Re: [1/2OT] Training for web-apps and db security

[Gunnar Peterson <gunnar () arctecgroup net>]

Arctec does training on some related topics, including threat modeling and
Service Oriented Security architecture, and seucrity in the development
lifecycle:

http://www.arctecgroup.net/briefings.htm

-gp


Quoting Stef <stefmit () gmail com>:

> Kind of OT, but couldn't find a better place to ask a group of
> professionals about such a subject:
>
> I am looking into training one of the "geeks" in my group (by "geek" I
> mean: open-minded, very good at everything (IT-related) he gets his
> hands on, be it OS, apps, network gear, etc., good programmer, but
> also capable of understanding network applications behavior in
> multi-tier environment,s, etc.) in a very specific security area. Here
> are the requirements:
> - all the applications are part of Oracle E-business suite
> - all the clients - thus - have either a simple browser-based type of
> interaccess with a proxy I setup in front of the Oracle servers, or a
> slightly "thicker" interaction, via a "Java client" (jinitiator), with
> an Oracle front-end server (called web/forms server)
> - the back-end consists in communication between the web/forms server
> and a multitude of database and analytical/processing servers
>
> Having described the above (very briefly, for those intimate with the
> Oracle suite), I have in my mind the following type of security
> training:
> - heavy in Java and "web" apps
> - Apache, Squid security
> - MS IE and MS or Sun JVM security (not really sure if worth ... but
> just to make the list)
> - Oracle DB security training
>
> NOTE: This person is NOT to take charge of the specific servers
> running those apps (we have the security team for those - which are
> all HP-UX, or Linux based), and the minimal interaction with the
> underlying OS components can be handled with the level of knowledge
> right now.
>
> I am - personally - a big SANS fan (hold multiple certifications with
> them, as a result), and they have an offering for Oracle security
> (which I would be tempted to try), but I am not aware of any web-based
> apps comprehensive security training. Another option (also based on
> some personal experience) would have been some graduate level security
> courses, at a reputable institution, but those seem to take for ever,
> for someone who plans [almost] immediate specific results, vs. a
> well-rounded, long-term degree (which is the case for my techno-geek
> ;)).
>
> I would really appreciate directions and - most of all - personal
> experience of such. I would also appreciate any comments about my list
> of needeed know-how, in case someone like you has stumbled across
> "things you should have learned in school, had you been paying
> attention" ;)
>
> TIA,
> Stef