Schedule

09:00 AM

Troy Hunt

Internet Security Specialist

TRAINING: Hack Yourself First: How to go on the Cyber-Offence (2 days)

Hack Yourself First is all about building up defensive skills in developers. It looks at security from the attacker’s perspective and takes them through the steps necessary to exploit vulnerable software on the web so that they can experience hacking first hand.

09:00 AM

Eldar Marcussen

justanotherhacker.com

TRAINING: Bug Hunting Bootcamp - Discovering 0day (2 days)

The course is aimed at beginners and security professionals alike; with a variety of targets to practice bug hunting skills on, the participant will find something suitable for their skill level. The course will cover manual and automated vulnerability hunting in web applications, source code, compiled binaries, exploit chaining...

09:00 AM

Aditya Gupta

Founder at Attify

TRAINING: Android Application Security (1 day)

In this one-day practical training course we will cover how we, as technology professionals, can test for security issues, which will enable us to build more secure Android applications.

09:00 AM

Troy Hunt

Internet Security Specialist

TRAINING: Hack Yourself First: How to go on the Cyber-Offence (2 days)

Hack Yourself First is all about building up defensive skills in developers. It looks at security from the attacker’s perspective and takes them through the steps necessary to exploit vulnerable software on the web so that they can experience hacking first hand.

09:00 AM

Eldar Marcussen

justanotherhacker.com

TRAINING: Bug Hunting Bootcamp - Discovering 0day (2 days)

The course is aimed at beginners and security professionals alike; with a variety of targets to practice bug hunting skills on, the participant will find something suitable for their skill level. The course will cover manual and automated vulnerability hunting in web applications, source code, compiled binaries, exploit chaining...

09:00 AM

Aditya Gupta

Founder at Attify

TRAINING: iOS Application Security (1 day)

iOS Application Security is a one-day hands-on, practical training course for technology professionals that will teach you the fundamentals of various iOS application security concepts. We will first identify various types of security issues in iOS applications and then see how those security issues could have been prevented.

09:30 AM

WORKSHOP: Defensive Secure Coding Tournament (entire day, room 4)

Compete in a practical defensive secure coding tournament where you will be given your technology stack of choice to complete a number of web security challenges. Identify, solve and remediate OWASP Top 10 issues and more...

09:30 AM

Topaz A

Hack the Planet!

WORKSHOP: Lock Picking - Compromising Physical Security (entire day, open area)

Here you will have the opportunity to learn hands-on how the fundamental hardware of physical security operates and how it can be compromised. The lockpick table is a physical security demonstration and participation area...

09:30 AM

Edwin Kwan

Software Security Team Lead @ Tyro

Tyro Payments: Securing Australia's Newest Bank (room 1)

In this talk, we'll cover Tyro's (Australia's newest bank) Secure Software Development Life Cycle journey and talk about foundational security decisions, sharing what worked well, what didn't work, why, and what they are trying now.

09:30 AM

Daniel Grzelak

Head of Security @ Atlassian

Hacking AWS end-to-end (room 2)

All the things are and/or will be on AWS now, but the public state-of-the-art AWS hacking techniques are some combination of searching GitHub for access keys, starting EC2 instances and mining Bitcoin. That's great, but it's not at all realistic and, as always, there's a lot more to it. In this talk, we will cover AWS account reconnaissance, persistence, log disruption and much more...

10:30 AM

Nick Malcolm

Security Consultant @ SafeStack

How to spot and stop a wolf in sheep's clothing - AKA Account Takeover (room 1)

Over 80% of online breaches involve the use of weak or stolen passwords. It’s not new, but it works! This talk will discuss the threat of account takeover, as well as tools and techniques for detection and response within your own web applications.

10:30 AM

Lilly Ryan

Software and systems engineer

WORKSHOP: Build your own end-to-end encrypted chat server (2 hours, room 2)

Do you collaborate a lot? Are you exchanging sensitive information frequently with your friends and co-workers? Do you share work secrets over Slack? Do you want to do more about your privacy? If you answered 'yes' to any of these, get yourself along to this workshop and learn how to do these things better, without a third-party company sitting in the middle.

10:30 AM

Aditya Gupta

Founder at Attify

The Security of IoT Devices - Tools, Techniques and the Mindset (room 3)

In this talk, we will look at IoT devices from various industries (healthcare, smart home automation and more) and explore the methodologies you could employ to start identifying security issues in those devices.

11:30 AM

Felix Shi

Security Specialist at Xero

Developer's Guide to XSS (room 1)

An introductory talk on Cross-Site Scripting, targeted towards web application developers and QA engineers (no prior experience required!).

11:30 AM

Kirk Jackson

Security Researcher @ RedShield

Let me fix that for you! (room 3)

Learn how to dynamically patch legacy applications, or applications that no longer have source code available. We will show how ModSecurity works, including patching some OWASP Top 10 vulnerabilities using ModSecurity rules and node.js. We will discuss how to fix complex business logic flaws by writing JavaScript code running in node.js that allows you to rewrite traffic to and from your website and track the state of users, sessions and requests...

01:30 PM

Andrew Bienert

A Security Architect @ SEEK

Lessons Learned: Wrangling Security and Identity across 80 AWS Accounts (room 1)

In this talk I will focus on the topic of identity and access management for APIs in a multi-account world and discuss the considerations and implications. I will present a multi-account architecture and strategy that may offer others ideas of where to start...

01:30 PM

Pamela O’Shea

SQLi is my last name

WORKSHOP: Introduction to Software Defined Radio (SDR) (2 hours, room 2)

Now, for less than $20 anyone can listen to the airwaves! In this workshop, we will look at what is around us in the airwaves, including your data centre pagers, airplanes...

01:30 PM

Louis Nyffenegger

Founder at PentesterLab

WORKSHOP: Finding needles in haystacks (2 hours, room 3)

Code reviews can be intimidating, but they are often the best way to find vulnerabilities that will be missed during traditional testing. In this hands-on session, we will provide you with the methodologies and techniques to get started and some examples of both trivial and non-trivial bugs...

02:30 PM

Jen Zajac

Lead frontend dev at Catalyst

Sensible defaults for client-side security (room 1)

When starting a new web application project, what are the foundations that you should establish to ensure your JavaScript, HTML and CSS are going to be secure? Thinking early about CSP, session token storage and how much you can trust a given input can save a lot of rework later!

04:00 PM

Troy Hunt

Internet Security Specialist

Lessons from a Billion Breached Records (room 1)

In this talk, I’ll share the lessons learned from working with billions of publicly dumped records as a result of major data breaches. The talk sheds light on how this class of adversary operates and the weaknesses within organisations they continually manage to exploit. It’s a unique inside look at security from a very real world and very actionable perspective.

04:00 PM

Olli Jarva

Solutions Architect @ Synopsys

Build Security and Quality In - Software Security Strategy with BSIMM (room 2)

In this talk, we are looking into how to marry software security activities to strategy so you can build a viable security program. This talk will focus on commonly observed software security activities, prescriptive vs. descriptive models, and how to get an organisation to move away from a penetrate-and-patch/test-it-in mentality...

04:00 PM

Brendan Scarvell

Can cook 2 min noodles in 1 min 57 sec

Phwned (room 3)

The Grandstream GXV3275 is an Android-based VoIP video phone. Analysis of the phone shipped with an early firmware version identified a wide variety of vulnerabilities, all leading to remote code execution as root. In this talk we will walk through a range of common OWASP vulnerabilities found in the phone...