Java Enterprise Security //Need advice please

OrexOrex Member Posts: 6 ■□□□□□□□□□
in GIAC
Hello Everyone

Please I need advice for my new path.

I’m Java Enterprise Developer, I’m always fascinate by Security now I want to enter this field.

I searched for certifications for me and I found certifications from SANS in three ways(Defense, Secure Code and Attack)

After I read every certification description, I really like this one GWAPT (web app pen testing and Ethical Hacking)

https://www.sans.org/course/web-app-penetration-testing-ethical-hacking

Any advice this certification or another certification that good for me, will I find a job as web app pen tester or just something nice to have it?

Thanks so much
· Share on FacebookShare on Twitter

Comments

  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    Here's an even more specific course from SANS:
    Secure Coding in Java/JEE: Developing Defensible Applications

    What is your goal? Do you want to obtain a certificate or take a course? I have a feeling certifications are not valued as much in the dev world as on the IT/administration side of the house.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less     - discounted vouchers for certs
    · Share on FacebookShare on Twitter
  • OrexOrex Member Posts: 6 ■□□□□□□□□□
    Hi ChooseLife, Thanks for your reply.

    First of all This is the my first hand in security ever

    My goal is just enter the security world as Java Enterprise Developer, I have 5 years experience, I didn't find any course or certification for me except SANS certifications.

    Is this course the right for me or not ?

    still     I can't answer, all I can do just read the description which I had done already still the same for me just in diffident paths (Defense, Secure Code and Attack)


    · Share on FacebookShare on Twitter
  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    Orex wrote: »
    My goal is just enter the security world as Java Enterprise Developer
    I wonder what you mean by that. Can you elaborate, perhaps describe an ideal job that you are targeting?
    Do you want to continue the Java developer path with focus on code security? Or do you want to move into other (non-development) areas of InfoSec and utilize previous experience during transition?
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less     - discounted vouchers for certs
    · Share on FacebookShare on Twitter
  • OrexOrex Member Posts: 6 ■□□□□□□□□□
    ChooseLife wrote: »
    I wonder what you mean by that. Can you elaborate, perhaps describe an ideal job that you are targeting?
    Do you want to continue the Java developer path with focus on code security? Or do you want to move into other (non-development) areas of InfoSec and utilize previous experience during transition?

    I'm sorry I should be more specific

    When I choosed GWAPT, I thought I going to write web app look like a trap or something, the same way the web app hackers doing but ethical, That why I choose it.

    This scenario I'm looking for, If this not exited I'll take the second way you write
    Or do you want to move into other (non-development) areas of InfoSec and utilize previous experience during transition?

    But the most important part: I don't want to throw my experience away.

    Thank you so much!
    · Share on FacebookShare on Twitter
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    The GWAPT really only covers the starting basics of web application pentesting, in my opinion. It touches on JavaScript and Python, but it's really more about web app enumeration, leveraging of site objects, tricking databases into giving up data, etc.. It's not a bad course, but I sense it's not what you're looking for.

    You can always email Kevin Johnson (the course author) and I'm sure he'll be more than happy to tell you whether this will fit your needs or not.

    But as mentioned earlier, it sounds like SANS DEV-541 is right up your alley.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    · Share on FacebookShare on Twitter
  • OrexOrex Member Posts: 6 ■□□□□□□□□□
    docrice wrote: »
    The GWAPT really only covers the starting basics of web application pentesting, in my opinion. It touches on JavaScript and Python, but it's really more about web app enumeration, leveraging of site objects, tricking databases into giving up data, etc.. It's not a bad course, but I sense it's not what you're looking for.

    You can always email Kevin Johnson (the course author) and I'm sure he'll be more than happy to tell you whether this will fit your needs or not.

    But as mentioned earlier, it sounds like SANS DEV-541 is right up your alley.

    Hi docrice

    Congratulation for GWAPT, I just read your review

    Thanks for your help and I'll email Kevin now and return with his reply

    About Dev-541, It's just learn how to write secure code. some additional methods for writing apps more secure, I'm looking for learning 2 things :

    How can hacker or PT hack my web app ?
    How can I write trap web app (for ethical of-course) ?

    in the GWAPT description :
    Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do.

    This part exactly what I'm looking for
    · Share on FacebookShare on Twitter
  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    Now it is starting to shape up into something... I have not take the GWAPT course, but in my understanding it would address this question of yours:
    How can hacker or PT hack my web app ?
    at least to a certain extent.

    Having said that, are you footing the bill for studying these things yourself? I don't think it is necessary to take an expensive course to learn these things - all of this information is freely accessible on Internet, all you need to learn how attackers break into web applications is curiosity, free time, and a search engine.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less     - discounted vouchers for certs
    · Share on FacebookShare on Twitter
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    You should also consider the Penetration Testing with BackTrack course as well (http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/).
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    · Share on FacebookShare on Twitter
  • OrexOrex Member Posts: 6 ■□□□□□□□□□
    Guys

    I talk with Kevin (really very nice guy), He said that :
    Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and representational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers. In this intermediate to advanced level class, you'll learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do.

    Exactly what I'm looking for

    I ask about : Is this course exactly what I looking for ?
    >

    And I believe it is from what you said. :) If you are looking to become a penetration tester, this is an excellent way to move down that path.

    > They told me you do't neet to be software developer to take the course that mean I'll just throw my experience away
    >

    It does not mean you will throw away your experience, just that the course does not require it. Having experience developing code will always be a benefit for people testing web application security.
    · Share on FacebookShare on Twitter
  • OrexOrex Member Posts: 6 ■□□□□□□□□□
    ChooseLife wrote: »
    Now it is starting to shape up into something... I have not take the GWAPT course, but in my understanding it would address this question of yours:

    at least to a certain extent.

    Having said that, are you footing the bill for studying these things yourself? I don't think it is necessary to take an expensive course to learn these things - all of this information is freely accessible on Internet, all you need to learn how attackers break into web applications is curiosity, free time, and a search engine.

    You're absulolty right, and I did it already, Sorry to say I wasn't gain much, just spasific methods(cut and paste) If I change any thing I have error because I don't have any security's concept


    So I choose to begin from the start and take the first step

    Thanks for your help
    You should also consider the Penetration Testing with BackTrack course as well (http://www.offensive-security.com/in...ith-backtrack/).

    I'll consider it, Thank you very much
    · Share on FacebookShare on Twitter
Sign In or Register to comment.