Course Code

Course Title

Trainer

 Course Fee

09-01

Web Application Security – Threats & Countermeasures

Shreeraj Shah,
Vimal Patel

SGD$2000

09-02

Java/JEE security

Marc Schönefeld

SGD$1500

09-04

Writing Windows Shellcode

Dave Aitel

 SGD$2000

09-05

Building a Secure Wireless Network

Cédric Blancher

 SGD$2000

TRAINER COURSE TITLE


Marc Schönefeld

Marc Schönefeld has been involved with the deeper details of java security for about seven years and showed the success of the presented method by finding a large range of CVE relevant vulnerabilities.

After having worked in the banking IT for 10 years he moved to a large operating system vendor to identify and prevent vulnerable parts in open source java distributions. He has spoken on major conferences such as Blackhat, RSA, XCon, HackInTheBox and PacSec.

2002: Blackhat Security Aspects Bytecode Engineering
2003: Java Vulnerabilities, joint paper with iDefense
2003: Java Vulnerabilities (shown at RSA Europe)
2004: D-A-CH Security: Java Side-Channel attacks
2004: DIMVA: Java Vulnerabilities
2004: Second place in RSA European Security Award
2005: RSA USA, Java Security Antipatterns (=> Bellua, Xcon, HITB)
2006: DIMVA: Practical Impact of Java Security Antipatterns (=> Blackhat, Xcon, HITB, WebSec)
2006: PacSec: Security Aspects of .NET WCF
2007: PacSec: Intellectual Property Protection in Java and JEE

Java/J2EE Security Register

(understanding the attacker and defenders view)

Description:

JEE is known as a framework to build java business applications. Vulnerabilities in these applications are on the one hand introduced by the software, and on the other and more likely created by the
application developers. For a complete JEE security audit it is therefore more important to build up the skill to „feel“ the attack surface than just applying pre-build exploits that only expose framework
bugs.

This class starts with describing the important parameters that define the attack surface, such as dangerous code patterns, configuration settings and reasonable secure defaults. Examples of real-life vulnerabilities are used introduce the participatents to the experience that simple bugs are able to create holes, we cover both perspectives, the bug and the fix. The curriculum goes on with presenting and train the use of the tool set, necessary to spot vulnerable code parts. We presented techniques such as code skim reading, binary scanning, reverse engineering and interpreting the hidden security message of harmless looking heap, thread and stack dumps.

The trainer has been involved with the deeper details of java security for about seven years and showed the success of the presented method by finding a large range of CVE relevant vulnerabilities. This class does not require prior knowledge of the java bytecode set but a deeper
understanding how JVMs work mixed with creativity is very helpful to transfer the presented techniques into personal success.

The examples and exercises shown in this class cover apache tomcat, apache geronimo and sun glassfish.

The topics presented are:

  • The Java architecture, JVMs and bytecode
  • The java security model
  • Secure programming in a nutshell
  • Java vulnerabilities, how they differ from C-type bugs
  • The JEE architecture
  • Open holes in JEE, how to spot them
  • How to harden a JEE server
  • Tools and toys to prepare and conduct JEE pentests
  • Writing self-assessment clients
  • Short excursion to web security, xss and xsrf, how to spot and prevent
  • in JEE
    Examples, examples, …
Please direct all enquiries to organiser@syscan.org


Powered by SyScan © 2009