We are information security specialists.
We can test your systems, defend you against attackers and train your staff.

Information Security



    Penetration testing is one of our renowned core services. A penetration test involves attempting to attack and infiltrate your applications or networks in the same way a malicious individual would. For every penetration test we carry out we apply a commonly used, industry-standard methodology. What makes us unique, however, is that we also design an approach specific to your scenario. It means you can be sure that all the key business and security considerations relevant to the system being tested have been addressed.


    Red Team testing involves simulating an attack against your organisation as a whole, rather than restricting the scope to a given application or service. Red Teaming will challenge your systems, processes, third parties and staff. We're experts in Red Teaming and the team loves it! They work incredibly hard to come up with outrageously creative ways to bypass your digital or human controls using genius hacking or sometimes cunning social engineering. You'll be blown away.


    Our specialist team will manually review all key and security critical components of your code as well as the application architecture and design. We're experts in secure coding and love getting stuck into code and design reviews. Our team has expert development and review experience in .NET (VB, C#, ASP), Ruby, JRuby, Ruby on Rails, Java, JSP, Applets, Servlets, PHP, AJAX, JavaScript, Python, Perl.


    Having a practical mobile device management strategy will keep your team connected, mobile and importantly your data secure. Securing your organisation’s infrastructure, systems and data has become increasingly difficult with the introduction of internet connected phones, portable smart devices and Bring Your Own Device (BYOD) policies.


    Wi-Fi networks are a key target for attackers because they can be reached without full physical access to your environment. We also find more and more "guest" networks being provided inside corporates today. Our Wi-Fi testing will identify your risk of unauthorised access to your networks, systems and, of course, your data.


    The Aura VSO (Virtual Security Officer) in general fulfils the functions and tasks of an organisational CISO (Chief Information Security Officer) and to some extent the tasks of an IT Security Manager, Risk and Compliance Manager and Privacy Officer. So it's pretty clever.


    There is no one thing that will solve all your IT Security issues. True security is achieved through a long-term, holistic approach. To help, we have developed a unique Complete Information Security Programme (CISP). This is a value-added, bundled, master service agreement which covers all of our point-in-time consulting services as well as our ongoing managed services.


    IMMEDIATE RESPONSE: If you're under attack now or have an urgent security incident then call 24/7 on +64 4 894 3755 and ask for the incident response team.


We will deliver to you a full explanation of issues and vulnerabilities. Yes, that will be in easy-to-understand language. We'll provide you with examples of how any vulnerabilities may be exploited and an outline of any potential impact(s). All vulnerabilities will be categorised with a threat level and we will recommend the very best way to mitigate your risk.

Our approach to helping you become secure or preventing and resolving incidents follows our unique belief that all results and deliverables should be transparent, easily understood and repeatable by your own staff. Where applicable our security specialists will provide you with additional context and understanding by assuming multiple personas during engagements to demonstrate how a system is likely to be attacked.

Managed Security Services


Defend with RedShield

The most secure place in the world to put any web application is behind RedShield. Built on our massively scalable and functional F5 platform, RedShield is a world-leading cloud web application shielding service. It provides DDoS defence and full WAF capabilities - and that's just for starters.

We have the unique ability to provide advanced shielding tailored to your website's unique vulnerabilities.

Our team lives and breathes the latest web attacks: we know how to recognise them, how to fix them in your code and how to shield you against them. We recommend you don't buy a web shielding service from anyone other than web security experts. That's what we are - and we are absolutely world class.


Scan with RedEye

RedEye is a managed scanning service that can scan your information assets, internal and external, every day. RedEye ensures that you are notified on a regular basis about potential vulnerabilities in your systems through our web portal. Our knowledgeable staff are always on hand to make recommendations for prioritising, fixing and mitigating vulnerabilities. RedEye provides you with a clear picture of your vulnerabilities over time.


Attack with BlackEye

There is no question that the combination of RedEye scanning and RedShield defence is the best possible protection available. So once we have these in place there's just one test left to carry out - we enter the mind of a hacker and launch a controlled 3DoS attack. We call it BlackEye.

By performing controlled 3DoS testing with transparency we can accurately measure and analyse how your systems will perform when subject to a malicious and uncontrolled attack.

In a real live DoS attack, excessive numbers of application and network requests are made to overwhelm your available system resources and cause interruption to normal service. In recent years, DoS attacks have become widely distributed in their source and highly diverse in nature, hence the term 3DoS, or Diverse Distributed Denial of Service (DDoS).


Security Training



    Why are systems attacked, how are they attacked and who are the attackers? Do you have problems with passwords, pin codes, passphrases and phishing? This course focuses on why information security matters and how you can protect yourself and your business with effective operational security and creating sane security policies.


    Managing security correctly goes well beyond the technical; understanding the governance of information security is essential to managing information and security risks. This course focuses on the fundamentals of information security governance, risk and compliance concerns.


