publications

latest publications

X-Excess: WebApps meet Native Apps

7 November 2011
Mike Haworth and Aura associate Kirk Jackson talked at Kiwicon V about issues where the boundary betwen web apps and native apps gets blurry. Click here for the slides to the talk.

PDF Download "X-Excess: WebApps meet Native Apps"

Hack·Ed: Boost your defenses!

Andy Prow and Kirk Jackson presented at Tech·Ed NZ 2011 - the largest tech conference in New Zealand. They have compiled a "Cheat Sheet" of defenses for the common web risks for ASP.NET, MVC and SharePoint developers. You can download the PDF here.

PDF Download "Securing ASP.NET Webforms, MVC and SharePoint Cheat Sheet"

File Upload Considerations

Kirk Jackson presented at OWASP New Zealand Day 2011 on File Upload Considerations. You can download his presentation here.
PDF Download "File Upload Considerations"


Taking Information Security to the Exec Team

Gary Hinson of ISECT presented at the Annual CIO Summit on behalf of Aura. You can download his presentation here.
PDFDownload "Taking Information Security to the Exec Team".

Cloud Security Policies

24 May 2011

Andy Prow gave a presentation at the Cloud Security Summit on what's happening in the Cloud Infrastructure as a Service (IaaS) space, including the pros and cons of using a Cloud provider and the security implications and risks. He also explained how to mitigate these risks by implementing specific cloud security policies. You can access the presentation here.
PDFDownload "Cloud Security Policies" 

 

Welcome to Rootkit Country

Graeme Neilson presented at the CanSetWest Conference in Vancouver (March 11 2011) on developing rootkits for the top ten firewall / UTM manufacturers. You can download this well received presentation here.
PDFDownload "Rootkit Country" 


Feeling Insecure about your Web Testing?

Scott Fletcher presented at the Australia & New Zealand Testing Board on 30 March 2011 on beginner testing strategies for five of the OWASP Top Ten web security threats. These strategies will help testers ensure the security of web applications.
PDFDownload "Feeling Insecure about your web testing?" 


Tales from the Crypt0

Graeme Neilson presented with Kirk Jackson from Xero on cryptography at the OWASP Day New Zealand 15th July 2010.
Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?
Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.
Download "Tales of the Crypt0"


Netscreen of the Dead

Graeme Neilson presented at RuxCon in Sydney Australia (2008) and BlackHat, Las Vegas USA (2009).
The presentation covered Graeme's research on how he's developed a trojan ScreenOS operating system that when loaded onto any Juniper Firewall turns it into a ZOMBIE, giving Graeme full access to the underlying firewall, bypassing all rules and passwords.
We must of cause mention Juniper at this point - "we express our appreciation for your pragmatic and careful handling of this case" (Juniper, 28 Nov 08). They also released a tech bulletin: PSN-2008-11-111, "ScreenOS Firmware Image Authenticity Notification" which states: "All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed."
Listen in to Graeme's interview on IT Radio download (18MB mp3 file)
Download "Netscreen of the Dead"


Proactive Software Assurance

Andy Prow presented at the ISACA Computer Security Day on the 2nd Dec 2008 in Wellington. Andy's presentation focussed on the "SANS Defensive Wall 1 - Proactive Software Assurance", covering the steps you should take as an organisation to proactively protect your systems against attack.
Download "Proactive Software Assurance"


Better than the regular script kiddie: w3af

The w3af framework project is the up-and-coming MetaSploit of Web application security. It's flexible design allows new attack vectors to be easily written and includes many features which are only available in the grossly expensive commercial tools. Mark's presentation will discuss why we need webapp scanners and demo the w3af framework and how to automate the Discovery, Audit and Attack of web applications.

 The presentation can be downloaded here


Scanberry: Advanced Attacks via a trojaned Blackberry

Building on the Blackjacking tools presented at DefCon, Graeme will present some advanced tools for attacking internal networks via Blackberrys. For example how to use TicTactrojan on a Blackberry to port scan an internal network from the comfort of your external host.

 The presentation can be downloaded here


Quality Software - Designed to be Hacked

Andy will focus on how software quality MUST include security considerations during the requirements, design, implementation, testing, roll-out and maintenance phases. He will also include some examples of real-world security issues that "make you think..."

 The presentation can be downloaded here


It only takes a Pin Prick to burst your Enterprise Security bubble

The presentation highlights the need for an organisation to have there own "trusted in-house hacker" who thinks like a hacker would. 

Some of the other topics covered are:

  • Some of the latest tools hackers use
  • A sample of common vulnerabilities and how they can be exploited
  • How to protect your network against these exploits

 
Please feel free to contact Aura for more detailed information and to request a security assessment.

 The presentation can be downloaded here

 

 


All presentations are Copyright Aura Software Security Ltd 2010, All Rights Reserved. You may download these presentations for research purposes only. Any re-use or reproduction of these presentation may only be peformed with express permission from Aura Software Security Ltd.