Carte<br />(See Below)
 +
|-
 +
! scope="row" style="text-align: left;" | Enrolment Limit
 +
| style="text-align: center;" | 2
 +
| style="text-align: center;" | 6
 +
| style="text-align: center;" | --
 +
| style="text-align: center;" | --
 +
| style="text-align: center; font-style: italic;" | Varies
 +
|-
 +
! scope="row" style="text-align: left;" | General Rate
 +
| style="text-align: center;" | $5,000
 +
| style="text-align: center;" | $3,000
 +
| style="text-align: center;" | $1,750
 +
| style="text-align: center;" | $1,000
 +
| style="text-align: center;" | Varies
 +
|-
 +
! scope="row" style="text-align: left;" | OWASP [https://www.owasp.org/index.php/Corporate_Membership Corporate Member] Rate
 +
| style="text-align: center;" |  $4,250
 +
| style="text-align: center;" |  $2,550
 +
| style="text-align: center;" |  $1,500
 +
| style="text-align: center;" |  $850
 +
| style="text-align: center;" | N/A
 +
|-
 +
! scope="row" style="text-align: left;" | A La Carte Sponsorship Discount
 +
| style="text-align: center;" |  15%
 +
| style="text-align: center;" |  10%
 +
| style="text-align: center;" |  5%
 +
| style="text-align: center;" |  --
 +
| style="text-align: center;" | --
 +
|-
 +
! scope="row" style="text-align: left;" | Banner in Conference Lobby (see notes)
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center;" |  No
 +
| style="text-align: center;" |  No
 +
| style="text-align: center;" |  No
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|-
 +
! scope="row" style="text-align: left;" | Banner at Side of Stage (see notes)
 +
| style="text-align: center; font-weight: bold;" |  Yes (2)
 +
| style="text-align: center; font-weight: bold;" |  Yes (1)
 +
| style="text-align: center;" |  No
 +
| style="text-align: center;" |  No
 +
| style="text-align: center;" |  No
 +
|-
 +
! scope="row" style="text-align: left;" | Logo on Attendee Badges
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center;" |  No
 +
| style="text-align: center;" |  No
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|-
 +
! scope="row" style="text-align: left;" | Logo on Room Signs
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center;" |  No
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|-
 +
! scope="row" style="text-align: left;" | Company Description on Conference Web Page
 +
| style="text-align: center; font-weight: bold;" |  150 words
 +
| style="text-align: center; font-weight: bold;" |  100 words
 +
| style="text-align: center; font-weight: bold;" |  50 words
 +
| style="text-align: center;" |  No
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|-
 +
! scope="row" style="text-align: left;" | Pre-Conference Reception Tickets
 +
| style="text-align: center; font-weight: bold;" |  4
 +
| style="text-align: center; font-weight: bold;" |  3
 +
| style="text-align: center; font-weight: bold;" |  2
 +
| style="text-align: center;" |  1
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|-
 +
! scope="row" style="text-align: left;" | Logo on Conference Tote Bags
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center;" |  No
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|-
 +
! scope="row" style="text-align: left;" | Mention in Pre-Event Publicity
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold; " |  Yes
 +
| style="text-align: center;" |  Yes
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|-
 +
! scope="row" style="text-align: left;" | Logo on Conference Web Site
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
|-
 +
! scope="row" style="text-align: left;" | Recognition during Opening/Closing Sessions
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
| style="text-align: center; font-weight: bold;" |  Yes
 +
|-
 +
! scope="row" style="text-align: left;" | Promotional Items in Conference Tote Bags (see notes)
 +
| style="text-align: center; font-weight: bold;" |  Yes (up to 3)
 +
| style="text-align: center; font-weight: bold;" |  Yes (up to 2)
 +
| style="text-align: center; font-weight: bold;" |  Yes (1)
 +
| style="text-align: center; font-weight: bold;" |  Yes (1)
 +
| style="text-align: center; font-weight: bold; font-style: italic;" |  Varies
 +
|}
 +
 
 +
== A La Carte Sponsorship Opportunities ==
 +
 
 +
=== 1. Morning and Afternoon Tea Breaks - Conference Day ===
 +
 
 +
'''Sponsorships Available:''' Four (4)
 +
 
 +
'''General Rate:''' $4,500
 +
 
 +
'''Benefits:'''
 +
 
 +
* Opportunity to display your company's banner in the conference lobby (see notes below) throughout the day of the conference
 +
* Recognition as sponsoring provider, on signs displayed on service tables during tea breaks
 +
* Sponsor logo printed on attendee badges
 +
* Sponsor logo printed on Room Signs
 +
* Single-colour sponsor logo imprinted on conference tote bags
 +
* Sponsor logo displayed on conference Web page, alongside Platinum Sponsors
 +
* Opportunity to include 150-word company description in '''About Our Sponsors''' section of conference Web page
 +
* Written recognition as a leading sponsor, in pre-event publicity communications
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 2. Pre-Conference Reception ===
 +
 
 +
On the Thursday evening, the OWASP New Zealand Day Committee will host a reception for speakers, trainers, conference volunteers, and Premier Sponsors. The event will be held at an establishment near the conference venue.
 +
 
 +
'''Sponsorships Available:''' Two (2)
 +
 
 +
'''General Rate:''' $2,000
 +
 
 +
'''Benefits:'''
 +
 
 +
* Opportunity to display your company's banner at the reception venue (see notes below) during the reception
 +
* Opportunity to address reception attendees, as "hosting" sponsor of reception
 +
* Recognition as sponsoring provider, on signs displayed on service tables/bars during reception
 +
* Sponsor logo printed on Room Signs
 +
* Single-colour sponsor logo imprinted on conference tote bags
 +
* Sponsor logo displayed on conference Web page, alongside Silver Sponsors
 +
* Opportunity to include 100-word company description in '''About Our Sponsors''' section of conference Web page
 +
* Written recognition as a leading sponsor, in pre-event publicity communications
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 3. Conference Tote Bags for Attendees ===
 +
 
 +
'''Sponsorships Available:''' One (1)
 +
 
 +
'''General Rate:''' $1,800
 +
 
 +
'''Benefits:'''
 +
 
 +
* Single-colour sponsor logo printed on the Conference Tote Bags, along with those of Platinum, Gold, and Silver Sponsors
 +
* Sponsor logo printed on Room Signs
 +
* Sponsor logo displayed on conference Web page
 +
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 4. Lanyards for Attendee Badges ===
 +
 
 +
'''Sponsorships Available:''' One (1)
 +
 
 +
'''General Rate:''' $1,800
 +
 
 +
'''Benefits:'''
 +
 
 +
* Single-colour sponsor logo printed on the Attendee Lanyards, along with the OWASP logo
 +
* Sponsor logo printed on Room Signs
 +
* Sponsor logo displayed on conference Web page
 +
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 5. Speaker Gifts ===
 +
 
 +
'''Sponsorships Available:''' One (1)
 +
 
 +
'''General Rate:''' $1,500
 +
 
 +
'''Benefits:'''
 +
 
 +
* Sponsor logo printed on Room Signs
 +
* Single-colour sponsor logo imprinted on conference tote bags
 +
* Sponsor logo displayed on conference Web page, alongside Silver Sponsors
 +
* Opportunity to include 50-word company description in '''About Our Sponsors''' section of conference Web page
 +
* Written recognition as a leading sponsor, in pre-event publicity communications
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 6. Morning and Afternoon Tea Breaks - Training Day ===
 +
 
 +
'''Sponsorships Available:''' Two (2) '''--Funded, no longer available'''
 +
 
 +
'''General Rate:''' $750
 +
 
 +
'''Benefits:'''
 +
 
 +
* Opportunity to display your company's banner in the training facility lobby (see notes below) throughout the training day
 +
* Recognition as sponsoring provider, on signs displayed on service tables during training day tea breaks
 +
* Sponsor logo displayed on conference Web page, alongside Bronze Sponsors
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 7. International Travel Support ===
 +
 
 +
As part of the submission process for presentations, prospective presenters from outside New Zealand are given the opportunity to indicate if they will need travel support to be able to attend OWASP New Zealand Day. Each International Travel Support sponsorship is intended to provide a maximum of $2,500 for one international presenter's travel expenses related to attending, and presenting at, the conference. Supported travel expenses may include: return airfare from the airport nearest the presenter's residence to Auckland, two nights' accommodation in a lodging near the conference venue, and return shuttle transportation between the Auckland airport and the accommodation.
 +
 
