The following criteria and weighting will be applied in the marking, as shown in the table below.
|
Criteria
|
Mark
|
|
Testcase interactions and verification (Task 1, 5)
|
20%
|
|
Reduction of the attack surfaces of the images. (Task 2)
|
30%
|
|
Deployed Hardened Images (Tasks 3,4) and presentation of working deployment
|
40%
|
|
Report Presentation and Structure:
· Report’s logical and well-defined structure
· Clear and high-quality figures/screenshots
· Good writing without grammar or spelling issues
|
10%
|
|
TOTAL MARKS
|
100%
|
Pass band marks
Marks in pass band will be awarded for correctly delivering against all of the following:
· Satisfying all the file name constraints and internal structural requirements of all the deliverables.
· Partial reduction of the attack surfaces of the images, supported by clear narrative in the pdf / comments in scripts of the reasoning associated with trying to reduce the attack surface.
· Somewhat restrictive though overly permissive security policies supported by clear narrative in the pdf / comments in scripts, of the reasoning associated with the development of the security policies.
· Somewhat restrictive though overly permissive runtime environment supported by clear narrative in the pdf / comments in scripts of the reasoning associated with trying to establish a secure runtime container ecosystem.
· A functional though somewhat insecure application that can be run at the demo supported by clear narrative in the pdf / comments in scripts of understanding of the shortcomings of the submission.
Merit band Marks
Once all the requirements of the pass band are achieved, then marks in the merit band will be awarded for additionally satisfying all of the following:
· substantial reduction of the attack surfaces of at least one image, supported by clear narrative in the pdf / comments in scripts of the reasoning associated with reducing the attack surface. Other images partially reduced, as the pass band.
· tight security policies with suitably restrictive runtime environment for at least one container supported by clear narrative in the pdf / comments in scripts of the reasoning associated with the development of the security policies and secure runtime container ecosystem. Other containers somewhat restricted as the pass band.
· robust treatment of persistence, a functional modestly secure application that can be run at the demo.
Distinction band marks
· Once all the requirements of the merit band are achieved, then marks in the distinction band will be awarded for additionally satisfying all of the following:
· Complete reduction of the attack surfaces of the images, supported by clear narrative in the pdf / comments in scripts.
· Tight security policies with suitably restrictive runtime environment of all containers s supported by clear narrative in the pdf / comments in scripts.
· Deep insight and associated application to the problem at hand, that goes beyond the material taught in the module.
· Robust, clean, well structured, well- commented build scripts that could be safely passed to a third party to maintain and / or further develop.
· A functional, secure, robust application that can be run at the demo.
Please also see marking scale.
|
|
|
|
|
|
|
|
|
|
Analyse the security relationships within a virtualised ecosystem between a virtualised container and its sibling containers
Assessed in Task: 1
|
Exceptional work of the highest quality, demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation, and appropriate skills in the analysis of the security relationships. The work may achieve or be close to publishable standard
|
Work of original and exceptional quality in the analysis of the security relationships, which in the examiners’ judgement merits special recognition by the award of the highest possible mark
|
High-quality work demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in the analysis of the security relationships. Work which may extend existing debates or interpretations.
|
Competent work demonstrating good knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in the analysis of the security relationships.
|
Work of limited quality, demonstrating some relevant knowledge and understanding in the analysis of the security relationships.
|
Work does not meet standards required for the appropriate stage of a Masters degree. Evidence of study and demonstrates some knowledge and some basic understanding of relevant concepts and techniques, but subject to significant omissions and errors
|
Work of no merit OR Absent, work not submitted, penalty in some misconduct cases
|
|
Analyse the security relationships within a virtualised ecosystem between a virtualised container and the underlying host
Assessed in Task: 4
|
Exceptional work of the highest quality, demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation, and appropriate skills in the the analysis of the security relationships. The work may achieve or be close to publishable standard
|
Work of original and exceptional quality in the analysis of the security relationships, which in the examiners’ judgement merits special recognition by the award of the highest possible mark
|
High-quality work demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in the analysis of the security relationships. Work which may extend existing debates or interpretations.
|
Competent work demonstrating good knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in the analysis of the security relationships.
|
Work of limited quality, demonstrating some relevant knowledge and understanding in the analysis of the security relationships.
|
Work does not meet standards required for the appropriate stage of a Masters degree. Evidence of study and demonstrates some knowledge and some basic understanding of relevant concepts and techniques, but subject to significant omissions and errors
|
Work of no merit OR Absent, work not submitted, penalty in some misconduct cases
|
|
Evaluate the extent to which a virtualised container ecosystem satisfies its desired security properties
Assessed in Task: 5
|
Exceptional work of the highest quality, demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation, and appropriate skills in the satisfying the desired security properties. The work may achieve or be close to publishable standard
|
Work of original and exceptional quality in satisfying the desired security properties, which in the examiners’ judgement merits special recognition by the award of the highest possible mark
|
High-quality work demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in satisfying the desired security properties. Work which may extend existing debates or interpretations.
|
Competent work demonstrating good knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in satisfying the desired security properties.
|
Work of limited quality, demonstrating some relevant knowledge and understanding in satisfying the desired security properties.
|
Work does not meet standards required for the appropriate stage of a Masters degree. Evidence of study and demonstrates some knowledge and some basic understanding of relevant concepts and techniques, but subject to significant omissions and errors
|
Work of no merit OR Absent, work not submitted, penalty in some misconduct cases
|
|
Configure a virtualised container ecosystem to achieve the desired security properties from the perspective of both the container and the underlying host.
Assessed in Tasks: 2, 3
|
Exceptional work of the highest quality, demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation, and appropriate skills in the delivery of a secure configuration. The work may achieve or be close to publishable standard
|
Work of original and exceptional quality in the delivery of a secure configuration, which in the examiners’ judgement merits special recognition by the award of the highest possible mark
|
High-quality work demonstrating excellent knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in the delivery of a secure configuration. Work which may extend existing debates or interpretations.
|
Competent work demonstrating good knowledge and understanding, analysis, organisation, accuracy, relevance, presentation and appropriate skills in the delivery of a secure configuration.
|
Work of limited quality, demonstrating some relevant knowledge and understanding in the delivery of a secure configuration.
|
Work does not meet standards required for the appropriate stage of a Masters degree. Evidence of study and demonstrates some knowledge and some basic understanding of relevant concepts and techniques, but subject to significant omissions and errors
|
Work of no merit OR Absent, work not submitted, penalty in some misconduct cases
|
1 Assessment brief
Overall Context:
As a cloud and virtualization security expert, you're responsible for assessing and strengthening the security of a prototype containerized cloud system. You have been provided with prototype that is intended for deployment within the company's existing Docker production setup. The development team has expertise in system development but lacks experience in virtualization security. Your task is to create a detailed report presenting your evaluation results and security recommendations for the client, a company that develops cloud-based solutions.
This report will:
• Provide recommendations on how they could improve the security of a system, using a technical case study of their work as an example.
TASKS:
1. Define up to 10 test cases to verify the functionality and security of the containers and application.
2. Refine supplied Dockerfiles and any custom files, excluding those from official repositories, to create hardened images capable of running the application.
3. Generate hardened images from the refined Dockerfiles.
4. Determine runtime commands for running containers from the images on the production team's chosen system, ensuring maximum security. Consider commands for:
a. one-time configuration
b. running the container each time
5. Verify the application's correct functionality against the test cases when applying the proposed runtime security to the containers.
Deliverables:
Report:
Via tabula, a succinct pdf report named csvs.pdf containing the following five sections:
· Section 1 your set of testcase interactions.
· Section 2 containing your reasoning and evidence for your submission against tasks 2 & 3 (image hardening & image generation).
· Section 3 containing your reasoning and evidence for your submission against tasks 4 & 5 (runtime hardening & verification).
· References.
Pages must be numbered in the page footer. In sections 2, 3 you should illustrate significant aspects of the process that you followed. Include significant examples that demonstrate your ability to think and act coherently. It is not sufficient merely to produce the finished item; reasoning about the process followed is essential.
B, Compressed Archive
Via Tabula, a compressed archive named csvs.zip containing:
· the build directories and additional scripts related to the image build process associated with Tasks 1 & 2.
· the various files require to deploy the containers securely in the runtime environment associated with Task 3.
· Video file or video file link for your presentation
2 Special instructions
Do not include the Assignment Guidance and Front Sheet in the submission.
Spelling/grammar. Ensure that you spell check the submission, use a grammar checker and ensure that you proofread your work prior to submission. Spell/grammar checkers must be set to UK English, do not use ‘Americanised’ spellings.
References. References are to be included at the end of the report using the Harvard referencing system. You may also include a bibliography. Each reference must be connected to a citation within the main body of the report.
Do not attempt to hide text within JPEGs, this will be construed as an attempt to mislead the assessor.
Coherence. A poorly worded report will hide excellent content. The narrative should be easy to read, and arguments should be presented coherently and convincingly.
Presentation. At this stage in your studies, there is no excuse for poor presentation. You will not receive marks for presentation; however, your submission will be penalised for poor presentation.
Formatting. All figures and tables must be properly labelled and captioned. All pages must be numbered. Formatting must be consistently applied throughout the submission. Submissions that stray from this guidance may be penalised.