Presentation Abstracts and Speaker Biographies
OWASP New Zealand Day 2023
Conference Keynote
OWASP: Tracing the Journey of Web Application Security from Past to Future
Vandana Verma Sehgal - Chair, OWASP Global Board of Directors
Thursday, 10:05
Abstract
The Open Web Application Security Project (OWASP) has profoundly influenced the cybersecurity arena since its inception in 2001, primarily focusing on web application security. This talk outlines the evolution of OWASP, beginning with its establishment and early development of the influential OWASP Top Ten - a document identifying the most prevalent security risks to web applications. We then shift to a discussion of the present day, where OWASP has grown into a global entity, offering a variety of tools, documentation, and community resources that contribute significantly to cybersecurity best practices.
Finally, we delve into the future of OWASP, conjecturing its direction based on emerging trends in web applications and cybersecurity. This includes speculation on how OWASP will continue adapting to the evolving threat landscape and the growing complexity of web applications. Through this exploration, we illustrate how OWASP’s journey reflects the evolution of web application security itself and its increasing relevance in a digitally interconnected world.
Speaker Biography
Vandana Verma Sehgal is a Security Leader at Snyk. She is a member and Chair of the OWASP Global Board of Directors. Her experience ranges from application security to infrastructure security, and she now works in product security. She also works with various communities on diversity initiatives, including InfosecGirls and WoSec. She has been a keynote speaker, speaker and trainer at various public events, ranging from global OWASP AppSec events to BlackHat events to regional events such as BSides in India.
Vandana is a member of the Black Hat Asia Review Board, as well as the review boards of multiple other conferences, including Grace Hopper India and OWASP AppSec USA, to name a few. She is also one of the organisers of BSides Delhi.
She has been the recipient of multiple prestigious awards, including the Cyber Security Woman of the Year Award 2020 from Cyber Sec Awards, recognition as a global cybersecurity influencer in IFSEC Global’s “Top Influencers in Security and Fire” category for 2019, and the Cybersecurity Women of the Year award from the Women Cyberjutsu Society in the “Secure Coder” category. She has also been listed by Instasafe as one of the top women leaders in technology and cybersecurity in India.
Accepted Talks
Presentations are listed below, in alphabetical order by title.
Breaking Mobile App Defenses with Frida and Reverse Engineering
Shofe Miraz - CyberCX
Track Two - Thursday, 14:25
View: Video (YouTube, 25:12); Slide Deck (PDF, 2.6 MB)
Abstract
Mobile app testing can often be challenging, especially when built-in anti-tampering detection is in place. Join us as we explore the secrets of bypassing these checks and share practical tips for developers to make reverse engineering and tampering with mobile applications more difficult.
Description
Are you a mobile app developer interested in safeguarding your app from tampering and reverse engineering attempts? Or are you a security researcher curious about the latest techniques for bypassing anti-tampering libraries in modern mobile applications?
After evaluating several mobile applications built using Flutter and similar frameworks, we have noticed the use of anti-tampering libraries, particularly in financial applications, to detect and prevent the app from running on modified or higher-privilege devices. While this approach may provide some assurance to companies and developers, it poses a challenge for security researchers who wish to analyse the application's security. Bypassing these checks can also be time-consuming, due to the extensive checks performed by popular frameworks such as IOSSecuritySuite for iOS and RootBeer for Android.
In this presentation, we will discuss the difficulties of working with precompiled applications where the source code is not readily available. We will share reverse engineering techniques to identify the functions responsible for the anti-tampering and anti-root detection checks. Furthermore, we will attempt to bypass the checks with the use of a well-known dynamic instrumentation framework, Frida. The aim is to demonstrate that, with the appropriate tools and some patience, it is possible to overcome these protection mechanisms.
The talk will also provide developers with guidance on making these tampering and reverse engineering efforts more difficult. The primary message is that, while it is feasible to bypass most checks given enough time and effort, adding complexity to the app’s security measures can still discourage the competition.
The presentation includes a few technical aspects, such as the source code of these open-source detection libraries, assembly code, and a demo of the tools in action. While experience with mobile app testing is advantageous, it is not required for this talk.
Speaker Biography
Shofe Miraz works as a security consultant for CyberCX. He has four years of combined industry penetration testing experience, is particularly interested in web and mobile application security, and loves sharing his knowledge with others. Outside of work, he actively co-organises and presents at a monthly security meetup, "Hack And Learn," where he facilitates learning both hacking and defending using various tools and techniques.
Bypassing Anti-Virus using BadUSB
Cristian Cornea
(Remote Presentation)
Track Two - Thursday, 16:05
View: Video (YouTube, 29:20)
Abstract
During this presentation, we will look at how we can bypass most anti-virus detection using a payload embedded on a BadUSB device, resulting in a "silver bullet" for gaining initial access inside a victim network. A demo will also be included during the presentation.
