Presentations & Publications

Chapter 5 of Fearless Change has some great ideas to increase the effectiveness of your meetings and presentations. Here’s a post I wrote on it.

Feel free to contact me if you would like me to help mentor, or to give a presentation or workshop on a topic I’m familiar with. Check my blog for my areas of expertise.

I’m also an active member of Boaters Toastmasters, which provides the opportunity to speak in front of an audience of 40-50 most weeks.


Upcoming Presentations, Publications, Conferences and Events

My book series (Holistic Infosec for Web Developers) is making good progress. Grab yourself an electronic or hard copy.

Fascicle 0 is finished, and Fascicle 1 is progressing quickly.


Holistic InfoSec for Web Developers

23-02-2017 DevSecCon Asia
Developing a high-performance security focussed Agile Team (2 hour workshop)


Quality (security included) does not have to be neglected when you’re planning, building and running a high-performance development team.

Kim will set the stage with how and why Agile development teams fail, explained with a familiar anecdote taken from his new book “Holistic Info-Sec for Web Developers”, coupled with how you can change this.

Kim will then discuss and demo a set of lightweight processes, practices and tools that, when combined, have proven their value in:

  1. Aiding high throughput (reducing time to market)
  2. Significantly increasing quality (finding and removing bugs)
  3. Without de-scoping

and all while reducing total project cost (fact).
If this sounds like breaking the laws of physics, or too good to be true, then this workshop is for you.

Kim will finish off with the habits of top developers and how we can make them part of our lives.

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

09-03-2017 NZ.JS Conference, Wellington NZ
The Art of Exploitation


To understand both why and how to mitigate your attackers’ attempts to exploit your weaknesses, you must first understand your attackers and how they succeed.
Kim will examine and demonstrate a collection of essential attacks, commonly used in the exploitation and demise of many individuals and organisations today.

Kim will then address the mitigation techniques, and how the whole process of exploitation and mitigation can and should fit within each and every Scrum Sprint.

All content is sourced from the first and second volumes of Kim’s three-part book series (Holistic Info-Sec for Web Developers), specifically focussed on equipping Web Developers to stay ahead of their attackers.

Holistic Info-Sec for Web Developers

15-03-2017 JS Remote Conf
The Art of Exploitation


Holistic Info-Sec for Web Developers

Previous recorded Presentations, Publications, Conferences and Events

25-01-2017 Information Security Interest Group Christchurch NZ
Windows Exploitation and Persistence with PowerShell


Kim will walk us through a collection of PowerShell delivery techniques (in memory, not on disk) for a common reverse-shell shellcode.

The common payload takes the user-supplied shellcode, overwrites the first 0x1000 bytes of the calling PowerShell instance with it, creates a thread to execute within the virtual address space of that PowerShell instance, and starts it.

All of the delivery and persistence techniques bypass AV detection of the shellcode.

Kim has dissected the virus and payload and will explain how they work.

We will look at delivery media (virus):

Persistence media:

  • Meterpreter (busted by AV)
  • PowerSploit
    • PowerShell persistence with PowerSploit

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

29-11-2016 AgileNZ, Auckland, New Zealand
Agile Security for Web Developers (50 minute presentation)

Join Kim in an exploration of an insightful set of steps he has learned from an architectural, engineering and penetration testing perspective, based on a portion of the content of the first volume of Kim’s new book “Holistic Info-Sec for Web Developers”. We will also walk through how your Scrum Team can bring the specialised process of penetration testing from the release phase right up front and augment your Scrum process (that’s each and every Sprint) with a collection of processes, practices and tools that have proven their value in the field of information security.

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

16-11-2016 Kiwicon, New Zealand, Wellington
Holistic Info-Sec for Web Developers – Intense

Four hours of intense hands-on threat modelling, attack and defence strategy training for Web Developers wishing to understand their attackers better, stay ahead of them and create cost-effective defence strategies.

Kim Carter Biography

Holistic Info-Sec for Web Developers Training

The content is aimed at software engineers, to teach them how to think holistically about security. The theme that runs through the training, and the book, is pulling the security focus that’s usually left until the end of the project or “go live” right into each Sprint: baking security into the product at the cheapest possible point, and thus saving large amounts of money otherwise lost to re-work and business asset loss. Kim will be teaching attendees a very simple threat modelling process initially blueprinted by one of the best security experts the world has known, Bruce Schneier, then how to apply that process at a 10,000′ view and lower to a collection of areas within each Sprint: Physical, People, Cloud, VPS, Network and Web Applications.

A hands-on training, taking the attacker’s perspective and extracting a set of development-related processes and practices that can be augmented with your Scrum Team’s existing processes and practices, creating minimum disruption and maximum cost-effective security. Attendees will be able to take these learnings and apply them within their own Scrum Teams.

Holistic Info-Sec for Web Developers

12 & 13-11-2016 Christchurch Hacker Conference (CHCon)

We are proud to announce the first CHCon, a conference for security professionals and hackers in Christchurch, New Zealand. CHCon is being coordinated by a small collection of people (of which I am one) who are passionate about raising awareness and the skill level of information security within our community.

Training will also be run on the day before the conference.

28-10-2016 AWS Meetup, Auckland, New Zealand
Security Workshop with ZapAPI and NodeGoat

Due to popular demand, this workshop is running again, this time at Auckland AWS.

27-10-2016 NodeJS Meetup, Auckland, New Zealand
Security Workshop with ZapAPI and NodeGoat

Due to popular demand, this workshop is running again. This time, not on the other side of the planet, but much closer to home, at Auckland NodeJS.

16-10-2016 NodeConf EU, Lyrath Estate, Kilkenny, Ireland
Security Regression Testing with ZapAPI and NodeGoat (workshop)

Due to popular demand, this workshop is running again. This time at the prestigious NodeConf EU.

NodeConf EU is just a few short weeks away, so it won’t be long until you get to hear innovators like Kim Carter share their insights. In his talk, Kim Carter will take you on a whirlwind tour of a proof of concept that he implemented for a large international client.

Kim will demonstrate the OWASP Zap API with NodeGoat, which helps you identify vulnerabilities in your web application as you create it, rather than at the end of a project. It’s a low-cost solution useful for carrying out constant security regression testing on your product, similar to having a full-time penetration tester on your development team.

Kim Carter has developed a strong track record as a technology architect and information security professional over 15 years. He is a Chapter Leader of the Open Web Application Security Project (OWASP) NZ and a Certified Scrum Master. Kim enjoys facilitating and motivating cross-functional, self-managing teams. You’ll find the insights from Kim’s talk in his new book, Holistic Infosec for Web Developers (Leanpub).

NodeConf gives you unparalleled access to top thought leaders like Kim Carter. Book your tickets now to avail of this unique opportunity.

05-09-2016 University of Canterbury, Computer Science dept, New Zealand
Holistic Info-Sec for Computer Science Students (110 minute tutorial)

Kim will take the students on an exploration of an insightful set of steps he has learned from an architectural, engineering and penetration testing perspective. Based on the content of volumes 0 & 1 of Kim’s new book “Holistic Info-Sec for Web Developers”, we will walk through how your project Scrum Teams can bring the specialised process of penetration testing, usually performed at or after the release phase, or not at all, right up front, augmenting your Scrum process within each and every Sprint with a collection of processes, practices and tools that have proven their value in the field of information security. Kim will walk the students through the Sensible Security Model (SSM) threat modelling process with examples in areas such as physical, people, VPS, network, cloud and web applications.

18-08-2016 Agile Professionals Network, Christchurch, New Zealand
Agile Security for Web Developers

Due to popular demand, this presentation is running again. This time at Christchurch Test Professionals Network.

23-07-2016 Hope, New York City, USA
Holistic Info-Sec for Web Developers (90 minute tutorial)

Join Kim in an exploration of an insightful set of steps he has learned from an architectural, engineering and penetration testing perspective. Based on the content of volumes 0 & 1 of Kim’s new book “Holistic Info-Sec for Web Developers”, we will walk through how your Scrum Team can bring the specialised process of penetration testing from the release phase right up front, augmenting your Scrum process within each and every Sprint with a collection of processes, practices and tools that have proven their value in the field of information security. Kim will walk us through the SSM threat modelling process with examples in areas such as physical, people, VPS, network, cloud and web applications.

21-07-2016 OWASP, New York City, USA
Security Regression Testing with ZapAPI and NodeGoat (workshop)

Due to popular demand, this workshop is running again. This time at the OWASP New York chapter.

29-06-2016 OWASP, Christchurch New Zealand
Security Regression Testing with ZapAPI and NodeGoat (workshop)

Due to popular demand, this workshop is running again. This time at the OWASP Christchurch, New Zealand chapter.

