Speakers and topics
We have these great talks lined up for you. Come and learn from some of the most interesting people in NZ security!
History of hacking in NZ
Simon Howard, ZX Security
Has there been hacking in New Zealand? What happened to the people involved? Simon will talk about the history of security in New Zealand and how we’ve got to where we are now.
This is an updated version of Simon’s presentation at the first security.ac.nz conference, in 2019.
Simon Howard runs ZX Security, a penetration testing firm based in Wellington. Simon also co-founded Australasia’s largest hacker conference, Kiwicon (similar to Kawaiicon but less cute). Simon and his team spend their days testing the security of their customers’ networks, applications and people.
Looking for Trouble in the Right Places: Bug Bounties and You
Sana Oshika, Pulse Security
Before I entered the world of security, I was a software developer with no experience hacking things, no knowledge of hacking tools, and had never seen a bug bounty before. Regardless, I found a security vulnerability in a product by one of the largest tech companies in the world, your favourite search engine (not Bing).
This presentation will talk you through the security issue I found in Google, how I found it, and how I got paid for it. Along the way, I’ll tell you about the skills I picked up that took me from writing software to the dark side of breaking it. I’ll dispel some of the myths surrounding bug bounties and hacking for a living. And by the end, you’ll discover that you too can start hunting for trouble and get paid for it.
Sana Oshika is a Junior Security Consultant at Pulse Security, where she spends her days breaking sites and apps for clients. Previously, she was a DevOps engineer and software developer who has consulted and worked at a variety of SaaS companies across New Zealand and Australia. She got her start in security by poking around other people’s websites and asking “What happens if I do this?” a few too many times. Sana took the scenic route into the tech industry.
Leveraging OWASP Projects and Tools to Build Secure Software
Dr. John DiLeo, OWASP New Zealand Chapter
The Open Web Application Security Project (OWASP) boasts nearly 200 active Projects, whose volunteers have developed tools and resources covering nearly every aspect of application security and software assurance. The challenge lies in knowing what they are, where to find them, and how they can help.
John will present a brief overview of an array of interesting and useful OWASP Projects, including the current Flagship Projects, with insights into how each can be used to improve the security of software.
Dr. John DiLeo hosts the OWASP New Zealand Chapter’s Auckland Meetup, and chairs the annual OWASP New Zealand Day conference. He’s on the core team of the OWASP SAMM project, where he helped to create SAMM 2.0. John is also Vice Chair of OWASP’s Education and Training Committee, and regularly presents at global OWASP conferences and security conferences in New Zealand.
Before moving into application security, John worked as a solution architect, a Web development lead, and in developing discrete-event simulations of distributed systems. Along the way, he’s also worked as a college instructor, trainer, and general IT consultant. @gr4ybeard LinkedIn
The Incident Response Plan that Saved Christmas
Petra Smith, Sharesies
It’s Christmas Day. You’re floating serenely in the coral sea surrounding a real live tropical desert island…when, suddenly, you’re having a too-close encounter with deadly wildlife. What do you do? Just follow your Incident Response Plan, of course!†
Don’t have an Incident Response Plan? No worries. I’ll take you through how to make a plan to help you navigate the shark-infested waters of a security incident with less stress, and get back to business - or living your best tropical mermaid life - quicker.
If your team’s worst-case scenario plan is to hope it never happens, this talk is for you. I’ll show you why you should prepare for the worst, and how anyone can make a plan that works.
† Based on a true story
Petra Smith is a professional opinion-haver and security culture specialist who is on a mission to make information security accessible to everyone. She has a point and she’s getting to it.
Workshop - Application Threat Modelling
John DiLeo, Datacom
This workshop offers an interactive introduction to Application Threat Modeling and its use as a technique for identifying consequential (“Yes, and…”) security requirements. After addressing the “Five Ws of Threat Modelling,” John will present his “Seven Questions” approach (adapted from Shostack’s “Four Questions”) to developing a model. Through a series of small-group and whole-group exercises, we’ll develop an initial threat model for a ‘typical’ single-page web application.
Dr. John DiLeo leads the Application Security Services team at Datacom, hosts the OWASP New Zealand Chapter’s Auckland Meetup, and chairs the annual OWASP New Zealand Day conference. He moved to Auckland, from the United States, in 2017. Before joining Datacom, John was the Application Security Architect at Orion Health, then at Air New Zealand.
John’s focus is on developing and managing enterprise-wide Software Assurance Programmes, including the assessment of the organisation’s maturity and building a roadmap to improve. This led him to join the core team of the OWASP SAMM project, where he helped to create SAMM 2.0. John is also Vice Chair of OWASP’s Education and Training Committee, and regularly presents at global OWASP conferences and security conferences in New Zealand.
Before moving into application security, John worked as a solution architect, a Web development lead, and in developing discrete-event simulations of distributed systems. Along the way, he’s also worked as a college instructor, trainer, and general IT consultant. @gr4ybeard LinkedIn
Careers in AppSec
Karan Sharma, Wise Fox Security
This talk will focus on what different types of career paths are available in Cybersecurity and how you can prepare yourself to land the job of your dreams. I will also cover how possessing general IT skills sets a great foundation for your InfoSec career. I would also love to answer any questions that you might have after or during the talk, as this is supposed to be an interactive presentation.
Karan Sharma has been in this field for over 12 years. He has worked as a Pentester for NZ telcos, banks, health sectors and manufacturing companies. He now runs his own security consulting company called Wise Fox Security, which offers services in the Offensive Security and DevSecOps space. He has also completed a few of the ‘customary’ certifications, including OSWE, OSCP, eWPTX and Certified DevSecOps Professional (CDP). He has also spoken at a number of other security conferences. Other than InfoSec, Karan loves watching and playing football, loves evening runs with his dog and has a great weakness for a nice coffee and almond croissants. Tweet me at @W1S3F0X.
Going Further in AppSec
Panel session: Panelists TBC
In this session we’ll discuss places you can learn more about security, and some options for what you can do next. Bring your questions!