Description
Agenda for the presentation:
- AMSI Bypass Development
- Execution Policy Bypass
- Payload Runner Development
- Deploying Attack using BadUSB
- Post-Exploitation Persistence
- DEMO
- Prevention
Speaker Biography
Cristian Cornea is a highly credentialed (OSCE | OSEP | OSWE | OSCP | CEH | CPTC | PenTest+ | eWPT | ECIH | CREST) InfoSec professional, providing pentesting and security consultation for clients all over the world: Australia, U.S., U.K., Middle East, Singapore, India, Central Africa, and Europe. He has been a trainer for the U.S. Department of Defense, the Slovenian National Bureau of Investigation, and the Polish Military CERT; a speaker at Defcamp, HEK.SI, RST Con, HackTheZone, and Unbreakable; and an EC-Council Certified Ethical Hacker (CEH) Scheme Committee Member. He is also an InfoSec writer on Medium.
FOSSology: OSS for Open-Source License Compliance
Gaurav Mishra - Siemens
Shaheem Azmal M MD
Track Two - Friday, 11:30
View: Video (YouTube, 26:29); Slide Deck (PDF, 1.7 MB)
Abstract
FOSSology is an open-source license compliance software system and toolkit. The tool allows scanning, analysis, and reporting of license, copyright, and export control information, among other things. It can enhance automation capabilities and can generate SBOM-like SPDX output with licensing and copyright information.
Description
FOSSology is an open-source license compliance software system and toolkit. As a toolkit, you can run automated license, copyright, and export control scans from the command line. As a system, a Web interface provides you with a compliance workflow. License, copyright and export control scanners are tools used in the workflow.
FOSSology is a well-regarded tool for open source license compliance and related tasks. The tool has advanced capabilities that allow users and experts to analyse the results in a web UI. At the same time, the tool has a robust set of CLI tools for interaction. Recently, the tool has enhanced its REST API to open up possibilities for integration with other tools and pipelines.
We will be presenting and highlighting the features of FOSSology along with the REST API endpoints. The REST endpoints can be used as a starting point for any integration. We will also include a demo integration of license and copyright scanning using FOSSology in a CI environment.
After the talk, you will be able to analyse open source components, understand the licenses and obligations that apply to them, and generate various reports. FOSSology supports creation of DEP5 format, SPDX RDF and Tag-Value format, along with its own Word report and CLIXML reports.
Read more about FOSSology: https://fossology.org
Speaker Biographies
Gaurav Mishra has been working as a Research Professional at Siemens for over five years, and specifically in the license compliance space with the FOSSology OpenSource organization for the past five years. He is a maintainer and developer of the FOSSology, Atarashi, and Nirjas projects under the org. Gaurav has also mentored college students participating in Google Summer of Code since 2018, and underprivileged students with Katalyst NGO.
Shaheem Azmal M MD - No biography provided
Fantastic Cloud Security Mistakes and How to Find Them
Sarah Young - Microsoft
(Remote Presentation)
Track One - Thursday, 11:30
View: Video (YouTube, 28:12); Slide Deck (PDF, 4.2 MB)
Abstract
Many cloud security breaches start from implementation mistakes, whether bad coding practices, misconfiguration, or something else. Before (best case) your security team or (worst case) an outside attacker finds them, how can you be proactive about finding and fixing common security mistakes?
Description
In this session, we will look at the most exploited cloud security mistakes and what you can do to prevent them from happening in your environment.
The talk's breakdown is as follows:
- Today's threat landscape
- Perception vs. reality
- Top security mistakes and remediation by area:
  - Identity
  - Endpoint management
  - Apps
  - Data Monitoring
Speaker Biography
Sarah Young is a Senior Cloud Security Advocate working at Microsoft. She has lived all over the place, but currently calls Melbourne home. Sarah has been working in cyber security since before it was cool, holds numerous industry qualifications, and has co-authored a few Microsoft Press technical books. In 2019, Sarah won the Security Champion award at the Australian Women in Security Awards. She is an active supporter of both local and international security and cloud native communities. Sarah spends most of her spare time speaking at security conferences in various parts of the world, eating hipster brunches and high teas, and spending a disproportionate amount of her income on her dogs.
From DevOps to DevSecOps
Karan Sharma - Wise Fox Security
Track One - Friday, 10:35
View: Video (YouTube, 42:17); Slide Deck (PDF, 10.8 MB)
Abstract
Are you struggling to balance security and agility in your organization? Join my talk on Implementing DevSecOps to learn practical tips and best practices for integrating security into your DevOps pipeline. Transform your organization's security posture and drive innovation with confidence.
Description
In today's rapidly evolving threat landscape, it's critical to integrate security into every stage of the development lifecycle. However, traditional security approaches can hinder agility and innovation. This is where DevSecOps comes in, providing a framework for building security into the DevOps pipeline. In this talk, I will share practical tips and best practices for implementing DevSecOps in your organization, including how to integrate security as code, use automated security tools, and conduct regular testing and reviews. Join me to learn how to transform your organization's security posture and drive innovation with confidence. Don't miss out on this essential topic for any modern organization.
We will cover topics such as:
- What is DevSecOps and its benefits?