23-06-2016 Chc.js Meetup, Christchurch, New Zealand
Security Regression Testing with ZapAPI and NodeGoat (workshop)

Kim Carter of BinaryMist will provide a whirlwind tour of a Proof of Concept covered in his new book “Holistic Info-Sec for Web Developers”, which he has since implemented for a large international client.

This will demonstrate how you can leverage the OWASP Zap API to discover many vulnerabilities in your web application as you are creating it, rather than at the end of the project.

This is essentially like having a full-time penetration tester on your development team, continuously security regression testing your product as a CI or nightly build while it’s being developed, for a very minimal set-up cost.

github source

YouTube Teaser

18-06-2016 Code Camp, Christchurch, New Zealand
Agile Security for Web Developers

Join Kim in an exploration of an insightful set of steps he has learned from an architectural, engineering and penetration testing perspective, based on a portion of the content of the first volume of Kim’s new book “Holistic Info-Sec for Web Developers”. We will also walk through how your Scrum Team can bring the specialised process of penetration testing from the release phase right up front and augment your Scrum process (that’s each and every Sprint) with a collection of processes, practices and tools that have proven their value in the field of information security.

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

23-05-2016 AusCERT2016, Surfers Paradise, Australia
Holistic Information Security Training

This training is now available for all organisations requiring it.

Full day training on Monday 23 May at Australia’s largest and oldest information security conference. Based on the training performed at Kiwicon, with improvements. All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

27-04-2016 ISIG, Twisted Hop, 616 Ferry Road, Christchurch New Zealand
Holistic Info-Sec for Web Developers Tools, Password Profiling, Brute Forcing

Kim will take us through the collection of tools added to and configured on his penetration testing machine, used throughout his book (Holistic Info-Sec for Web Developers). Kim will then profile a well-known celebrity’s password, creating a short-list, then (online) brute force their login. Come along, it’ll be fun. We have another two excellent speakers (Kevin and Chris (ISIG organisers)) as well, discussing data recovery and training your employees how not to fall for phishing attacks.

26-04-2016 Holistic Info-Sec for Web Developers interview

Interview on .NET Rocks (show 1287) with Richard Campbell and Carl Franklin on the book (Holistic Info-Sec for Web Developers) currently being worked on and released continually on LeanPub.

Download Interview

03 & 04-02-2016 OWASP New Zealand Day, Auckland

We are proud to announce the seventh OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday February 4th, 2016. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Similar to last year:

• We will be offering training on the day before the conference (Wednesday, 3rd of February).
• After lunch on the conference day, we will split into two tracks – one focused on technical topics, the other on policy, compliance and risk management.

Presentation Slide Show on speakerdeck.com

09-12-2015 Kiwicon, New Zealand, Wellington
Holistic Information Security Training

After a successful and productive day at New Zealand’s largest hacker conference, this training is now available for all organisations requiring it.

Kim Carter Biography

Holistic Info-Sec for Web Developers Training

The content is aimed at software engineers, to teach them how to think holistically about security. The theme that runs through the training and the book is pulling the security focus that’s usually left until the end of the project or “go live” right into each Sprint: baking security into the product at the cheapest possible point, and thus saving large amounts of money otherwise lost to re-work and business asset loss. Kim will be teaching attendees a very simple threat modelling process initially blueprinted by one of the best security experts the world has known, Bruce Schneier, then how to apply that process at a 10,000′ view and lower to a collection of areas within each Sprint: Physical, People, Cloud, VPS, Network and Web Applications.

A hands-on training, emulating the Scrum process and augmenting it with the processes and practices as the day progresses. For each of the areas mentioned above, we will be creating Product Backlog Items, with a Product Owner facilitating the ordering of them. Attendees will be able to take these learnings and apply them within their own Scrum Teams.

Holistic Info-Sec for Web Developers

04-12-2015 Boaters Toastmasters, Christchurch, New Zealand
Password Profiling

Following on from Passwords 101, in this talk and demonstration Kim covers how attackers take targeted open-source intelligence (OSINT) and use it to formulate short password lists using both tools and manual techniques.

Kim then takes the word-lists, along with an analysis of failed and successful login attempts against a web application, and teaches a collection of brute-forcing tools what unsuccessful and successful logins look like, then runs the brute-forcing tools until the credentials have been discovered. This demonstrates that common password strategies are no longer sufficient to stop full account compromise and worse.

This is followed up with some tips on how to make this process a lot harder for attackers. Content can be found in Kim’s Holistic Infosec for Web Developers book.

27-11-2015 Boaters Toastmasters, Christchurch, New Zealand
Infectious Media with Rubber Ducky

This talk is based on the Infectious Media section in the People chapter of Kim’s new book Holistic Infosec for Web Developers, and was also demonstrated in the Kiwicon training.

In this talk Kim walks through the psychology of why humans succumb to infectious media attacks and how the attacker is easily able to leverage human weaknesses to do their bidding. This is a very useful and effective approach to getting inside a target organisation with no physical or network access.

When the human weaknesses are coupled with the inherent trust of Human Interface Devices (HID), we have a recipe for success, or disaster, depending on which side of the equation you are on.

Kim walks through:

1. Ducky Script
2. Encoding the payload
3. Loading the SD card, and the card into the device
4. Distributing the devices
5. Launching attacks

The community-contributed attacks are also discussed, and how to extend them.

Finally, mitigation techniques are explored, including using the device of compromise to train potential targets how not to be targets.

Presentation Slide Show on speakerdeck.com

30-09-2015 OWASP NZ Christchurch
The Exploited & the Exploiters – Case Study of a Real Cyber Hack and Live Demos

This is going to be a play-off between two presentations, each taking quite a different viewpoint. Salinda is going to discuss the perspective of the organisations that get compromised by cyber criminals: how much these types of attacks cost them on a yearly basis in terms of assets and, at a high level, how these attacks are played out. Kim is going to take the perspective of the penetration tester hired in by the target to find the defects in their security defences before the cyber criminals do.

15-09-2015 Functional Christchurch Meetup
0wn1ng The Web

Due to popular demand, this presentation is running again. This time at Functional Christchurch.

08-09-2015 Christchurch Test Professionals Network, New Zealand
0wn1ng The Web

Due to popular demand, this presentation is running again. This time at Christchurch Test Professionals Network.

30-07-2015 Chc.js Meetup, Christchurch, New Zealand
0wn1ng The Web

Due to popular demand, this presentation is running again. This time at chc.js.

23-07-2015 WDC New Zealand, Wellington
0wn1ng The Web

JavaScript is an incredibly powerful tool for good. With great power comes great responsibility. Are we taking our responsibility seriously? JavaScript is also an incredibly powerful tool for evil. As a developer it’s time to empower your tech sense and see how easy it is for those hiding in the shadows to own not only you, but your friends, family, clients, customers… Anyone that uses a browser.

New advances in technology look shiny… until we stop believing the hype, open our minds and start poking at them. Let me show you what happens when we start poking.

Full House, Standing Room Only!

Presentation Slide Show on speakerdeck.com

Demos on YouTube

WDCNZ Presentation Stills

Live Presentation

30-06-2015 Christchurch .Net User Group
Does your Cloud Solution look like a Mushroom?

Due to popular demand, this presentation is running again. This time at the Christchurch .Net User Group.

24-06-2015 OWASP NZ Christchurch
Does your Cloud Solution look like a Mushroom?

Similar to the talk presented at SATURN in Baltimore.

5-06-2015 Boaters Toastmasters, Christchurch, New Zealand
Passwords 101

In this 5 – 7 minute talk, I demonstrate (hands on) how easy it can be to compromise passwords using a collection of techniques. I discuss how most developers are failing at keeping their end users safe.

I then go over a collection of techniques that end users can employ to keep themselves safe while we’re waiting for developers to accept the call to action and increase their knowledge and ability to create robust software and networks.

Presentation Slide Show on speakerdeck.com

22 -> 25-05-2015 CampJS, Melbourne, Australia
Holistic InfoSec For Web Developers

Presentation Slide Show on speakerdeck.com

Workshop Wiki (in progress)

27 -> 30-04-2015 SATURN, Baltimore, MD, USA
Does your Cloud Solution look like a Mushroom?

Also MC’d three talks.