 +
'''Sponsorships Available:''' No Limit
 +
 
 +
'''General Rate:''' $2,500
 +
 
 +
'''Benefits:'''
 +
 
 +
* Sponsor logo displayed on conference Web page, alongside Gold Sponsors
 +
* Opportunity to include 100-word company description in '''About Our Sponsors''' section of conference Web page
 +
* Opportunity for sponsor representative to introduce sponsored presenter
 +
* Written recognition as a leading sponsor, in pre-event publicity communications
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 8. Diversity Fund ===
 +
 
 +
The OWASP New Zealand Day Diversity and Financial Aid Fund has been established to provide financial assistance to students at New Zealand universities. Each Diversity Fund sponsorship is intended to cover travel expenses for one New Zealand student, from  outside the Auckland area, who will be attending or presenting at the conference. Each Diversity Fund support recipient will receive funding for return airfare from their nearest domestic airport to Auckland International Airport, two night's accommodation in a lodging near the conference venue, and return shuttle transportation between the airport and the accommodation.
 +
 
 +
'''Sponsorships Available:''' No Limit
 +
 
 +
'''General Rate:''' $750
 +
 
 +
'''Benefits:'''
 +
 
 +
* Sponsor logo displayed on conference Web page, as a Diversity Fund Sponsor
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
=== 9. Door Prizes ===
 +
 
 +
At the closing session of the conference, the OWASP New Zealand Day Committee will conduct a series of random drawings, awarding donated items to attendees, who must be present to win. There is no minimum or maximum value required for donated items, nor is the number of items provided subject to any limit. It is recommended that items provided be of interest to the conference's target audience, rather than of a generic nature.
 +
 
 +
'''Sponsorships Available:''' No Limit
  
My friend gave me permission to “hack all her stuff” and this is my story. It’s about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.
+
'''General Rate:''' In-Kind Donation
  
<b>Speaker Bio</b>
+
'''Benefits:'''
  
Alex is your conference speaker, your best friend, and your sweet mango boy. Alex fell off the back of a gently glowing ute 17 years ago, and now haunts the Earth in corporeal form. Critics have called him “aggressively wonky”. He does incident detection and response at Atlassian, which is kiiinda like being an adult. Catch him scratching out MEMBERS ONLY signs into MEMERS ONLY.
+
* Verbal recognition, at the time of the prize drawing, as the donor of the prize
  
 +
=== 10. Other Supporting Sponsorships ===
  
===David Waters - Pushpay - Handling Of A PCI Incident - PANs In The Database===
+
If your company would like to provide special items to attendees, funding for paid promotional advertising for the event, or other items that we haven't yet thought of, you are welcome to contact us to discuss your ideas.
----
+
 
<b>Abstract</b>
+
'''Sponsorships Available:''' No Limit
 +
 
 +
'''General Rate:''' In-Kind Donation
 +
 
 +
'''Benefits:'''
 +
 
 +
* Sponsor logo displayed on conference Web page, as a Supporting Sponsor
 +
* Visual and verbal recognition of sponsor at opening and closing sessions of conference
 +
 
 +
== Notes ==  
 +
 
 +
''' Sponsor Logos:'''
 +
 
 +
* Logos are to be provided by the respective sponsors, as digital files (JPEG and PNG preferred)
 +
* Logos provided should be full colour
 +
* For lanyards and tote bags (including Platinum/Gold/Silver Sponsors), a single-colour version of the logo should also be provided, in a separate file. If a single-colour version of the logo is not provided by the sponsor, the OWASP New Zealand Day Committee reserves the right to electronically convert the full-colour logo to a single-colour version, or omit the sponsor's logo from the imprinted items if that proves infeasible.
  
Are you storing credit card numbers in your database when you’re not meant to? Would you know? We will be briefly cover PCI, and telling the story of the discovery of PANs in our pipeline. Then describe the full journey from discovery, to recovery to future prevention.
+
'''Sponsor Banners:'''
  
<b>Speaker Bio</b>
+
* Lobby and stage-side banners are to be provided by the respective sponsors, must be free-standing, and their size is subject to approval by the OWASP New Zealand Day Committee.
 +
* The conference venue includes two tracks, conducted in separate auditoriums; Platinum Sponsors may display one banner to the side of each auditorium's stage; Gold Sponsors may display a banner to the side of the stage in one auditorium. Gold Sponsors may express an auditorium preference, but final locations are at the discretion of the OWASP New Zealand Day Committee.
 +
* There will be a maximum of four (4) sponsor banners displayed in each auditorium, with placement priority given to Platinum Sponsors.
  
David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 19 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.
+
'''Promotional Items:'''
  
= Diversity fund =
+
* Printed materials are limited in dimensions to A4 size - either a single sheet, printed on one or both sides; or a single A3 sheet, folded in half
==Diversity and Financial Aid fund==
+
* Small imprinted items are also acceptable - pens, stress balls, USB keys, fidget spinners, etc.
 +
* Design of printed materials and imprinted items are subject to approval by OWASP New Zealand Day Committee
 +
* '''RECRUITMENT:''' In addition to the promotional item allowances included in Premium Sponsorship Packages, any sponsor may provide one A5-size card with information on ''actual current'' vacancies for which candidates are actively being sought
  
'''The Diversity and Financial Aid assistance fund has now closed. If you find yourself stuck and need assistance, please get in touch with [email protected] and we'll see what we can do.'''
+
'''All amounts listed are in New Zealand dollars (NZD)'''
  
[We have unashamedly followed the model adopted by the nz.js(con) team with their fund. Many thanks to Jen and the team!]
+
= Diversity Fund =
  
Due to the support of our lovely sponsors, we have some additional funding available to help people from around New Zealand attend the OWASP NZ Day that would find it hard to otherwise attend. In particular, we welcome applications from women, people of colour, LGBTIQ and all others. You all deserve to be able to learn more about security, and we’ll do our darndest to help make that happen!
+
==Diversity and Financial Aid fund==
  
Our funds are limited, and we’ll be reviewing applications every two weeks starting in December. Submit your applications soon, so we can approve them early and you’ll be in several review cycles!
+
Thanks to the generous support of our lovely sponsors, we have some funding available to help people from around New Zealand attend the OWASP NZ Day, who would otherwise find it hard to attend. In particular, we welcome applications from women, people of colour, LGBTIQ, and all others. You all deserve to be able to learn more about security, and we’ll do our best to help make that happen!
 +
 
 +
Our funds are limited, and we’ll be reviewing applications every week, starting at the end of January. Submit your application soon, so we can approve them promptly, and you’ll be in several review cycles!
  
 
Process:
 
Process:
  
* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSeTPgNCXb-3FIKetzBtTSwe1IXYckmADCK5sXPdiWRu8mdI6g/viewform application form]
+
* Fill out our [https://docs.google.com/forms/d/e/1FAIpQLSfl4I38Z3ke5H8gYL7KmG9pVY8qIZe3kO5YH_ykALJyvq894w/viewform Application Form]
* We will review and approve applications each two weeks. The next review date is in Dec 2017.  
+
* We will review and approve applications each week. The first reviews will be completed by 29 January.  
 
* We will contact all applicants and let them know the result of the review.
 
* We will contact all applicants and let them know the result of the review.
 
* Successful applicants will be contacted to help sort things out.
 
* Successful applicants will be contacted to help sort things out.
Line 901: Line 1,249:
  
 
* We are biased towards (but not exclusively for) diverse applicants.
 
* We are biased towards (but not exclusively for) diverse applicants.
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP with our limited funds.
+
* We do attempt to maximise cost efficiency and will aim to get as many people to OWASP as possible, with our limited funds.
  
 
Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.
 
Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.
  
If you have any questions, feel free to drop us an email: nick.[email protected] | [email protected] | kim.carter@owasp.org
+
If you have any questions, feel free to drop us an email: john.dileo@owasp.org
  
 
= Code of Conduct =
 
= Code of Conduct =
 
==Code of Conduct==
 
==Code of Conduct==
  
We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you of OWASP's anti-harassment policy: [https://www.owasp.org/index.php/Governance/Conference_Policies].
+
We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you that all activities associated with this event are subject to OWASP's [https://www.owasp.org/index.php/Governance/Conference_Policies Conference Policies]. At their core, these policies are intended to promote and maintain an inclusive, welcoming environment for all participants - actions detrimental to that environment are unwelcome.
  