- Importance of security in DevOps
- Challenges while implementing DevSecOps
- How to overcome such challenges
- Integrating Security into DevOps Processes
- Best Practices for Implementing DevSecOps and more
Speaker Biography
Karan Sharma has been in this field for over 12 years. He has worked as a pentester for NZ telcos, banks, health sector organisations and manufacturing companies. He now runs his own security consulting company, Wise Fox Security, which offers services in the offensive security and DevSecOps space. He has also completed a few of the 'customary' certifications, including OSWE, OSCP, eWPTX and Certified DevSecOps Professional (CDP). Karan has spoken at a number of other security conferences. He has a YouTube channel you can subscribe to (Wise Fox Security). Other than InfoSec, Karan loves watching and playing football, evening runs with his dog, and going to the gym.
How to Have Visibility and Security of Your CI/CD Ecosystem
Pramod Rana - Netskope
Track Two - Thursday, 10:55
View: Video (YouTube, 27:31)
Abstract
I will present how an organization can approach the visibility, and thus the security, OF their CI/CD ecosystem, some common attack areas - access controls, credentials hygiene, misconfiguration, etc. - and possible solutions. I will introduce CICDGuard, a graph-based CI/CD ecosystem visualizer and security analyzer.
Description
CI/CD platforms are an integral part of the overall software supply chain, and they process a lot of sensitive data, the compromise of which can affect the entire organization. Security IN CI/CD is a well-discussed topic; security OF CI/CD deserves the same attention.
One of the challenges with security of CI/CD, like most areas of security, is the lack of visibility regarding what actually makes up the CI/CD ecosystem. Security starts with being aware of what needs to be secure.
In this talk, I will be presenting how an organization can approach the visibility, and thus the security OF their CI/CD ecosystem, along with some common attack areas like access controls, credentials hygiene, misconfiguration, etc., and their possible solutions.
I will introduce CICDGuard - a graph-based CI/CD ecosystem visualizer and security analyzer, which:
- Represents the entire CI/CD ecosystem in graph form, providing intuitive visibility and solving the awareness problem;
- Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws; and
- Supports a variety of technologies - GitHub, GitHub Actions, Jenkins, JFrog, Spinnaker, and Drone.
Speaker Biography
Pramod Rana is author of the following open-source projects:
- Omniscient - LetsMapYourNetwork: a graph-based asset management framework
- vPrioritizer - Art of Risk Prioritization: a risk prioritization framework
- sec-depend-aider - Dependabot pull request monitoring automation platform
He has presented at BlackHat, Defcon, nullcon, OWASP Global AppSec and GrayHat before.
He leads the application security team at Netskope, with a primary focus on integrating security controls in the development process and providing Security Testing-as-a-Service to other teams. He loves to understand new security practices and how to practically implement them.
Leverage OWASP Projects and Tools to Secure Your SDLC
Raafey Khan - CyberCX
Track One - Friday, 11:30
View: Video (YouTube, 25:23)
Abstract
OWASP has over 200 projects to help you build secure software. I'll be talking about one of my favourites - the Software Assurance Maturity Model (SAMM) - and how you can use other OWASP projects and tools to meet the requirements and mature your application security maturity.
Description
The OWASP Software Assurance Maturity Model (SAMM) is a great resource to understand your current application security maturity and what activities you need to undertake to mature your application security practices. In this talk, I'll provide a "how-to" guide on implementing these activities across the 5 SAMM domains using various other OWASP projects, tools and frameworks.
Speaker Biography
Raafey Khan is an eternal security optimist. His goal is to help organisations understand their cyber risk and why they should at least try to embed security into their development processes.
Raafey leads the Application Security team for CyberCX globally, with a focus on automating everything and making security simple for development teams.
MPT: Pentest in Action
Jyoti Raval - Harness
Track Two - Thursday, 11:30
View: Slide Deck (PDF, 478 KB)
Abstract
In the ever-evolving software development world, security is also becoming fast paced. Hence, each product going through the pentest cycle has to be managed effectively and efficiently. Managing multiple pentests and testers is important, and a single-pane-of-glass view of all of them, together with risk posture, is helpful.
Description
Security penetration testing is becoming as necessary and as usual a practice as software testing. Most, if not all, organisations either have their own penetration testing team or they utilise third-party pentesters.
Imagine any fast-paced organisation developing multiple product lines and planning to release each of them from time to time. It becomes challenging for the organisation's security team to efficiently manage all of the pentest activities running, effectively produce security assessment reports, and track them.
Because of this volume of work, the number of pentesters in organisations is increasing to keep up. Each pentester is doing multiple pentests. The next cycle of a previous pentest can get assigned to another pentester. Each pentesting cycle has issues and recurring issues. And above all, managing all of this using Excel worksheets is a nightmare.
A pentesting activity knowledge base is a must. A single-pane-of-glass view of all pentests running, and the issues identified, is a necessity for everyone involved in the security review cycle.
To solve these challenges, I have developed a solution called Managing Pentest (MPT): Pentest in Action.
MPT helps us solve various problems:
- Asset DB to know all organisation assets that are in pentest process. You can’t secure what you are not aware of!
- Tracking each pentest
- Pentesting activity knowledge, which comprises what a particular application does, or the purpose of the hardware that we are testing
- When the next pentester takes over the testing all they have to do is view the asset and associated information, which is already there
- Time taken for each pentest
- Real time tracking of activity
- Issue status
- Common issues that are observed
Why MPT? MPT also provides security pentest analytics, which helps us not only track and view everything in a single pane of glass but also:
- Finding improvement areas to boost pen tester productivity
- Understand the current risk posture
- Understand recurring issues
- Average amount of time taken for each pentest vs. asset size
- Average high/medium/low fixing time
- Highest number of vulnerabilities fixed in a year
- Class of new vulnerabilities coming
- Developer trends
- Open findings
- Critical assessments
- Asset health
- Top pentester reported findings
- Average busy time for each pentester
Speaker Biography
Jyoti Raval works as a Staff Product Security Engineer at Harness. She is responsible for securing the product end-to-end and is involved in various phases of the security life cycle. She is the author of the Phishing Simulation Assessment and MPT tools, and has presented at Defcon, BlackHat, Nullcon, HITB, and Infosec Girls. She also heads the OWASP Pune chapter.
Managing Bug Bounty Programs: A learning journey
Cat Salanguit - Lightspeed
Track One - Thursday, 15:30
View: Video (YouTube, 22:47); Slide Deck (PDF, 13.6 MB)
Description
Our systems will be hacked. This is the only reasonable cybersecurity prediction we can make. If we are at risk of being hacked, the best scenario would be to be hacked by friendly forces so we can plug the hole immediately. This will render the vulnerability useless for malicious attackers. How can we find these vulnerabilities faster?
The answer is simple: Ask those who see something to say something.
At our organisation, we saw the importance of understanding the most significant threats facing the cloud environment. We’ve asked security researchers on the Internet for help and invited them to test us and let us know what they find, through a responsible way of submitting their security findings to us. Since many people are testing our application, we launched a bug bounty program to reward security researchers with monetary rewards for their efforts in reporting security issues to us.
Speaker Biography
Cat Salanguit works at Lightspeed, where she currently looks after the company's Application Security and manages its Bug Bounty programs. She worked in the security consulting space as a pentester before joining Lightspeed. Cat is passionate about helping folks get one step closer to doing what they want to do securely. Outside work, you can find Cat indulging in activities that fuel her creativity and curiosity. She is a dedicated cat lover. On the side, she enjoys reading books, drinking iced coffee, hiking, travelling the world, and chasing sunsets.
OWASP Top 10 Overview
Kirk Jackson - Lightspeed / OWASP NZ
Track One - Thursday, 10:55
View: Video (YouTube, 26:34); Slide Deck (PDF, 1.1 MB)
Abstract
The OWASP Top 10 is a flagship project for the OWASP foundation, and the first thing people think of.
This talk will introduce you to the OWASP Top 10 and get you excited about the rest of the day!
Speaker Biography
Kirk Jackson works at Lightspeed, co-leads the OWASP Wellington meetup and has previously helped organise the annual OWASP NZ Day in Auckland.
Kirk worked as a web developer before switching to the defence team - setting up Xero’s security practice, working as a pen tester, and in defence roles at several companies. Mastodon: @kirk@pageofwords.com
Privacy by Design: A standard approach in software development?
Chris Esther - Konpura
Track Two - Friday, 10:00
View: Video (YouTube, 32:04); Slide Deck (PDF, 9.6 MB)
Abstract
How should we approach the privacy of personal information when designing new software systems? In this session, we will review the concept of Privacy by Design, developed by Ann Cavoukian, and examine the recent associated ISO 31700 standard, using an example software system.
Description
In February, the International Standards Organisation (ISO) published ISO 31700, which provides a standardised approach to Privacy by Design (PbD). In this session, we will review the concept of PbD and examine what contribution the ISO standard provides. We will use a real-world example application to illustrate the PbD principles.
Speaker Biography
Chris Esther has significant experience in software development and information security, gained within the financial services, media and digital, and consulting sectors. He has held senior technology and information security roles in London and New Zealand. Chris has provided security architecture, PCI DSS, ISO 27001, BCP, and privacy advisory to a wide range of commercial and government organisations in New Zealand.
Protecting Pipelines: Secure software delivery using the OWASP CI/CD Top Ten
Julian Simpson - SafeAdvisory
Track Two - Friday, 14:25
View: Video (YouTube, 23:58); Slide Deck (PDF, 6.0 MB)
Abstract
When they work well, CI/CD pipelines have been a game changer for delivering software to users. This talk covers the evolution of pipelines from their humble beginnings, how we get them wrong, and how to secure your CI/CD systems and pipelines so they deliver exactly what you want, and no more.
Description
It's amazing what we can do these days with CI/CD pipelines. They've eliminated a lot of technical gruntwork and allowed teams to deliver like never before.
What we don't celebrate so much is what a choice target CI/CD systems are for insider and external threat actors. Some systems make it too easy to subvert pipelines and convince them to do bad things. In this talk, we’ll cover:
- The origins of CI, and some of the origins of CI/CD in software projects from the turn of the century until 2020;
- Why all the pipelines are YAML these days, and what a good enterprise CI/CD pipeline can look like, including security tools; and
- How to think about the security of your pipelines and CI/CD systems, using OWASP CI/CD Top 10.
