RE: [1/2OT] Training for web-apps and db security

["Gerald Quakenbush" <geraldq () mastermindsecuritygroup com>]

Since you asked, here's the shameless plug...

I teach a 3-day "AppSec Bootcamp" training class for MasterMind Security Group
(http://www.mastermindsecuritygroup.com). You can get an outline of what is
covered in the class from the web site.

The focus of the class is to help developers understand how application-layer
attacks work. It is platform/tools agnostic. I believe the difference between
an person like you describe (strong IT background + programming skills) and a
hacker is more often than not a paradigm shift, and not so much a factor of
skills. They need to see what they already know in a different way. That's the
goal of my 3-day class: get them looking at their code like never before.


Gerald Quakenbush, CISSP, NSA-IAM


> -----Original Message-----
> From: Gunnar Peterson [mailto:gunnar () arctecgroup net]
> Sent: Friday, July 22, 2005 9:07 AM
> To: Stef
> Cc: webappsec () securityfocus com
> Subject: Re: [1/2OT] Training for web-apps and db security
>
> Arctec does training on some related topics, including threat modeling and
> Service Oriented Security architecture, and seucrity in the development
> lifecycle:
>
> http://www.arctecgroup.net/briefings.htm
>
> -gp
>
>
> Quoting Stef <stefmit () gmail com>:
>
> > Kind of OT, but couldn't find a better place to ask a group of
> > professionals about such a subject:
> >
> > I am looking into training one of the "geeks" in my group (by "geek" I
> > mean: open-minded, very good at everything (IT-related) he gets his
> > hands on, be it OS, apps, network gear, etc., good programmer, but
> > also capable of understanding network applications behavior in
> > multi-tier environment,s, etc.) in a very specific security area. Here
> > are the requirements:
> > - all the applications are part of Oracle E-business suite
> > - all the clients - thus - have either a simple browser-based type of
> > interaccess with a proxy I setup in front of the Oracle servers, or a
> > slightly "thicker" interaction, via a "Java client" (jinitiator), with
> > an Oracle front-end server (called web/forms server)
> > - the back-end consists in communication between the web/forms server
> > and a multitude of database and analytical/processing servers
> >
> > Having described the above (very briefly, for those intimate with the
> > Oracle suite), I have in my mind the following type of security
> > training:
> > - heavy in Java and "web" apps
> > - Apache, Squid security
> > - MS IE and MS or Sun JVM security (not really sure if worth ... but
> > just to make the list)
> > - Oracle DB security training
> >
> > NOTE: This person is NOT to take charge of the specific servers
> > running those apps (we have the security team for those - which are
> > all HP-UX, or Linux based), and the minimal interaction with the
> > underlying OS components can be handled with the level of knowledge
> > right now.
> >
> > I am - personally - a big SANS fan (hold multiple certifications with
> > them, as a result), and they have an offering for Oracle security
> > (which I would be tempted to try), but I am not aware of any web-based
> > apps comprehensive security training. Another option (also based on
> > some personal experience) would have been some graduate level security
> > courses, at a reputable institution, but those seem to take for ever,
> > for someone who plans [almost] immediate specific results, vs. a
> > well-rounded, long-term degree (which is the case for my techno-geek
> > ;)).
> >
> > I would really appreciate directions and - most of all - personal
> > experience of such. I would also appreciate any comments about my list
> > of needeed know-how, in case someone like you has stumbled across
> > "things you should have learned in school, had you been paying
> > attention" ;)
> >
> > TIA,
> > Stef