WebApp Sec mailing list archives
RE: [1/2OT] Training for web-apps and db security
From: <bizmaninatl () hushmail com>
Date: Sat, 23 Jul 2005 15:05:13 -0700
Are you the same Quakenbush? http://www.securiteam.com/securitynews/2UUQBQ0Q0A.html If so, is the class based on your experience of building rather silly insecure systems yourself?

_________________________________________

Since you asked, here's the shameless plug... I teach a 3-day "AppSec Bootcamp" training class for MasterMind Security Group (http://www.mastermindsecuritygroup.com). You can get an outline of what is covered in the class from the web site. The focus of the class is to help developers understand how application-layer attacks work. It is platform/tools agnostic.

I believe the difference between a person like you describe (strong IT background + programming skills) and a hacker is more often than not a paradigm shift, and not so much a factor of skills. They need to see what they already know in a different way. That's the goal of my 3-day class: get them looking at their code like never before.

Gerald Quakenbush, CISSP, NSA-IAM
-----Original Message-----
From: Gunnar Peterson [mailto:gunnar () arctecgroup net]
Sent: Friday, July 22, 2005 9:07 AM
To: Stef
Cc: webappsec () securityfocus com
Subject: Re: [1/2OT] Training for web-apps and db security

Arctec does training on some related topics, including threat modeling and Service Oriented Security architecture, and security in the development lifecycle: http://www.arctecgroup.net/briefings.htm

-gp

Quoting Stef <stefmit () gmail com>:

Kind of OT, but couldn't find a better place to ask a group of professionals about such a subject: I am looking into training one of the "geeks" in my group (by "geek" I mean: open-minded, very good at everything (IT-related) he gets his hands on, be it OS, apps, network gear, etc., good programmer, but also capable of understanding network applications behavior in multi-tier environments, etc.) in a very specific security area.

Here are the requirements:
- all the applications are part of Oracle E-business suite
- all the clients - thus - have either a simple browser-based type of interaction with a proxy I set up in front of the Oracle servers, or a slightly "thicker" interaction, via a "Java client" (jinitiator), with an Oracle front-end server (called web/forms server)
- the back-end consists of communication between the web/forms server and a multitude of database and analytical/processing servers

Having described the above (very briefly, for those intimate with the Oracle suite), I have in my mind the following type of security training:
- heavy in Java and "web" apps
- Apache, Squid security
- MS IE and MS or Sun JVM security (not really sure if worth ... but just to make the list)
- Oracle DB security training

NOTE: This person is NOT to take charge of the specific servers running those apps (we have the security team for those - which are all HP-UX, or Linux based), and the minimal interaction with the underlying OS components can be handled with the level of knowledge right now.

I am - personally - a big SANS fan (hold multiple certifications with them, as a result), and they have an offering for Oracle security (which I would be tempted to try), but I am not aware of any web-based apps comprehensive security training. Another option (also based on some personal experience) would have been some graduate level security courses, at a reputable institution, but those seem to take forever, for someone who plans [almost] immediate specific results, vs. a well-rounded, long-term degree (which is the case for my techno-geek ;)).

I would really appreciate directions and - most of all - personal experience of such. I would also appreciate any comments about my list of needed know-how, in case someone like you has stumbled across "things you should have learned in school, had you been paying attention" ;)

TIA,
Stef
Current thread:
- [1/2OT] Training for web-apps and db security Stef (Jul 22)
- Re: [1/2OT] Training for web-apps and db security Gunnar Peterson (Jul 23)
- RE: [1/2OT] Training for web-apps and db security Richard Lindberg (Jul 23)
- RE: [1/2OT] Training for web-apps and db security Gerald Quakenbush (Jul 23)
- RE: [1/2OT] Training for web-apps and db security Richard Lindberg (Jul 23)
- <Possible follow-ups>
- RE: [1/2OT] Training for web-apps and db security bizmaninatl (Jul 23)
- Re: [1/2OT] Training for web-apps and db security Saqib Ali (Jul 24)
- Re: [1/2OT] Training for web-apps and db security Ken Pfeil (Jul 24)
- Re: [1/2OT] Training for web-apps and db security Saqib Ali (Jul 24)
- Re: [1/2OT] Training for web-apps and db security Gunnar Peterson (Jul 23)