This talk isn't tool-specific, but examples will be shown in tools like Azure DevOps or Buildkite. We'll share some of the example pipelines for attendees to refer to later.
Speaker Biography
Julian Simpson used to be all about getting software across the last mile into production. Now that nobody so much as blinks while deploying several times a day, Julian is all about securing that software and the tools we use to spin it.
Accordingly, Julian is a security consultant for Safe Advisory, specialising in DevSecOps and cloud security. Previously Julian has been (in no particular order) a Systems Administrator, DevOps Consultant, Jack of All Trades at startups, in New Zealand, UK, USA, and Sweden. Julian lives in Auckland and likes getting out on 2 wheels at the weekend.
Revamping OWASP DevSecOps Guidelines
Milan Singh Thakur
(Remote Presentation)
Track One - Friday, 13:30
View: Video (YouTube)
Abstract
This talk will present a deep dive into the revamped OWASP DevSecOps Guidelines. Revolutionise your Cyber Security strategy with OWASP DevSecOps - the game-changing approach that seamlessly integrates security into every stage of software development. Don't settle for less, upgrade to DevSecOps now!
Description
The OWASP DevSecOps Guidelines project provides a comprehensive set of best practices for integrating security into the DevOps process. This is essential because traditional security measures are often insufficient to protect modern software systems that are deployed frequently and rapidly. By following these guidelines, organizations can better manage risk, reduce vulnerabilities, and ultimately build more secure software. It is crucial for every organization to understand and implement DevSecOps because the cost of a data breach can be devastating - not only in terms of financial loss but also damage to reputation and customer trust. A strong DevSecOps strategy can help organizations prevent breaches before they occur, giving them a competitive advantage and peace of mind.
Speaker Biography
Milan Singh Thakur is an active member of the cyber security community and has made significant contributions to the field. He is a frequent speaker at industry conferences and has written extensively on topics such as DevSecOps, cloud security, and threat modelling. Milan is also an active contributor to the OWASP community, a non-profit organization dedicated to improving software security.
As part of his work with OWASP, Milan has contributed to several important initiatives, including the DevSecOps Guidelines project. He has also served as a mentor to emerging cyber security professionals and is committed to promoting knowledge sharing and collaboration within the industry.
Overall, Milan's contributions to the cyber security domain have been significant and far-reaching. He is a trusted thought leader in the field and is highly respected by his peers for his expertise, dedication, and commitment to excellence.
Securing REST API Endpoints (or, How to avoid another Optus)
James Cooper
Track One - Thursday, 13:30
View: Video (YouTube, 47:47); Slide Deck (PDF, 681 KB)
Abstract
Optus and their customers had a very bad time in 2022, with a massive data breach resulting in PII and ID documents released into the wild. This happened because a REST API was not properly secured. We’ll talk about the practical steps you can take to prevent this from happening to you.
Description
In September 2022, the major Australian telco Optus suffered a significant data breach. Initial reports suggested records for as many as 10 million customers (more than one-third of Australia’s total population) leaked. In the end, Optus got lucky, and the so-called hacker only leaked 10,000 records before getting spooked by the intense focus on the incident and abandoning their attempts to monetise the data. Nevertheless, the risk of the rest being leaked remained, forcing a massive effort from ID issuers to reissue passports, driver's licences, and other PII documents.
This was not just another typical data breach that was forgotten in a week - it had a broad impact in Australia and suddenly shifted thinking in other organisations. The whole affair was undoubtedly costly to Optus, both financially and reputationally. The most embarrassing part, though, is that the data were supposedly scraped from an API endpoint that should have been secured but wasn't. This talk will briefly speculate on why that might have been, and then describe various high-level technical and cultural approaches you can use to guard against something like this happening to your organisation.
The purpose of this talk is NOT to embarrass Optus or its staff. Rather, the point is for all of us to learn what went wrong and (more importantly) do our best to avoid repeating the same mistake(s). This talk is aimed primarily at Web developers relatively new to thinking about security - especially those working on REST APIs - and managers keen to help their team avoid making similar mistakes. There should be something for just about everyone interested in web application security, however.
Speaker Biography
James Cooper holds a Ph.D. in Computer Science, and currently works as a Security Developer at Cosive New Zealand. There, he spends most of his time working on Web applications such as Phishfeeder, with occasional side-lines in other tasks like developing third-party MISP integrations with customers' products or debating the merits of various programming languages and paradigms. He also spends too much time in the InfoSecNZ Slack and making Simpsons references.
The "A" in AppSec Stands for "Agile"
Fadzayi (Fadz) Chiwandire - CyberCX
(Remote Presentation)
Track One - Friday, 15:30
View: Video (YouTube, 21:19)
Abstract
It's time to embrace agile methodologies in AppSec! By integrating security into every step of your SDLC, you can quickly detect and respond to vulnerabilities and improve your security posture. Not only will you ensure security, but also enhance collaboration between development and security teams.
