Trainers: Marc Schoenefeld (Independent Network Security Specialist)
Capacity: 15 pax
Seats Left: CLASS IS CLOSED
Duration: 2 days
Cost: (per pax) USD1499 (early bird) / USD1899 (non early-bird)
Overview
JEE is known as a framework for building Java business applications. Vulnerabilities in these applications are on the one hand introduced by the framework software and, on the other hand and more likely, created by the application developers. For a complete JEE security audit it is therefore more important to build up the skill to “feel” the attack surface than just to apply pre-built exploits that only expose framework bugs.
This class starts by describing the important parameters that define the attack surface, such as dangerous code patterns, configuration settings and reasonable secure defaults. Examples of real-life vulnerabilities are used to introduce the participants to the experience that simple bugs are able to create holes; we cover both perspectives, the bug and the fix. The curriculum goes on to present and train the use of the tool set necessary to spot vulnerable code parts. We present techniques such as code skim reading, binary scanning, reverse engineering and interpreting the hidden security message of harmless-looking heap, thread and stack dumps.
The trainer has been involved with the deeper details of Java security for about seven years and has shown the success of the presented method by finding a large range of CVE-relevant vulnerabilities. This class does not require prior knowledge of the Java bytecode set, but a deeper understanding of how JVMs work, mixed with creativity, is very helpful for transferring the presented techniques into personal success. The examples and exercises shown in this class cover Apache Tomcat, Apache Geronimo, JBoss and Sun GlassFish.
The topics presented are:
Prerequisite Knowledge
About the trainer
Marc Schoenefeld
Marc Schönefeld has been involved with the deeper details of Java security for about seven years and has shown the success of the presented method by finding a large range of CVE-relevant vulnerabilities. After having worked in banking IT for 10 years, he moved to a large operating system vendor to identify and prevent vulnerable parts in open source Java distributions. He has spoken at major conferences such as Black Hat, RSA, XCon, HackInTheBox and PacSec.