Hi everyone. In this video, we're going to talk about some of the resources and the tools you'll need to go through this course. Of course, first on that list is OWASP. So, OWASP is the Open Web Application Security Project. In your career, whether you're a developer or a software security engineer, you're going to reference OWASP and OWASP content constantly. So, throughout this course we're going to be making references to OWASP. In fact, one of the main portions of this project is the OWASP WebGoat, which is a deliberately insecure application that OWASP and open source contributors across the world contribute to. And, we're going to work on patching WebGoat. So essentially, we're going to be securing WebGoat, which was written in Java.

The WebGoat code is open freely on OWASP's own GitHub page, on their WebGoat page. And you can get there by simply going to github.com/webgoat/webgoat. However, for our course, for our purposes, I have forked off their branch. You can find that under the UC Davis GitHub. And their project is just called WebGoat-WEB1062. Now, we had a couple of reasons for having forked it. Mainly, it is that the open source contributors across the world are constantly contributing to WebGoat. We want to have a stable platform to work on. So, as the lessons change on the main branch of WebGoat, we don't want it to be affecting our course. So essentially, we forked it off so that we have a stable platform to work against. Another reason to do it is some of the scripts in here have been modified to make it a little bit easier for us to run it. Since we don't need to be an expert in compiling WebGoat as an entirety of the project, or we don't need to be an expert on how Docker works, or how the various tools that they utilize work, I've simplified some of the scripts for our own use.

Another tool that we're going to be using a lot, simply by necessity, is Maven. So, Maven is a project management tool.
If you come from the C world, you may be familiar with Makefiles. If you're a Java developer but have never heard of Maven, you've probably used something like Gradle or Ant. Maven's just another breed of those. The only reason we're using it is because that's what the WebGoat project uses. So, we'll be using that too - pulling packages, creating hard files, and so on. So, you need to install Maven on your desktop and have it be something that your IDE can call back to.

Another thing you'll need is an IDE. So, you can use whatever IDE you're comfortable with. Eclipse is a great IDE and it will work perfectly fine for this. I personally use IntelliJ. That's just because that's what I've used at work before, and that's what I'm most comfortable with. But, whatever IDE you use, just make sure it has support for Maven. So IntelliJ, last I checked, their community edition does not have support for Maven projects. As a result, if you're going to go the IntelliJ route, you may have to buy the enterprise version. I do know that Eclipse, which is open source and free, does support Maven. So, you're more than welcome to use it as well.

Another tool you're going to hear me talk about is Docker. Docker is essentially a containerization engine and it allows us to run WebGoat inside of a Docker container, so that we don't have to have our IDE up. Alternatively, you can run it directly from your IDE and that works equally well too.

Lastly, we need a tool to, essentially, do a man-in-the-middle attack. If you're not familiar with what that is, you can look back on Sandra's courses, course two of this series. We basically need to get in between our browser and our server, in this case serving WebGoat, in order to analyze some of the traffic and look at how we could attack certain vulnerabilities. So, you need a tool that can place itself between the traffic - in between the client and the server.
In that case, we can either use the OWASP Zed Proxy or Zed Attack Proxy, ZAP for short. Or you're going to see me using a tool called Burp. I'm using the community edition and it's free. Again, there's really no difference between the two; I'm just more comfortable using Burp. So that's the tool that I chose for my purposes. Feel free to change it up to whatever you prefer.