COP 640 Project 3 Secure coding

Description

It is the 2nd portion of the previous assignment. See attached.


Project 3: Secure Coding Report
Your name
University of Maryland Global Campus
COP 640: Secure Coding
Instructor’s name
Due date
TABLE OF CONTENTS
Project 3: Secure Coding Report ………………………………………………………………………… 3
INTRODUCTION …………………………………………………………………………………………… 3
SYSTEM OVERVIEW …………………………………………………………………………………….. 3
REQUIREMENTS MATRIX ……………………………………………………………………………. 3
Table 1. Requirement Matrix Completion ……………………………………………………….. 3
DESIGN …………………………………………………………………………………………………………. 6
THE TOP 10 WEB APPLICATION SECURITY RISKS AND A BRIEF
EXPLANATION OF EACH ……………………………………………………………………………………….. 7
Injection (A1): ……………………………………………………………………………………………… 7
Broken Authentication (A2):………………………………………………………………………….. 7
Sensitive Data Exposure (A3): ……………………………………………………………………….. 7
XML External Entities (XXE) (A4):……………………………………………………………….. 7
Broken Access Control (A5): …………………………………………………………………………. 8
Security Misconfigurations (A6): …………………………………………………………………… 8
Cross-Site Scripting (XSS) (A7): ……………………………………………………………………. 8
Insecure Deserialization (A8): ……………………………………………………………………….. 8
Using Components with Known Vulnerabilities (A9): ………………………………………. 8
Insufficient Logging & Monitoring (A10): ………………………………………………………. 9
A DESCRIPTION OF THE FRAMEWORKS AND TOOLS YOU WILL USE IN
THIS DEVELOPMENT ……………………………………………………………………………………………… 9
A DESCRIPTION OF THE ENCRYPTION AND CRYPTOGRAPHY BEST
PRACTICES THAT WILL BE PART OF THIS APPLICATION. …………………………………. 10
REFERENCES………………………………………………………………………………………………. 14
Project 3: Secure Coding Report
INTRODUCTION
This document describes the secure coding project: a web application for viewing the
environmental results recorded by sensors in the surrounding area. It covers the
operational aspects of the system, including deployment procedures, administrative
responsibilities, and the functionality available to users.
SYSTEM OVERVIEW
The system offers a straightforward interface through which administrators and users
reach the functionality described here. It meets the stipulated requirements listed in
the Requirements Matrix below; each requirement has been addressed and verified as
recorded in the table.
REQUIREMENTS MATRIX
The Requirements Matrix serves as a comprehensive reference, confirming the
successful implementation of all specified requirements. This document reflects our
commitment to meeting and exceeding expectations, providing users with a reliable and
feature-rich web application experience.
Table 1. Requirement Matrix Completion

Requirement/Control: The web application allows a user to log in and authenticate using a unique username and password.
Comments: Implemented correctly and working
Complete (Y/N): Y

Requirement/Control: Upon successful login, the web application displays a welcome page, welcoming the user and displaying a simple navigation menu.
Comments: Implemented correctly and working
Complete (Y/N): Y

Requirement/Control: The navigation menu includes options for “Home,” “View Environmental Results,” and “Logout.”
Comments: Implemented correctly and working
Complete (Y/N): Y

Requirement/Control: The Home menu option includes the last time the user accessed the application, along with a brief description of what each of the menu options provides.
Comments: Implemented correctly and working
Complete (Y/N): Y

Requirement/Control: The View Environmental Results menu option displays the temperature and relative humidity values for the industrial control environmental sensors for the last 24 hours.
Comments: The user is able to view and manage the weather attributes as desired.
Complete (Y/N): Y

Requirement/Control: The Logout menu option logs the user out of the application and redisplays the login screen.
Comments: Implemented correctly and working
Complete (Y/N): Y

Requirement/Control: The web application allows two different roles for accessing the application: user and administrator. The user role has read privileges supporting all web pages. The administrator role has all the privileges of the user role, plus the ability to insert, update, and delete records in the related sensor files by using a web page form.
Comments: Implemented correctly and working
Complete (Y/N): Y

Requirement/Control: AC-2 Account Management
• Specify authorized users of the system.
• Specify group and role membership.
• Monitor the use of accounts.
• Authorize access to the system based on a valid access authorization.
Complete (Y/N): Y

Requirement/Control: AC-6 Least Privilege
• Log the execution of privileged (administration) functions.
• Prevent nonprivileged users from executing privileged functions.
• Restrict privileged accounts on the system to administrators.
Complete (Y/N): Y

Requirement/Control: AC-7 Unsuccessful Logon Attempts
• Enforce a limit of four consecutive invalid logon attempts by a user and automatically lock the account.
Complete (Y/N): Y

Requirement/Control: AC-8 System Use Notification
• Display a system use notification warning to users before granting access to the system that states system usage may be monitored, recorded, and subject to audit; unauthorized use of the system is prohibited and subject to criminal and civil penalties; use of the system indicates consent to monitoring and recording.
• Retain the notification message or banner on the screen until users acknowledge the usage conditions.
Complete (Y/N): Y

Requirement/Control: AC-9 Previous Logon Notification
• Notify the user, upon successful logon to the system, of the date and time of the last logon.
Complete (Y/N): Y

Requirement/Control: AU-2 Event Logging
• The system shall log the following events: website access for each web page, to include date/time, IP, URL, and HTTP access code, and any system lockout events.
Complete (Y/N): Y

Requirement/Control: CA-8 Penetration Testing
• Conduct software penetration testing prior to deployment on the system using available tools.
Complete (Y/N): Y

Requirement/Control: IR-4 Incident Handling
• Implement an incident handling capability for incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Complete (Y/N): Y

Requirement/Control: IA-2 Identification and Authentication
• Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Complete (Y/N): Y

Requirement/Control: SA-5 System Documentation
• Develop administrator documentation for the system including the operation of the system, deployment of the system, and any known vulnerabilities.
• Develop user documentation for the system including a user’s guide describing the functionality.
Complete (Y/N): Y

Requirement/Control: SA-11 Developer Testing and Evaluation
• Employ static code analysis tools to identify common flaws and document the results of the analysis.
• Perform a manual code review of code developed for the application.
Complete (Y/N): Y
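The lockout, previous-logon and audit-logging rows of the matrix (AC-7, AC-9, AU-2, and the AC-6 requirement to log privileged functions) can be implemented in one framework-independent policy object that a Flask login route calls. The code below is an added example, not the project's own code; it assumes the caller supplies a credential check (for instance a lookup against a hashed password file), uses Python's standard logging module for the audit trail, and keeps account state in memory for illustration.

```python
import logging
from datetime import datetime, timezone

# Added example (not the project's code): enforces AC-7 (lock after four
# consecutive invalid logon attempts), records the previous logon for AC-9,
# and writes the AU-2 / AC-6 audit events named in the requirements matrix.
MAX_FAILED_ATTEMPTS = 4  # AC-7: the fourth consecutive failure locks the account

audit = logging.getLogger("app.audit")


class AccountState:
    """Per-user counters; a real deployment keeps these in the user store."""

    def __init__(self):
        self.failed_attempts = 0
        self.locked = False
        self.last_logon = None  # datetime of the most recent successful logon


class AuthPolicy:
    def __init__(self, check_credentials):
        # check_credentials(username, password) -> bool is supplied by the caller
        self._check = check_credentials
        self._accounts = {}

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def attempt_login(self, username, password, client_ip, now=None):
        """Return (ok, message, previous_logon).

        previous_logon is the AC-9 value shown on the welcome page; it is None
        on a user's first successful logon. Messages are deliberately the same
        for a bad username and a bad password.
        """
        now = now or datetime.now(timezone.utc)
        state = self._state(username)
        if state.locked:
            # AU-2: every blocked attempt on a locked account is a lockout event
            audit.warning("lockout user=%s ip=%s time=%s", username, client_ip, now.isoformat())
            return False, "Account locked", None
        if not self._check(username, password):
            state.failed_attempts += 1
            audit.warning("logon_failed user=%s ip=%s consecutive=%d",
                          username, client_ip, state.failed_attempts)
            if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
                state.locked = True
                audit.warning("account_locked user=%s ip=%s time=%s",
                              username, client_ip, now.isoformat())
                return False, "Account locked", None
            return False, "Invalid username or password", None
        previous = state.last_logon
        state.failed_attempts = 0  # only *consecutive* failures count toward the limit
        state.last_logon = now
        audit.info("logon_success user=%s ip=%s previous_logon=%s", username, client_ip,
                   previous.isoformat() if previous else "none")
        return True, "Welcome", previous

    def unlock(self, username, admin_user, client_ip):
        """Administrator-only reset; AC-6 requires privileged functions to be logged."""
        state = self._state(username)
        state.locked = False
        state.failed_attempts = 0
        audit.info("privileged_function=unlock actor=%s target=%s ip=%s",
                   admin_user, username, client_ip)
        return True


def log_page_access(client_ip, url, http_status, now=None):
    """AU-2: one record per page access with date/time, IP, URL and HTTP status code."""
    now = now or datetime.now(timezone.utc)
    record = f"{now.isoformat()} ip={client_ip} url={url} status={http_status}"
    audit.info("page_access %s", record)
    return record


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    # Constructed stand-in for the real credential check
    policy = AuthPolicy(lambda user, pw: (user, pw) == ("alice", "correct-horse"))
    for _ in range(4):
        print(policy.attempt_login("alice", "wrong", "198.51.100.7"))
    print(policy.attempt_login("alice", "correct-horse", "198.51.100.7"))  # still locked
    policy.unlock("alice", "admin", "198.51.100.2")
    print(policy.attempt_login("alice", "correct-horse", "198.51.100.7"))
    print(log_page_access("198.51.100.7", "/ics", 200))
```

In a Flask route the `client_ip` argument would come from `request.remote_addr` and `url` from `request.path`; the policy itself has no framework dependency, which keeps it easy to unit test against the matrix rows.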
DESIGN
Record the results from your design phase tasks including:
• The attack surface table

Attack Category: Login/Authentication
Attack Entry Description: User login form authentication

Attack Category: Admin Interface
Attack Entry Description: Admin login form authentication

Attack Category: Inquiries and search functions
Attack Entry Description: The application is designed to display the information directly without a search function

Attack Category: Data Entry
Attack Entry Description: The data to be entered is by the admin with the roles to read and write within the application.

Attack Category: APIs
Attack Entry Description: No APIs were added to the application

Attack Category: Interfaces with external systems
Attack Entry Description: No external systems were used with the application
THE TOP 10 WEB APPLICATION SECURITY RISKS AND A
BRIEF EXPLANATION OF EACH
The Open Web Application Security Project (OWASP) publishes the ten most critical
web application security risks under the name “OWASP Top Ten.” The list covers the
major risks and vulnerabilities that recur across web applications. Below is a brief
explanation of each risk.
Injection (A1):
Description: Injection flaws occur when untrusted data is sent to an interpreter as part
of a command or query.
Example: SQL injection, where an attacker injects malicious SQL code into input
fields to manipulate a database.
Broken Authentication (A2):
Authentication and Session Management: This could be the vulnerability in an
application’s authentication mechanisms as well as its session management
mechanisms.
Example: Weak passwords, session fixation, or insecure session management.
Sensitive Data Exposure (A3):
Sensitive Data: Sensitive data can be leaking, such as transaction passwords, credit
card details, or any other personal information.
Example: Insecure storage of sensitive data, transmitting data over unsecured
channels.
XML External Entities (XXE) (A4):
XXE Vulnerabilities: When an XML parser processes input that references external
entities, those references can be used to read internal files, cause a denial of service,
or, in some configurations, execute code.
Example: Attacker-controlled XML input exploiting external entity references.
Broken Access Control (A5):
Description: Broken access controls allow unauthorized users to access functionality
or data.
Example: Lack of proper authorization checks, allowing users to access privileged
features.
Security Misconfigurations (A6):
Security misconfigurations arise from incorrect settings or configurations that leave
sensitive information or functionality exposed.
Example: Default credentials, unnecessary services enabled, open permissions.
Cross-Site Scripting (XSS) (A7):
Cross-Site Scripting is a web security vulnerability that occurs when an application
includes untrusted data in a web page and uses it to execute a script in the user’s web
browser.
Example: Reflective and stored XSS attacks.
Insecure Deserialization (A8):
Description: Insecure deserialization vulnerabilities can lead to remote code execution
or other security issues.
Example: Exploiting flaws in the deserialization process to execute arbitrary code.
Using Components with Known Vulnerabilities (A9):
Using obsolete or otherwise vulnerable software components, libraries, or frameworks
when developing an application exposes it to their known flaws.
Example: Using an outdated version of a library with known security issues.
Insufficient Logging & Monitoring (A10):
Description: Insufficient logging and monitoring can lead to delayed detection of
security incidents.
Example: Lack of proper logging, monitoring, or alerting mechanisms to identify and
respond to security events.
A DESCRIPTION OF THE FRAMEWORKS AND TOOLS YOU WILL USE
IN THIS DEVELOPMENT
In the provided Flask application code, the primary framework used is Flask, a micro
web framework for Python. Additionally, the code utilizes a combination of HTML
for rendering web pages and basic CSS for styling. Below is a brief description of
these frameworks and tools:
Flask:
Description: Flask is a lightweight and extensible web framework for Python. It
provides the tools needed to build web applications quickly and efficiently. Flask is
known for its simplicity, flexibility, and ease of use. It follows the WSGI (Web Server
Gateway Interface) specification and allows developers to choose components as
needed.
HTML (HyperText Markup Language):
Description: HTML is the standard markup language used to create the structure and
content of web pages. It defines the elements and their attributes, forming the
backbone of web content. In the provided code, HTML templates are used to generate
dynamic content for the web application, allowing the server to send structured
responses to the client.
CSS (Cascading Style Sheets):
Description: CSS is a style sheet language used for describing the presentation and
formatting of HTML documents. It enhances the visual appearance of web pages by
defining styles, layouts, and design elements. In the provided code, CSS is used to add
basic styling to the HTML templates, improving the overall look and feel of the web
application.
Jinja2 Templating Engine:
Description: Flask uses the Jinja2 templating engine to embed dynamic content within
HTML templates. Jinja2 allows for the inclusion of variables, control structures, and
template inheritance, making it easier to generate dynamic web pages based on data
from the server.
Python (Programming Language):
Description: Python is a high-level programming language known for its readability
and simplicity. In the context of the Flask application, Python is used for server-side
logic, route handling, and other backend functionalities. It interacts with the Flask
framework to process requests, manage sessions, and render dynamic content.
A DESCRIPTION OF THE ENCRYPTION AND CRYPTOGRAPHY BEST
PRACTICES THAT WILL BE PART OF THIS APPLICATION.
In the provided Flask application, encryption and cryptography best practices are
essential for ensuring the security of sensitive data, such as user credentials and session
information. Here’s a description of the encryption and cryptography practices used:
Password Hashing:
Description: Storing passwords in plaintext is a significant security risk. Instead, the
application hashes user passwords using strong cryptographic hashing algorithms such as
bcrypt or SHA-256.
Best Practice: Use a salted hashing algorithm like bcrypt to securely hash passwords.
Salting adds random data to each password before hashing, making it more resistant to
rainbow table attacks.
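The salted, slow hashing described above, together with the lab's suggestion of a file that stores the hashed password data, looks like the following. This is an added example, not the project's code. The report names bcrypt; this example uses PBKDF2-HMAC-SHA256 from Python's standard library so it runs without third-party packages, and the record format, file layout and role names are assumptions. One caveat a reviewer would raise on the text above: a bare SHA-256 digest of a password is not a password hash, because it has no per-password salt and no tunable work factor; bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count are the appropriate choices.

```python
import hashlib
import hmac
import secrets

# Added example (not the project's code): salted PBKDF2-HMAC-SHA256 password
# records in a self-describing "algorithm$iterations$salt$hash" format, plus a
# minimal "username:role:record" credential file as the lab suggests.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per password


def hash_password(password, iterations=ITERATIONS):
    """Return a record that carries everything needed to verify it later."""
    salt = secrets.token_bytes(SALT_BYTES)   # OS CSPRNG, never random.random()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:   # malformed record
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # no early-exit timing leak


def format_credentials(users):
    """users: dict username -> (role, record); one line per user."""
    return "".join(f"{name}:{role}:{rec}\n" for name, (role, rec) in sorted(users.items()))


def parse_credentials(text):
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        username, role, record = line.split(":", 2)
        users[username] = (role, record)
    return users


def save_credentials(path, users):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(format_credentials(users))


def load_credentials(path):
    with open(path, encoding="utf-8") as fh:
        return parse_credentials(fh.read())


# Verified against a real-looking record for unknown users too, so response
# time does not reveal which usernames exist.
_DUMMY_RECORD = hash_password("placeholder-to-equalise-timing")


def authenticate(users, username, password):
    """Return the user's role on success, otherwise None."""
    role, record = users.get(username, (None, _DUMMY_RECORD))
    if verify_password(password, record) and role is not None:
        return role
    return None


if __name__ == "__main__":
    import tempfile, os
    users = {"alice": ("user", hash_password("correct-horse")),
             "admin": ("administrator", hash_password("battery-staple"))}
    path = os.path.join(tempfile.mkdtemp(), "credentials.txt")  # constructed location
    save_credentials(path, users)
    loaded = load_credentials(path)
    print(authenticate(loaded, "alice", "correct-horse"))   # user
    print(authenticate(loaded, "alice", "wrong"))           # None
    print(authenticate(loaded, "nobody", "correct-horse"))  # None
```

Because the iteration count is stored in each record, the work factor can be raised later and old records re-hashed on the user's next successful login without a migration.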
Session Management:
Description: Session management is crucial for maintaining user authentication and
preventing session hijacking. The application uses session cookies to track authenticated user
sessions.
Best Practice: Generate secure session tokens with sufficient entropy and expire them
after a reasonable period of inactivity. Additionally, use HTTPS to encrypt the
communication channel and prevent session hijacking via network sniffing.
Secure Transmission:
Description: Encrypting data transmitted between the client and server is essential for
protecting sensitive information from eavesdropping attacks. The application uses HTTPS to
ensure secure communication.
Best Practice: Always use HTTPS to encrypt data in transit. Obtain an SSL/TLS
certificate from a trusted certificate authority (CA) to enable HTTPS encryption.
Secret Key Management:
Description: The application uses a secret key to secure session data and other
sensitive information.
Best Practice: Store secret keys securely and avoid hardcoding them in the source
code. Use environment variables or a secure key management system to store and retrieve
secret keys.
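The session management and secret key management practices above (high-entropy tokens, expiry after inactivity, secure cookie attributes, and a key read from the environment rather than the source tree) are shown together below as an added example; it is not the project's code. It keeps sessions in a dictionary for illustration, uses epoch seconds for time, and the environment variable name APP_SECRET_KEY and the cookie name are assumptions. Flask's own signed-cookie sessions cover part of this, but the expiry and rotation logic is what a reviewer checks for.

```python
import os
import secrets
import time

# Added example (not the project's code): server-side session store with idle
# and absolute expiry, token rotation after login, and a secret key that is
# read from the environment instead of being hardcoded.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap regardless of activity


def load_secret_key(environ=None, name="APP_SECRET_KEY"):
    """Read the signing key from the environment; refuse to start without one.
    Generate a value with: python -c "import secrets; print(secrets.token_hex(32))"
    """
    environ = os.environ if environ is None else environ
    key = environ.get(name)
    if not key or len(key) < 32:
        raise RuntimeError(f"set {name} to a random value of at least 32 characters")
    return key


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_lifetime=ABSOLUTE_LIFETIME):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime

    def create(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def user_for(self, token, now=None):
        """Return the username bound to token, or None if unknown or expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        idle_expired = now - sess["last_seen"] > self.idle_timeout
        too_old = now - sess["created"] > self.absolute_lifetime
        if idle_expired or too_old:
            del self._sessions[token]
            return None
        sess["last_seen"] = now   # activity extends the idle window
        return sess["user"]

    def rotate(self, token):
        """Issue a fresh token for the same user; call this right after a successful
        login so a token fixed before authentication is never the logged-in one."""
        sess = self._sessions.pop(token, None)
        if sess is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = sess
        return new_token

    def destroy(self, token):
        """Logout: drop the server-side state so the cookie value is worthless."""
        self._sessions.pop(token, None)


def session_cookie_header(token, https=True):
    """Value for a Set-Cookie header: not readable by scripts, not sent cross-site,
    and only over HTTPS when the site is served that way."""
    attrs = [f"session={token}", "Path=/", "HttpOnly", "SameSite=Strict"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    tok = store.rotate(tok)
    print(session_cookie_header(tok))
    print(store.user_for(tok))
    store.destroy(tok)
    print(store.user_for(tok))  # None
```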
Data Validation and Sanitization:
Description: Proper input validation and data sanitization help prevent common
security vulnerabilities such as SQL injection and cross-site scripting (XSS).
Best Practice: Validate and sanitize all user inputs to ensure they meet expected
criteria and do not contain malicious code. Use parameterized queries or ORM libraries to
mitigate SQL injection risks.
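The difference between splicing input into a query and passing it as a parameter is easiest to see side by side. The following is an added example, not the project's code; it builds a constructed in-memory SQLite table of sensor readings, shows the vulnerable and the parameterized form of the same lookup, and adds the allow-list validation and HTML escaping the paragraph calls for. The table and column names are assumptions.

```python
import html
import re
import sqlite3

# Added example (not the project's code): parameterized queries, allow-list
# input validation and output escaping, run against constructed sample data.
SENSOR_ID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def build_demo_db():
    """Constructed sample data standing in for the ICS sensor file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (sensor TEXT, recorded_at TEXT, "
                 "temperature_c REAL, humidity_pct REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?, ?)", [
        ("ics-01", "2024-01-01T08:00:00Z", 21.5, 44.0),
        ("ics-01", "2024-01-01T09:00:00Z", 22.1, 43.2),
        ("ics-02", "2024-01-01T08:00:00Z", 19.8, 51.7),
    ])
    return conn


def readings_for_sensor_unsafe(conn, sensor):
    # VULNERABLE: the value becomes part of the SQL text, so a quote in the
    # input changes the shape of the query instead of being compared as data.
    query = f"SELECT sensor, recorded_at, temperature_c FROM readings WHERE sensor = '{sensor}'"
    return conn.execute(query).fetchall()


def readings_for_sensor(conn, sensor):
    # SAFE: the query shape is fixed; the driver sends the value separately.
    query = "SELECT sensor, recorded_at, temperature_c FROM readings WHERE sensor = ?"
    return conn.execute(query, (sensor,)).fetchall()


def is_valid_sensor_id(value):
    """Allow-list check applied at the route before the value reaches any query."""
    return isinstance(value, str) and SENSOR_ID_RE.fullmatch(value) is not None


def is_valid_username(value):
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def render_rows(rows):
    """Escape every cell so a value stored in the database cannot become markup
    (Jinja2 autoescaping does this for templates; this is the manual equivalent)."""
    cells = ("".join(f"<td>{html.escape(str(v), quote=True)}</td>" for v in row) for row in rows)
    return "".join(f"<tr>{c}</tr>" for c in cells)


if __name__ == "__main__":
    conn = build_demo_db()
    crafted = "' OR '1'='1"   # the classic tautology from the A1 description above
    print(len(readings_for_sensor_unsafe(conn, crafted)), "rows from the unsafe query")
    print(len(readings_for_sensor(conn, crafted)), "rows from the parameterized query")
    print(is_valid_sensor_id(crafted), is_valid_sensor_id("ics-01"))
    print(render_rows(readings_for_sensor(conn, "ics-01")))
```

Validation and parameterization are complementary: the allow-list rejects malformed identifiers early and gives the user a clear error, while the placeholder guarantees that whatever does reach the database is treated as data.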
Introduction to Python Flask Lab
For your lab and report, continue with this example and add the following unique code to
your Python Flask Web application.
1. Complete the HTML code for the home.html, cloud.html, ics.html and about.html. Use
primarily HTML code that has an interesting combination of HTML5 elements such as tables,
paragraphs, hyperlinks and images. (Consult the HTML reference documents at the
beginning of this lab as needed.)
2. Check the Requirements for additional functionality that you need to add. You can
add login/logout components to your menu. Consider using a file to store encrypted
password data and read in as needed.
Add one additional menu item of your choice along with an associated html file that
enhances the starter Python web application.
3. Document your work by preparing a description of your web site that includes
a. Walkthrough of each menu item along with a description and screen capture of the
component
b. An appendix that includes the Python and HTML code you wrote to complete the lab
4. Lessons learned summarizes where you struggled and how you overcame those challenges.
Implementation
Include results from each of these events including:
• Answer the questions posed in “How to do a code review” (code-health-devguide-copybara,
2021)
• Describe and show screen captures of you running functionality tests for your web
application. You should align the tests with the requirements matrix you prepared in step 2
of this project.
• Summarize the SCA report using bandit on your web application. Specifically, you should
provide a list of any High Severity issues resulting from your bandit analysis along with a
count of the following issues.
o Severity: High
o Severity: Medium
o Severity: Low
Hint: You can use search features in your text editor to perform the counts. Also, there is the
possibility that no specific vulnerabilities are found in your code.
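Counting severities with an editor search works, but bandit can also write its findings as JSON (`bandit -r . -f json -o bandit.json`), which a few lines of Python can summarize exactly as the report asks. The script below is an added example, not part of the lab or the bandit project; the embedded report is a constructed sample whose field names follow bandit's JSON format, with made-up findings so it runs offline. It handles the "no findings" case the hint mentions by reporting zeros for every severity.

```python
import json
from collections import Counter

# Added example (not the lab's or bandit's code). The report below is a
# constructed sample in bandit's JSON output format; the findings are invented.
SAMPLE_REPORT = """
{
  "results": [
    {"filename": "app.py", "line_number": 120, "test_id": "B201",
     "test_name": "flask_debug_true", "issue_severity": "HIGH",
     "issue_confidence": "MEDIUM",
     "issue_text": "A Flask app appears to be run with debug=True."},
    {"filename": "db.py", "line_number": 44, "test_id": "B608",
     "test_name": "hardcoded_sql_expressions", "issue_severity": "MEDIUM",
     "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "config.py", "line_number": 3, "test_id": "B105",
     "test_name": "hardcoded_password_string", "issue_severity": "LOW",
     "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'changeme'"}
  ]
}
"""

SEVERITIES = ("HIGH", "MEDIUM", "LOW")


def count_by_severity(report):
    """Return {"HIGH": n, "MEDIUM": n, "LOW": n}, with zeros when nothing was found."""
    counts = Counter(r["issue_severity"].upper() for r in report.get("results", []))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def high_severity_issues(report):
    """The list the report must include: file, line, test id and description of each HIGH."""
    return [
        {"file": r["filename"], "line": r["line_number"],
         "test_id": r["test_id"], "text": r["issue_text"]}
        for r in report.get("results", [])
        if r["issue_severity"].upper() == "HIGH"
    ]


def summarize(report_json):
    report = json.loads(report_json)
    return count_by_severity(report), high_severity_issues(report)


def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def format_summary(counts, highs):
    lines = [f"Severity: {sev.title()} = {counts[sev]}" for sev in SEVERITIES]
    lines.append("High severity issues:" if highs else "High severity issues: none")
    lines += [f"  {h['test_id']} {h['file']}:{h['line']} {h['text']}" for h in highs]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    source = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    counts, highs = summarize(source)
    print(format_summary(counts, highs))
```

Run it as `python summarize_bandit.py bandit.json` (script name assumed) against the real output; the printed lines map directly onto the three counts and the High Severity list the report template asks for.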
Verification
For your lab report, provide a screen capture of the results and a short description how you could
mitigate any medium or high alerts. Hint: the report provides specific guidance on how to mitigate
the issues in the solutions field.
Conclusion
Finalize the Secure Coding report by adding a conclusion section. The conclusion section should list
any limitations of the application and possible security weaknesses. This section should also describe
future possible enhancements, both in functionality and in security. For example, you might need
additional environmental sensors and additional security best practices, such as separation of the
database to a separate server and the use of SSL certificates, two-factor authentication, or other
enhancements.
Finally, discuss deployment options for consideration. For example, how would you package and
then deploy the Python Flask application so others can host it on their servers. Keep the deployment
discussion at a higher level as this topic could have many options and technical detail. Consider
focusing on options for deployment such as Heroku, Azure and AWS as opposed to the many steps
associated with each (e.g., see the information at
https://flask.palletsprojects.com/en/2.0.x/deploying/).
REFERENCES
Author’s last name, Initial(s). (Year of publication). Title of the book. Publisher.
https://doi.org/DOI
Author’s last name, Initial(s). (Year of publication). Title of the article. Title of Journal,
Volume(Issue), Pages. https://doi.org/DOI
Author’s last name, Initial(s). (Year, Month Day of publication). Title of the work. Website.
https://URL
Author’s last name, Initial(s). (Year of publication). Title of the article. Newspaper.
https://URL
Last name, Initial(s). [Channel]. (Year, Month Day of publication). Title of the video [Video].
Website. https://URL
Organization. (Year of publication). Word. In Dictionary. Publisher. https://URL