 
Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.
 
Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.
  
If you have any concerns during the day, please seek out Kirk, Nick or Kim. We will make ourselves visible at the start of the day so you know what we look like.
+
If you have any concerns during the day, please seek out John, Austin, or Brendan. We will make ourselves visible at the start of the day, so you know what we look like.
 +
 
 +
=Call for Presentations - CLOSED =
 +
 
 +
==Call for Presentations==
 +
 
 +
'''UPDATE: The Call for Presentations is now CLOSED.''' The committee is reviewing the proposals received, and will be notifying submitters of their selection status shortly.
 +
 
 +
OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including
 +
architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more.
 +
 
 +
We would like a variety of technical levels in the presentations submitted, corresponding to the three focus areas of the conference:
 +
 
 +
Track One:
 +
 
 +
* Introductions to various Information Security topics, and the OWASP projects
 +
* Policy, Compliance and Risk Management
 +
 
 +
Track Two:
 +
* Technical topics
 +
 
 +
Introductory talks should appeal to an intermediate to experienced software developer, without requiring a solid grounding in application security or knowledge of OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.
 +
 
 +
This being an OWASP conference, the selection process for talks in Track One will give priority to those related to OWASP's Projects, Tools, and Guidance (check out the current [OWASP Project Inventory](https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory) for more information). If multiple submissions are received related to the same OWASP Project/Tool, preference will be given to speakers actively involved as leaders or members of the respective project teams.
 +
 
 +
Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.
 +
 
 +
We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.
 +
 
 +
We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:
 +
 
 +
* Web application security
 +
* Mobile security
 +
* Cloud security
 +
* Secure development
 +
* Vulnerability analysis
 +
* Threat modelling
 +
* Application exploitation
 +
* Exploitation techniques
 +
* Threat and vulnerability countermeasures
 +
* Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
 +
* Penetration Testing
 +
* Browser and client security
 +
* Application and solution architecture security
 +
* PCI DSS
 +
* Risk management
 +
* Security concepts for C*Os, project managers and other non-technical attendees
 +
* Privacy controls
 +
 
 +
The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.
 +
 
 +
PLEASE NOTE:
 +
 
 +
* Due to limited funds availability, the conference budget does not include a plan to cover expenses for international speakers. However, if sponsorship funds are received for this purpose, we will issue a call for support applications from those outside New Zealand who have submitted proposals. Please indicate in the "additional information" section, whether you would be able to present without such support.
 +
* If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event.
 +
 
 +
Please submit your presentation on [https://www.papercall.io/owaspnz2019 PaperCall].
 +
 
 +
<b>Submission Deadline: Friday, 11th January 2019 (NOW CLOSED)</b>
 +
 
 +
Applicants will be notified in the following week after the deadline, whether they were successful or not.
 +
 
 +
= Call For Trainers - CLOSED =
 +
== Call For Trainers ==
 +
 
 +
'''The Call for Trainers is now closed. Trainers selected to present training have been contacted, and details are now being finalised.'''
 +
 
 +
We are happy to announce that training will run on Thursday, 21 February 2019, the day before the OWASP NZ Day conference.
 +
The training venue will be Level 0, Rooms: case rooms 1(005), 2(057), 3(055), and 4(009), kindly provided by the University of Auckland School of Business, in the same building as the OWASP NZ Day conference itself.
 +
Classes can contain up to 69 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered,
 +
see the Call for Papers for a list of example topics.
 +
 
 +
If you are interested in running one of the training sessions, please contact John DiLeo ([mailto:[email protected] [email protected]]) with the following information:
 +
 
 +
* Trainer name
 +
* Trainer organisation
 +
* Telephone + email contact
 +
* Short Trainer bio
 +
* Training title
 +
* Trainer requirements (e.g. a projector, whiteboard, etc)
 +
* Trainee requirements (e.g. laptop, VMware/VirtualBox, etc)
 +
* Training summary (less than 500 words)
 +
* Target audience (e.g. testers, project managers, security managers, web developers, architects)
 +
* Skill level required (Basic / Intermediate / Advanced)
 +
* What attendees can expect to learn (key objectives)
 +
* Short course outline
 +
 
 +
The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:
 +
 
 +
* 25% to OWASP Global - used for OWASP projects around the world
 +
* 25% to OWASP NZ Day - used for NZ Day expenses
 +
* 50% to the training provider.
 +
 
 +
<b>Submission Deadline: Friday, 21st December 2018</b>
 +
 
 +
Applicants will be notified in the following week after the deadline, whether they were successful or not.
  
 
<headertabs></headertabs>
 
<headertabs></headertabs>
  
 
[[Category:OWASP AppSec Conference]]
 
[[Category:OWASP AppSec Conference]]

Latest revision as of 02:32, 11 March 2019

NZDay_2019_web_banner.jpg

21st and 22nd February 2019 - Auckland


Introduction

We are proud to announce the tenth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday, February 22nd, 2019. OWASP New Zealand Day is a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

There will be two streams throughout the day. The first stream will include introductory talks on application and information security topics, as well as on policy, compliance, and risk management. The second stream will primarily address deeper technical topics.

Who is it for?

  • Web Developers
  • Security Professionals and Enthusiasts
  • Program and Project Managers
  • Business Analysts
  • Requirements Analysts
  • Software Testers

Conference structure

Date: Friday, 22 February 2019

Time: 9:00am - 6:00pm

Cost: FREE

The main conference is on Friday, the 22nd of February, and will have two streams in both the morning and the afternoon:

Stream One:

  • Introductory Topics
  • Program Management, Policy, Compliance, Risk Management

Stream Two:

  • Technical Topics

Training

In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:

Real-World Penetration Testing

Date: Thursday, 21 February 2019
Time: 8:45 a.m. - 5:30 p.m.
Format: Live online interaction with instructors; interactive Web-based lab exercises
Instructors: Vivek Ramachandran and Nishant Sharma
Instructors' Organisation: Pentester Academy
Registration Fee: $500.00
Training Registration Page (Registration CLOSED)

Are You a Secure Code Warrior?

Date: Thursday, 21 February 2019
Time: 8:45 a.m. - 12:30 p.m.
Instructor: Jaap Karan Singh
Instructor's Organisation: Secure Code Warrior
Registration Fee: $250.00
Training Registration Page (Registration CLOSED)

Threat Modelling: Getting from None to Done

Date: Thursday, 21 February 2019
Time: 8:45 a.m. - 5:30 p.m.
Instructor: Dr. John DiLeo
Instructor's Organisation: OWASP New Zealand Chapter
Registration Fee: $500.00
Training Registration Page (SOLD OUT)

Training registration closed at midnight on 14 February.

General

The tenth OWASP New Zealand Day will be happening thanks to the support provided by the University of Auckland, which will kindly offer the same facilities as those we used in 2018. Entry to the event will, as in the past, be free.

For any comments, feedback or observations, please don't hesitate to contact us.

Registration

Registration is now open. Visit EventBrite to register.

Please join our low volume mailing list to be notified as further schedule information becomes available, and/or follow us on Twitter @owaspnz.

There is no cost for the main conference day. Currently, we are planning to provide morning and afternoon tea; however, this is subject to meeting our sponsorship goals for the event. Spaces are limited, so we do ask that, if at any point you realise you will not be able to attend, you cancel your registration (i.e., "request a refund" in EventBrite) to make room for others.

Important dates

CFP submission deadline: 11th January 2019 - Submissions are now closed
CFT submission deadline: 21st December 2018 - Submissions are now closed
Training Day date: 21st February 2019
Training Registration Deadline: 14th February 2019 - Registration is now closed
Conference Day date: 22nd February 2019
Conference Registration deadline: 22nd February 2019 (Same-day registration is permitted, if space is available)

For those of you booking flights, ensure you can be at the venue by 8:30am. The conference will end by 6:00pm. However, we will have post conference drinks at a local drinking establishment for those interested. We are planning to hold a special event on Thursday evening for speakers, trainers, sponsors, and conference volunteers - more details on that to follow.

Places to eat & drink on the day

The University published a handy map (in 2018), to help you find places to eat around campus: File:Retail Map City Campus 2018 v2.pdf

Some of the options available:

  • The Deli - Located on Level 1 of the Owen G. Glenn Building - This is closest, but will probably have long lines
  • Mojo Symonds - also on campus
  • Shakey Isles - coffee and food across the road on the corner of Symonds & Alfred St
  • The CBD - walk up and over Albert Park to get to the CBD with many great food options
    • Fort Street has burgers, kebabs, and KFC
    • High Street & Lorne Street have lots of little cafes and restaurants
  • Subway, Starbucks, St. Pierre's Sushi & Pita Pit - walk up Symonds Street
  • Vulture’s Lane is a popular pub with the InfoSec crowd, there are more seats downstairs
  • The Bluestone Room - also a popular pub just across Queen St

Conference Venue

The University of Auckland School of Business
Owen G. Glenn Building (OGGB)
Address: 12 Grafton Road

Stream One: Level 1
Room: 115 (Fisher & Paykel Auditorium)

Stream Two: Level 0
Room: 098

Auckland
New Zealand
Map

073 AUBiz 10Apr08small.jpg OWASPNZDayLectureTheatre.jpg

Conference Sponsors

For more information on our Premier Sponsors, please visit our About Our Sponsors page

Conference Host

AuckUni.png

Platinum Sponsor

 
Logo-Insomnia Security
 

Gold Sponsors

Logo-Orion Health
Logo-Quantum Security
Logo-Secure Code Warrior
Logo-ZX Security
 

Silver Sponsors

Sponsoring Provider - Training Day Tea Breaks

Logo-Aura Information Security

Supporting Sponsors

     Logo-Binary Mist Limited
     Logo-PentesterLab
      Logo-Privasec
     Logo-RedShield

Logo-Zimbra


Follow us on Twitter (@owaspnz)

OWASP New Zealand on Facebook

We're still looking for a few good men and women, to assist with conference preparations and to help things go smoothly during the event.

Please contact John DiLeo ([email protected]), if you're willing and able to help out.

Conference Committee

So, far, a fair few kind souls have stepped up to help out:

  • John DiLeo - Conference Chair, OWASP New Zealand Chapter Leader (Auckland)
  • Lech Janczewski - Conference Host Liaison, on-site Health & Safety contact - Associate Professor, University of Auckland School of Business
  • Kirk Jackson - Video post-production, OWASP New Zealand Chapter Leader (Wellington)
  • Tess Brothersen
  • Austin Chamberlain
  • Teresa Chan
  • Anna Cupples
  • Paul Howarth
  • Toni James
  • Alex McClennan
  • Sam Penfold
  • Stephen Sherry
  • Anneke Smitheram
  • Anthony Vargo
  • Anya Yang

Training

In addition the main conference on Friday, we are pleased to be offer three training opportunities on Thursday, at the same venue. Course details, including registration, are as follows:

Real-World Penetration Testing

Date: Thursday, 21 February 2019
Time: 8:45 a.m. - 5:30 p.m.
Format: Live online interaction with instructors; interactive Web-based lab exercises
Instructors: Vivek Ramachandran and Nishant Sharma
Instructors' Organisation: Pentester Academy
Registration Fee: $500.00
Training Registration Page (Registration CLOSED)

Are You a Secure Code Warrior?

Date: Thursday, 21 February 2019
Time: 8:45 a.m. - 12:30 p.m.
Instructor: Jaap Karan Singh
Instructor's Organisation: Secure Code Warrior
Registration Fee: $250.00
Training Registration Page (Registration CLOSED)

Threat Modelling: Getting from None to Done

Date: Thursday, 21 February 2019
Time: 8:45 a.m. - 5:30 p.m.
Instructor: Dr. John DiLeo
Instructor's Organisation: OWASP New Zealand Chapter
Registration Fee: $500.00
Training Registration Page (SOLD OUT)

Spaces are going fast, so get in quickly!

Check-in desk will be located in the Level 0 lobby (outside the Case Study Rooms), and will open at 8:00 a.m.

Morning and afternoon tea breaks will be provided; lunch will be on your own.

Presentations

22nd February 2019

08:00 Registration Opens - Main Foyer, Owen G. Glenn Building
09:00

Welcome to OWASP New Zealand Day 2019
John DiLeo (Conference Chair), Kirk Jackson, and Kim Carter - OWASP NZ Chapter Leaders
Lech Janczewski (Conference Host) - Associate Professor, Univ. of Auckland

Slides (PDF, 7.0 MB)

 

Upstairs Auditorium (Room 115)
Track One: Introductory / Management

 

Downstairs Auditorium (Room 098)
Track Two: Technical

09:20

Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection
David Waters and Kieran Molloy - Pushpay
Slides (PDF, 789 kB) | Video (YouTube)

09:20

Virtual Patching: Does It Work?
Kirk Jackson - RedShield
Slides (PDF, 2.1 MB) | Video (YouTube)

10:10

Threat Modelling When You've Never Done It Before
Kade Morton - Quantum Security
Slides (PDF, 5.7 MB) | Video (YouTube)

10:10

Cloud Catastrophes and How to Avoid Them
Michael Haworth - Insomnia Security
Slides (PDF, 666 kB) | Video (YouTube)

10:45

That Vulnerability Looks Quite Risky
Peter Jakowetz - Quantum Security
Slides (PDF, 1.0 MB) | Video (YouTube)

10:45

JWAT: Attacking JSON Web Tokens
Louis Nyffenegger - Pentester Lab
Slides (PDF, 3.5 MB) | Video (YouTube)

11:20

Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing
Mike Clarke - Erudite Software
Slides (PDF, 1.2 MB) | Video (YouTube)

11:40

How Can OWASP SAMM Help You Build More Secure Software?
Mohamed Hassan - Aura Information Security
Slides not yet available | Video (YouTube)

11:40

CTF: The Gateway Drug
Toni James - Orion Health
Slides not yet available | Video (YouTube)

12:10

Break for Lunch

13:30

NoHolidayChurchGenius: Password Security with 2020 Vision
Antonio Radich - Quantum Security
Slides (PDF, 1.4 MB) | Video (YouTube)

13:30

Security Regression Testing on OWASP ZAP Node API
Kim Carter - BinaryMist
Slides not yet available | Video not published, at presenter's request

14:05

Sharing Is Caring: A Beginner's Guide to Security in the Cloud
Petra Smith - Aura Information Security
Slides (PDF, 2.1 MB) | Video (YouTube)

14:25

Eating the Elephant: Application Security When You Aren't a Startup
Stephen Morgan - Westpac New Zealand
Slides (PDF, 2.1 MB) | Video (YouTube)

14:25

CI Can Make $$$ from Thin Air
Sajeeb Lohani - Privasec
Slides and Video not published, at presenter's request

15:00

What's In a Name? Law of Agency and Domain Name Registrations
Judy Ting-Edwards - Ports of Auckland
Slides (PDF, 4.6 MB) | Video not published, at presenter's request

15:00

Introduction to Building Secure Electron Applications
Nawaz Gayoom - Provoke Solutions
Slides (PDF, 587 kB) | Video (YouTube)

15:30

Break for Afternoon Tea - Coffee / Tea Service Provided

16:00

How Do I Content Security Policy?
Kirk Jackson - RedShield
Slides (PDF, 1.6 MB) | Video (YouTube)

16:00

Hardening Your Docker Infrastructure
Kim Carter - BinaryMist
Slides not yet available | Video not published, at presenter's request

16:50

OWASP Software Assurance Maturity Model (SAMM) 2.0
John DiLeo - Orion Health
Slides (PDF, 7.1 MB) | Video (YouTube)

16:50

Reverse Engineering Mobile Apps: Why, What, and the Hows
Karan Sharma
Slides (PDF): Part 1 (4.8 MB), Part 2 (7.1 MB), Part 3 (6.2 MB) | Video (YouTube)

17:25

Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It
Jaap Karan Singh - Secure Code Warrior
Slides (PDF, 7.1 MB) | Video (YouTube)

17:25

Serverless Authentication with JWT
Mehul Patel - Zimbra
Slides (Slides.com) | Video (YouTube)

18:00

Wrap Up
Time to go out and socialise, for those interested
Slides (PDF, 6.0 MB)

Presentation Abstracts and Speaker Biographies

Track One - Morning (09:20 - 12:10)

Exploiting Vulnerabilities from the OWASP Top 10: SQLi, XSS, XXE, File Injection


David Waters and Kieran Molloy - Pushpay

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

We will give a brief introduction to a selection of the OWASP Top 10 and then demonstrate the exploitation of each of these vulnerabilities using tools and hand crafted attacks. We will also demonstrate how a combination vulnerabilities can be chained together by an attacker.