Description
The apparent cultural divide between application security engineers and developers has sparked great debate around the controversial topic of whether embedding security is a potential blocker to the software development lifecycle.
In this session, we explore the beauty of integrating agile methodologies with application security to effectively reduce the amount of software released with known vulnerabilities. Both these concepts initially require more of a cultural shift within any organisation before implementing processes and technology, understanding that security engineers are enablers and not blockers aiming to bake security into the SDLC process without affecting deployments negatively.
Most importantly, the goal is to effect each change and embed security in each of the SDLC phases in small, bite-sized chunks, making sure each step is well crafted, customised and perfected before moving on to the next step; after all, the whole process is a jungle gym and not a vertical ladder.
Speaker Biography
Fadzayi (Fadz) Chiwandire is an Application Security Consultant and Penetration Tester at CyberCX in Perth, Australia. She is also a co-host of the WestCoast Cyber podcast. She comes from a software engineering background in which she specialised in FinTech for close to a decade, assisting financial institutions to build user experience-driven software. In 2018, Fadzayi founded the DIV:A Initiative, a non-profit initiative dedicated to empowering young girls between the ages of 8 and 18 from South Africa's disadvantaged communities with coding skills, in order to address the industry's gender imbalance.
The Art of Cyber Espionage: Unleashing the power of SCADA and ICS hacking
Shahmeer Amir - Younite
(Remote Presentation)
Track Two - Friday, 15:30
View: Video (YouTube, 30:57)
Abstract
In today's digital age, the use of SCADA and ICS systems is widespread across various industries such as oil and gas, energy, manufacturing, transportation, and many others. These systems provide essential functionality in monitoring and controlling critical infrastructure, making them a target.
Description
This presentation will provide a practical understanding of SCADA and ICS hacking techniques and the steps that organizations can take to protect themselves from attacks. The session will begin with an overview of SCADA and ICS systems, their components, and their importance in critical infrastructure.
The presentation will then move on to explore the techniques used by attackers to compromise these systems. This will include live demonstrations of attacks that manipulate the systems to cause physical damage, disrupt operations, and steal data. Attendees will be able to see firsthand the power of SCADA and ICS hacking, and how attackers can use these techniques to penetrate even the most secure systems.
The session will also cover the steps that organizations can take to harden their SCADA and ICS systems against attacks. Attendees will learn how to identify vulnerabilities and implement best practices to secure their systems. We will explore different types of attacks, including advanced persistent threats (APTs), and the strategies that can be used to detect and respond to them.
Speaker Biography
Shahmeer Amir is a world-renowned Ethical Hacker and the 3rd most accomplished bug hunter who has helped over 400 Fortune companies, including Facebook, Microsoft, Yahoo, and Twitter, resolve critical security issues in their systems. He has founded multiple entrepreneurial ventures in the field of Cyber Security, and currently leads three startups in four countries.
As the CEO of Younite, Shahmeer's premier company is working on next-generation audio-video communication technologies. He is also the CEO of Veiliux, Asia's first mainstream Cyber Security startup present in the Asia Pacific, UAE, and the UK. Authiun, another startup, is a complete passwordless authentication solution for the 21st century.
Shahmeer is the Cyber Security Advisor to the Ministry of Finance Government of Pakistan, involved in multiple projects regarding Deep Sea Tracking, Digital Transformation of Legislation, and Digitization of Pakistani Cultural Content. He is also a member of Forbes Technology Council.
As an Engineer and a Cyber Security professional with relevant certifications from renowned organizations like EC-Council, Mile2, and SANS, Shahmeer is currently looking at Blockchain technology for his doctorate. He has authored three books, including Bug Bounty Hunting Essentials, and a dozen research papers.
Shahmeer is a highly sought-after keynote speaker on Cyber Security, Blockchain, and other technologies, having been invited to over 80 conferences globally, including Blackhat, GiSec, FIC, AEC Alberta, Hackfest and many more. He has also been accepted at multiple prestigious academic institutions in their entrepreneurship programs, including Stanford. As a CTO of companies, Shahmeer has learned to code in 25 languages and read code in 35, making him an expert in multiple technologies.
The Automation Threat Landscape: The evolution of BOTs and fraud
Guy Brown - Fastly
Track Two - Thursday, 13:30
View: Video (YouTube, 50:15)
Abstract
BOTs have evolved to become one of the hardest problems to solve in security. I will highlight use-cases for automation, against some well known e-commerce platforms, and demonstrate the real-world tools used by threat actors today to conduct account takeover and fraud.
Description
Every application on the Internet has an automation problem; the only difference is the level of sophistication of the automated threat. Whether it's something as simple as a vulnerability scanner or a more sophisticated bad actor crafting a tool to target your application, organisations are forced to put some security controls in place to mitigate the threat and reduce the risk of fraud and account takeover.
As BOTs have become more sophisticated, it is harder to distinguish between traffic from a real human and traffic from automation crafted by a skilful bad actor. The result is often that websites will resort to crude measures like CAPTCHA to attempt to prove someone is human, something that bad actors can easily bypass and that results in a terrible user experience for everyone else.
This talk will walk through the timeline of how BOTs have evolved to become one of the hardest problems to solve in security. Mapping to the OWASP Automated Threat handbook, I will highlight use-cases for automation against some well known e-commerce platforms, and demonstrate the real-world tools used by threat actors today to conduct account takeover and fraud.
Speaker Biography
Guy Brown has over 25 years' experience in the IT industry, including 20 years as a dedicated Security professional in the Australia Pacific region. He has gained a large amount of experience across the Application Security, Network Security, Automated Threats, and DDoS landscapes.
Guy has been helping large enterprise and government organisations secure their digital assets across on-prem, cloud, and hybrid cloud environments as companies embark on digital transformation projects.
The Enigmatic Eight: A cryptic tale of influential women in cyber security
Toni James - Salesforce
Track One - Friday, 10:00
View: Video (YouTube, 27:41)
Abstract
This talk will highlight influential women in cyber security history, but this isn't your usual list of women in tech. They are unique pioneers who truly contributed to information security in remarkable ways, with very little recognition and delivered in the style of a Murder Mystery graphic novel.
Description
Prologue: An Invitation to the Manor
On a foggy evening, at the edge of a small village, stood a grand, old manor. Eight envelopes adorned with intricate calligraphy found their way to the hands of eight exceptional women. Each invitation bore the same cryptic message:
Join us at Cypher Manor to unravel a murder most mysterious.
As the clock struck eight, the women arrived, and the grand hall echoed with whispers of introductions. Little did they know that they were about to embark on a thrilling journey through the enigmatic world of cyber security.
Intrigued? Join us as we delve into the feats and accomplishments of eight historic heroines, all while they search for clues to solve the Murder Mystery at Cypher Manor.
Speaker Biography
Toni James is an accomplished security engineer, consultant, software engineer, conference organiser, committee member and speaker. With a passion for increasing the representation of women and minorities in the tech industry, she focuses on encouraging young women and career changers to join her in challenging the status quo and breaking down barriers. Outside of work, Toni is an avid snowboarder, mountain biker, and hiker enjoying her life with her family and dogs in the Korowai mountains in the South Island of New Zealand.
The Many Sins of Web3
Stephen Morgan
Track Two - Friday, 10:35
View: Video (YouTube, 48:36); Slide Deck (PDF, 6.0 MB)
Abstract
This may shock you, but...did you know that many of the assertions made by blockchain advocates weren't entirely accurate?!? Let us cherry-pick the worst security offenses from a retired cryptocurrency early adopter.
Description
Whether it is the future of finance or a technological Wolpertinger,‡ blockchain and its dependencies sure made a splash in the last few years. Amongst the many promises were how secure the technology was, but what is "security" in the context of cryptocurrencies and what can we learn from the sector as developers and security practitioners in fiat-land? If this thing is so secure, then why is my bridge wiped, and all my apes gone? This talk will explore both the obvious (self-custody, immutability, pseudo-anonymity) and less obvious (UX, programming language design) issues with blockchain broadly from a technological angle, without all the societal posturing and misappropriation of client funds.
‡https://en.wikipedia.org/wiki/Wolpertinger
Speaker Biography
Stephen Morgan is a Security Engineer/Consultant largely within the fintech industry. He enjoys long walks on the beach and getting Security teams to fund Application Security.
Thoughts on Threat Modelling
John DiLeo - IriusRisk / OWASP NZ
Track One - Friday, 14:25
View: Video (YouTube, 31:28); Slide Deck (PDF, 1.3 MB)
Abstract
As an Application Security Consultant, I've had numerous opportunities over the years to present training and talks on threat modelling. Over the years, my thinking has evolved, and I've focused on using threat modelling as a source of "consequential" security requirements - security features our applications require as a consequence of including a functional capability specified by or on behalf of our users.
The approach I teach and facilitate is based on Adam Shostack's "Four Questions," but has been expanded and (I think) clarified. In this talk, I'll briefly touch on the "Five Ws" (Why, What, When, Where, and Who) of threat modelling, then present an overview of my "Seven Questions" approach to modelling.
Speaker Biography
John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. He heads up IriusRisk's Solution Architecture team for the Asia/Pacific (APAC) Region, providing support and guidance to customers in launching, managing, and maturing their enterprise threat modelling programs. Until recently, John led the Application Security Services team at Datacom, and previously served as the internal Application Security Architect at two Auckland-based companies.
Before turning to full-time roles in application security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John has been a full-time professor and specialised in developing discrete-event simulations of large distributed systems, in a variety of languages.
John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, leads the OWASP State of AppSec Survey Project, and is a member of the OWASP Education and Training Committee.
Understanding and Securing Cloud Resources using a Layered Approach
Ruskin Dantra - Amazon Web Services
Ratan Kumar - Amazon Web Services
Track Two - Friday, 13:30
View: Video (YouTube, 51:46); Slide Deck (PDF, 1.6 MB)
Abstract
Securing your resources in the cloud starts simple, although with an ever-changing threat landscape it soon gets complicated. We'll take you through a series of exercises to help you understand how you can secure cloud resources from a networking and connectivity perspective using a layered approach.