    These days websites are under constant attack and it's incredibly easy for a developer or administrator to make seemingly minor mistakes that have catastrophic consequences. In this two-day course the latest attacks and defences in use today will be explained and discussed. The course focuses on attendees gaining an understanding of the OWASP Top Ten, with plenty of practical, hands-on lab exercises attacking web applications using industry-standard security testing tools, and advice on mitigating those same attacks.


    Confused by all the three-letter acronyms? RSA, DSA, AES, SHA, RC4, CBC, ECB... During this course we will introduce fundamental cryptographic concepts and discuss details of the various algorithms and protocols, including hashing, symmetric ciphers, public key cryptography and hybrid cryptographic systems. Real-world cryptographic systems with weaknesses will also be discussed to highlight the important decisions that need to be made when designing and implementing cryptography.

We pride ourselves on excellence, on each and every project, for each and every client.

About us

Who we are

Aura Information Security is one of New Zealand’s leading and fastest growing information security consulting companies offering penetration testing, security reviews and secure development training.

Our customers include many of New Zealand’s largest government agencies as well as local and international banks and corporates.

Our team consists of experts across a spectrum of Information Technology. We hold some of the top security qualifications in the industry and have tested many large scale applications, systems and infrastructure both locally and internationally.

The Management Team


Andy Prow

Chief Executive Officer


Mark Keegan

Practice Manager, New Zealand


Graeme Neilson

CISO / Head of Research


Scott Fletcher

Principal Consultant, Australia


Sam Pickles

Chief Technology Officer


Peter Bailey

Service Delivery Manager


Ben Robinson

Chief Operating Officer

Our team have presented research at international infosec conferences including Blackhat, CanSecWest, h3HC, Troopers, Ruxcon and Kiwicon.

Research & Development

Whitepapers & Presentations

Our specialists are committed to providing the best possible service. They are constantly researching new methods and developing custom tools to assist in our engagements. This dedication to ongoing process improvement means you have our assurance that your systems will be both resilient and robust should they be subject to a malicious attack.

  • Application Security On the Front Line

    — May 2014 | Sam Pickles

    Aura's Sam Pickles presents his experiences defending real world web applications from attacks. Sam discusses all the different types of attacks and presents techniques to protect your systems from these attacks.

  • [POC] CVE-2014-0196: Linux kernel pty layer race condition memory corruption (local root exploit)

    — 13 May 2014 | Matthew Daley

    Aura's Matthew Daley has published a slightly-less-than-POC privilege escalation exploit for Linux kernels >= v3.14-rc1. View the associated CVE and read the discussion of the bug.

  • The Three Billion Dollar App

    — 19 March 2014 | Vladimir Wolstencroft

    Aura's Vladimir Wolstencroft presents his research, "The 3 Billion Dollar App", at the Troopers infosec conference in Germany.

    Mobile social applications are proliferating through our society and are starting to take the limelight away from traditional social networks such as Facebook. Younger people, especially, are moving towards applications such as WhatsApp and SnapChat. Incumbent companies are eager to exploit this new user base and are willing to offer billions to purchase these apps. Clearly the value is driven by access to this user base and the ability to collect information about users or deliver ads direct to users. But do we need to spend billions to gain access to this user base? What if we don't need to spend anything... what if there was a way to deliver content to all the users just by using the app? This talk details what is possible after reverse engineering the SnapChat app and will show how you don't have to spend billions of dollars to deliver content to SnapChat users.

  • TechEd Australia 2013: Hack-Ed Develop Your Security Spidey Sense

    — 6th September 2013 | Andy Prow and Kirk Jackson (Xero)

    Andy and Kirk take their infamous Hack-Ed series over to Aussie to see if they can knock some security spidey-sense into the Aussies at Microsoft TechEd on the Gold Coast... Good luck with that!

  • Bluevox: Attacking One Time Passwords at 1100Hz

    — 19th November 2012 | Graeme Neilson and Shingirayi Padya

    Graeme Neilson and Shingirayi Padya presented at Kiwicon 6 on cracking audio one-time passwords.

  • Demonic Possession of Browsers. BeEF Issue #666

    — 19th November 2012 | Mike Haworth

    Mike Haworth presented "Demonic Possession of Browsers: BeEF Issue #666" at Kiwicon 6.

  • X-Excess: WebApps meet Native Apps

    — 7th November 2011 | Mike Haworth and Kirk Jackson

    Mike Haworth and Aura associate Kirk Jackson talked at Kiwicon 5 about issues where the boundary between web apps and native apps gets blurry.

  • Hack-Ed: Boost your defenses!

    — 24th August 2011 | Andy Prow and Kirk Jackson

    Andy Prow and Kirk Jackson presented at Microsoft Tech-Ed NZ 2011 - the largest tech conference in New Zealand. They have compiled a "Cheat Sheet" of defenses for the common web risks for ASP.NET, MVC and SharePoint developers.