Speaker Biographies

David is a Senior Software Engineer/Tech Lead and one of the leaders of the Secure Coding Guild at Pushpay, David previously worked for 3 years in the security industry including 1 year in the Security Team at Google in London and draws on 20 years experience as a systems and web developer, primarily working in .NET, Java and JavaScript.

Kieran is a developer with an interest in security.

Threat Modelling When You've Never Done It Before


Kade Morton - Quantum Security

Slide Deck (PDF, 6.7 MB)

Presentation Video (YouTube)

Abstract

Through the Mozilla Open Leaders program I mentored a project from Asuntos del Sur, a humans right group that operates across South America. This is the story of my crash course in basic threat modelling, and how that basic knowledge is now helping activists across South America.

Speaker Biography

Kade is a consultant with Quantum Security. When not doing information security stuff, he volunteers with Mozilla.

That Vulnerability Looks Quite Risky


Peter Jakowetz - Quantum Security

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

Technical findings are great, and finding vulnerabilities in your software so you can fix them is key to ensuring safe and secure code. However what about those things you can’t fix? Do they seem too expensive or hard? This talk will discuss the best way to manage these issues using risk management.

Speaker Biography

Peter is an electrical engineer turned security consultant from Wellington, NZ. Certified in many-a-thing, he spends a good chunk of time working on PCI, ISO and NZISM audits, and making security findings readable to senior management. In his spare time, he enjoys playing with open-source hardware and software, poking cars, and breaking things.

Mob Learning Using the OWASP Top 10 and 30 Days of Security Testing


Mike Clarke - Erudite Software

Slide Deck (PDF, 1.2 MB)

Presentation Video (YouTube)

Abstract

Not sure how to get started learning about security? Why not team up with a group of others in the same boat and learn together?

After learning the basics of the OWASP Top Ten, I took part in the 30 Days of Security Testing challenge through WeTest with 100+ other software testers new to security. My talk is about how a small idea turned into an online workspace of over 100 people new to InfoSec, a series of great Meetups, and lessons learned along the way.

Speaker Biography

I’ve always been interested in IT and fascinated by information security. I worked for the Royal New Zealand Navy as a Communications Warfare Specialist before trying my hand at software testing. I’m currently working for Erudite Software in Auckland, as the sole tester in a development team largely focused on healthcare software solutions. I’ve recently signed on as an organiser for WeTest Auckland, where we throw together Meetups and online challenges to learn about testing.

How Can OWASP SAMM Help You Build More Secure Software?


Mohamed Hassan - Aura Information Security

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

Have you ever wondered why you or your team keep having high and critical security vulnerabilities in your software? Why you didn't discover these vulnerabilities earlier than two weeks before going life? How penetration testing can be effective when you're changing your software every two weeks? Can security be easier? How can you embed security into your software life cycle? How do you know if security initiatives are paying off? This talk will answer these questions and more!

Speaker Biography

Mohamed has been a penetration tester for more than six years. Mohamed has delivered security training to developers, in New Zealand and internationally. He also helps organisations embed more security into their software development lifecycle. In his free time, Mohamed likes to keep active and enjoy New Zealand’s landscape.

Track Two - Morning (09:20 - 12:10)

Virtual Patching: Does It Work?


Kirk Jackson - RedShield

Slide Deck (PDF, 2.1 MB)

Presentation Video (YouTube)

Abstract

Writing secure applications is hard, and often vulnerabilities are found after your application has already been released to production.

But what happens if you’re not able to fix the vulnerabilities quickly? Wouldn’t it be great if the someone else could secure your website for you?

Speaker Biography

Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.

Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.

Cloud Catastrophes and How to Avoid Them


Mike Haworth - Insomnia Security

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

Cloud and traditional infrastructure are different and sometimes the consequences of not changing mindset can be.. unpleasant.

Speaker Biography

Mike is a Principal Consultant for Insomnia Security, based in Wellington. He likes pentesting most things, and is rubbish at writing bios.

JWAT: Attacking JSON Web Tokens


Louis Nyffenegger - Pentester Lab

Slide Deck (3.5 MB)

Presentation Video (YouTube)

Abstract

Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues.

Speaker Biography

Louis is a security engineer based in Melbourne, Australia. He performs pentest, architecture and code review. Louis is the founder of PentesterLab, a learning platform for Web penetration testing. Recently, Louis talked at OWASP AppSecDay Melbourne, and ran two workshops at DEF CON 26, in 2018.

CTF: The Gateway Drug


Toni James - Orion Health

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

I can't stop thinking about it, I can't wait for the next one, it keeps me up late at night, and I always want more. Flags that is! A how-to and where-to-start with Capture the Flag competitions, accompanied by a casual discourse about imposter syndrome, sexism in tech, and pondering the harsh realities of vim (not really, I never use vim, I'd never be able to get out of it). Followed by a live walkthrough of my favourite CTF challenges, the ones I think would entice other devs and wanna-be hackers to give it a try. "The first one's free."

Speaker Biography

Toni is a snowboarder turned software engineer, with an addiction to security. She's won a few scholarships in her quest to get more women into tech and she's really good at supporting others to do 'all the things'. A firm believer in ‘you need to see it to be it,’ she puts herself out there to enable others to step up and challenge the status quo. She/Her. @_tonijames

Track One - Afternoon 1 (13:30 - 15:30)

NoHolidayChurchGenius: Password Security with 2020 Vision


Antonio Radich - Quantum Security

Slide Deck (PDF, 1.4 MB)

Presentation Video (YouTube)

Abstract

This season's passwords are now in fashion, similar to last year's, with one difference. Passwords are a staple in the developer toolkit. Developers follow guidelines put out by NIST or the GCSB. Users are ‘efficient’. With everyone striving for the minimum, we can already see "Winter (2019) is coming…"

Speaker Biography

Antonio has been with Quantum Security, as a Security Consultant performing penetration tests and security audits, for two years. He is interested in red teaming, post exploitation, and general security on an organisation level.

Sharing Is Caring: A Beginner's Guide to Security in the Cloud


Petra Smith - Aura Information Security

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

Thinking of moving your applications to the cloud? How do you make sure they stay secure? This fast, fun, beginner-friendly session will demystify cloud security, introduce you to the most common cloud security models, and help you to choose the model that’s right for you.

Speaker Biography

Petra grew up wanting to be Sailor Mercury – the awkward blue-haired one from Sailor Moon who used computers to protect the world from evil. Now she’s a purple-team security consultant at Aura Information Security, which you have to admit is pretty close. She loves to teach people to pick locks, and gets kind of ranty about privacy, trust, and making digital spaces safe and inclusive for everyone.

Eating the Elephant: Application Security When You Aren't a Startup


Stephen Morgan - Westpac New Zealand

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

DevSecOps, AppSec Engineers, and Continuous Integration Security are a panacea, but how do older institutions with many legacy systems and technical debt even begin to tackle agile application security practices? We will explore ways that you can start working with your developers write secure code.

Speaker Biography

Stephen is an Information Security Consultant at Westpac New Zealand where he wrangles Pen Testers, reviews codes, and diminishes his rapport with developers. He has worn many hats including those of a Customs Officer, Penetration Tester, Java Developer, and (cough) IT Auditor.

What's In a Name? Law of Agency and Domain Name Registrations


Judy Ting-Edwards - Ports of Auckland

Slide Deck (PDF, 4.6 MB)

Presentation Video not available, at presenter's request

Abstract

Have you ever hired Web developers to make a Web site for you, but then find out that you don’t actually own the domain name when you checked on Whois? Find out why this is the case and how we (maybe) should be doing domain name registrations, by taking a leaf from the law of agency’s book.

