Presentation Abstracts and Speaker Biographies - OWASP New Zealand Day 2020
Opening Keynote
The Abridged History of Application Security
Jim Manico - Manicode Security
Abstract
Application Security began in the early ’60s, where plaintext password storage, no password policy, poor access control, and other massive security problems were the norm. This talk will review the history of application security to help illustrate not just how much application security has gotten better, but also how the rate of positive change has been getting better as well. This fun ride through the history of application security will help inspire those who work in the very stressful security industry. Security professionals are often looking closely at failure and insecurity as part of their work, which can be exhausting on many levels. But when we step back and look at our sector historically, we can all see just how much things genuinely are getting better.
Track One - Introductory and Management Topics
Session One (10:05 - 12:30)
High-Speed Security
Nick von Dadelszen - Lateral Security
Abstract
One constant in IT is that things change. And the pace of change increases over time. Change introduces risk, so how do organisations manage their IT security risk in this environment of constant and fast-paced change?
This talk delves into the issues posed by these changes for organisations and security teams in particular. It will cover concepts ranging from governance structures for dealing with change and risk, to technical change and current and emerging threats.
Speaker Biography
Nick is co-founder and technical director of Lateral Security. He has been working in the New Zealand security industry since the late ’90s and in that time has worked with the majority of New Zealand’s large organisations and government agencies.
Nick manages the delivery of Lateral Security’s services, which includes deep technical services such as penetration testing and red teaming, as well as governance and advisory services. Nick still likes to get his hands dirty and is a key security advisor to some critical government agencies.
The Perimeter Has Been Shattered: Attacking and Defending Mobility and IoT on the Enterprise Network
Georgia Weidman - Bulb Security
Abstract
Mobility and the Internet of Things (IoT) have disrupted the corporate enterprise network on the scale that PCs disrupted mainframes in the 1980s. Yet most enterprises continue to approach security as though there is still a hard perimeter with nothing but corporate-owned endpoints running against internal applications. Mobility, however, means employee-owned endpoints connecting over public carrier networks to cloud applications. Traditional perimeter security simply doesn’t address this. From mobile-based phishing to Bluetooth-based attacks, mobile and IoT have fundamentally changed the threat landscape. In this talk we will look at the modern threat landscape, the security controls currently available on the market (such as mobile threat defense and mobile application management), and provide real world examples of how they fall short under simulated attack. Finally, we will look at practical ways to improve enterprise security around mobile and IoT as well as cause the defensive products to evolve to be more robust.
Speaker Biography
Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She is a member of the CyberWatch Center’s National Visiting Committee, on the board of advisors at Cybrary, and an Adjunct Professor at UMUC and Tulane University. She is a New America Cybersecurity Policy Fellow. She has presented or conducted training around the world and is regularly featured internationally in print and on television. She authored Penetration Testing: A Hands-On Introduction to Hacking. Georgia founded the security consulting firm Bulb Security and was awarded a DARPA Cyber Fast Track grant for her work in mobile device security, culminating in the release of the Smartphone Pentest Framework. She founded Shevirah, whose products assess and manage the risk of mobile devices in the enterprise, and is a graduate of the Mach37 cybersecurity accelerator. She was the 2015 Women’s Society of CyberJutsu Pentest Ninja. She holds an MS in computer science and CISSP, CEH, and OSCP certifications.
What’s the Worst That Could Happen?
Petra Smith - Aura Information Security
Abstract
From digital surveillance to technology-facilitated abuse to algorithmic bias, you don’t have to go far to find examples of how technology can cause real harm to real people. Technology can fail or be abused in ways its creators never anticipated, and have serious unintended consequences, especially for people who are already vulnerable, marginalised or persecuted.
When we’re making something for other people to use, we want to make sure it’s safe and secure. Threat modelling is a great way to discover how the thing we’re building could be misused, but it relies on our ability to imagine all the ways that someone could use it to cause harm. How can we be confident that we’re keeping people safe when they face threats that are literally unimaginable?
