Develop and deliver a new company Web application for outsourced suppliers to use as they help support your company's production resources

Your team received an assignment to develop and deliver a new company Web application for outsourced suppliers to use as they help support your company's production resources. The IT director recently returned from an OWASP conference in India and insists that the app will have strong security. As he walked out the door from your initial project briefing the IT director said, "I do not want to wait 200 days after an exploit to hear about it. If something happens, I want to know yesterday."

Instructions

The project specs require a multi-page design. The app will need to provide an interface to your company's supply database for reading and entering data remotely as well as the ability to contact, via the e-mail server, your company supply managers. To save money, management decided that the team would use some open-source software library modules.

Provide at least six steps in the SDLC during which security-strengthening behaviors will be applied. Explain the specific security-relevant actions taken during each step, including the people involved, the considerations taken, and the security assurance methods used. Identify and briefly explain at least three different security testing methods and indicate which methods analyze the app's front end, source code, or vulnerabilities while the app is running. Justify when you would use each method. Explain at least six different vulnerabilities that could potentially affect your app and actions that your team could take to prevent each.

Sample Solution
Security Throughout the SDLC for Supplier Web App

Here are six steps in the SDLC where security-strengthening behaviors will be applied for your supplier web app:

1. Requirements Gathering:

  • People Involved: Project Manager, Security Specialist, Business Stakeholders
  • Security Actions: Identify security requirements based on OWASP Top 10 and data sensitivity (e.g., authentication, authorization, data encryption).
  • Considerations: Data classification (public, confidential), access control needs, potential attack vectors (e.g., SQL injection, XSS).
  • Security Assurance Methods: Threat modeling to identify vulnerabilities and mitigation strategies.

2. Design & Architecture:

  • People Involved: Developers, Security Architect
  • Security Actions: Design secure architecture with defense-in-depth approach (e.g., input validation, firewalls, secure coding practices).
  • Considerations: Principle of least privilege for access control, separation of duties, secure coding standards (e.g., OWASP Secure Coding Practices).
  • Security Assurance Methods: Peer design and architecture reviews, checked against the threat model, to identify security flaws before code is written.

3. Development & Coding:

  • People Involved: Developers, Security Engineer
  • Security Actions: Use secure coding practices, leverage static code analysis tools to identify vulnerabilities in code.
  • Considerations: Secure coding libraries, proper input validation to prevent injection attacks, secure data storage (e.g., hashing passwords).
  • Security Assurance Methods: Static Application Security Testing (SAST) to scan code for vulnerabilities before deployment.

4. Testing & Integration:

  • People Involved: QA Testers, Security Testers
  • Security Actions: Perform Dynamic Application Security Testing (DAST) to simulate real-world attacks, penetration testing to exploit vulnerabilities and identify weaknesses.
  • Considerations: Testing different attack vectors, user input validation testing, session management testing.
  • Security Assurance Methods: DAST and penetration testing to identify vulnerabilities before app goes live.

5. Deployment & Monitoring:

  • People Involved: Operations team, Security Analyst
  • Security Actions: Secure deployment configuration, implement intrusion detection/prevention systems (IDS/IPS), regular security audits.
  • Considerations: Secure server configuration, vulnerability scanning of deployed application, monitoring for suspicious activity.
  • Security Assurance Methods: Regular security audits and vulnerability scanning to identify and address issues promptly.

6. Maintenance & Support:

  • People Involved: Developers, Security Team
  • Security Actions: Patching vulnerabilities promptly, keeping security libraries and frameworks updated, security awareness training for developers.
  • Considerations: Regular vulnerability scanning for newly discovered threats, incident response plan in case of security breach.
  • Security Assurance Methods: Continuous monitoring and patching to ensure ongoing security posture.

Security Testing Methods

  1. Static Application Security Testing (SAST): Analyzes source code for vulnerabilities without executing the application (focuses on code). Useful in early development stages to identify potential issues before coding is complete.

  2. Dynamic Application Security Testing (DAST): Simulates real-world attacks by sending crafted requests and inputs to the application while it is running (black-box view of the front end and the back-end endpoints it exposes). Useful for identifying vulnerabilities that are exploitable at runtime, including configuration and deployment issues that source analysis cannot see.

  3. Penetration Testing (Pen Testing): Ethical hacking where security experts attempt to exploit vulnerabilities in the application (focuses on front-end, back-end, and overall security posture). Useful for identifying critical vulnerabilities and potential attack paths.

Potential Vulnerabilities and Prevention

  1. SQL Injection: Occurs when untrusted input is concatenated into a SQL statement and interpreted as part of the query, allowing an attacker to read or manipulate the database.
     • Prevention: Use parameterized queries (prepared statements) for every database call; validate user input against the expected format as a second layer.
  2. Cross-Site Scripting (XSS): Untrusted input is placed into a page without encoding and executes as script in another user's browser.
     • Prevention: Context-aware output encoding (e.g., HTML escaping) of all untrusted values, plus input validation, to prevent script execution.
  3. Broken Authentication & Authorization: Weak password policies, lack of multi-factor authentication, or improper access control.
     • Prevention: Strong password policies, multi-factor authentication, and role-based access control (RBAC) enforced on the server.
  4. Insecure Direct Object References: Direct access to sensitive data or functionality by supplying an identifier, without an authorization check on that object.
     • Prevention: Object-level access control checks on every request (verify the requester is allowed to see the referenced record), plus validation of identifiers used to access resources.
  5. Security Misconfiguration: Insecure server settings, outdated software, or improper configuration of security features.
     • Prevention: Hardened server configuration, regular patching and updates of the open-source library modules and frameworks, and adherence to security best practices.
  6. Insufficient Logging & Monitoring: Lack of logs to track user activity and system events makes it difficult to detect suspicious behavior, which is exactly the "200 days after an exploit" scenario the IT director wants to avoid.
     • Prevention: Implement comprehensive logging and monitoring of user activity, authorization failures, and system events; analyze logs for anomalies and alert on them.
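The following is an added example, not part of the original sample solution, showing the vulnerable form beside the hardened form for four of the vulnerabilities listed above (SQL injection, XSS output encoding, insecure direct object references with RBAC, and logging of authorization denials). It uses an in-memory sqlite3 table as a stand-in for the company supply database; the table name, the rows, the supplier and manager names and the role map are all constructed for the demonstration.

```python
"""Added example (not from the original page): vulnerable vs. hardened handling
for four of the listed vulnerabilities. sqlite3 in memory stands in for the
company supply database; all names and rows below are constructed."""
import html
import logging
import sqlite3
from collections import Counter

log = logging.getLogger("supplier_app.audit")
DENIALS = Counter()  # authorization denials per requester (constructed monitoring state)


def build_sample_db():
    """Constructed sample data: each supplier may only see its own rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE supplies (id INTEGER PRIMARY KEY, part TEXT, owner TEXT, qty INTEGER)"
    )
    conn.executemany(
        "INSERT INTO supplies (part, owner, qty) VALUES (?, ?, ?)",
        [("bearing-42", "acme", 120), ("gasket-7", "acme", 30), ("valve-3", "globex", 15)],
    )
    return conn


# --- 1. SQL injection -------------------------------------------------------
def find_parts_vulnerable(conn, supplier, part_prefix):
    """Defective on purpose: the filter is spliced into the SQL text, so a
    crafted filter rewrites the WHERE clause and leaks other suppliers' rows."""
    sql = (
        f"SELECT part, qty FROM supplies WHERE owner = '{supplier}' "
        f"AND part LIKE '{part_prefix}%'"
    )
    return conn.execute(sql).fetchall()


def find_parts_safe(conn, supplier, part_prefix):
    """Hardened: a parameterized query binds the input as data, never as SQL."""
    sql = "SELECT part, qty FROM supplies WHERE owner = ? AND part LIKE ? || '%'"
    return conn.execute(sql, (supplier, part_prefix)).fetchall()


# --- 2. Cross-site scripting: encode on output ------------------------------
def render_part_row(part, qty):
    """HTML-escape every untrusted value before it is placed into markup."""
    return f"<tr><td>{html.escape(str(part))}</td><td>{html.escape(str(qty))}</td></tr>"


# --- 3/4. Insecure direct object reference + RBAC, with audit logging -------
ROLES = {"acme": "supplier", "globex": "supplier", "manager1": "supply_manager"}  # constructed


def get_supply(conn, supply_id, requester):
    """Object-level authorization: a supplier may read only rows it owns; a
    supply manager may read any row. Every denial is logged and counted."""
    row = conn.execute(
        "SELECT id, part, owner, qty FROM supplies WHERE id = ?", (supply_id,)
    ).fetchone()
    if row is None:
        return None
    role = ROLES.get(requester)
    if role == "supply_manager" or (role == "supplier" and row[2] == requester):
        log.info("read supply_id=%s by=%s", supply_id, requester)
        return row
    DENIALS[requester] += 1
    log.warning("DENIED supply_id=%s by=%s owner=%s", supply_id, requester, row[2])
    return None


def suspicious_requesters(threshold=3):
    """Monitoring hook: requesters whose denial count reached the threshold,
    i.e. someone walking through record ids they do not own."""
    return sorted(r for r, n in DENIALS.items() if n >= threshold)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    db = build_sample_db()
    crafted = "' OR 1=1 --"  # constructed input that exposes the defect
    print("vulnerable:", find_parts_vulnerable(db, "acme", crafted))  # all 3 rows
    print("safe      :", find_parts_safe(db, "acme", crafted))        # []
    print(render_part_row("<b>bearing</b>", 5))
    for i in (1, 2, 3):
        get_supply(db, i, "globex")  # only id 3 belongs to globex
    print("flagged:", suspicious_requesters(threshold=2))  # ['globex']
```

The two query functions differ only in whether the filter travels as SQL text or as a bound parameter; the denial counter is the smallest form of the "know about it yesterday" monitoring the prompt asks for, and in a real deployment the warning lines would feed the SIEM rather than a Python Counter.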