Description
As cloud adoption accelerates across the industry, building a secure network in the cloud remains one of the top priorities. In this talk, you'll learn about an architecture approach and how multiple layers of security controls can be defined to build a resilient, secure and scalable network in the cloud. At the end of this talk you will walk away with an understanding of the differences between identity, resource and endpoint policies, how they work together, and how you can debug and diagnose any issues.
Speaker Biographies
Ruskin Dantra has been in the technology space for 18 years and is a software engineer by trade. He has spent most of his career in the application development space using C++ and C# developing WinForms and XAML applications and then moving to web applications using ASP.NET and React. He started his cloud journey just under a decade ago when he launched his first VM in AWS (an EC2 instance). He currently works at AWS in Auckland as a Senior Solutions Architect helping customers accelerate their cloud journey. His passions are software engineering and networking.
Ratan Kumar - No biography provided
Waiter, There's a CVE in My SOUP
Kevin Alcock - Seequent
Track One - Thursday, 16:05
View: Video (YouTube, 30:31); Slide Deck (PDF, 4.3 MB)
Abstract
'SOUP' stands for "software of unknown provenance." This is software in your code base that has not been created under your development process. This talk is about finding known security vulnerabilities in these introduced packages and will include a brief demonstration of how this can be done in the development pipeline.
Description
'SOUP' stands for software of unknown (or uncertain) provenance (or pedigree), and is a term often used in the context of safety-critical and safety-involved systems such as medical software. SOUP is software that has not been developed with a known software development process or methodology, or which has unknown or no safety-related properties.†
This will be an introductory-level technical talk on introducing Software Composition Analysis (SCA) into the development pipeline. There will be a brief demo.
†https://en.wikipedia.org/wiki/Software_of_unknown_pedigree
Speaker Biography
Kevin Alcock helps run the Christchurch branch of ISIG. He has been programming for a living since 1986 (yes, longer than most of you have been alive) after studying at what is now known as Ara Institute of Canterbury. In those 30-plus years he spent a lot of his time in Enterprise and Financial systems with mobile/internet applications. In 2016 he became an Offensive Security Certified Professional (OSCP). He is the founder and principal consultant at Katipo Information Security.
What Could Possibly Go Wrong in a Kubernetes Cluster?
William Koh - WithSecure
Track Two - Thursday, 15:30
View: Video (YouTube, 31:44); Slide Deck (PDF, 1.9 MB)
Abstract
Dive into the hidden perils of Kubernetes (K8S) in this talk to unravel security pitfalls and master the art of safeguarding your container orchestration. Join us to explore the realm of Kubernetes, learn best practices, and protect your cluster against nasty threats.
Description
"Hey, client X. We are now the cluster admin of your Kubernetes cluster. Do you maybe have some time for us to walk you through the assessment?"
Kubernetes (K8S) is getting more attention in recent years, due to its fantastic features and support in driving CI/CD pipelines for organisations and its ability to orchestrate containers. An attacker has multiple ways to attack a K8S cluster, mainly through misconfigurations such as in role-based access control (RBAC) or network policies, or vulnerabilities in the containers.
In this talk, we will reveal activities going on behind the scenes in a K8S cluster review from the perspective of an attacker and will showcase this in various demonstrations. Common threats and attack vectors that could be found in various cluster environments, such as managed and self-managed, will also be dissected and explained to you. The talk will be concluded with some of the established ways that you can use to secure a cluster environment.
Want to secure your K8S cluster? See you there!
Speaker Biography
William Koh is a Security Consultant from WithSecure Singapore, specialising in penetration testing, Kubernetes and Container security, and is certified as OSCP, CKA, and CKS. He has experience in supporting and leading multiple offensive security engagements across application, network, and cloud security. In his free time, William likes exploring new technologies by setting up his own test environment for technical deep dives. He has also delivered training and workshops at conferences such as Bsides Singapore, SinCon Reloaded 2023 and Australian Cyber Conference Canberra 2023.
What Happens When a Meteor Takes Out My Data Centre?
Peter Jakowetz - PrivSec Consulting
Track One - Thursday, 14:25
View: Video (YouTube, 26:28); Slide Deck (PDF, 490 KB)
Abstract
Resilience is a concept often discussed, but often not well understood. There are a wide range of tools that engineers can use to improve the availability of their service. You should leave this talk with a better understanding of concepts such as DR, HA, RPO, RTO and BCP.
Description
In this talk, we'll discuss several key concepts around resiliency in IT.
Specifically, this talk will address:
- disaster recovery (DR);
- high availability (HA);
- backups;
- business continuity; and
- load balancing.
It will highlight the similarities and differences between these concepts, how they link together, and how they are used in real-world scenarios.
Speaker Biography
Peter Jakowetz runs a security consultancy in Wellington, providing GRC and Penetration testing services. When not providing assurance to organisations throughout the country, he can often be found hanging out with his kid, going for walks with his dog, Tui, or procrastinating over the 100 unfinished projects in his garage.