> I attended a 2-day course on J2EE Security by Paladion (
> http://www.paladion.net ) six months ago. That was a SANS-style public
> program, but I know they offer on-site versions of the classes too.
>
> The classes discussed common mistakes in J2EE applications and how to
> avoid them. I have worked with servlets for 6 years and still found it
> useful.
Did you learn something useful related to auditing Java code in the Paladion
course?
When I work auditing code, I have serious problems when the Java code is a
classic application (azureus, eclipse, ..) because you don't have the common
problems in user input, session handling, auth, etc. (which you can exploit
with vulns like XSS or SQL injection) that you find in common web applications.
Perhaps you can have some security risks related to the runtime itself, the
logic or exception handling, but it's more difficult to find these kinds of
problems.
Regards,
Alejandro