To answer “what could go wrong,” we need to go beyond the power of imagination and get out of our comfort zone. Aimed at developers, testers and everyone else involved in making things people use, this talk will introduce practical actions you can take to get to know your most vulnerable users, and offer strategies for creating things with their safety and security in mind.
Speaker Biography
Petra grew up wanting to be Sailor Mercury – the nerdy blue-haired one who used computers to protect the world from cosmic evil. Now she’s a #purpleteam cybersecurity consultant at Aura Information Security, which is pretty close. She gets kind of ranty about privacy, trust, and making digital spaces safe and inclusive for everyone.
Session Two (13:30 - 15:30)
Māori Cultural and Ethical Considerations in Information Security
Karaitiana Taiuru
Abstract
If you are in government, this presentation will satisfy Treaty of Waitangi considerations; if you want to be respectful of Māori culture, this presentation is for you; if you are just curious, this is a good presentation to listen to; if you are a commercial company looking to secure Iwi and Māori clientele, this presentation will give you lots of great ideas.
It is important to state here that just because someone is Māori, it does not mean they were brought up Māori and understand Māori culture and language etc. Some Māori who were brought up Māori chose to simply ignore it and assimilate into modern society.
The hardest part about speaking about Māori cultural ethics and digital security is not to offer too much information on vulnerabilities that can be used against Māori by unethical security practitioners and in reverse by unethical Māori security people back in the law-abiding security community.
It is my intention to briefly touch on multiple topics to give you an idea of some of the ethical issues. More so, a number of ethical issues I have witnessed and anticipate will be common in the near future.
Biometric security, Artificial Intelligence, Big Data, Algorithms, DNA storage, Databases with names, data storage in the cloud are all new areas that have an impact on Māori culture and beliefs.
Speaker Biography
Ngāi Tahu, Ngāti Kahungunu, Ngāti Rārua.
Karaitiana Taiuru was immersed with traditional Māori knowledge from birth and spent his whole career in the digital sector. He uses traditional knowledge to express and highlight ethical considerations in technology and cyber safety issues.
Karaitiana is currently in his third year of a PhD researching customary beliefs and ownership of gene research and the impacts technology such as AI will have.
Karaitiana Taiuru JP, GDID, MMIL (Distinction), MInstD *STEAM Māori
Mūrere me te haumarutanga
Chris Cormack - Catalyst IT
Abstract
In a reprise of my Kiwicon talk in 2018, I will attempt to introduce some of the te reo Māori words for infosec concepts as well as explaining how/why those words were chosen.
Speaker Biography
Chris Cormack (Kāi Tahu, Waitaha, Kāti Māmoe) is Technical Lead Koha Team at Catalyst IT in Wellington. He has a BSc in Computer Science and a BA in Mathematics and Māori Studies. He was the lead developer of the original version of Koha, an open source, fully featured, scalable library management system, and believes in Free Software and allowing users the freedom to innovate.
Small, but fierce (but still small)
Erica Anderson (@Sputina) - SafeStack
Abstract
Most of us volunteer or work closely with small groups. These are the local community groups, the side gigs, the small family businesses, the weekend projects. These groups are small but mighty. They use data, technology, and systems to provide us a service to make our communities better places. We need them to exist; and we also need them to be secure. This talk is going to focus on the few, free steps that any small group can take to level up their security, the stories and reasoning behind them, and give you some mana for dispelling the security misconceptions that come with being small.
Speaker Biography
Her Twitter bio says “info sec, cat, and ketchup enthusiast”, which summarises her quite nicely. Erica is a space cadet (and principal security consultant) for SafeStack and leads their Wellington presence. She also causes general mayhem with Kiwicon, Kawaiicon, and (previously) BSides Wellington.
Keeping Up with the Joneses: Security from a Developer’s Perspective
Toni James - Lateral Security
Abstract
A real-life story about staying Sane and Secure when you’re working on the bleeding edge of web application development. Guaranteed to be filled with laughter, tears, anger, and awe at the incessant challenges developers face to build a modern product for millions of users, with as few vulnerabilities as possible, all while “Keeping up with the Joneses”.