This talk was based around ideas from the following blog posts:

Journey To Self Hosting

Installation, Hardening of Debian Web Server

Evaluation of Host Intrusion Detection Systems

Keeping your NodeJS Web App Running on Production Linux

Presentation Slide Show on speakerdeck.com

25-03-2015 OWASP Christchurch NZ Meetup
Reverse Engineering, Cracking, Compromising Software Security & Mitigations

26 & 27-01-2015 OWASP New Zealand Day, Auckland

We are proud to announce the sixth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday February 27th, 2015. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Similar to last year:

• We will be offering training on the day before the conference (Thursday, 26th of February).
• After lunch on the conference day, we will split into two tracks – one focused on technical topics, the other on policy, compliance and risk management.

3,4-09-2014 AgileNZ, Wellington, New Zealand
How to Increase Software Developer Productivity

If you’re looking to get more out of your organisation’s software developers, increase your ROI, spend less money on fixing bugs or increase your development team’s business value release rate, this session is for you. Or you might be a software developer looking to lift your game to the next level.

There are many ways to lift software developers’ productivity and, as a result, the development team’s total output. This session addresses some quick wins, as well as some that take longer to implement.

This talk was based around ideas from the following blog post:

How to Increase Software Developer Productivity

Presentation Slide Show on slideshare.net

23-01-2014 CHC.JS, Christchurch, New Zealand
Walkthrough writing an Ember.JS Application

The format of this presentation was to write a blogging platform in JavaScript using Ember.js. The application had the functionality to display, edit and navigate blog posts written in Markdown, in about 35 lines of JavaScript on top of the Handlebars templates. If you’re interested in seeing this code, contact me. This talk was held at the MV* Battle Royale event.

As part of my research I produced the following blog post:

Evaluation of AngularJS, EmberJS, BackboneJS + MarionetteJS

12-09-2013 OWASP New Zealand Day 2013
What’s Our Software Doing With All That User Input

What are we doing with all the characters that get shoved into our applications? Have we considered every potential execution context?
It’s often interesting and surprising to see what sort of concoction of characters can be executed in different places… and how multiple attack vectors can be linked together in ways the builders haven’t thought about.
What are we trusting? Why are we trusting it? What, where and how should we be sanitising?

We have a vast collection of libraries, techniques, cheat sheets, tutorials, guides and tools at our disposal.
I often find myself thinking… how can we commoditise the sanitisation of user input? And I keep coming up with the same answer.
It’s not easy. Every application has a completely different set of concerns.

In order for our software to be shielded from an attack, the builders must think like attackers.

In this talk I’ll attempt to:

• Increase our knowledge and awareness
• Discuss practical techniques and approaches that increase our defences
• Break some software

Presentation Slide Show on slideshare.net

09-2013 PenTest Magazine Extra, USA
Kali Linux Review

When it comes to measuring the security posture of an application or network, the best defence against an attacker is offence. What does that mean? It means your best defence is to have someone with your best interests at heart (generally employed by you, if we’re talking about your asset) assess the vulnerabilities of your asset and attempt to exploit them.

PenTest Magazine on MediaFire

26-08-2013 ANZTB, Christchurch, New Zealand
Security Testing with Kim Carter

Join Kim Carter for a hands-on insight into security testing. Kim will discuss some of the more common security vulnerabilities being found in today’s software implementations, and will demonstrate ways of testing for them. He would like to encourage anyone interested to join him in working through the “hacks” used when doing security testing. To enable participation in this session, he will use an open source security testing toolkit, Kali Linux. Anyone interested in working through the security tests with Kim is welcome to create a Kali Linux USB boot disk (instructions are on their website) and bring it with them on the night, along with their own laptop/device.

Presentation Slide Show on slideshare.net

05-03-2013 Canterbury Software Cluster, Christchurch, New Zealand
Moving to test and behaviour-driven development

In this session I went over the benefits of introducing TDD and BDD: how to introduce them, their differences, and how to deal with push-back from team members and upper management. I also covered the benefits of driving our development with tests, how it helps the quality and maintainability of our software, how it helps the business and the client, the types of tests that best serve us for the different layers of our application development, and how business people can benefit from TDD and especially BDD.

Presentation Slide Show on slideshare.net

25-04-2012 TSBC
Pearls For Improving Operational Efficiency

This was a presentation held at one of TSBC’s Sprint Reviews after attending a Clarus Professional Scrum Master course.

Presentation Slide Show on slideshare.net
2 Responses to “Presentations & Publications”

  1. Helen McLeod Says:

    Wow. That is awesome. Well done!
    Did you make it to the Technology Summit in Chch last week? I attended the business stream. Some excellent speakers there.
    All the best
    From Helen
