
RE: [1/2OT] Training for web-apps and db security

Subject: RE: [1/2OT] Training for web-apps and db security
Date: Sat, 23 Jul 2005 15:05:13 -0700
Are you the same Quakenbush ?

http://www.securiteam.com/securitynews/2UUQBQ0Q0A.html

If so, is the class based on your experience of building rather silly insecure systems yourself?

_________________________________________

Since you asked, here's the shameless plug...

I teach a 3-day "AppSec Bootcamp" training class for MasterMind Security Group (http://www.mastermindsecuritygroup.com). You can get an outline of what is covered in the class from the web site.

The focus of the class is to help developers understand how application-layer attacks work. It is platform/tools agnostic. I believe the difference between a person like you describe (strong IT background + programming skills) and a hacker is more often than not a paradigm shift, and not so much a factor of skills. They need to see what they already know in a different way. That's the goal of my 3-day class: get them looking at their code like never before.


Gerald Quakenbush, CISSP, NSA-IAM


-----Original Message-----
From: Gunnar Peterson [mailto:gunnar@arctecgroup.net]
Sent: Friday, July 22, 2005 9:07 AM
To: Stef
Cc: webappsec@securityfocus.com
Subject: Re: [1/2OT] Training for web-apps and db security

Arctec does training on some related topics, including threat modeling and Service Oriented Security architecture, and security in the development lifecycle:

http://www.arctecgroup.net/briefings.htm

-gp


Quoting Stef <stefmit@gmail.com>:

Kind of OT, but couldn't find a better place to ask a group of professionals about such a subject:

I am looking into training one of the "geeks" in my group (by "geek" I mean: open-minded, very good at everything (IT-related) he gets his hands on, be it OS, apps, network gear, etc., good programmer, but also capable of understanding network applications behavior in multi-tier environments, etc.) in a very specific security area. Here are the requirements:
- all the applications are part of Oracle E-business suite
- all the clients - thus - have either a simple browser-based type of interaccess with a proxy I setup in front of the Oracle servers, or a slightly "thicker" interaction, via a "Java client" (jinitiator), with an Oracle front-end server (called web/forms server)
- the back-end consists in communication between the web/forms server and a multitude of database and analytical/processing servers

Having described the above (very briefly, for those intimate with the Oracle suite), I have in my mind the following type of security training:
- heavy in Java and "web" apps
- Apache, Squid security
- MS IE and MS or Sun JVM security (not really sure if worth ... but just to make the list)
- Oracle DB security training

NOTE: This person is NOT to take charge of the specific servers running those apps (we have the security team for those - which are all HP-UX, or Linux based), and the minimal interaction with the underlying OS components can be handled with the level of knowledge right now.

I am - personally - a big SANS fan (hold multiple certifications with them, as a result), and they have an offering for Oracle security (which I would be tempted to try), but I am not aware of any web-based apps comprehensive security training. Another option (also based on some personal experience) would have been some graduate level security courses, at a reputable institution, but those seem to take for ever, for someone who plans [almost] immediate specific results, vs. a well-rounded, long-term degree (which is the case for my techno-geek ;)).

I would really appreciate directions and - most of all - personal experience of such. I would also appreciate any comments about my list of needed know-how, in case someone like you has stumbled across "things you should have learned in school, had you been paying attention" ;)

TIA,
Stef
