Presentations & Publications

Chapter 5 of Fearless Change has some great ideas to increase the effectiveness of your meetings and presentations. Here’s a post I wrote on it.

Feel free to contact me if you would like me to help mentor, take a presentation or work-shop on a topic I’m familiar with. Check my blog for my areas of expertise.

I’m also an active member of boaters toastmasters, which provides the opportunity to speak in front of an audience of 40-50 most weeks.


Upcomming Presentations, Publications, Conferences and Events

My book series (Holistic Infosec for Web Developers) is making good progress. Grab your self an electronic or hard copy.

Fascicle 0 is finished, and Fascicle 1 is content complete.


Holistic InfoSec for Web Developers

 

23-11-2017 BSides Wellington
Secrets of a High Performance Security Focussed Agile Team

Kim teaching security focussed agile

Security does not have to be neglected when you’re planning, building & running a high performance development team. Kim will show us how to shift security left <- into the development team, with a set of light weight processes, practises & tools that have proven deadly to defective code and Teams.

 

nn-nn-2017 Application Security interview


Kim Carter SER

This interview was the result of the research involved in the Web Applications chapter of the second part of Kims book.

 

Previous recorded Presentations, Publications, Conferences and Events

 

25-10-2017 All Day DevOps
Secrets of a High Performance Security Focussed Agile Team

Kim teaching security focussed agile

Pre-conference Interview

All Day Devops Kim Carter pre conference interview

Pre Conference Interview

Presentation

Quality (security included) does not have to be neglected when you’re planning, building and running a high performance development team.

Kim will set the stage with how and why Agile Development Teams fail, explained with a familiar anecdote taken from his new book “Holistic Info-Sec for Web Developers”, coupled with how you can change this.

Kim will then cover a set of light weight processes, practises and tools, that when combined have proven their value in:
(1) Aiding high throughput (reducing time to market)
(2) Significantly increasing quality (finding and removing bugs)
(3) Without descoping
and all while reducing total project cost (fact).
If this sounds like breaking the laws of physics, or to good to be true, then this talk is for you.

Kim will finish off with the habits of top developers and how we can make them part of our lives.

Kim Carter teaching high performance security agile

Live Presentation (to come)

Holistic Info-Sec for Web Developers

 

26-10-2017 Christchurch Hacker Conference (CHCon)
Building Security Into Your Development Team(s)

Training being run the day before the conference.

Tickets available here.

Kim will lead the class through the tools, techniques and thought processes of both red and blue teams along with how to combine these attributes into the
purple team focussing on security, productivity, and tasked with continuously delivering sustainable maintainable technical solutions to market.

Kim will explain the roles of ‘T’ shaped professionals, including placement of security champions to create your purple Development Team(s).

We will work through how to implement the Sensible Security Model (SSM) within each and every Sprint, including:

  1. Creating actionable countermeasure Product Backlog Items
  2. Integrating them into the same Product Backlog that your Development Team has been pulling business focussed items from
  3. Ordering them based on the risk ratings you create for each

Kim will discuss how and where Agile Development Teams often fail, along with how to succeed with security with a familiar anecdote.
Then augmenting your Scrum process within each and every Sprint, with a collection of development focussed processes and practises, tools and techniques that have proven their value at drastically reducing defects before production deployment.

Kim will walk us through the SSM threat modelling process with theory and hands on exercises in areas such as Physical, People, VPS, Network, Cloud and Web Applications.
Including sub topics such as Docker, Serverless, PowerShell and many others.

Training material will be augmented with Extracts from Kims interviews on Software Engineering Radio with security experts such as Diogo Mónica (Docker Security Team Lead) and Haroon Meer (creator of Canary tools and tokens).

Copies of the first two parts of Kims book series “Holistic Info-Sec for Web Developers” (weighing in at aprx 700 pages) which this training is based on,
will be provided as: companion course material to accompany the training, ongoing self learning, and as a valuable reference resource long after the training has finished.

26-28 10-2017 Christchurch Hacker Conference (CHCon)

We are proud to announce the second CHCon, a conference for security professionals and hackers in Christchurch, New Zealand. CHCon is being coordinated by a small collection of people (of which I am one), passionate about raising awareness and the skill level of information security within our community.


chcon 2017

 

12-09-2017 Network Security interview


Kim Carter SER

This interview was the result of the research involved in the Network chapter of the second part of Kims book.

Founder of Thinkst Haroon Meer talks with Kim Carter about Network Security: how attackers are gaining footholds into our networks, moving laterally, infilling malware and exfiltrating our precious data; why we care; advice on what software engineers can do about it; how infrastructure as code has made software engineers responsible for network security; strategies used by attackers: (social engineering, password reuse); how attacks leverage a person on the inside; techniques of post exploitation and finally, preventive measures.

29-06-2017 OWASP, Christchurch New Zealand
Web Developer Quiz Night

Questions and Answers

09-05-2017 Docker Security interview


Kim Carter SER

This interview was a result of the research involved in the sections (Risks, Countermeasures) on Docker within Kims book.

Docker Security Team lead Diogo Mónica talks with SE Radio’s Kim Carter about Docker Security aspects. Simple Application Security, which hasn’t changed much over the past 15 years, is still considered the most effective way to improve security around Docker containers and infrastructure. The discussion explores characteristics such as Immutability, the copy-on-write filesystem, as well as orchestration principles that are baked into Docker Swarm, such as mutual TLS/PKI by default, secrets distribution, least privilege, content scanning, image signatures, and secure/trusted build pipelines. Diogo also shares his thoughts around the attack surface of the Linux kernel; networking, USB, and driver APIs; and the fact that application security remains more important to focus our attention on and get right.

18-04-2017 DevSecOps interview


Kim Carter SER

This interview was a result of the workshop I ran at DevSecCon.

Francois Raynaud and Kim Carter discuss what’s wrong with the traditional delivery approach and why we need to change. They explore the dangers of retrofitting security to the end of projects, how to combine development, operations, and security people into the same development teams and why, along with cost-benefit analysis. Francois and Kim discuss the cheapest place to deal with defects, challenges facing organizations looking to combine the three skill sets within their development teams, moving security up front, as well as changing traditional thinking.

12-04-2017 Success Skills for Architects interview


Kim Carter SER

Neal Ford of ThoughtWorks chats with SE Radio’s Kim Carter about the skills required to be a successful software architect, how to create and maintain them, and how to transition from other roles, such as software engineering. Neal discusses that the required skills can be learned, you do not have to be born with special attributes. Those looking to make the transition should focus especially on learning “soft skills” before making the move, and exploring the idea of taking an architectural role temporarily to see if it suites you. He also discusses problem solving skills, why understanding history is so important, and how to recognize and avoid increasing complexity.

20-04-2017 My JS Story interview


Kim Carter JavaScript

Charles Max Wood interviews Kim Carter about his technology journey through his career and JavaScript.

Download Interview

19 & 20-04-2017 OWASP New Zealand Day, Auckland

OWASP New Zealand Day

We are proud to announce the eighth OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday April 20th, 2017. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.


dotnetrocks

  • We had four training workshops on the day before the conference (Wednesday, 19th of April).
  • This year there was two streams running for the entire day.
  • The conference was a sell-out, attracting 900 registrations with a wait-list.

15-03-2017 JS Remote Conf
The Art of Exploitation

Kim teaching The Art of Exploitation

The Art of Exploitation Kim Carter

Live Presentation

Holistic Info-Sec for Web Developers

09-03-2017 NZ.JS Conference, Wellington NZ
The Art of Exploitation

Kim teaching the art of exploitaton

In order to understand both the importance and the how to, of mitigating your attackers attempts to exploit your weaknesses, you must first understand your attackers and how they succeed.
Kim will examine and demonstrate a collection of essential attacks, commonly used in the exploitation and demise of many individuals and organisations today.

Kim will then address the mitigation techniques, and how the whole process of exploitation and mitigation can and should fit within each and every Scrum Sprint.

All content is sourced from Kim’s first and second volumes of a three part book series (Holistic Info-Sec for Web Developers) specifically focussed on equipping Web Developers to stay ahead of their attackers.

Kim Carter nz.js

Live Presentation

Slide Deck

Holistic Info-Sec for Web Developers

23-02-2017 DevSecCon Asia
Developing a high-performance security focussed Agile Team (2 hour workshop)

devseccon kim carter

Quality (security included) does not have to be neglected when you’re planning, building and running a high-performance development team.