Speaker Biography

Judy has been registering domain names since 2013 when she was a junior lawyer for a stingy boss. She has recently changed careers to work in infosec, with a special interest in policy and appsec. As a part of a recent web hygiene audit, she discovered inconsistencies in how web devs register domain names in the industry and would like to see the industry come together with a best practice guideline. Risk management has been a constant in both her careers and she is always open to discussions on policies to embrace technology and reduce risks for the business at the same time.

Track Two - Afternoon 1 (13:30 - 15:30)

Security Regression Testing on OWASP ZAP Node API


Kim Carter - BinaryMist

Slide Deck (not yet available)

Presentation Video not available, at presenter's request

Abstract

The OWASP ZAP HTTP intercepting proxy is useful for manually attacking your Web apps and APIs. Now, we have the official Node API to programatically drive ZAP to regression test our creations. I’ll show you how to build a fully featured security regression testing CLI, consumable by your CI/nightly builds.

Speaker Biography

Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.

CI Can Make $$$ from Thin Air


Sajeeb Lohani - Privasec

Slide Deck (not yet available)

Presentation Video not available, at presenter's request

Abstract

This talk covers how people can utilise free tools, outside of their intended use case, in a malicious way. Using TravisCI as an example, we will look into what essentially can become a distributed super computer, to mine bitcoins and distributed denial of service attacks free of any cost whatsoever.

Speaker Biography

Sajeeb is a penetration tester at Privasec, with years of prior development experience. Having graduated from Monash University with a Bachelor of Software Engineering (Honours) in 2017, Sajeeb remains passionate about contributing to and improving cyber security research. Sajeeb gives back regularly to the Melbourne cyber security community by founding the Monash Cyber Security Club, presenting at SecTalks, and mentoring at the Australian Women in Security Network (AWSN) Cadets workshops. Sajeeb also runs initiatives which attempt to responsibly disclose security issues within open source software projects, making the world of software ‘more secure’.

Introduction to Building Secure Electron Applications


Nawaz Gayoom - Provoke Solutions

Slide Deck (PDF, 587 kB)

Presentation Video (YouTube)

Abstract

Electron is a popular framework for building desktop apps and is used by many prominent companies today. To build a production-ready Electron app, there are certain security considerations we need to take into account, if we are loading any external content on it.

Speaker Biography

Nawaz is a software developer at Provoke Solutions mostly working on web applications for the past 3 years. In this digital age with increasingly complex systems, it is a personal passion of mine to keep information secure and accessible. Apart from enjoying researching about security and sharing things that I learn along the way while in projects for my clients I do spend some (probably a little more than that) time watching Netflix as well. Other things I like doing include singing, surfing and sampling food.

Track One - Afternoon 2 (16:00 - 18:00)

How Do I Content Security Policy?


Kirk Jackson - RedShield

Slide Deck (PDF, 1.6 MB)

Presentation Video (YouTube)

Abstract

Content Security Policy (CSP) helps you secure your Web site, by declaring which javascript and resources it uses. This means that XSS attacks will be greatly limited.

However, setting up CSP on an existing Web site is hard. We’ll discuss an easy approach that you can follow to set up CSP.

Speaker Biography

Kirk works at RedShield, leads the OWASP Wellington-area Meetup, and has previously helped organise the annual OWASP NZ Day in Auckland.

Kirk worked as a Web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.

OWASP Software Assurance Maturity Model (SAMM) 2.0


John DiLeo - Orion Health

Slide Deck (PDF, 7.1 MB)

Presentation Video (YouTube)

Abstract

The OWASP SAMM Project Team recently release a Beta version of SAMM 2.0, which is currently open for comment. The model provides a framework for assessing the maturity of an organisation’s software assurance program, and identifying areas for future emphasis in improving the security of their development practices. This talk will provide an overview of the model, the benefits that can be realised by organisations utilising the model, and the process for assessing the maturity of the organisation’s software assurance program.

Speaker Biography

John is one of the co-leaders of the OWASP New Zealand Chapter. He moved to Auckland, from the United States, in 2017, and now works as Orion Health's Application Security Architect. John's focus is on developing and managing enterprise-wide Software Assurance Programmes, including the assessment of the organisation's maturity and building a roadmap to improve. This led him to join the core team of the OWASP SAMM project, where he helped to create the new model.

Before moving into application security, John worked as a solution architect, a Web development lead, and in developing discrete-event simulations of distributed systems. Along the way, he's also worked as a college instructor, trainer, and general IT consultant.

Why 'Positive Security' Is the Next Software Security Game Changer, and How to Do It


Jaap Karan Singh - Secure Code Warrior

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

A 2017 report based on 400,000 application scans reported that only 30% passed the OWASP Top 10 policy. This presentation showcases the principles and practice of “positive security” and explains why it is an important game changer that will substantially improve application security.

Speaker Biography

Jaap Karan Singh is the Co-Founder and Chief Singh of Secure Code Warrior, a global security company that makes software development better and more secure. After security testing at BAE Systems in Australia, Jaap moved from hacking Web applications to educating developers on how to protect their own applications. Jaap has delivered training on web application security concepts and run workshops at Australian financial and telecommunications organisations in Australia. He specialises in Javascript technologies such as HTML5, Node, Express and Mongo. He recently created and delivered a course on hacking and protecting modern Javascript applications at OWASP AppSec EU 2016.

Track Two - Afternoon 2 (16:00 - 18:00)

Hardening Your Docker Infrastructure


Kim Carter - BinaryMist

Slide Deck (not yet available)

Presentation Video not available, at presenter's request

Abstract

The security defaults of Docker are designed to get you up and running (“just work”) quickly, rather than being the most secure. There are many default configurations that can be improved upon. In this talk we’ll walk through improving the security of Docker hosts, containers, networking, and deployments.

Speaker Biography

Kim is a Technologist / Engineer, Information Security Professional, Entrepreneur, and the founder of BinaryMist Ltd. He is one of the OWASP NZ Chapter leaders and a Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 17 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it’s the cheapest to implement, increasing profit and reducing costs. Co-organiser of the Christchurch Hacker Con, International trainer, speaker, published author, and Software Engineering Radio podcast host, focusing on software and network architecture, Web development and engineering, and information security. Kim is also a regular blog poster. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.

Reverse Engineering Mobile Apps: Why, What, and the Hows


Karan Sharma

Slide Deck (not yet available)

Presentation Video (YouTube)

Abstract

I’d like to talk about why Reverse Engineering mobile apps is important for an organisation, what can you discover while reversing an app and how can you apply those lessons to add an additional layer of defense while building your future apps.

Speaker Biography

Karan started his career as a network engineer before moving into information security field 8 years ago. He is working as a security consultant for one of the leading financial institutes of NZ. He has a true passion for breaking & fixing web/mobile apps. He enjoy doing app reversing in his free time and love sharing his knowledge with others.

Serverless Authentication with JWT


Mehul Patel

Slide Deck (Slides.com)

Presentation Video (YouTube)

Abstract

Authentication is one of the big parts of every application. Security is always something that is changing and evolving. In this talk, I will cover what JSON Web Tokens (JWTs) are and why using JWTs in your applications when it comes to security is awesome.

Speaker Biography

Mehul is an engineer who loves digging into technology, and public speaker currently living in India. His interests range from technology to innovation. He is also interested in Web development, writing, and safe programming.

Mehul holds a Masters in Computers Science and has been working and contributing towards the open source community in all ways he can. He is a social guy, loves to interacting with new people, traveling, playing cricket, He can dance like crazy!!!

Currently, Mehul is an Engineer at Zimbra, Ambassador at Auth0, Mentor at Mozilla Reps and Campus Advisory Committee at Mozilla and Founder/Organizer of Google Developer Group - Nashik. Moreover, He is the initiator of Rust Hacks - the super safe system programming language of course and co-founder of Infinite Defense Foundation (IDF).

Call For Sponsorships

OWASP New Zealand Day 2019 will be held in Auckland on the 22nd of February, 2019, and is a security conference entirely dedicated to application security. The conference is once again being hosted by the University of Auckland with their support and assistance. OWASP New Zealand Day 2019 is a free event, but requires sponsor support to help be an instructive and quality event for the New Zealand community. OWASP is strictly not for profit. The sponsorship money will be used to help make OWASP New Zealand Day 2019 a free, compelling, and valuable experience for all attendees.

