RE: J2EE Security Training
From: Levenglick, Jeff (JLevenglick_at_fhlbatl.com)
Date: Wed, 26 Jan 2005 16:57:31 -0500
To: "Donald Philip" <firstname.lastname@example.org>, <SECPROG@securityfocus.com>
I looked at their site. Ya know.. The one thing that makes me laugh at
some of the security firms is how they give up information that everybody
knows you should protect.
Off their own page:
"The client we refer to in this 'success story' is one of India's leading public sector banks. The bank recently launched a centralized banking solution through which their branches and automatic teller machines, spread across the country, are networked."
The application has two major components:
The core banking system (CBS) connects the various branches and keeps track of all corporate banking data. The branches connect to a local server, which in turn connects to a central server running the application. This synchronization happens in real time. If there is a downtime the local server updates the data with the central server the next time it connects. The CBS database runs on Oracle, running on AIX. The local databases are also Oracle databases, but running on Win 2K. The interface for the end customer is via the web.
The retail banking component takes care of branch operations; it fully automates the branch operations. End users at the bank get a web interface to interact with the application. This is the interface with which customers can do Internet banking / phone banking / ATM operations. The branch-level operations are also handled by this method. The components include a branch server, which is an IIS web server, a communication server and the Oracle database. The communication server is responsible for communication with the central server."
A gift for hackers, by a security firm. Have to love it.
From: Donald Philip [mailto:email@example.com]
Sent: Wednesday, January 26, 2005 09:33 AM
Subject: Re: J2EE Security Training
I attended a 2-day course on J2EE Security by Paladion (
http://www.paladion.net ) six months ago. That was a SANS-style public
program, but I know they offer on-site versions of the classes too.
The classes discussed common mistakes in J2EE applications and how to
avoid them. I have worked with servlets for 6 years and still found it
From: firstname.lastname@example.org [mailto:email@example.com]
Sent: Tuesday, January 25, 2005 1:44 PM
Subject: J2EE Security Training
Has anyone had a company come on-site to provide security training to
J2EE application developers? I'm trying to find a consultant or
training company to provide a 2-3 day course on how to write secure
code in the J2EE environment.
Thanks in advance,