Kim will set the stage with how and why Agile development teams fail, explained with a familiar anecdote taken from his new book “Holistic Info-Sec for Web Developers”, coupled with how you can change this.

Kim will then discuss and demo a set of light weight processes, practises and tools, that when combined have proven their value in:

  1. Aiding high throughput (reducing time to market)
  2. Significantly increasing quality (finding and removing bugs)
  3. Without de-scoping

and all while reducing total project cost (fact).
If this sounds like breaking the laws of physics, or too good to be true, then this workshop is for you.

Kim will finish off with the habits of top developers and how we can make them part of our lives.

DevSecCon DevSecOps training Kim Carter

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

25-01-2017 Information Security Interest Group Christchurch NZ
Windows Exploitation and Persistence with PowerShell

Kim teaching how to pop windows boxes with powershell

Kim will walk us through a collection of PowerShell delivery (RAM, not disk) techniques for a common reverse shellcode.

The common payload takes the user supplied shellcode and overwrites the first 0x1000 bytes of the calling instance of PowerShell, creates a thread to execute within the virtual address space of the calling PowerShell instance and starts it.

All delivery and persistence techniques ensure AV bypass of shellcode.

Kim has dissected and will explain how the virus and payload works.

We will look at delivery mediums (virus):

Persistence mediums:

PowerShell persistence with PowerSploit

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

29-11-2016 AgileNZ, Auckland, New Zealand
Agile Security for Web Developers (50 minute presentation)

Agile NZ 2016 security

Join Kim in the exploration into an insightful set of steps he has learned, from an architectural, engineering and penetration testing perspective. Based on a portion of the content of the first volume of Kim’s new book “Holistic Info-Sec for Web Developers”. We will also walk through how your Scrum Team can bring the specialised process of penetration testing from the release phase to right up front and augment your Scrum process (that’s each and every Sprint), with a collection of processes, practises and tools that have proven their value in the field of information security.

Kim Carter AgileNZ

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

16-11-2016 Kiwicon, New Zealand, Wellington
Holistic Info-Sec for Web Developers – Intense

Kim Carter security training

Four hours of intense hands-on threat modelling, attack and defence strategy training for Web Developers wishing to understand their attackers better, stay ahead of them and create cost effective defence strategies.


Kim Carter Biography


Holistic Info-Sec for Web Developers Training

The content is aimed at software engineers to teach them how to think holistically about security. The theme that runs through the training, and the book, is pulling the security focus that’s usually left until the end of the project or “go live” right into each Sprint. Baking security into the product from the cheapest possible place. Thus saving large amounts of money due to re-work and business asset loss. Kim will be teaching attendees a very simple threat modelling process initially blue printed by one of the best security experts the world has known, Bruce Schneier, then how to apply that process to a 10,000′ view and lower for a collection of areas: Physical, People, Cloud, VPS, Network and Web Applications within each Sprint.

A hands on training, taking the attackers perspective and extracting a set of development related processes and practises that can be augmented with your Scrum Teams existing processes and practices, creating minimum disruption and maximum cost effective security. Attendees will be able to take these learnings and apply them within their own Scrum Teams.

Holistic Info-Sec for Web Developers

12 & 13-11-2016 Christchurch Hacker Conference (CHCon)

We are proud to announce the first CHCon, a conference for security professionals and hackers in Christchurch, New Zealand. CHCon is being coordinated by a small collection of people (of which I am one), passionate about raising awareness and the skill level of information security within our community.


chcon

Training will also be run on the day before the conference.

28-10-2016 AWS Meetup, Auckland, New Zealand
Security Workshop with ZapAPI and NodeGoat


NodeConfEU

Due to popular demand, this workshop is running again at Auckland AWS.

27-10-2016 NodeJS Meetup, Auckland, New Zealand
Security Workshop with ZapAPI and NodeGoat

Due to popular demand, this workshop is running again. This time, not on the other side of the planet, but much closer to home, at Auckland NodeJS.

