RE: [1/2OT] Training for web-apps and db security

[<bizmaninatl () hushmail com>]

Are you the same Quakenbush ?

http://www.securiteam.com/securitynews/2UUQBQ0Q0A.html

If so is the class based on your experience of building rather 
silly insecure systems yourself?

_________________________________________

Since you asked, here's the shameless plug...

I teach a 3-day "AppSec Bootcamp" training class for MasterMind 
Security
Group (http://www.mastermindsecuritygroup.com). You can get an 
outline of
what is covered in the class from the web site.

The focus of the class is to help developers understand how
application-layer attacks work. It is platform/tools agnostic. I 
believe the
difference between an person like you describe (strong IT 
background +
programming skills) and a hacker is more often than not a paradigm 
shift,
and not so much a factor of skills. They need to see what they 
already know
in a different way. That's the goal of my 3-day class: get them 
looking at
their code like never before.


Gerald Quakenbush, CISSP, NSA-IAM


> -----Original Message-----
> From: Gunnar Peterson [mailto:gunnar () arctecgroup net]
> Sent: Friday, July 22, 2005 9:07 AM
> To: Stef
> Cc: webappsec () securityfocus com
> Subject: Re: [1/2OT] Training for web-apps and db security
>
> Arctec does training on some related topics, including threat 
modeling 
> and Service Oriented Security architecture, and seucrity in the 
> development
> lifecycle:
>
> http://www.arctecgroup.net/briefings.htm
>
> -gp
>
>
> Quoting Stef <stefmit () gmail com>:
>
> > Kind of OT, but couldn't find a better place to ask a group of 
> > professionals about such a subject:
> >
> > I am looking into training one of the "geeks" in my group (by 
"geek" 
> > I
> > mean: open-minded, very good at everything (IT-related) he gets 
his 
> > hands on, be it OS, apps, network gear, etc., good programmer, 
but 
> > also capable of understanding network applications behavior in 
> > multi-tier environment,s, etc.) in a very specific security 
area. 
> > Here are the requirements:
> > - all the applications are part of Oracle E-business suite
> > - all the clients - thus - have either a simple browser-based 
type 
> > of interaccess with a proxy I setup in front of the Oracle 
servers, 
> > or a slightly "thicker" interaction, via a "Java client" 
> > (jinitiator), with an Oracle front-end server (called web/forms 

> > server)
> > - the back-end consists in communication between the web/forms 
> > server and a multitude of database and analytical/processing 
servers
> > Having described the above (very briefly, for those intimate 
with 
> > the Oracle suite), I have in my mind the following type of 
security
> > training:
> > - heavy in Java and "web" apps
> > - Apache, Squid security
> > - MS IE and MS or Sun JVM security (not really sure if worth 
... but 
> > just to make the list)
> > - Oracle DB security training
> >
> > NOTE: This person is NOT to take charge of the specific servers 

> > running those apps (we have the security team for those - which 
are 
> > all HP-UX, or Linux based), and the minimal interaction with 
the 
> > underlying OS components can be handled with the level of 
knowledge 
> > right now.
> >
> > I am - personally - a big SANS fan (hold multiple 
certifications 
> > with them, as a result), and they have an offering for Oracle 
> > security (which I would be tempted to try), but I am not aware 
of 
> > any web-based apps comprehensive security training. Another 
option 
> > (also based on some personal experience) would have been some 
> > graduate level security courses, at a reputable institution, 
but 
> > those seem to take for ever, for someone who plans [almost] 
> > immediate specific results, vs. a well-rounded, long-term 
degree 
> > (which is the case for my techno-geek ;)).
> >
> > I would really appreciate directions and - most of all - 
personal 
> > experience of such. I would also appreciate any comments about 
my 
> > list of needeed know-how, in case someone like you has stumbled 

> > across "things you should have learned in school, had you been 
> > paying attention" ;)
> >
> > TIA,
> > Stef




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427