This talk is designed to breed empathy for the developers that are faced with far more than just writing secure code. It will highlight the things we can do as a security community to empathise and assist developers facing a variety of pressures on a daily basis. Delivered with concrete options for developers, companies, and aspiring security professionals.
Speaker Biography
Toni is a snowboarder turned software engineer turned security consultant. She’s won a few scholarships in her quest to get more women into tech and her superpower is supporting others to do ‘all the things’. She’s a firm believer in ‘you need to see it to be it’ and puts herself out there so others will step up and challenge the status quo.
Session Three (16:00 - 18:00)
Same-origin policy: The Core of Web Security
Kirk Jackson - RedShield & Co-Leader, OWASP New Zealand Chapter
Abstract
The “same-origin policy” is a loosely defined set of rules that has evolved over the years since JavaScript was first introduced in 1995.
In this talk, Kirk will explain how origins work in your web browser, and why they are the fundamental protection against attacks like cross-site request forgery.
Along the way we’ll look at how you can leverage the same-origin policy to protect data on your site, and how you can bend it to your will to allow functionality to be hosted on multiple URLs – such as cross-origin resource sharing (CORS), postMessage and JSONP.
Speaker Biography
Kirk Jackson works at RedShield, leads OWASP Wellington meetup and has previously helped organise the annual OWASP NZ Day in Auckland.
Kirk worked as a web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.
Fighting an Uneven Battle: Simplicity versus Complexity in Web App Security
Sergey Ozernikov - ATTACK
Abstract
The more complex a system is, the harder it is to secure it. This is one of the fundamental security principles. But how does that relate to the web applications world? Economy of scale, modern frameworks, multiple levels of abstraction and proliferation of high level programming languages make our life simpler. But do they make it more secure? What design choices to make to streamline development and also maintain security? How to peek under a shiny disguise and make your own judgement about the security of a product or framework? In this talk we’ll explore these questions and decision making process when designing web solutions from both engineering and security perspectives. Add a sprinkle of DevOps and Cloud into the bowl and we’re in for a crazy ride towards the world of the unknown.
Speaker Biography
Sergey has over 10 years of experience in information security. Over the last few years he has been working as a security consultant in both internal and external facing roles. He has a particular interest in web application security, focusing on breaking online applications as well as helping build secure ones.
PCI-DSS-WTF?
Peter Jakowetz - Ministry of Justice
Abstract
The PCI-DSS standard is a pretty big document, and contains a lot of information, but what does a developer need to know from there to get their job done?
This talk discusses the following:
- Summary of what’s in the PCI-DSS
- Summary of why it’s important, and that it is really just a minimum standard for good practice
- How it compares to other standards
- What the different acronyms mean (SAQ, AOC, ROC etc)
- What are the key bits for developers
- What testing can developers do to make this work for them
- What can be automated by developers to make this work for them
- How do you benefit by meeting the standard
Speaker Biography
I’m Peter Jakowetz, a security architect based in Wellington, NZ. I enjoy finding the simple solution to problems, and breaking things down into understandable chunks. When I’m not at work, I’m usually busy in the garage working on my 1968 MG Midget, renovating the house, gardening, or helping light concerts for local choirs.
Track Two - Technical Topics
Session One (10:05 - 12:30)
A Pentester’s Guide to Automating Security
Benjamin Kearns (pipeline) - Lateral Security
Abstract
The best time to find application security vulnerabilities is while you’re still working on the relevant code. This talk will cover a number of semi-automated techniques you can use to identify security vulnerabilities early, and catch any regressions later down the track.
For anybody also responsible for infrastructure, this talk will briefly cover some ideas on how to automate the hardening of systems and implementing security infrastructure.
Speaker Biography
Hi, I’m pipeline. I’m a reformed Rails developer originally from Christchurch. For the last 7 years, I’ve been breaking all manner of things for Lateral Security in Wellington. In my spare time I like to build things which make breaking things easier. Then I test them on unsuspecting bug bounties.
Improving Identity Management with W3C Verifiable Credentials
David Chadwick - University of Kent
Abstract
The W3C Verifiable Credentials Data Model was published as a Proposed Recommendation in September 2019, and it places the user at the centre of identity eco-systems.