16-10-2016 NodeConf EU, Lyrath Estate, Kilkenny, Ireland
Security Regression Testing with ZapAPI and NodeGoat (work-shop)


NodeConfEU

Due to popular demand, this work-shop is running again. This time at the prestigious NodeConf EU.


NodeConfEU

NodeConf EU is just a few short weeks away, so it won’t be long until you get to hear innovators like Kim Carter share their insights. In his talk, Kim Carter will take you on a whirlwind tour of a proof of concept that he implemented for a large international client.


NodeConfEU

Kim will demonstrate the OWASP Zap API with NodeGoat, which helps you identify vulnerabilities in your web application as you create it, rather than at the end of a project. It’s a low-cost solution useful for carrying out constant security regression testing on your product, similar to having a full-time penetration tester on your development team.

Kim Carter has developed a strong track record as a technology architect and information security professional over 15 years. He is a Chapter Leader of the Open Web Application Security Project (OWASP) NZ and a Certified Scrum Master. Kim enjoys facilitating and motivating cross-functional, self-managing teams. You’ll find the insights from Kim’s talk in his new book, Holistic Infosec for Web Developers (Leanpub).

NodeConf gives you unparalleled access to top thought leaders like Kim Carter. Book your tickets now to avail of this unique opportunity.

05-09-2016 University of Canterbury, Computer Science dept, New Zealand
Holistic Info-Sec for Computer Science Students (110 minute tutorial)

Hope

Kim will take the students on an exploration into an insightful set of steps he has learned, from an architectural, engineering and penetration testing perspective. Based on the content of volume 0 & 1 of Kim’s new book “Holistic Info-Sec for Web Developers” we will walk through how your project Scrum Teams can bring the specialized process of penetration testing, usually performed at or after the release phase, or not at all, to right up front, augmenting your Scrum process within each and every Sprint, with a collection of processes, practises and tools that have proven their value in the field of information security. Kim will walk the students through the Sensible Security Model (SSM) threat modeling process with examples in areas such as physical, people, VPS, network, cloud and web applications.

18-08-2016 Agile Professionals Network, Christchurch, New Zealand
Agile Security for Web Developers

Due to popular demand, this presentation is running again. This time at Christchurch Test Professionals Network.

23-07-2016 Hope, New York City, USA
Holistic Info-Sec for Web Developers (90 minute tutorial)


Hope

Join Kim in the exploration into an insightful set of steps he has learned, from an architectural, engineering and penetration testing perspective. Based on the content of volume 0 & 1 of Kim’s new book “Holistic Info-Sec for Web Developers” we will walk through how your Scrum Team can bring the specialized process of penetration testing from the release phase to right up front, augmenting your Scrum process within each and every Sprint, with a collection of processes, practises and tools that have proven their value in the field of information security. Kim will walk us through the SSM threat modeling process with examples in areas such as physical, people, VPS, network, cloud and web applications.

21-07-2016 OWASP, New York City, USA
Security Regression Testing with ZapAPI and NodeGoat (work-shop)

Due to popular demand, this work-shop is running again. This time at the OWASP, New York, chapter.

29-06-2016 OWASP, Christchurch New Zealand
Security Regression Testing with ZapAPI and NodeGoat (work-shop)

Due to popular demand, this work-shop is running again. This time at the OWASP, Christchurch, New Zealand chapter.

23-06-2016 Chc.js Meetup, Christchurch, New Zealand
Security Regression Testing with ZapAPI and NodeGoat (work-shop)

Kim Carter of BinaryMist will provide a whirlwind tour of a Proof of Concept covered in his new book “Holistic Info-Sec for Web Developers“, that he has since implemented for a large international client.

This will demonstrate how you can leverage the abilities of the OWASP Zap API to discover many vulnerabilities in your web application as you are creating it, rather than at the end of the project.

This is essentially like having a full time penetration tester on your development team, continuously security regression testing your product as a CI or nightly build as it’s being developed. For a very minimal set-up cost.

github source

YouTube Teaser

18-06-2016 Code Camp, Christchurch, New Zealand
Agile Security for Web Developers

Join Kim in the exploration into an insightful set of steps he has learned, from an architectural, engineering and penetration testing perspective. Based on a portion of the content of the first volume of Kim’s new book “Holistic Info-Sec for Web Developers”. We will also walk through how your Scrum Team can bring the specialised process of penetration testing from the release phase to right up front and augment your Scrum process (that’s each and every Sprint), with a collection of processes, practises and tools that have proven their value in the field of information security.

