Hey, and welcome to the course on exploiting and securing vulnerabilities in Java applications. This is the fourth and last course in the secure programming specialization offered by UC Davis. My name is [inaudible] Bhai. My love for security started when I was ten or 11 years old. Before I moved to the United States I was living in Iran. Back then, our internet was heavily censored. But I wanted to play a game on a server which was blocked. As a result, my friends and I had to learn about proxies to get around the censorship. That's where my love for security began: outsmarting smart people to find flaws where they have made a mistake. For my undergraduate work, I received a scholarship called Scholarship for Service, SFS, which was designed to bring folks with a background in computer science or computer engineering with an emphasis on security to the government. The program was designed and monitored by the Department of Homeland Security and the National Science Foundation. Through my computer science curriculum along with SFS work, I was able to hone my skills as a developer with an emphasis on security. I began my professional career as a software developer working on embedded and distributed systems. Over the last few years I have transitioned from my primarily development role to a software security architect. I have to admit, I don't write as much code as I used to, but I do miss it, and I try to stay active with my own projects in office. Over the next several weeks, your course learning objectives will be to learn to use the tools and techniques of an attacker. You will detect and fix injection attacks in a large Java application. You will be able to detect and fix problems related to broken authentication, find and fix problems related to cross-site scripting attacks, and even run some code on a compromised server. In the first module, we'll focus our attention on cross-site scripting.
After module 1, you'll be able to find and fix issues related to cross-site scripting vulnerabilities. In the second module, we'll cover issues related to interpreting user input that lead to injection attacks. After module 2, you'll be able to detect and fix injection attacks on a large code base. In the third module, we'll turn our attention to authentication weaknesses. After that, you'll be able to better understand the pitfalls with regard to authentication and authorization. In the final module, we'll wrap up by fixing some vulnerable components. If you've been paying attention to the news, you may have heard about the Equifax breach, which was a result of a vulnerable component. At the conclusion of module 4, you will compile the activities you've been doing throughout the course into your final project. The entire course is sequenced to help you complete the final project: patching vulnerabilities in WebGoat. WebGoat is a deliberately insecure web application. You will go through a process I lay out to exploit WebGoat in order to understand vulnerabilities, find and fix the code, and then re-verify the fix by attempting to re-exploit the same vulnerability. Our deliberately vulnerable application, WebGoat, might include some design patterns and architectures that might seem overly complicated. That's because it's designed to house the lessons themselves, and the vulnerabilities are not central to the back-end architecture. It's okay, I will do my best to make sure that we don't get too lost in the scaffolding that WebGoat has to enable these modular lesson plans. Each module will teach you the essentials you will need to know to be prepared to complete your final project. After I introduce each topic, you'll get a chance to try, then I'll show you my approach. At the end of each module, you will complete a peer-review graded lab activity. The lab activity is simply demonstrating your approach to the activities you get a chance to do.
Remember, you can always review any lessons or resources that address areas where you need a refresher. You also have the discussion areas to look to. Remember, software security is not difficult. If you feel overwhelmed, just try, try, try again, and we'll get through it together. We have a lot to cover, so let's dive in.