Software Security
Mini project
1. You are required to develop a three-page web application with the following specifications:
a. A login page, a form submission page and a thank-you page with a logout feature. Logging out returns the user to the login page.
b. Data submitted on the form page and the login details are stored in a database.
c. The choice of technology for the web application and the database is up to you.
d. The form submission page should collect name, email address, phone number, country, gender and qualification.
2. Once the application is designed and developed, carry out a cyber security risk assessment of the website based on the NIST Cybersecurity Framework (CSF) 2.0:
https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd
The CSF 2.0 has six functions. The team needs to analyse them and, for each function required by the spec below, list implementation examples in the report (at least one category and two subcategories, each with examples).
Actual implementation of the controls is not required.
3. Perform penetration testing of the developed application for OWASP attacks and analyse the results.
a. You can use any testing tool of your choice.
b. Identify which OWASP attacks to perform as per the spec below.
4. Software security testing is very important for any software developed.
a. Identify static analysis and dynamic analysis tools and approaches for testing the developed application.
b. Perform static analysis of the code written using any tool of your choice and analyse the results.
5. Report/Presentation
a. Prepare a report outlining the following:
Spec based on team size
Item                      | 1-member team             | 2-member team                                                        | 3-member team
Web development           | Same effort for all teams | Same effort for all teams                                            | Same effort for all teams
Risk analysis             | Protect and Detect        | Protect, Detect, Respond and Recover                                 | All six functions (including Govern)
Penetration testing       | XSS, SQL injection        | XSS, SQL injection and any additional two items from the OWASP list  | XSS, SQL injection and any additional four items from the OWASP list
Software security testing | Same effort for all teams | Same effort for all teams                                            | Same effort for all teams
Report                    | ~6 pages                  | ~8 pages                                                             | ~10 pages
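Added example (not part of the assignment; the technology choice is left to the team): the form submission handler for item 1 written in Python with the standard-library sqlite3 module, storing the six required fields through a parameterised INSERT and HTML-escaping the submitted name on the thank-you page, which are the two defences the item 3 pen test for SQL injection and XSS checks for. The table schema, function names and probe strings are constructed for this demo.

```python
import html
import sqlite3

# The six fields the assignment's form page must collect.
FIELDS = ("name", "email", "phone", "country", "gender", "qualification")

def open_db() -> sqlite3.Connection:
    """Open an in-memory SQLite database with a constructed submissions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "phone TEXT, country TEXT, gender TEXT, qualification TEXT)"
    )
    return conn

def save_submission(conn: sqlite3.Connection, form: dict) -> int:
    """Store one submission with a parameterised INSERT and return its row id.
    The '?' placeholders pass values as data, so a quote or SQL fragment typed
    into a field is stored literally (the SQL injection case in the spec)."""
    cur = conn.execute(
        "INSERT INTO submissions (name, email, phone, country, gender, qualification) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        tuple(form[f] for f in FIELDS),
    )
    conn.commit()
    return cur.lastrowid

def get_submission(conn: sqlite3.Connection, row_id: int) -> dict:
    """Read one stored submission back as a dict keyed by field name."""
    row = conn.execute(
        "SELECT name, email, phone, country, gender, qualification "
        "FROM submissions WHERE id = ?", (row_id,)
    ).fetchone()
    return dict(zip(FIELDS, row)) if row else {}

def render_thank_you(name: str) -> str:
    """Thank-you page body with the name HTML-escaped: html.escape turns <, >, &
    and quotes into entities, so a script tag submitted as the name is displayed
    as text rather than executed (the XSS case in the pen-test spec)."""
    return f"<p>Thank you, {html.escape(name)}!</p>"

if __name__ == "__main__":
    db = open_db()
    # Constructed sample submission carrying the kind of strings a pen test probes with.
    probe = {"name": "<script>alert(1)</script>", "email": "a@example.test", "phone": "0000000000",
             "country": "x' OR '1'='1", "gender": "n/a", "qualification": "BSc"}
    rid = save_submission(db, probe)
    print(get_submission(db, rid)["country"])  # stored literally, not executed as SQL
    print(render_thank_you(probe["name"]))     # tags rendered as text
```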
Submission details:
Video and report submission
1. Prepare the report as per the template.
2. Prepare a 10-minute video demonstration that gives a brief slide-deck project overview, demonstrates the website, the pen testing and the static analysis, and ends with the "Lessons learned" from this mini-project.