Users receive their VCs from issuers, store them locally in digital wallets on their devices, and then present them to service providers when required, in order to access their protected resources.
VCs are privacy protecting: they support selective disclosure and least privileges, and they make it much easier for issuers and service providers to comply with GDPR.
This presentation will introduce the concept of VCs to the audience, and show how they overcome many of the deficiencies in today’s federated identity management systems. The presentation will also show how VCs can be combined with the W3C Web Authentication recommendation (FIDO2) in order to provide strong authentication and strong authorisation on the web. Our implementation completely removes the need for usernames and passwords, thereby making identity management systems more secure and less susceptible to identity theft.
Speaker Biography
David has been Professor of Information Systems Security at the University of Kent for 15 years, specialising in authorisation, access control, identity management, trust management and PKI. For the last two years he has been a co-author of the W3C Verifiable Credentials Data Model proposed recommendation, and together with colleagues from the University of Toulouse, built a prototype Verifiable Credentials identity eco-system using an enhanced FIDO protocol. He is currently being funded by Innovate UK to convert the prototype into a commercial minimum viable product to launch via a new university spin-out, Verifiable Credentials Ltd (www.verifiablecredentials.info).
Scanning Your Container Images using Anchore
Vince Sesto - Foodstuffs North Island
Abstract
I would like to show the audience how easy it is to start using the Open Source version of Anchore to start scanning Docker images for vulnerabilities. My presentation will cover the following details:
- Why should you be scanning your Docker images
- Introducing Anchore for image scanning
- Set up and installation of Anchore API and CLI
- How to scan your images for vulnerabilities
- Some interesting finds I have made when using Anchore
Speaker Biography
DevOps Engineer, Endurance Athlete and Author. I am currently writing a book for Packt Publishing on Docker and am currently writing a specific chapter just on security aspects on Docker. I currently work as a DevOps Engineer at Foodstuffs North Island and have been working in Technology for over 10 years in both Australia and New Zealand. I have written 3 books previously and do a lot of Journalistic writing on Medium.com.
https://www.linkedin.com/in/vincesesto/
Teaching an Old Dog New Tricks
Brett Moore - Insomnia Security Specialists
Abstract
Brett will go over a handful of bugs Insomnia Security has uncovered over the last few years which are interesting, becoming more common, and provide an insight into some of the application layer vulnerabilities that applications are vulnerable to; beyond XSS and SQLi. This will include code extracts, explanations and walk-through of various bugs, and several demos of these in action.
Speaker Biography
Brett has been working in IT security since last century, and if his memory holds out, he will prove that being in management hasn’t completely ruined his technical abilities.
Session Two (13:30 - 15:30)
Wyh Ranmdnoses Mattres
Frans Lategan - Aura Information Security
Abstract
Computers are deterministic, i.e. predictable, yet need randomness for tasks such as key generation, games of chance and jitter. Various mathematical algorithmic generators are used as sources of randomness, but they are not all equal - some can be broken. Although this is generally known, many of the details are left as “exercises for the reader”, or require exclusive access to the outputs (no missing values).
This talk shows how easy it is to “break” the nextInt() function of java.util.Random (many examples can be found on the Internet).
But wait, there is more! This talk also shows how to predict the output from the nextInt(n) function, (usually left as an exercise for the reader), even when some captured values are missing (such as when some other pesky users are also interacting with the site, or you don’t get to see the other players’ cards…) There will be code and demos.
Speaker Biography
Frans Lategan is a principal security consultant with Aura Information Security. He used to be a developer, worried about privacy before privacy was a thing (to the point of getting a Ph.D. in Privacy on the Internet back in 2002), and has been known to let the “magic smoke” escape from electronics at times. He has not yet managed to capture the magic smoke and put it back into the chips it came from to make them work again. His key areas of expertise are penetration testing, security consulting, cryptography and source code review. He has assessed systems ranging from small mobile applications to Wi-Fi networks and large corporate networks to ATM security, as well as multiple web applications. He has a passion for all areas of cybersecurity. His soldering skills are poor.