The sponsorship funds collected are to be used for things such as:

  • Venue - Room use and on-site management fees
  • Name tags - We feel that getting to know people within the New Zealand community is important, and name tags make that possible
  • Promotion - We would like to reach a wider audience, by utilising paid advertising for the event
  • Printed Materials - Printed materials will include program information, room signs, and lanyards
  • Recognition items for speakers and trainers
  • Morning and afternoon tea, to promote a congenial environment for networking among application security professionals

Facts

Last year, the event was supported by seven sponsors and attracted more than 700 registrations. Plenty of constructive (and positive!) feedback from the audience was received, and we are using this to make the conference more appealing to more people. For more information on the last New Zealand Day event, please visit: https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2018

The OWASP New Zealand community is strong, with more than 500 people currently subscribed to the mailing list (sign up). OWASP New Zealand Day is expected to attract between 900 and 1000 attendees this year.

OWASP regular attendees are IT project managers, IT security managers, IT security consultants, Web application architects and developers, QA managers, QA testers and system administrators.

How to Become a Sponsor

All financial matters related to the conference, including Sponsorship Agreements and payments, are handled through the OWASP Foundation. To express interest in supporting the conference as a sponsor, please contact us by email.

Premium Sponsorship Packages

 
Platinum
 
Gold
 
Silver
 
Bronze
A La Carte
(See Below)
Enrolment Limit 2 6 -- -- Varies
General Rate $5,000 $3,000 $1,750 $1,000 Varies
OWASP Corporate Member Rate $4,250 $2,550 $1,500 $850 N/A
A La Carte Sponsorship Discount 15% 10% 5% -- --
Banner in Conference Lobby (see notes) Yes No No No Varies
Banner at Side of Stage (see notes) Yes (2) Yes (1) No No No
Logo on Attendee Badges Yes Yes No No Varies
Logo on Room Signs Yes Yes Yes No Varies
Company Description on Conference Web Page 150 words 100 words 50 words No Varies
Pre-Conference Reception Tickets 4 3 2 1 Varies
Logo on Conference Tote Bags Yes Yes Yes No Varies
Mention in Pre-Event Publicity Yes Yes Yes Yes Varies
Logo on Conference Web Site Yes Yes Yes Yes Yes
Recognition during Opening/Closing Sessions Yes Yes Yes Yes Yes
Promotional Items in Conference Tote Bags (see notes) Yes (up to 3) Yes (up to 2) Yes (1) Yes (1) Varies

A La Carte Sponsorship Opportunities

1. Morning and Afternoon Tea Breaks - Conference Day

Sponsorships Available: Four (4)

General Rate: $4,500

Benefits:

  • Opportunity to display your company's banner in the conference lobby (see notes below) throughout the day of the conference
  • Recognition as sponsoring provider, on signs displayed on service tables during tea breaks
  • Sponsor logo printed on attendee badges
  • Sponsor logo printed on Room Signs
  • Single-colour sponsor logo imprinted on conference tote bags
  • Sponsor logo displayed on conference Web page, alongside Platinum Sponsors
  • Opportunity to include 150-word company description in About Our Sponsors section of conference Web page
  • Written recognition as a leading sponsor, in pre-event publicity communications
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

2. Pre-Conference Reception

On the Thursday evening, the OWASP New Zealand Day Committee will host a reception for speakers, trainers, conference volunteers, and Premier Sponsors. The event will be held at an establishment near the conference venue.

Sponsorships Available: Two (2)

General Rate: $2,000

Benefits:

  • Opportunity to display your company's banner at the reception venue (see notes below) during the reception
  • Opportunity to address reception attendees, as "hosting" sponsor of reception
  • Recognition as sponsoring provider, on signs displayed on service tables/bars during reception
  • Sponsor logo printed on Room Signs
  • Single-colour sponsor logo imprinted on conference tote bags
  • Sponsor logo displayed on conference Web page, alongside Silver Sponsors
  • Opportunity to include 100-word company description in About Our Sponsors section of conference Web page
  • Written recognition as a leading sponsor, in pre-event publicity communications
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

3. Conference Tote Bags for Attendees

Sponsorships Available: One (1)

General Rate: $1,800

Benefits:

  • Single-colour sponsor logo printed on the Conference Tote Bags, along with those of Platinum, Gold, and Silver Sponsors
  • Sponsor logo printed on Room Signs
  • Sponsor logo displayed on conference Web page
  • Opportunity to include 50-word company description in About Our Sponsors section of conference Web page
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

4. Lanyards for Attendee Badges

Sponsorships Available: One (1)

General Rate: $1,800

Benefits:

  • Single-colour sponsor logo printed on the Attendee Lanyards, along with the OWASP logo
  • Sponsor logo printed on Room Signs
  • Sponsor logo displayed on conference Web page
  • Opportunity to include 50-word company description in About Our Sponsors section of conference Web page
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

5. Speaker Gifts

Sponsorships Available: One (1)

General Rate: $1,500

Benefits:

  • Sponsor logo printed on Room Signs
  • Single-colour sponsor logo imprinted on conference tote bags
  • Sponsor logo displayed on conference Web page, alongside Silver Sponsors
  • Opportunity to include 50-word company description in About Our Sponsors section of conference Web page
  • Written recognition as a leading sponsor, in pre-event publicity communications
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

6. Morning and Afternoon Tea Breaks - Training Day

Sponsorships Available: Two (2) --Funded, no longer available

General Rate: $750

Benefits:

  • Opportunity to display your company's banner in the training facility lobby (see notes below) throughout the training day
  • Recognition as sponsoring provider, on signs displayed on service tables during training day tea breaks
  • Sponsor logo displayed on conference Web page, alongside Bronze Sponsors
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

7. International Travel Support

As part of the submission process for presentations, prospective presenters from outside New Zealand are given the opportunity to indicate if they will need travel support to be able to attend OWASP New Zealand Day. Each International Travel Support sponsorship is intended to provide a maximum of $2,500 for one international presenter's travel expenses related to attending, and presenting at, the conference. Supported travel expenses may include: return airfare from the airport nearest the presenter's residence to Auckland, two nights' accommodation in a lodging near the conference venue, and return shuttle transportation between the Auckland airport and the accommodation.

Sponsorships Available: No Limit

General Rate: $2,500

Benefits:

  • Sponsor logo displayed on conference Web page, alongside Gold Sponsors
  • Opportunity to include 100-word company description in About Our Sponsors section of conference Web page
  • Opportunity for sponsor representative to introduce sponsored presenter
  • Written recognition as a leading sponsor, in pre-event publicity communications
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

8. Diversity Fund

The OWASP New Zealand Day Diversity and Financial Aid Fund has been established to provide financial assistance to students at New Zealand universities. Each Diversity Fund sponsorship is intended to cover travel expenses for one New Zealand student, from outside the Auckland area, who will be attending or presenting at the conference. Each Diversity Fund support recipient will receive funding for return airfare from their nearest domestic airport to Auckland International Airport, two night's accommodation in a lodging near the conference venue, and return shuttle transportation between the airport and the accommodation.

Sponsorships Available: No Limit

General Rate: $750

Benefits:

  • Sponsor logo displayed on conference Web page, as a Diversity Fund Sponsor
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

9. Door Prizes

At the closing session of the conference, the OWASP New Zealand Day Committee will conduct a series of random drawings, awarding donated items to attendees, who must be present to win. There is no minimum or maximum value required for donated items, nor is the number of items provided subject to any limit. It is recommended that items provided be of interest to the conference's target audience, rather than of a generic nature.

Sponsorships Available: No Limit

General Rate: In-Kind Donation

Benefits:

  • Verbal recognition, at the time of the prize drawing, as the donor of the prize

10. Other Supporting Sponsorships

If your company would like to provide special items to attendees, funding for paid promotional advertising for the event, or other items that we haven't yet thought of, you are welcome to contact us to discuss your ideas.

