Secure your Cyber, 24 & 25 Aug 2019

Speakers and topics

As well as the activities, we also have these great talks lined up for you. Come and learn from some of the most interesting people in NZ security!

History of hacking in NZ

Simon Howard, ZX Security

Has there been hacking in New Zealand? What happened to the people involved? Simon will talk about the history of security in New Zealand and how we’ve got to where we are now.

Simon Howard runs ZX Security, a penetration testing firm based in Wellington. Simon also co-founded and assists with running Australasia’s largest hacker conference, Kiwicon (similar to Kawaiicon but less cute). Simon and his team spend their days testing the security of their customers networks, applications and people.

What’s in a name?

Joanna Rubi, Spark NZ

slides video

So what’s in a name? That which we call a security role by any other name would sound as sweet. When people think of Security, most people would think of physical security, and if they watch Mr Robot, they would exclaim hackers! But how about the others in between the security guards and the red-team. It takes a village to better the security posture of a business or a product, so who are the other knights in the round table sharpening their keyboards to safeguard New Zealand from wolves in sheep’s clothing. Let’s unravel the other champions in the army that protect the fort.

Nature loving, barefoot exploring, culture craving, adrenaline searching, violin plant playing, guinea pig mother making, solo backpacking, and code crunching Elohim believing dudette! Apart from all that jazz, I am that person who gets excited in Process Improvement, Big Data, and Cyber Security problem solving, creating solutions with a focus on efficiency and usability, doing so with a customer-centric mindset while living the agile life with my team! Follow me on @geeitsjo

The Pentesting Process - Don’t do crimes

Toni James, Lateral Security


What does a Penetration Tester actually do? tldr: We get paid to hack, but there are some rules of engagement that you MUST follow.

The goal of this session is to provide an understanding of how to approach a penetration test, otherwise known as an offensive engagement, like a bug bounty. This includes the preparation, testing, and follow up which will provide a structured process and critical skills on how to break down overwhelming problems into manageable paths and have fun along the way.

Toni is a snowboarder turned Software Engineer turned Security Consultant. She’s won a few scholarships in her quest to get more women into tech and she’s really good at supporting others to do ‘all the things’. A firm believer in ‘you need to see it to be it,’ she puts herself out there to enable others to step up and challenge the status quo. She/Her.

@_tonijames LinkedIn

Trust (& how the internet works)

Alex Nikolova, Aura Information Security

slides video

You think “networking” is all about talking to strangers wearing suits while trying not to get distracted by the free buffet and anxious thoughts of future unemployed self? Not the kind of networking I’m into! This talk will be about TCP/IP, OSI, DHCP, DNS, HTTP, SSL/TLS, CSRF, SOP, CORS, and a bunch more three- and four-letter acronyms you may think you know all about (but in fact don’t). I.e. what technologies enable you to enter a URL or search term in your browser address bar and instantly see funny bird (don’t like cats, sorry not sorry) videos.

They call her Alex, but she is The Socially Awkward Penguin. She felt very awkward writing a bio in third person, so instead she quoted herself:

“I didn’t do a PhD. I suck at PhDs. I started a PhD project… three times. By the time I got to write my thesis I was bored already. But hey, I love arguing over problems no one ever cared or will ever care about.

I don’t do bug bounties. I suck at bug bounties. I tried looking for bugs… three times. By the time I decided on a bounty program I was bored already. But hey, I love breaking web apps that give me shells.

I don’t do gym. I suck at gymming. I tried going to the gym… three times. By the time I decided on an exercise I was bored already. But hey, I love punching people.”


Don’t Trust User Input

Kirk Jackson, RedShield

slides video

So many of the security issues you’ll see this weekend are caused by trusting user input. We will discuss what SQLi and XSS are, how the root causes of both is trusting input and using it in an “execution” context and an introduction into ways of mitigating those attacks.

Henlo! I am a blue haired software engineer with a devSecOps bend. Outside of work you’ll catch me buying too many soft toys for a person in their twenties, posting lots of photos of my cat to social media and/or drinking a sour beer.

Authentication, authorisation, logging and alerting

Anupurna Kaw, Vodafone NZ


In this session we will discuss how important visibility is to securing your systems, and the fundamental role that authentication and authorisation play in guarding access to our sensitive data.

Anu has been in the Security industry for more than 16 years now. One of her passions is to mentor. She is actively involved in mentoring the next gen of security professionals through “Project Wednesday” cyber security meetup, Linkedin and Vodafone Grad Programme. She was one of the finalists (technical) in Women in ICT Awards 2019 (NZ).


Algorithms, cryptography and protocols

Kate Pearce, Trade Me

slides video

A surprising amount of security is actually based on maths. But don’t worry, we won’t talk about maths in this talk!

We will discuss the places that cryptography is important in the internet, the current contenders for “best practice”, and why you should stand on the shoulders of giants rather than building it yourself.

Security in “the cloud”

Erica Anderson

slides video

In this session we will discuss the differences when you are securing your applications and data when you move them to “the cloud”.

Her twitter bio (@sputina) says “infosec, cat, and ketchup enthusiast” which summarises her quite nicely. Erica currently works as an IT security contractor, and has had a range of experience in infosec - She has been a consultant, tester, engineer, analyst, instructor, and incident responder. She also causes general mayhem with Kiwicon, Kawaiicon, Code Club Aotearoa, and BSides Wellington.

Threat Modelling and Risk Assessment

Chloe Ashford, Quantum Security

slides video

In this talk we will discuss how threat modelling is used as a tool for risk management. While you won’t need to understand a huge risk framework, we will introduce you to the following ideas:

Chloe is a Security Consultant from Quantum Security based in Wellington. Her focus is on risk management, security assurance activities and Certification & Accreditation for government. She cross-trained into security after completing a psychology degree and is particularly interested in encouraging diversity in IT.

Security Considerations for Mobile Apps and APIs

Dr John DiLeo, OWASP New Zealand Chapter - Auckland

slides video

In these two days we have covered a lot of aspects of security. How do we apply what we’ve learnt to buildling a secure Mobile Application and API?

John is one of the co-leaders of the OWASP New Zealand Chapter. He moved to Auckland, from the United States, in 2017, and now works as Orion Health’s Application Security Architect.

John’s focus is on developing and managing enterprise-wide Software Assurance Programmes, including the assessment of the organisation’s maturity and building a roadmap to improve. This led him to join the core team of the OWASP SAMM project, where he helped to create SAMM 2.0. John is also co-leader of the OWASP Application Security Curriculum Project.

Before moving into application security, John worked as a solution architect, a Web development lead, and in developing discrete-event simulations of distributed systems. Along the way, he’s also worked as a college instructor, trainer, and general IT consultant.

Going further in AppSec

Panel session:
Dax Roberts, Weltec slides video
Erica Anderson
Ian Welch, Victoria University
Toni James, Lateral Security

In this session we’ll discuss places you can learn more about security, and some options for what you can do next. Bring your questions!