Web App Attacks of the Modern World
Karan Sharma
Abstract
Web application technologies evolve day by day and so does the attack surface. In this talk I’d like to cover the latest web attacks that are making noise and are being exploited in the wild. Come join me in this talk to learn about HTTP Desync, SSRF, JWT, web cache poisoning attacks and others.
Speaker Biography
Karan works as a pen tester for one of the leading telcos of NZ. He’s been in the security industry for more than 9 years. He has a true passion for breaking & fixing web and mobile apps. He enjoys doing web/mobile application security research in his free time and loves sharing his knowledge with others. If you want to shout things at him, he’s @R00T on Twitter.
Use OSINT to Keep Up with AWS
Oliver (Olly) Ewert
Abstract
How do you control access to a deluge of new AWS features and services? Which Actions are just usability tweaks, which will let you publish a database snapshot to the world? Whitelist and “slow innovation” or blacklist and “hope nothing bad happens”? The missing tool for keeping up!
With re:Invent just before Christmas and a tonne of new features and services, how are security teams meant to keep up with a deluge of new things to control access to? Is this extra Action just an extension of an existing feature, or will it inadvertently give developers the ability to publish a database snapshot to the world? In lieu of AWS actually publishing useful information needed to make access control decisions for new features and services in one central place, we built a tool that leverages open-source data sources published by AWS to collate relevant information into a consumable format. This talk will cover a little about how we find and consume OSINT from AWS to programmatically learn about new features and services, how we turn that into usable intelligence and finally how you can use the output to help secure your AWS environment.
Speaker Biography
Security Engineer and Open Source contributor, Olly has spent the last 5 years wrangling security in AWS and knows the pain of trying to strike the balance between giving developers freedom to use the best tools while not running the risk of accidentally exposing critical assets to the world.
Session Three (16:00 - 18:00)
Security in our code reviews? Check!
Daniel Zollinger - SafeStack
Abstract
These days, many teams have rolled mandatory code reviews into their build pipeline. But every team reviews code differently. Worse, every team member reviews every merge request differently. Could your team be catching bugs sooner and with more consistency?
Code reviews can be a powerful security tool with the help of the humble checklist. We’ll look at what makes a good checklist, how easy it can be to get it wrong, and how to introduce one to your team’s workflow without making your colleagues hate you. And you’ll get a code review checklist you can adapt to your own team’s needs.
Speaker Biography
Daniel is a Security Consultant for SafeStack. Despite 15 years in development and ops, he somehow remains an optimist. He loves a hot take, thinks checklists are cool, and would love to hear about your code review process. No, really.
A Recipe for Password Storage: Add Salt to Taste
Nick Malcolm - Aura Information Security
Abstract
Storing passwords is as simple as following a recipe when developers use their frameworks, but there are sometimes choices to make when it comes to ingredients and amounts. Argon, PBKDF2? What’s a Salt? How many rounds?
Join me on this cooking-themed presentation on password storage!
Every time a website gets breached you hope to hear “your password was salted and hashed” instead of “your passwords were stored in plain text” - but what does that actually mean, and why is it a good thing?
Wash your hands, don your apron, and join me as we follow the recipe for storing passwords safely. We’ll learn a bit about cryptography and one-way functions (that’s the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times we must stir the mix, and what happens if we miss a step? In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!
Speaker Biography
Nick specialises in Application Security and works as a consultant at Aura Information Security in Wellington. He runs secure developer training and gets embedded in development teams to offer security advice. He regularly presents at meetups and conferences, including OWASP Day 2017, AppSec AU 2017, and CyberCon AU 2018.
Self-Service SSH Certificates
Jeremy Stott
Abstract
SSH is the trustworthy hammer relied on for decades to remotely connect to computers. Even pushing/pulling code to GitHub uses SSH. But how do you manage access for everyone on all your servers? (well,… not just anyone)
This talk will show how SSH certificates solve pain points in growing teams!
