New company Web application for outsourced suppliers


Your team received an assignment to develop and deliver a new company Web application for outsourced suppliers to use as they help support your company’s production resources. The IT director recently returned from an OWASP conference in India and insists that the app will have strong security. As he walked out the door from your initial project briefing the IT director said, “I do not want to wait 200 days after an exploit to hear about it. If something happens, I want to know yesterday.”

Instructions
The project specs require a multi-page design. The app will need to provide an interface to your company’s supply database for reading and entering data remotely as well as the ability to contact, via the e-mail server, your company supply managers. In an effort to save money, management decided that the team will use some open-source software library modules.

Provide at least six steps in the SDLC during which security-strengthening behaviors will be applied.

Explain the specific security-relevant actions taken during each step, including the people involved, the considerations taken, and the security assurance methods used.

Identify and briefly explain at least three different security testing methods and indicate which methods analyze the app’s front end, source code, or vulnerabilities while the app is running. Justify when you would use each method.

Explain at least six different vulnerabilities that could potentially affect your app and actions that your team could take to prevent each.


Sample Solution

Security Throughout the SDLC for Supplier Web Application

Integrating Security into the SDLC

Here are six stages of the Secure Development Lifecycle (SDLC) where security-strengthening actions will be implemented for your supplier web application:

  1. Requirements Gathering:

    • People Involved: Project Manager, Security Analyst, Business Stakeholders
    • Security Actions: Identify security requirements aligned with OWASP Top 10, analyze data sensitivity (supplier information, production data), define access control levels for suppliers.
    • Assurance Methods: Threat modeling to identify potential attack vectors, security requirement reviews.
  2. Design:

    • People Involved: Developers, Security Architect
    • Security Actions: Design a secure architecture with data encryption at rest and in transit (TLS). Specify secure coding practices (e.g., input validation, parameterized queries) to prevent injection attacks.
    • Assurance Methods: Secure design reviews, code reviews focusing on secure coding practices.
  3. Development:

    • People Involved: Developers, Security Engineer
    • Security Actions: Use static application security testing (SAST) tools to identify vulnerabilities in code. Employ code repositories with access controls and version control.
    • Assurance Methods: SAST scans, code reviews focusing on identified vulnerabilities from SAST reports.
  4. Testing:

    • People Involved: QA Testers, Security Testers
    • Security Actions: Perform dynamic application security testing (DAST) to identify vulnerabilities while the application is running. Conduct penetration testing (pen testing) to simulate real-world attacks and identify exploitable weaknesses.
    • Assurance Methods: DAST scans, pen testing reports with identified vulnerabilities and remediation steps.
  5. Deployment:

    • People Involved: System Administrators, Security Operations Center (SOC)
    • Security Actions: Deploy the application to a secure web server with firewalls and intrusion detection/prevention systems (IDS/IPS). Configure secure server settings and access controls.
    • Assurance Methods: Security configuration reviews, vulnerability scans of the deployed application.
  6. Monitoring and Maintenance:

    • People Involved: System Administrators, Security Analysts, Developers
    • Security Actions: Continuously monitor application logs for suspicious activity. Implement a vulnerability management program to patch newly discovered vulnerabilities promptly.
    • Assurance Methods: Log analysis, vulnerability scans at regular intervals.
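The log-analysis step above is where the director's "I want to know yesterday" requirement is met. The following is an added example (not part of the sample solution) of detection logic run over constructed supplier-app log lines; the key=value log format, the event names and the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value log format; not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=acme event=login_failed
2024-05-01T10:00:03Z ip=203.0.113.5 user=acme event=login_failed
2024-05-01T10:00:04Z ip=203.0.113.5 user=acme event=login_failed
2024-05-01T10:00:06Z ip=203.0.113.5 user=acme event=login_failed
2024-05-01T10:00:07Z ip=203.0.113.5 user=acme event=login_failed
2024-05-01T10:00:30Z ip=198.51.100.9 user=globex event=login_ok
2024-05-01T10:01:02Z ip=198.51.100.9 user=globex event=authz_denied target=supplier/acme
2024-05-01T10:15:00Z ip=198.51.100.9 user=globex event=authz_denied target=supplier/acme
"""

FAILED_LOGIN_THRESHOLD = 5          # assumed tuning value
WINDOW = timedelta(seconds=60)      # sliding window for failed-login counting

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return alert strings for credential brute-forcing and cross-supplier access attempts."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "login_failed":
            q = failures[rec["ip"]]
            q.append(rec["ts"])
            # Drop failures that fell out of the window before counting.
            while q and rec["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"brute-force: {len(q)} failed logins from {rec['ip']} "
                              f"within {WINDOW.seconds}s")
        elif rec["event"] == "authz_denied":
            # A supplier asking for another supplier's records is a possible IDOR probe.
            alerts.append(f"idor-probe: {rec['user']} from {rec['ip']} requested {rec['target']}")
    return alerts
```

In production the same logic would run over the live log stream and feed the SOC's alerting channel rather than returning a list.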

Security Testing Methods:

  1. Static Application Security Testing (SAST): Analyzes source code to identify vulnerabilities without running the application. (Focuses on source code)
  2. Dynamic Application Security Testing (DAST): Tests the application while it’s running to identify vulnerabilities exploitable through user input. (Focuses on application front-end)
  3. Penetration Testing (Pen Testing): Simulates real-world attacks to identify exploitable weaknesses in the application and infrastructure. (Focuses on both front-end and back-end while the application is running)

Justification for Testing Methods:

  • Use SAST early in development to identify and fix vulnerabilities in the code before they become exploitable.
  • Use DAST during testing to catch vulnerabilities that might be missed by SAST, such as those related to user input validation.
  • Use Pen Testing closer to deployment to simulate real-world attacks and uncover complex vulnerabilities.

Potential Vulnerabilities and Prevention Actions

  1. SQL Injection: Validate and sanitize all user input to prevent malicious code injection into database queries. (Use prepared statements with parameterized queries)
  2. Cross-Site Scripting (XSS): Encode all user-generated content displayed in the application to prevent attackers from injecting malicious scripts. (Use HTML entity encoding)
  3. Insecure Direct Object References (IDOR): Implement proper authorization checks to ensure suppliers can only access data they are authorized to see. (Use access control lists and role-based access control)
  4. Broken Authentication: Enforce strong password policies (minimum length, complexity requirements) and implement multi-factor authentication (MFA) for added security.
  5. Insufficient Logging & Monitoring: Implement comprehensive logging of user activity and system events to detect
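To make the first three prevention actions concrete, here is an added example (not part of the sample solution) of a supplier record lookup against a constructed in-memory stand-in for the supply database; the `supply_items` table, its columns and the supplier names are assumptions. It places the injectable query beside the parameterized one, refuses cross-supplier reads (IDOR), and entity-encodes output before it reaches the page (XSS).

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the company supply database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE supply_items (id INTEGER PRIMARY KEY, supplier_id TEXT, "
               "part TEXT, qty INTEGER)")
    db.executemany("INSERT INTO supply_items VALUES (?, ?, ?, ?)", [
        (1, "acme", "bearing <M8>", 40),
        (2, "acme", "gasket", 12),
        (3, "globex", "valve", 7),
    ])
    return db

def lookup_vulnerable(db, supplier_id, part):
    # Vulnerable pattern: request values are spliced into the SQL text, so the
    # WHERE clause can be rewritten by the caller (SQL injection).
    sql = (f"SELECT id, part, qty FROM supply_items "
           f"WHERE supplier_id = '{supplier_id}' AND part = '{part}'")
    return db.execute(sql).fetchall()

def lookup_safe(db, session_supplier, requested_supplier, part):
    # IDOR prevention: the supplier identity comes from the authenticated session,
    # and a request for another supplier's records is refused before any query runs.
    if requested_supplier != session_supplier:
        raise PermissionError("supplier may only read its own records")
    # SQL injection prevention: a parameterized query; the values never become SQL text.
    sql = "SELECT id, part, qty FROM supply_items WHERE supplier_id = ? AND part = ?"
    return db.execute(sql, (requested_supplier, part)).fetchall()

def render_row(row):
    # XSS prevention: HTML-entity-encode stored content before it is displayed.
    rid, part, qty = row
    return f"<tr><td>{rid}</td><td>{html.escape(part)}</td><td>{qty}</td></tr>"
```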