All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

23-05-2016 AusCERT2016, Surfers Paradise, Australia
Holistic Information Security Training

This training is now available for all organisations requiring it.


AusCERT16

Full day training on Monday 23 May at Australia’s largest and oldest information security conference. Based on the training performed at Kiwicon with improvements. All content sourced from Kim’s book:

Holistic Info-Sec for Web Developers

27-04-2016 ISIG, Twisted Hop, 616 Ferry Road, Christchurch New Zealand
Holistic Info-Sec for Web Developers Tools, Password profiling, Brute Forcing

Kim will take us through the collection of tools added and configured on his penetration testing machine used throughout his book (Holistic Info-Sec for Web Developers). Kim will then profile a well known celebrities password, creating a short-list, then (on-line) brute force their login. Come along, it’ll be fun. We have another two excellent speakers (Kevin and
Chris (ISIG organisers)) as well, discussing data recovery and training your employees how not to fall for phishing attacks.

26-04-2016 Holistic Info-Sec for Web Developers interview


dotnetrocks

Interview (show 1287) with Richard Campbell and Carl Franklin on book (Holistic Info-Sec for Web Developers) currently being worked on and released continually on LeanPub.

Download Interview

03 & 04-02-2016 OWASP New Zealand Day, Auckland

OWASP New Zealand Day

We are proud to announce the seventh OWASP New Zealand Day conference, to be held at the University of Auckland on Thursday February 4th, 2016. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.


dotnetrocks

Similar to last year:

  • We will be offering training on the day before the conference (Wednesday, 3rd of February).
  • After lunch on the conference day, we will split to two tracks – one focused on technical topics, the other on policy, compliance and risk management.

Presentation Slide Show on speakerdec.com

09-12-2015 Kiwicon, New Zealand, Wellington
Holistic Information Security Training

After a successful and productive day at New Zealand’s largest hacker conference, this training is now available for all organisations requiring it.

Kim Carter Biography

Holistic Info-Sec for Web Developers Training

The content is aimed at software engineers to teach them how to think holistically about security. The theme that runs through the training and the book is pulling the security focus that’s usually left until the end of the project or “go live” right into each Sprint. Baking security into the product from the cheapest possible place. Thus saving large amounts of money due to re-work and business asset loss. Kim will be teaching attendees a very simple threat modelling process initially blue printed by one of the best security experts the world has known, Bruce Schneier, then how to apply that process to a 10,000′ view and lower for a collection of areas: Physical, People, Cloud, VPS, Network and Web Applications within each Sprint.

A hands on training. Emulating the Scrum process and augmenting with the processes and practices as the day progresses. For each of the above areas mentioned, we will be creating Product Backlog Items and a Product Owner facilitating the ordering of them. Attendees will be able to take these learnings and apply them within their own Scrum Teams.

Holistic Info-Sec for Web Developers

04-12-2015 Boaters Toastmasters, Christchurch, New Zealand
Password Profiling

Following on from Passwords 101, in this talk and demonstration Kim covers how attackers take targeted open-source intelligence (OSINT) and use it to formulate short password lists using both tools and manual techniques.

Kim then takes the word-lists and analysis of failed and successful login attempts to a web application and educates a collection of brute-forcing tools what an unsuccessful and successful login looks like. Then run the brute-forcing tools until the credentials have been discovered. This demonstrates that common password strategies are no longer sufficient to stop full account compromise and worse.

This is followed up with some tips on how to make this process a lot harder for attackers. Content can be found in Kims Holistic Infosec for Web Developers book.

27-11-2015 Boaters Toastmasters, Christchurch, New Zealand
Infectious Media with Rubber Ducky

This talk is based on the Infectious Media section in the People chapter of Kims new book Holistic Infosec for Web Developers and also demonstrated in the Kiwicon training.

In this talk Kim walks through the psychology of why humans succumb to infectious media attacks and how the attacker is easily able to leverage the human weaknesses to do their bidding. This is a very useful and effective approach at getting inside a target organisation with no physical or network access.

