Module: CMP-7038B - Developing Secure Software
Assignment: R002 - Secure Development Project and Presentation (Individual)
Learning outcomes
• Understand the importance of designing software with the security needs of an end user in mind
• Develop a secure and usable website that meets the needs of the user
• Analyse the effectiveness of a range of security methods and tools
• Analyse the evolving threats associated with the internet
Specification
Overview
The aim of this individual R002 assignment is for you to code a secure usable and accessible web-based movie blog system that mitigates, at a minimum, the five most common security vulnerabilities of account enumeration, session hijacking, SQL injection, cross-site scripting and cross-site request forgery.
You will work individually to code and secure the web-based blog using JavaScript. and Node.js, with a MySQL database.
At minimum, the movie blog system will require registration and login authentication (via 2FA of username/password and email One-Time-Passwords (OTP)), search functionality, and the ability to add, edit and delete posts. You can use pre-built security libraries, but you must clearly and concisely explain how they work and how they improve security for your movie blog system.
To evidence your system’s security mitigations working, you need to create a maximum 15-minute MP4 (max 720P) video demonstration, showing both the front-end (user website view) and back-end (code and database) elements of your system and try attacking the system yourself to evidence that you have protected your system from a threat actor attacking each vulnerability/element. A OneDrive link to the working video should be sent via email to the MO ([email protected]), before the submission deadline.
Description
You are required to individually develop a small, secure, usable and accessible, web-based move blog site that mitigates various security vulnerabilities.
Development coding of web-based movie blog:
At a minimum, your code should defend against the five most common vulnerabilities of:
• Account enumeration
• Session hijacking
• SQL injection
• Cross-site scripting
• Cross-site request forgery
You need to concentrate on coding the security, usability and accessibility aspects of the web-based movie blog and not on web development, as you only need to produce a basic usable and accessible front-end. This will be used to evidence your security processes and mitigations during a 15-minute MP4 video demonstration. Functionality of the front-end should be prioritised over aesthetics, but you still need to consider usability and accessibility.
You must code your website using JavaScript. and Node.js, with a MySQL database. Any Node framework, such as Express, is acceptable but you cannot use any other types of SQL databases, as you are restricted to using MySQL.
To secure your movie blog you must include hashing and/or salting, encryption and a 2FA authentication of username/password and email One Time Password (OTP).
The movie blog should not sacrifice security or usability and accessibility, but there will be some trade-offs needed. You must discuss and justify any trade-offs you have chosen, during your video demonstration.
You can use any pre-built security libraries you believe will be useful, but these must be clearly and concisely explained as to how they work, what they secure against and exactly how they provide security protection specifically for this movie blog. If you cannot or do not fully explain your library use, you will not attain any marks for that mitigation. You should also consider coding some of your own processes, as extra marks are available for self-coded mitigations.
Each mitigation must be valid across the whole web-blog site, e.g., you cannot mitigate SQL injection and then break it later when mitigating another vulnerability.
The code you produce must be fully tested, using think-aloud user testing and system unit testing. Evidence of these tests (and results) must be recorded via separate test plans and must be shown during the MP4 video demonstration.
You must not reuse any code from other sources, including work from assignment 001, previous courses, Stack Overflow, YouTube etc.
Deliverables
See description section above, and marksheet at the end of this specification brief, for the deliverable requirements for this R002 reassessment.
The easiest way to evidence these deliverable requirements is to record a maximum 15-minute video presentation in an MP4 format (max 720p). It must be a fully rendered and working single video. You do not have to show your face during the video (although it is nice to do so) but a voiceover discussing your justifications and decision making is a requirement.
This video demo should be structured to evidence the system working for both front-end and back-end security mitigations, authentication, encryption, hashing and/or salting, usability and accessibility, etc.
o The front-end must show evidence of the security issues you have protected against, and system usability and accessibility, from a user perspective.
o The back-end must show evidence of the coding functions you have used to secure your system for both the code and database
o You should also discuss any libraries used and justifications for any trade-offs between security and usability/accessibility.
The video demonstration must be clear and concise, and you must not speed up the video to hit the 15-minute time limit.
Please note: If the video exceeds 15 minutes, the marking will cease immediately at that point, and any information or code discussed after this time will not be marked.
Relationship to formative assessment
This assignment builds on the formative work you complete during your weekly lab sessions, as well as the feedback from assignment 001. You cannot use anything from your group’s 001 assignment, the internet or a previous course.
Resources
Lecture notes and previous lab sessions are highly relevant to this work. You should also refer to the feedback given for assignment 001.
• Erickson J., (2008) Hacking: The art of exploitation. 2nd edition San Francisco: No Start Press
• OWASP Top 10. Available at https://owasp.org/www-project-top-ten/
• Anderson R. (2008) Security Engineering: A Guide to Building Dependable
Distributed Systems, Wiley, available on the author’s website (https://www.cl.cam.ac.uk/~rja14/book.html)
• The DBLP bibliography server (https://dblp.org/) is also an excellent resource for most topics and holds data and links for over 4.8 million computing
publications.
You can use any video editing software you choose but the upload must include a single video file for the entire presentation from start to finish. You can show a watermark across the video, but only if this does not stop the marker being able to view your slide content.
If you have questions, please email the MO Debbie Taylor on Debbie.taylor@uea.ac.uk.
Handing in procedure:
• Blackboard - upload a copy of the source code and README
document, on how to run the code, to the R002 submission point. This will open 1 week before the deadline.
• OneDrive link – send the MO Debbie Taylor ([email protected]) a link to access your completed, maximum 15-minute MP4 video. Please
ensure you give access to a working video, as you will not be asked to provide another copy if the uploaded version does not play when being marked.
Please note: Please ensure you allow yourself enough time to upload/send
everything before 14:59 on the submission day or LTS will automatically add the late submission penalties when the final score is added to eVision. CMP faculty do not
have any control over this process, or extensions, as these are fully controlled by the LTS team.