SSH certificates are an under-utilised feature of OpenSSH, but they offer a fantastic method to solve some pain points of growing teams and growing infrastructure.
Hosts only trust a single public key of a trusted certificate authority instead of keys from every developer (and let’s be honest, several who are no longer working at your company :uhoh:). SSH certificates expire (this is good), and can also tell SSH what you can or can’t do with your session. They can even help mint a new user on a brand new trusting host, or enable sudo.
Similarly clients can trust a single public key of a trusted certificate authority for host keys, and not need to constantly remove entries in your ~/.authorized_hosts file when a host changes their key (and verify the new fingerprint… right… right..?).
Nobody wants more (any?) PKI to manage, so a scalable self-service method is presented using existing and new open source software to let people in large teams onboard themselves safely.
Speaker Biography
Jeremy is a software engineer, with a focus on security. He most recently worked at Vend as a security operations engineer for a few years. He has a slightly suspicious history of remotely triggering access control buttons, (not) building spark gap transmitters, and breaking fuel discount barcodes. Jeremy has a background in software engineering and electronics, and dabbles a little bit in the mad scientific arts.
Track Three - OWASP Projects and Tools
Session One (10:05 - 12:30)
OWASP Top 10 Overview
Kirk Jackson - RedShield & Co-Leader, OWASP New Zealand Chapter
Abstract
The OWASP Top 10 is the flagship project for the OWASP foundation, and the first thing people think of.
This talk will introduce you to the OWASP Top 10 and get you excited about the rest of the day!
Speaker Biography
Kirk Jackson works at RedShield, leads OWASP Wellington meetup and has previously helped organise the annual OWASP NZ Day in Auckland.
Kirk worked as a web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies.
Building Secure Mobile Apps: You don’t have to learn it the hard way!
Sven Schleier - Co-Leader, OWASP MSTG and MASVS Projects
Abstract
Have you ever wanted to know what attacks against a mobile app you should be concerned about, e.g. is it possible to bypass Touch ID? In this talk I will make a deep dive into the security of apps, and then head off into some nice mobile hacking demos. Want to secure your mobile app? See you there!
Speaker Biography
Sven made several stops at big consultant companies and small boutique firms in Germany and Singapore and became specialised in Application Security and has supported and guided software development projects for Mobile and Web Applications during the whole SDLC. Besides his day job Sven is one of the core project leaders and authors of the OWASP Mobile Security Testing Guide and OWASP Mobile Application Security Verification Standard and has created the OWASP Mobile Hacking Playground. Sven loves to share what he has learned by giving talks and workshops about Mobile and Web Application Security worldwide to different audiences, ranging from developers to students and penetration testers.
https://www.linkedin.com/in/sven-schleier-98259194/
https://twitter.com/bsd_daemon
Session Two (13:30 - 15:30)
OWASP Project Overviews: Top Ten, ASVS, Proactive Controls, Java Encoder, HTML Sanitizer
Jim Manico - Co-Leader, OWASP Application Security Verification Standard (ASVS) and Proactive Controls Projects
Abstract
Speaker Biography
Session Three (16:00 - 18:00)
OWASP SAMM2: Your Dynamic Software Security Journey
John Ellingsworth - Co-Author, OWASP SAMM Project
Abstract
OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture.
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organization. Yet, trying to achieve this without a good framework will most likely lead to just marginal and unsustainable improvements.
OWASP Software Assurance Maturity Model (SAMM) gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.
In this talk, we give an overview of the new release of the SAMM model. Ten years after its first conception, it was important to align it with today’s development practices. We will cover a number of topics in the talk:
- (i) the core structure of the model, which was redesigned and extended to align with modern development practices,
- (ii) the measurement model, which was set up to cover both coverage and quality, and
- (iii) the new security practice streams, where the SAMM activities are grouped in maturity levels.
We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.
Speaker Biography
John is a security principal at a Fortune 1000 company, where he helps software development teams build and deliver secure enterprise solutions. When not delivering secure software solutions, he can be found hanging out with his family, often outdoors, and probably scaling mountains. John is the chapter leader of OWASP Maine, and on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project.