When the human weaknesses are coupled with the inherent trust of Human Interface Devices (HID) we have a recipe for success, or disaster depending on which side of the equation you are on.

Kim walks through:

  1. Ducky Script
  2. Encoding the payload
  3. Loading the SD card and card into the device
  4. Distributing the devices
  5. Launching attacks

The community contributed attacks are also discussed and how to extend them.

Finally mitigation techniques are explored. Including using the device of compromise to train potential targets how not to be targets.

Presentation Slide Show on speakerdec.com

30-09-2015 OWASP NZ Christchurch
The Exploited & the Exploiters – Case Study of a Real Cyber Hack and Live Demo’s

This is going to be a play off based around two presentations. Both taking quite different view points. Salinda is going to be discussing the perspective of the organisations that get compromised by cyber criminals. How much these types of attacks cost them on a yearly basis in terms of assets. At a high level, how these attacks are played out. Kim is going to be taking the perspective of the penetration tester hired in by the target to find the defects in their security defences before the cyber criminals do.

15-09-2015 Functional Christchurch Meetup
0wn1ng The Web

Due to popular demand, this presentation is running again. This time at Functional Christchurch.

08-09-2015 Christchurch Test Professionals Network, New Zealand
0wn1ng The Web

Due to popular demand, this presentation is running again. This time at Christchurch Test Professionals Network.

30-07-2015 Chc.js Meetup, Christchurch, New Zealand
0wn1ng The Web

Due to popular demand, this presentation is running again. This time at chc.js.

23-07-2015 WDC New Zealand, Wellington
0wn1ng The Web

Kim Carter WDCNZ

JavaScript is an incredibly powerful tool for good. With great power comes great responsibility. Are we taking our responsibility seriously? JavaScript is also an incredibly powerful tool for evil. As a developer it’s time to empower your tech sense and see how easy it is for those hiding in the shadows to own not only you, but your friends, family, clients, customers… Anyone that uses a browser.

Kim Carter wdcnz

New advances in technology look shiny… until we stop believing the hype, open our minds and start poking at them. Let me show you what happens when we start poking.

WDCNZ 2015 0wn1ng The Web

Full House, Standing Room Only!

Presentation Slide Show on speakerdeck.com

demo’s on YouTube

WDCNZ Presentation Stills

Live Presentation

30-06-2015 Christchurch .Net User Group
Does your Cloud Solution look like a Mushroom?

Due to popular demand, this presentation is running again. This time at the Christchurch .Net User Group.

24-06-2015 OWASP NZ Christchurch
Does your Cloud Solution look like a Mushroom?

Similar to talk presented at Saturn in Baltimore

5-06-2015 Boaters Toastmasters, Christchurch, New Zealand
Passwords 101

In this 5 – 7 minute talk, I demonstrate (hands on) how easy it can be to compromise passwords using a collection of techniques. I discuss how most developers are failing at keeping their end users safe.

I then go over a collection of techniques that end users can employ to keep themselves safe while we’re waiting for developers to accept the call to action and increase their knowledge and ability to create robust software and networks.

Presentation Slide Show on speakerdec.com

22 -> 25-05-2015 CampJS, Melbourne, Australia
Holistic InfoSec For Web Developers

Holistic InfoSec

Presentation Slide Show on speakerdeck.com

Work-shop Wiki (in progress)

27 -> 30-04-2015 SATURN, Baltimore, MD, USA
Does your Cloud Solution look like a Mushroom?

Kim Carter Saturn

Also MC’d three talks.

This talk was based around ideas from the following blog posts

Journey To Self Hosting

Installation, Hardening of Debian Web Server

Evaluation of Host Intrusion Detection Systems

Keeping your NodeJS Web App Running on Production Linux

Presentation Slide Show on speakerdeck.com

25-03-2015 OWASP Christchurch NZ Meetup

Reverse Engineering, Cracking, Compromising Software Security & Mitigations

26 & 27-01-2015 OWASP New Zealand Day, Auckland

OWASP New Zealand Day

We are proud to announce the sixth OWASP New Zealand Day conference, to be held at the University of Auckland on Friday February 27th, 2015. OWASP New Zealand Day is a one-day conference dedicated to application security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications.

