RE: J2EE Security Training
From: Levenglick, Jeff (JLevenglick_at_fhlbatl.com)
Date: 01/26/05
- Maybe in reply to: bsec_at_cotse.net: "J2EE Security Training"
Date: Wed, 26 Jan 2005 16:57:31 -0500
To: "Donald Philip" <donald.philip@gmail.com>, <SECPROG@securityfocus.com>
I looked at their site. Ya know.. The one thing that makes me laugh at
some of the security firms is how they give up information that everybody
knows you should protect.
Off their own page:
http://www.paladion.net/customers/success_stories/application_security_audit.htm
"The client we refer to in this 'success story' is one of India's leading public sector banks. The bank recently launched a centralized banking solution through which their branches and automatic teller machines, spread across the country, are networked."
"Application architecture
The application has two major components:
The core banking system (CBS) connects the various branches and keeps track of all corporate banking data. The branches connect to a local server, which in turn connects to a central server running the application. This synchronization happens in real time. If there is a downtime the local server updates the data with the central server the next time it connects. The CBS database runs on Oracle, running on AIX. The local databases are also Oracle databases, but running on Win 2K. The interface for the end customer is via the web.
The retail banking component takes care of branch operations; it fully automates the branch operations. End users at the bank get a web interface to interact with the application. This is the interface with which customers can do Internet banking / phone banking / ATM operations. The branch-level operations are also handled by this method. The components include a branch server, which is an IIS web server, a communication server and the Oracle database. The communication server is responsible for communication with the central server."
A gift for hackers, by a security firm. Have to love it.
Jeffrey
-----Original Message-----
From: Donald Philip [mailto:donald.philip@gmail.com]
Sent: Wednesday, January 26, 2005 09:33 AM
To: SECPROG@securityfocus.com
Subject: Re: J2EE Security Training
I attended a 2-day course on J2EE Security by Paladion (
http://www.paladion.net ) six months ago. That was a SANS-style public
program, but I know they offer on-site versions of the classes too.
The classes discussed common mistakes in J2EE applications and how to
avoid them. I have worked with servlets for 6 years and still found it
useful.
Donald.
-----Original Message-----
From: bsec@cotse.net [mailto:bsec@cotse.net]
Sent: Tuesday, January 25, 2005 1:44 PM
To: SECPROG@SECURITYFOCUS.COM
Subject: J2EE Security Training
Greetings list,
Has anyone had a company come on-site to provide security training to
J2EE application developers? I'm trying to find a consultant or
training company to provide a 2-3 day course on how to write secure
code in the J2EE environment.
Thanks in advance,
-Brett