Network Security Web-App-Sec

RE: J2EE Application Security Code Review

Subject: RE: J2EE Application Security Code Review
Date: Fri, 28 Oct 2005 14:41:45 -0500
-----Original Message-----
From: Yousef Syed [mailto:yousef.syed@gmail.com] 

[...]
Can someone please advise me on what I should be looking for?
Where can I get further information on the procedure that 
should be followed? Are there any Standards/Best Practices
for Securing J2EE applications?

Yousef, here's a list of resources I provide developers; it
includes links to other people's book lists as well. Many
items on here are Java-specific:

===============================================
Resources on Application and Software Security
===============================================

:::Web-Based Resources:::

OWASP (Open Web Application Security Project):
Focus: Whitepapers, Guidelines, Free Tools
http://www.owasp.org

WASC (Web Application Security Consortium)
Focus: Whitepapers, Research, Standards/Definitions
http://www.webappsec.org
http://www.webappsec.org/web_security_books.shtml (webappsec books)

Java Passion
Focus: J2EE, Security, Webappsec, OWASP Top-10
http://www.javapassion.com/j2ee/WebApplicationSecurity4.pdf
http://www.javapassion.com/j2ee/WebSecurityThreatsAndCounterMeasures4.pdf
http://www.javapassion.com/j2eeadvanced/index0.html#SyallbusforAdvanced
(on the last link search for "Advanced J2EE Security"; nice list of resources)

Threats and Countermeasures
Focus: Info on Patterns (attack/defense, and practice patterns) and Threat 
Modeling
http://www.threatsandcountermeasures.com

Improving Web Application Security: Threats and Countermeasures
Focus: MS Centric, but good info, as book or updated web-based document:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

TRIKE:
Focus: Threat Modeling
http://dymaxion.org/trike/index.shtml

Foundstone .NET toolkit
Focus: Free tools
www.foundstone.com/resources/proddesc/s3itoolkit.htm


:::Books on Application and Software Security:::

---------------Threat Modeling-----------------------

Threat Modeling, MS Press
http://www.microsoft.com/MSPress/books/6892.asp

----------Designing/Building Secure Apps---------

Secure Coding: Principles & Practices (High Level overview book):
http://www.securecoding.org/book/press.php

Security Engineering: A Guide to Designing Dependable, Distributed Applications, Ross Anderson
(Still one of the best security design and architecture books written)
http://www.cl.cam.ac.uk/~rja14/book.html

The Software Vulnerability Guide:
http://www.amazon.com/exec/obidos/tg/detail/-/1584503580/


----------------Writing Secure Code-----------------

19 Deadly Sins of Software Security
(Mostly a "Things Not to Do" book with examples/case studies)
http://www.amazon.com/exec/obidos/tg/detail/-/0072260858/

-Subset: Unmanaged code

Secure Coding, 2nd Edition, MS Press (C/C++ oriented but
covers a wide variety of issues MS-centric)
http://www.microsoft.com/mspress/books/5957.asp


-Subset: Java

Building Secure Software, Hoglund and McGraw
(Secure Coding book, Java-centric)
http://www.amazon.com/exec/obidos/tg/detail/-/020172152X/

-Subset: .NET

---------------Attacking Software---------------------

-Subset: All

Exploiting Software: How to Break Code, Hoglund and McGraw
http://www.amazon.com/exec/obidos/tg/detail/-/0201786958/

How to Break Software, Whittaker
http://www.amazon.com/exec/obidos/tg/detail/-/0201796198

How to Break Software Security, by Whittaker, Thompson & Thompson
(This is more how to test/break software locally, think fat-client
software in a sandbox/vm way using fault injection, and resource
starvation; relies on their proprietary tool Holodeck)
http://www.amazon.com/exec/obidos/tg/detail/-/0321194330/

The Shellcoder's Handbook, Aitel and others (One of several on how to hack 
software)
http://www.amazon.com/exec/obidos/tg/detail/-/0764544683/

Database Hacker's Handbook, David and Mark Litchfield, others
http://www.amazon.com/exec/obidos/tg/detail/-/0764578014/

-Subset: Web

See WASC List above.

Arian J. Evans
FishNet Security

816.421.6611 [office]
816.701.2045 [direct] <--checked infrequently
888.732.9406 [toll-free]
816.421.6677 [fax]
913.710.7045 [mobile] <--daily/international access
aevans@fishnetsecurity.com [email]

http://www.fishnetsecurity.com