  • File Upload Considerations

    — 7th July 2011 | Kirk Jackson

    Kirk Jackson presented at OWASP New Zealand Day 2011 on File Upload Considerations.

  • Cloud Security Policies

    — 4th May 2011 | Andy Prow

    Andy Prow gave a presentation at the Cloud Security Summit on what's happening in the Cloud Infrastructure as a Service (IaaS) space, including the pros and cons of using a Cloud provider and the security implications and risks. He also explained how to mitigate these risks by implementing specific cloud security policies.

  • Feeling Insecure about your Web Testing?

    — 30th March 2011 | Scott Fletcher

    Scott Fletcher presented at the Australia & New Zealand Testing Board on 30 March 2011 on beginner testing strategies for five of the OWASP Top Ten web security threats. These strategies will help testers ensure the security of web applications.

  • Tales from the Crypt0

    — 1st March 2011 | Graeme Neilson and Kirk Jackson

    Graeme Neilson presented with Kirk Jackson from Xero on cryptography at the OWASP Day New Zealand 15th July 2010.

    Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?

    Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.

  • Welcome to Rootkit Country

    — 11th March 2011 | Graeme Neilson

    Graeme Neilson presented at the CanSecWest conference in Vancouver (March 11 2011) on developing rootkits for the top ten firewall / UTM manufacturers.

  • Netscreen of the Dead

    — 2008, 2009 | Graeme Neilson

    Graeme Neilson presented at RuxCon in Sydney, Australia (2008) and BlackHat, Las Vegas, USA (2009). The presentation covered Graeme's research on how he developed a trojaned ScreenOS operating system that, when loaded onto any Juniper firewall, turns it into a ZOMBIE, giving Graeme full access to the underlying firewall and bypassing all rules and passwords.

    We must of course mention Juniper at this point - "we express our appreciation for your pragmatic and careful handling of this case" (Juniper, 28 Nov 08). They also released a tech bulletin, PSN-2008-11-111, "ScreenOS Firmware Image Authenticity Notification", which states: "All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed."



Aura Information Security

  • 2014: New Zealand Hi-Tech Awards, Emerging Business of the Year Finalist
  • 2012: Deloitte APAC Tech Fast 500
  • 2011: Deloitte APAC Tech Fast 500
  • 2010: Deloitte APAC Tech Fast 500
  • 2011: Fastest Growing Technology Business, Deloitte
  • 2011: Electra Business Past Master Award
  • 2011: Electra Business of the Year
  • 2011: Australia NZ Internet Awards, Security and Privacy

Aura RedEye Security

  • 2013: AUT Excellence in Business Support Awards
  • 2013: Electra Business of the Year
  • 2012: Australia NZ Internet Awards, Security and Privacy
  • 2012: Electra Business Awards, New Thinking category
  • 2012: Electra Emerging Business of the Year
  • 2012: AUT Excellence in Business Support Awards, Finalist
  • 2012: The Wellington Gold Awards, Finalist
  • 2012: Go UK, Finalist
  • 2011: Australia NZ Internet Awards, Security and Privacy



  • HOW

    Hack our challenge website. Show us what you've got. The challenge site is a dedicated hackable website spun up just for you that will live for 3 hours and then self-destruct. It's been built entirely by the Aura crew to test our new recruits, so you won't be able to Google the answers; you'll actually have to think! The challenges go from 'walk in the park' as warm-ups to 'ohhhh now that's cool' for those who can really hack it.

    You will have up to 48 hours to write us your "A-Game" report. Using your findings from stage 1, write a report in a style that is appropriate for presenting to a customer, and submit it together with your CV to canyouhackit@aurainfosec.com. Our office elves will sort through your application! Our security ninjas will vet your report! Magic happens!

  • WHAT

    As one of New Zealand’s largest security consultancies, we offer our staff the opportunity to work with a wide range of government organisations and private companies. The work we do is challenging, meaningful and ground-breaking.

    We offer our staff opportunities to grow and develop in their chosen field. Technical staff have their own development projects, tackling new and interesting problems in information security. On the basis of their research, our staff also attend and speak at local and international conferences.

  • WHY

    Our team environment is supportive, collaborative and professional. We work closely together to provide our customers with the best results we can offer. Our main office is in Wellington, with other offices in Auckland and Melbourne. Does this sound like somewhere you'd like to work? Then contact us.


Contact Us

  • Wellington, NEW ZEALAND: +64 4 894 3755 | Level 12, 79 Boulcott Street, 6011 | PO Box 25609, Featherston Street, 6146
  • Auckland, NEW ZEALAND: +64 4 894 3755 | Level 5, 135 Broadway, Newmarket
  • Melbourne, AUSTRALIA: +61 4 040 13515 | Suite 504, 365 Little Collins Street, Victoria 3000