'[WEB SECURITY] Training for web-apps and db security'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       websecurity
Subject:    [WEB SECURITY] Training for web-apps and db security
From:       Network Fortius <netfortius () gmail ! com>
Date:       2005-07-23 3:23:30
Message-ID: A7B380EB-BAC3-42F0-80FB-8CE83B0FE9DF () gmail ! com
[Download RAW message or body]

I apologize to those on this list, also subscribed to the  
webappsec@xxxxxxxxxxxxxxxxx, as the following is a repeat, but I have  
received more then one advice on that list, to try  
websecurity@xxxxxxxxxxxxx ... so - long story [slightly] short[er] -  
here is the issue:

I am looking into training one of the "geeks" in my group (by "geek" I
mean: open-minded, very good at everything (IT-related) he gets his
hands on, be it OS, apps, network gear, etc., good programmer, but
also capable of understanding network applications behavior in
multi-tier environment,s, etc.) in a very specific security area. Here
are the requirements:
- all the applications are part of Oracle E-business suite
- all the clients - thus - have either a simple browser-based type of
interaccess with a proxy I setup in front of the Oracle servers, or a
slightly "thicker" interaction, via a "Java client" (jinitiator), with
an Oracle front-end server (called web/forms server)
- the back-end consists in communication between the web/forms server
and a multitude of database and analytical/processing servers
Having described the above (very briefly, for those intimate with the
Oracle suite), I have in my mind the following type of security
training:
- heavy in Java and "web" apps
- Apache, Squid security
- MS IE and MS or Sun JVM security (not really sure if worth ... but
just to make the list)
- Oracle DB security training
NOTE: This person is NOT to take charge of the specific servers
running those apps (we have the security team for those - which are
all HP-UX, or Linux based), and the minimal interaction with the
underlying OS components can be handled with the level of knowledge
right now.
I am - personally - a big SANS fan (hold multiple certifications with
them, as a result), and they have an offering for Oracle security
(which I would be tempted to try), but I am not aware of any web-based
apps comprehensive security training. Another option (also based on
some personal experience) would have been some graduate level security
courses, at a reputable institution, but those seem to take for ever,
for someone who plans [almost] immediate specific results, vs. a
well-rounded, long-term degree (which is the case for my techno-geek
;)).
I would really appreciate directions and - most of all - personal
experience of such. I would also appreciate any comments about my list
of needeed know-how, in case someone like you has stumbled across
"things you should have learned in school, had you been paying
attention" ;)
TIA,
Stef
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic