133 tweets, 70 min read
Must be #OWASPNZ time...
@owaspnz
I'm modifying my #OWASPNZ sticker to "GOT OW" - so I can use it to query where the fuck @ow is.
Kicking off #OWASPNZ!
It's John kicking off #OWASPNZ with all the infoz
What is this @owaspnz thing when we're not conferencing?
#OWASPNZ

Well...
Yay #OWASPNZ sponsors!

You are neat!
Many thanks to the #OWASPNZ volunteers!
Health & Safety TL;DR: if anything goes wrong call Lech.

#OWASPNZ
Now @binarymist is introducing our first speakers
#OWASPNZ
First speaker from @pushpaytech talking about the @owaspnz top 10.

Complete with Te Reo intro!
#OWASPNZ
Kicking it off with some XSS.
#OWASPNZ
Using BeEF to create dummy login prompts and steal creds. Some good XSS
#OWASPNZ
How to mitigate XSS?
#OWASPNZ
Next up, Cross Site Request Forgery
#OWASPNZ
CSRF requires active mitigation
#OWASPNZ
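What "active mitigation" looks like in code: the browser attaches the session cookie to a cross-site form post whether the user meant to submit it or not, so the server has to demand a second value that only a page it rendered could know. This is an added example, not the speaker's code. It assumes the session id is an unguessable value already tied to the user by a cookie, that SERVER_KEY is a secret generated once and kept out of the repository, and the request shape and handler name are hypothetical.

```python
"""Minimal HMAC-based CSRF token (synchroniser token pattern).

Added example; not from the talk. Assumes an unguessable session id and a
server-side secret. The request dict and handle_transfer() are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical: generated at startup for this demo. In production load it
# from a secret store so it survives restarts and is shared across workers.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token the server embeds in every state-changing form for this session."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str],
                     key: bytes = SERVER_KEY) -> bool:
    """Recompute and compare in constant time; a missing token never passes."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, key), submitted)


def handle_transfer(request: dict) -> str:
    """Hypothetical POST /transfer handler.

    request = {"session_id": <value from the session cookie>,
               "form":       {"to": ..., "amount": ..., "csrf_token": ...}}
    The cookie alone proves nothing, because a form on evil.example posts it
    too; the token in the form body is what the attacker cannot supply.
    """
    session_id = request["session_id"]
    form = request["form"]
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim_session = secrets.token_urlsafe(32)
    # Form rendered by the server for this session, token included.
    good = {"session_id": victim_session,
            "form": {"to": "savings", "amount": 100,
                     "csrf_token": csrf_token(victim_session)}}
    # Forged post from a third-party page: cookie rides along, token does not.
    forged = {"session_id": victim_session,
              "form": {"to": "attacker", "amount": 100}}
    print(handle_transfer(good))
    print(handle_transfer(forged))
```

The token is only as secret as the page it sits in: an XSS on the same origin can read it out of the DOM, which is exactly why the next part of the talk combines the two.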
Now, our powers combine to form...
#OWASPNZ
You know they're hacking now because of the 💀.
#OWASPNZ
How do we mitigate?

Basically, the same as XSS and CSRF. As you'd imagine.

#OWASPNZ
New entrant into the @owasp Top 10 M
XXE = Xml eXternal Entity
#OWASPNZ
Let's demo!
#OWASPNZ
Now attempting the million lol attack.

Basically ends up DoSing the machine he's presenting on. Genius!

#OWASPNZ
Why is the @owasp map not only completely missing New Zealand, but also half of Australia for some reason?!

Who has one of those @LastWeekTonight NZ map stickers?

#OWASPNZ
How to mitigate XXE:
#OWASPNZ
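Both XXE variants shown in the demo, the entity-expansion denial of service and the SYSTEM entity that reads a file, need a DTD, so the simplest mitigation is to refuse any document that declares one before it reaches the parser. The following is an added example, not the speaker's code. It assumes the application parses XML with the Python standard library and has no legitimate need for DTDs; the sample documents are constructed for the demo.

```python
"""Refuse DTDs before XML parsing (added example, not from the talk).

Assumes stdlib ElementTree and that DTDs are never needed, which is the
OWASP-recommended position for XXE.
"""
import re
import xml.etree.ElementTree as ET

# Entity expansion bombs and SYSTEM/file: external entities both live in the
# DTD, so one check removes both classes: no <!DOCTYPE, no entities.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """The document declares a DTD and is rejected unparsed."""


def _normalise_to_utf8(data: bytes) -> bytes:
    """A UTF-16 BOM hides ASCII substrings from a byte regex; transcode first."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16").encode("utf-8")
    return data


def parse_xml_safely(data: bytes) -> ET.Element:
    data = _normalise_to_utf8(data)
    if _DOCTYPE_RE.search(data):
        raise UnsafeXMLError("DTD declarations are not accepted")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True when parse_xml_safely refuses the document."""
    try:
        parse_xml_safely(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples. The first is the start of the classic entity-expansion
# payload; the full version nests to lol9 and expands to roughly 3 GB.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

# Same DTD trick, UTF-16 encoded: a naive byte search for b"<!DOCTYPE" misses it.
UTF16_DTD = b"\xff\xfe" + '<!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>'.encode("utf-16-le")

CLEAN = b'<?xml version="1.0"?><order id="42"><item sku="A1" qty="2"/></order>'

if __name__ == "__main__":
    for label, doc in [("billion laughs", BILLION_LAUGHS),
                       ("external entity", EXTERNAL_ENTITY),
                       ("utf-16 dtd", UTF16_DTD), ("clean", CLEAN)]:
        print(f"{label:16} rejected={is_rejected(doc)}")
```

If DTDs genuinely are required, the check above is too blunt; in that case parse with a library that can keep DTD support while disabling entity resolution (lxml's XMLParser has a resolve_entities flag, and defusedxml wraps the stdlib parsers) rather than trying to allow-list entities by hand.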
Now talking about File Injection
#OWASPNZ
🎶 Uploading a file! Uploading a file! 🎶

🎶 Definitely not doing anything dodgy just uploading an innocent file! 🎶

#OWASPNZ
How to mitigate file injection:
#OWASPNZ
Now talking about SQLi and little Bobby Tables.

Just because you're using a NoSQL database doesn't mean you have No SQL injection...

#OWASPNZ
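Little Bobby Tables, worked through with the sqlite3 module so it runs anywhere: the string-built query beside the parameterised one, with the tautology payload and the classic DROP TABLE payload run against each. This is an added example, not the speaker's code; the table and its rows are constructed for the demo.

```python
"""SQL injection with sqlite3: vulnerable query beside the fix.

Added example, not from the talk. The students table is constructed data.
"""
import sqlite3

SAMPLE_STUDENTS = [("Alice", 91), ("Bob", 78), ("Robert", 85)]  # constructed


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", SAMPLE_STUDENTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The user-supplied string becomes part of the SQL grammar: a quote in it
    # closes the literal and whatever follows is interpreted as SQL.
    sql = f"SELECT name, grade FROM students WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_vulnerable_stacked(conn: sqlite3.Connection, name: str) -> None:
    # Same string building, on an API that runs several statements at once
    # (sqlite3's executescript here; many drivers allow stacked queries by
    # default). This is the path that lets Bobby's payload drop the table.
    sql = f"SELECT name, grade FROM students WHERE name = '{name}'"
    conn.executescript(sql)


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The driver sends the SQL text and the value separately. The value can
    # only ever be compared against the column; it is never parsed as SQL.
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None


TAUTOLOGY = "' OR '1'='1"                 # WHERE name = '' OR '1'='1'  -> every row
BOBBY = "Robert'; DROP TABLE students;--"  # closes the literal, stacks a DROP

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable + tautology:", lookup_vulnerable(conn, TAUTOLOGY))
    print("safe + tautology:      ", lookup_safe(conn, TAUTOLOGY))
    print("safe + Bobby:          ", lookup_safe(conn, BOBBY), "table intact:", table_exists(conn))
    lookup_vulnerable_stacked(conn, BOBBY)
    print("stacked + Bobby, table intact:", table_exists(conn))
```

The NoSQL remark holds for the same reason: the bug is mixing untrusted data into a query language, whatever the language. A JSON filter built by string concatenation, or a document store that accepts operator objects where a string was expected, is the same class of problem with a different grammar.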
Now haxoring with SQLmap
#OWASPNZ
This seems fine.

#OWASPNZ
Supposedly this is a stock photo but...

That sure looks A LOT like @petegoo...

#OWASPNZ
Now talking about Threat Modelling with Kade.
#OWASPNZ
Can I haz threat model?

#OWASPNZ
Mozilla Open Source Leaders
#OWASPNZ
Kade was helping some folks and they asked about Threat Modelling.
#OWASPNZ
Basic Threat Modelling based on Microsoft's STRIDE.

What are you building?
What can go wrong?
What are you going to do about it?

#OWASPNZ
Some definitions
#OWASPNZ
When we put it all together... It can get a bit nihilistic.

#OWASPNZ
What is threat modelling?
#OWASPNZ
What product were the mentees building?
#OWASPNZ
What did they come up with initially?
#OWASPNZ
This is all pretty high level, we need to go lower.
#OWASPNZ
What could go wrong?
#OWASPNZ
What is STRIDE and why is @BillGates rapping?

#OWASPNZ
Repudiation is a tough one
#OWASPNZ
So these are our threats
#OWASPNZ
What are we going to do about it?
#OWASPNZ
What to do about spoofing?
#OWASPNZ
What do we do about tampering?
#OWASPNZ
What are we doing about repudiation?
Not much.
#OWASPNZ
What are we doing about information disclosure?

#OWASPNZ
What are we doing about denial of service?
#OWASPNZ
What are we doing about escalation of privileges?
#OWASPNZ
Where does this put us?
#OWASPNZ
How do we take this further?

#OWASPNZ
If you know nothing (about threat modelling) just remember these 3 things:
#OWASPNZ
Some resources if you want to model. Your threats, that is...
#OWASPNZ
Next up: That Vulnerability Looks Quite Risky

#OWASPNZ
What is risk management?

What are risks?

#OWASPNZ
Why should we care about risks?

#OWASPNZ
Threat modelling vs risk assessment
#OWASPNZ
For example:
#OWASPNZ
What is the risk here?
#OWASPNZ
What other info?

What drives this risk?

What might this lead to?

#OWASPNZ
What can we do about that?

How do we fix it?

#OWASPNZ
Some good info about controls:
#OWASPNZ
Moar controls
#OWASPNZ
How do we score risks?
#OWASPNZ
Rating chart.

How to figure out if these risks matter.

#OWASPNZ
Things to think about:

#OWASPNZ
Some recommendations:
#OWASPNZ
Or... Do nothing. 🤷‍♂️

#OWASPNZ
Summary so far:

#OWASPNZ
A new example:

#OWASPNZ
What are the risks?

#OWASPNZ
Food for thought.

#OWASPNZ
In summary:
#OWASPNZ
What not to do?

Don't make it painful. Just make sure you follow the process.

#OWASPNZ
Now we're talking about password security with 2020 vision.
#OWASPNZ
It's Antonio!
#OWASPNZ
Why do we care about passwords?
#OWASPNZ
What we're talking about.

#OWASPNZ
The password trends of today aren't great...

Thanks @troyhunt for the stats!

#OWASPNZ
How did we end up in this awful state?

Blame NIST.

#OWASPNZ
🤨
#OWASPNZ
Guessing passwords is basically math.

More entropy (randomness) makes the math harder/longer to calculate.

#OWASPNZ
What is a hash?

#OWASPNZ
Am I storing passwords correctly?

Can anyone see it in plaintext?
No - excellent!
Yes - this is bad, very bad.

#OWASPNZ
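"Storing passwords correctly" in practice means a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison on login. The following is an added example, not the speaker's code, using only the Python standard library. It assumes PBKDF2-HMAC-SHA256 is acceptable for the deployment (OWASP lists it at 600,000 iterations for when Argon2id, scrypt or bcrypt are not available), and the `algorithm$iterations$salt$digest` record format is this example's own convention.

```python
"""Salted, slow password hashing with hashlib (added example, not from the talk).

Assumes PBKDF2-HMAC-SHA256 is acceptable; the stored record format is this
example's own.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text, validate=True)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is fresh per call, so two users with the same password get
    different records and a precomputed table is useless against the dump.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = _unb64(salt_b64)
        expected = _unb64(digest_b64)
    except (ValueError, TypeError):
        return False  # malformed or foreign record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record is below current policy; rehash on the next good login.

    This is how a site raises its work factor over time without a reset.
    """
    try:
        algorithm, iterations_text, _, _ = stored.split("$")
        return algorithm != ALGORITHM or int(iterations_text) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Summer2019!", record))
```

Nothing here lets anyone, including an administrator with database access, see a password in plaintext, which is the test the slide sets. The slow function is the point: at 600,000 iterations the legitimate login costs a fraction of a second, while the attacker pays that price for every guess against every record in a stolen table.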
How are users outsmarting us by making bad passwords with the old password rules?

Simple patterns.

Password reuse.

#OWASPNZ
People reduce the randomness.

We can use lots of computing power to crack passwords.

#OWASPNZ
How do we attack user passwords?

We make some smart assumptions

#OWASPNZ
More easy assumptions

#OWASPNZ
How do we create better passwords?

Longer is always better.

#OWASPNZ
How do we remember long passwords? Passphrases and password managers!

#OWASPNZ
Let's analyse the strength of the passphrase of this talk.

#OWASPNZ
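The "guessing is basically math" point and the passphrase strength analysis, carried through in code. This is an added example, not the speaker's slides: the 10 billion guesses per second attacker and the rough "common word, year, symbol" model for a pattern-built password are assumptions chosen for illustration, and the functions generalise the arithmetic to any alphabet or word list.

```python
"""Password-guessing arithmetic (added example, not from the talk).

Assumptions: 1e10 guesses/second models a GPU rig against a fast unsalted
hash; the pattern model for a Word+Year+Symbol password is a rough estimate.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10  # assumed attacker capacity


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from a word list.

    Diceware: 7776 words (five dice). The letters in the words do not count;
    only the number of equally likely choices the attacker must cover does.
    """
    return word_count * math.log2(wordlist_size)


def pattern_bits(*choice_counts: int) -> float:
    """Entropy when the attacker knows the shape of the password.

    A human-made 'Summer2019!' is not 11 random characters; it is one pick from
    a small word list, one from a few decades of years, one from a handful of
    symbols. The space is the product of those choices, so the bits add up.
    """
    return sum(math.log2(n) for n in choice_counts)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker searches half the space before hitting."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(password_length: int = 11, alphabet_size: int = 72,
            words: int = 6, wordlist_size: int = 7776) -> dict:
    """Naive strength-meter view vs the attacker's view vs a passphrase."""
    naive = random_string_bits(password_length, alphabet_size)
    realistic = pattern_bits(10_000, 30, 10)   # common word * year * symbol
    phrase = passphrase_bits(words, wordlist_size)
    return {
        "naive_bits": naive,
        "pattern_bits": realistic,
        "passphrase_bits": phrase,
        "pattern_crack_seconds": expected_crack_seconds(realistic, GUESSES_PER_SECOND),
        "passphrase_crack_years":
            expected_crack_seconds(phrase, GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:24} {value:,.2f}")
```

The same 11-character password scores about 68 bits if you assume every character was random and about 21 bits once the attacker guesses the shape, which is why "people reduce the randomness" matters more than any complexity rule. Each extra Diceware word adds a fixed 12.9 bits no matter how short the word, which is the quantitative reason behind "longer is always better" and why a six-word passphrase is out of reach even for the assumed rig.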
What about password managers?

#OWASPNZ
How the government will ACTUALLY get your password:
#OWASPNZ
2FA is critical for admin accounts and great for everyone else

#OWASPNZ
Don't bother with password expiry.

#OWASPNZ
Some other quick advice.

#OWASPNZ
Conclusions:
- use longer passwords
- use a password manager
- use Multi-Factor authentication

Talk about this stuff!

#OWASPNZ
Thanks Antonio!

#OWASPNZ
Now it's @petrajane talking about a beginner's guide to security in the cloud

#OWASPNZ
Clouds are cool!
@petrajane #OWASPNZ
Who is @petrajane?

She's fucking awesome, that's who.

#OWASPNZ
Let's get our head in the clouds!

@petrajane #OWASPNZ
What is the cloud?

Not just other people's computers - it's a whole platform that enables unparalleled flexibility & scalability.

@petrajane #OWASPNZ
The power of the cloud isn't about what you have but rather about what you can do with it.

@petrajane #OWASPNZ
Is the cloud secure?

It depends on the security of the provider but also how well you've secured your OWN side of the environment

@petrajane #OWASPNZ
Who is responsible for security?

All of us! We're all responsible for different aspects of security.

@petrajane #OWASPNZ
Perimeter security model:
@petrajane #OWASPNZ
Cloud uses shared responsibility model

Orange might be the service provider responsibility in the IaaS model.

@petrajane #OWASPNZ
Slightly different responsibility for SaaS model.

But there are always parts you're responsible for.

@petrajane #OWASPNZ
How do we stay safe?

It's up to you. It's your responsibility to make the right decisions to choose the correct provider.

@petrajane #OWASPNZ
To pick a provider, first work out what you need.

@petrajane #OWASPNZ
Do your homework on the providers.

@petrajane #OWASPNZ
Build your cloud 🏰!
@petrajane #OWASPNZ
Observe your cloud to ensure it's all operating as it should.

@petrajane #OWASPNZ
Cloud security is:

- a shared responsibility
- about trust, not control
- an ongoing commitment
- easier with a good plan

Awesome talk @petrajane!
#OWASPNZ
Now we're talking about eating 🐘s with Stephen
#OWASPNZ
About Stephen:

#OWASPNZ
How do you apply these new good things when you're 40?

The business, that is...

#OWASPNZ
Application security engineers are pretty cool.

#OWASPNZ
What else is good?

That thing, apparently.

#OWASPNZ
The awful reality: we can automate everything but people will still let us down.

Not everything needs to be automated.

Not everything needs to be DevOps.

#OWASPNZ
"If you take anything away today, it's how valuable having a security person attending team stand ups is"

#OWASPNZ
Increase visibility for secure development.

#OWASPNZ
Lessons learned:

#OWASPNZ
Thanks Stephen!

Special shout out to Agile Application Security by @lady_nerd (and others)! ❤️

#OWASPNZ
Now @judyofcare is talking about what's in a name? Law of agency and domain name registrations.

No photos! I'll tweet the bits I can. 😊

#OWASPNZ
Learning about @judyofcare. She's a security engineer at the Ports of Auckland and an ex-lawyer.

She's pretty awesome!

#OWASPNZ
"If you're going to take a picture, take a picture of this slide as it doesn't exist anywhere else."
@judyofcare #OWASPNZ
It's @judyofcare's best practice for domain name registrant contacts
#OWASPNZ