This past Friday, Daniel Zollinger and I (Erica Anderson) took part in the annual migration of geeks to Auckland University for the OWASP Day conference. This conference has been run every year for a while now, and is a great opportunity to meet people from all walks of infosec. There are students, veterans, developers, testers, security consultants, academics, and folks who just want to learn a bit more about infosec.
Our favourite talks from OWASP NZ 2020
We took notes during the conference and thought we would give a shout out to some of the awesome speakers we saw at OWASP Day this year:
John Manicore, from Manticore Security, gave a fantastic overview of the history of testing tools, password storage, HTTPS, and a bunch of other areas of security that are usually quite painful for the every day security person. This context was a fantastic reminder to put aside those fatigued and jaded feelings and reignite that passion to keep pushing for good security practices.
Georgia Weidman, from Shevirah, gave wonderfully visual view of common enterprise, mobile, and operating system architectures. I personally am a very visual person, so seeing her diagrams helped me follow along with ease and understand more about (the disappearing) network perimeter and mobile security.
Petra Smith, from Aura Security, is a fantastic storyteller and took us through some stories about how technology can go wrong. We won't repeat them here as they are quite graphic; the important takeaway is to always perform threat modeling with a diverse, well-represented group for what people often refer to as "edge cases". Petra refers to these as "stress cases", which I think is a much better way to recognise these type of situation.
Karaitiana Taiuru gave a talk about considering māori cultural and ethical when creating technology. I linked the talk below, as there was so much in this talk that I learned (and this was my second time watching it!). The awareness of scuzzie (scamming cuzzie, māori targeted scams using Google Translate for phishing), use of names throughout a business and enterprise, even the whakapapa behind the new OWASP Day logo. If you missed his talk, take a look at some of his presentation materials on his website.
Chris Cormack did a infosec community favorite talk - the māori words for various infosec terms. His dad, Ian Cormack, creates these words and it is so neat to hear how they are created. Chris curated a thread with a few of these on Twitter here.
So what did SafeStack share?
We were thrilled to give two talks on the day, focused on areas that we hold dear - smaller (often fast paced organisations) and bringing security to application development life-cycles.
Daniel did a talk on the work he has been doing around embedding security in code reviews. He even created a handy resource that teams can print out and hang up in their dev pods, or take the question and embed them into their CI/CD platform (using things like Listo). You can grab a copy of the code review printable now and get started.
I did a talk about our recent blog series ’ Security When Smol’, and explained the data and reasoning behind the advice we are giving. A printable version of the asset list is also available in our learning nook if you are keen to help a small group close to your heart.
We’re excited to share that both of these talks were recorded, and we will be putting them up in the nook when they are up! Watch out for further updates both here and on social media.
Same time next year?
Like clockwork OWASP Day NZ will be run again on February 15-17th 2021, same place, same format. So grab a free(!) ticket, get your manager to approve some training, and get stuck in! Keep up to date with this and other OWASP NZ chapter meetings and events by joining their mailing list.
Finally, THANK YOU to the OWASP NZ Crew
As a conference organiser myself, I know what it takes to run a conference that (appears) to run like a well-oiled machine. Thanks to John and the rest of the OWASP crew for a fantastic time!
See ya'll next year!