Sponsorships Available: No Limit

General Rate: In-Kind Donation

Benefits:

  • Sponsor logo displayed on conference Web page, as a Supporting Sponsor
  • Visual and verbal recognition of sponsor at opening and closing sessions of conference

Notes

Sponsor Logos:

  • Logos are to be provided by the respective sponsors, as digital files (JPEG and PNG preferred)
  • Logos provided should be full colour
  • For lanyards and tote bags (including Platinum/Gold/Silver Sponsors), a single-colour version of the logo should also be provided, in a separate file. If a single-colour version of the logo is not provided by the sponsor, the OWASP New Zealand Day Committee reserves the right to electronically convert the full-colour logo to a single-colour version, or omit the sponsor's logo from the imprinted items if that proves infeasible.

Sponsor Banners:

  • Lobby and stage-side banners are to be provided by the respective sponsors, must be free-standing, and their size is subject to approval by the OWASP New Zealand Day Committee.
  • The conference venue includes two tracks, conducted in separate auditoriums; Platinum Sponsors may display one banner to the side of each auditorium's stage; Gold Sponsors may display a banner to the side of the stage in one auditorium. Gold Sponsors may express an auditorium preference, but final locations are at the discretion of the OWASP New Zealand Day Committee.
  • There will be a maximum of four (4) sponsor banners displayed in each auditorium, with placement priority given to Platinum Sponsors.

Promotional Items:

  • Printed materials are limited in dimensions to A4 size - either a single sheet, printed on one or both sides; or a single A3 sheet, folded in half
  • Small imprinted items are also acceptable - pens, stress balls, USB keys, fidget spinners, etc.
  • Design of printed materials and imprinted items are subject to approval by OWASP New Zealand Day Committee
  • RECRUITMENT: In addition to the promotional item allowances included in Premium Sponsorship Packages, any sponsor may provide one A5-size card with information on actual current vacancies for which candidates are actively being sought

All amounts listed are in New Zealand dollars (NZD)

Diversity and Financial Aid fund

Thanks to the generous support of our lovely sponsors, we have some funding available to help people from around New Zealand attend the OWASP NZ Day, who would otherwise find it hard to attend. In particular, we welcome applications from women, people of colour, LGBTIQ, and all others. You all deserve to be able to learn more about security, and we’ll do our best to help make that happen!

Our funds are limited, and we’ll be reviewing applications every week, starting at the end of January. Submit your application soon, so we can approve them promptly, and you’ll be in several review cycles!

Process:

  • Fill out our Application Form
  • We will review and approve applications each week. The first reviews will be completed by 29 January.
  • We will contact all applicants and let them know the result of the review.
  • Successful applicants will be contacted to help sort things out.

We use the following criteria to help us decide who gets approved:

  • We are biased towards (but not exclusively for) diverse applicants.
  • We do attempt to maximise cost efficiency and will aim to get as many people to OWASP as possible, with our limited funds.

Each successful recipient can choose whether to be kept anonymous (in which case only the OWASP NZ committee will know the details of your funding), or to be put in touch with the supporting company whose sponsorship is going towards your attendance. We think some of our sponsors may enjoy the opportunity to chat with you on the day talk about your experiences and plans for the future, but that’s totally optional and up to you.

If you have any questions, feel free to drop us an email: [email protected]

Code of Conduct

We want to make the OWASP NZ Day a welcoming environment for all attendees. To that end, we would like to remind you that all activities associated with this event are subject to OWASP's Conference Policies. At their core, these policies are intended to promote and maintain an inclusive, welcoming environment for all participants - actions detrimental to that environment are unwelcome.

Speakers, trainers and sponsors have all been reminded of these policies, and are expected to abide by them like all attendees.

If you have any concerns during the day, please seek out John, Austin, or Brendan. We will make ourselves visible at the start of the day, so you know what we look like.

Call for Presentations

UPDATE: The Call for Presentations is now CLOSED. The committee is reviewing the proposals received, and will be notifying submitters of their selection status shortly.

OWASP New Zealand Day conferences attract a high quality of speakers from a variety of security disciplines, including architects, Web developers and engineers, system administrators, penetration testers, policy specialists and more.

We would like a variety of technical levels in the presentations submitted, corresponding to the three focus areas of the conference:

Track One:

  • Introductions to various Information Security topics, and the OWASP projects
  • Policy, Compliance and Risk Management

Track Two:

  • Technical topics

Introductory talks should appeal to an intermediate to experienced software developer, without requiring a solid grounding in application security or knowledge of OWASP projects. These talks should be engaging, encourage developers to learn more about information security, and give them techniques that they can immediately return to work and apply to their jobs.

This being an OWASP conference, the selection process for talks in Track One will give priority to those related to OWASP's Projects, Tools, and Guidance (check out the current [OWASP Project Inventory](https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory) for more information). If multiple submissions are received related to the same OWASP Project/Tool, preference will be given to speakers actively involved as leaders or members of the respective project teams.

Technical topics are running all day and should appeal to two audiences - experienced software security testers or researchers, and software developers who have a “OWASP Top Ten” level of understanding of web attacks and defences. You could present a lightning, short or long talk on something you have researched, developed yourself, or learnt in your travels. Ideally the topics will have technical depth or novelty so that the majority of attendees learn something new.

We would also like to invite talks that will appeal to those interested in the various non-technical topics that are important in our industry. These talks could focus on the development of policies, dealing with compliance obligations, managing risks within an enterprise, or other issues that could appeal to those in management roles.

We encourage presentations to have a strong component on fixing and prevention of security issues. We are looking for presentations on a wide variety of security topics, including but not limited to:

  • Web application security
  • Mobile security
  • Cloud security
  • Secure development
  • Vulnerability analysis
  • Threat modelling
  • Application exploitation
  • Exploitation techniques
  • Threat and vulnerability countermeasures
  • Platform or language security (JavaScript, NodeJS, .NET, Java, RoR, Python, etc)
  • Penetration Testing
  • Browser and client security
  • Application and solution architecture security
  • PCI DSS
  • Risk management
  • Security concepts for C*Os, project managers and other non-technical attendees
  • Privacy controls

The submission will be reviewed by the OWASP New Zealand Day conference committee and the highest voted talks will be selected and invited for presentation.

PLEASE NOTE:

  • Due to limited funds availability, the conference budget does not include a plan to cover expenses for international speakers. However, if sponsorship funds are received for this purpose, we will issue a call for support applications from those outside New Zealand who have submitted proposals. Please indicate in the "additional information" section, whether you would be able to present without such support.
  • If you are selected as a speaker, and your company is willing to cover travel and accommodation costs, the company will be recognised as a "Supporting Sponsor" of the event.

Please submit your presentation on PaperCall.

Submission Deadline: Friday, 11th January 2019 (NOW CLOSED)

Applicants will be notified in the following week after the deadline, whether they were successful or not.

Call For Trainers

The Call for Trainers is now closed. Trainers selected to present training have been contacted, and details are now being finalised.

We are happy to announce that training will run on Thursday, 21 February 2019, the day before the OWASP NZ Day conference. The training venue will be Level 0, Rooms: case rooms 1(005), 2(057), 3(055), and 4(009), kindly provided by the University of Auckland School of Business, in the same building as the OWASP NZ Day conference itself. Classes can contain up to 69 students, with power for laptop usage and Wi-Fi. A wide range of half-day or full-day training proposals will be considered, see the Call for Papers for a list of example topics.

If you are interested in running one of the training sessions, please contact John DiLeo ([email protected]) with the following information:

  • Trainer name
  • Trainer organisation
  • Telephone + email contact
  • Short Trainer bio
  • Training title
  • Trainer requirements (e.g. a projector, whiteboard, etc)
  • Trainee requirements (e.g. laptop, VMware/VirtualBox, etc)
  • Training summary (less than 500 words)
  • Target audience (e.g. testers, project managers, security managers, web developers, architects)
  • Skill level required (Basic / Intermediate / Advanced)
  • What attendees can expect to learn (key objectives)
  • Short course outline

The fixed price per head for training will be $250 for a half-day session and $500 for a whole-day session. As this training is part of an OWASP event, part of the proceeds go back to OWASP. The split is as follows:

  • 25% to OWASP Global - used for OWASP projects around the world
  • 25% to OWASP NZ Day - used for NZ Day expenses
  • 50% to the training provider.

Submission Deadline: Friday, 21st December 2018

Applicants will be notified in the following week after the deadline, whether they were successful or not.