Similar to last year:

  • We will be offering training on the day before the conference (Thursday, 26th of February).
  • After lunch on the conference day, we will split to two tracks – one focused on technical topics, the other on policy, compliance and risk management.

3,4-09-2014 AgileNZ, Wellington, New Zealand
How to Increase Software Developer Productivity

Agile NZ 2014 security

If you’re looking to get more out of your organisation’s software developers, increase your ROI, spend less money on fixing bugs or increase your development team’s business value release rate, this session is for you. Or you might be a software developer looking to lift your game to the next level.

There are many ways to lift software developers’ productivity and, as a result, the development team’s total output. This session addresses some quick wins, as well as some that take longer to implement.

This talk was based around ideas from the following blog post

How to Increase Software Developer Productivity

Presentation Slide Show on slideshare.net

23-01-2014 CHC.JS, Christchurch, New Zealand
Walkthrough writing an Ember.JS Application

The format of this presentation was to write a blogging platform in JavaScript using Ember.js. The application had the functionality to display, edit and navigate blog posts written in markdown in about 35 lines of JavaScript on top of the handlebars templates. If your interested in seeing this code, contact me. This talk was held at the MV* Battle Royale event.

As part of my research I produced the following blog post

Evaluation of AngularJS, EmberJS, BackboneJS + MarionetteJS

12-09-2013 OWASP New Zealand Day 2013
What’s Our Software Doing With All That User Input

OWASP New Zealand Day

What are we doing with all the characters that get shoved into our applications? Have we considered every potential execution context?
It’s often interesting and surprising to see what sort of concoction of characters can be executed in different places… and linking multiple attack vectors together which the builders haven’t thought about.
What are we trusting? Why are we trusting it? What, where and how should we be sanitising?

We have a vast collection of libraries, techniques, cheat sheets, tutorials, guides and tools at our disposal.
I often find myself thinking… how can we commoditise the sanitisation of user input and I keep coming up with the same answer.
It’s not easy. Every application has a completely different set of concerns.

In order for our software to be shielded from an attack, the builders must think like attackers.

In this talk I’ll attempt to:

  • Increase our knowledge and awareness
  • Discuss practical techniques and approaches that increase our defences
  • Break some software

Presentation Slide Show on slideshare.net.

09-2013 PenTest Magazine Extra, USA
Kali Linux Review

When it comes to measuring the security posture of an application or network, the best defence against an attacker is offence. What does that mean? It means your best defence is to have someone with your best interests (generally employed by you), if we’re talking about your asset, assess the vulnerabilities of your asset and attempt to exploit them.

PenTest Magazine on MediaFire

26-08-2013 ANZTB, Christchurch, New Zealand
Security Testing with Kim Carter

Security Training Kim Carter BinaryMist

Join Kim Carter in a hands-on insight into security testing. Kim will discuss some of the more common security vulnerabilities being found in today’s software implementations, and will demonstrate ways of testing them. He would like to encourage anyone interested to join him in working through the “hacks” used when doing security testing. To enable participation in this session, he will use an open source security testing toolkit – Kali Linux. Anyone interested in working through the security tests with Kim is welcome to create a Kali Linux USB boot disk (instructions are on their website), and bring it with them on the night, along their own laptop/device.

Presentation Slide Show on slideshare.net

05-03-2013 Canterbury Software Cluster, Christchurch, New Zealand
Moving to test and behaviour-driven development

In this session I went over the benefits of introducing TDD and BDD: How to introduce them, their differences, how to deal with push back from team members and upper management.
The benefits of driving our development with tests, how it helps the quality and maintainability of our software, how it helps the business and the client. The types of tests that best serve us for the different layers of our application development and how business people can get benefit from TDD and especially BDD.

Presentation Slide Show on slideshare.net

25-04-2012 TSBC
Pearls For Improving Operational Efficiency

This was a presentation held at one of TSBCs Sprint Reviews after attending a Clarus Professional Scrum Master course.

Presentation Slide Show on slideshare.net

Advertisements

2 Responses to “Presentations & Publications”

  1. Helen McLeod Says:

    Wow. That is awesome. Well done!
    Did you make it to the Technology Summit in Chch last week. I attended the business stream. Some excellent speakers there.
    All the best
    From Helen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: