Software Development Assignment Writing | COMP 4035: Secure Software Development

This is a secure software development assignment from Australia.

For this assignment, you will do a deep dive into a security vulnerability of your choosing, with opportunities to learn about a vulnerability in theory and in practice.

You have been granted access to the codebase of a vulnerable web application, Guardian Store, which will serve as the basis for the assignment.

In this assignment, you will:

Similar to the seminars and practicals in this course, the assignment is based on a scenario where you are an employee in the Guardian Protect workforce in the fictitious company Guardian. Your ability to produce deliverables which align with this scenario will impact your grade for the assessment. See the scenario section of this document for more details.

Assessment weighting: 30% of overall grade

Assignment type: Individual

Deliverables:

Word count: 2500 words (approximately)

Due date: 31st October 2022

Scenario

Guardian Store is an online storefront where Guardian sells its products, accessories, service subscriptions and merchandise. The store was developed in the early days of Guardian when they were a small start-up, a time when rapid feature development was prioritised over quality and security. Guardian Store was not developed with the same secure development practices used to develop their newer products, and no security reviews or testing were performed during the SDLC.

As part of their work to build a modern application security program, the Guardian Protect workforce contracted a local information security firm to perform a penetration test against Guardian Store. The objective of the penetration test was to understand the current level of risk in the application and to identify any security vulnerabilities that are present. The findings of the penetration test will be used by Guardian Protect to determine where they should focus their efforts.

The Guardian Store landing page.

The penetration test revealed a large number of security vulnerabilities, spanning several vulnerability classes, including:

Guardian Protect must now respond to the penetration test. Due to the high volume of vulnerabilities, each member of Guardian Protect is tasked with selecting and addressing one vulnerability type within Guardian Store.

Guardian’s objective is not only to resolve specific instances of security vulnerabilities; their aim is to systematically select a vulnerability type and eliminate it from all software products across the organisation.

Objective

The objective of this assignment is to help Guardian meet their goal of eliminating your chosen vulnerability type entirely from their suite of products. In order to achieve this goal, you will need to deeply understand your chosen vulnerability type, so you can educate other developers about the vulnerability, how it occurs and how to prevent it, and you will need to provide guidance to Guardian about how they can uplift their secure development practices to prevent the vulnerability from occurring again.

Your grade for this assessment will be based on how well your deliverables meet this objective.

About Guardian Store

Guardian Store is a lightly skinned version of OWASP Juice Shop, which according to their website is “probably the most modern and sophisticated insecure web application”. There are plenty of resources, blogs and documentation about OWASP Juice Shop online. You are welcome (and I encourage you) to use these resources, particularly in the early stages of the assignment.

Website: https://owasp.org/www-project-juice-shop/

Documentation: https://pwning.owasp-juice.shop/

GitHub: https://github.com/UniSA-Secure-Software-Development/unisa-guardian-store

Front end: Angular 14 (TypeScript, HTML, CSS)

Back end: Node.js Express (TypeScript)

Assignment Task

Begin by selecting a vulnerability type that you would like to focus on for your assignment. For example, you may choose to focus on Broken Access Controls, Cross-Site Scripting or SQL Injection. You may choose any vulnerability type that exists within Guardian Store.

When selecting a vulnerability type, you may choose to:

a. Select a vulnerability you are interested in, then try to find an instance of that vulnerability in Guardian Store.

b. Try finding a vulnerability in Guardian Store, then select whichever vulnerability you find.

c. Select one of the vulnerabilities listed within the OWASP Juice Shop documentation.

https://pwning.owasp-juice.shop/part2/

Once you have selected a vulnerability, exploit it. Make sure you understand what the vulnerability is, how the exploit works, and what the impact would be if a malicious user exploited the vulnerability.

Milestone 1: Proceed to the next step once you have selected a vulnerability, exploited the vulnerability within Guardian Store, and understand the instance of the vulnerability within Guardian Store.

Locate the vulnerability in the source code, and review the code to understand how the vulnerability was introduced. Based on this understanding, see if you can find any other instances of the vulnerability in the codebase. Ensure you understand the root cause of the vulnerability, as this will be necessary to implement an effective fix.

Milestone 2: Proceed to the next step once you are confident you understand the root cause of the vulnerability in code, that you have found all instances of the vulnerability within Guardian Store, and you could explain the cause of the vulnerability to a classmate.

Next, research your chosen vulnerability to build a deeper understanding. You should understand what the vulnerability is, how it occurs in software, and what a malicious actor could do if they exploit the vulnerability.

Research approaches to remediating the vulnerability in the languages and frameworks used to build Guardian Store. Investigate options to apply defence in depth to provide additional layers of protection beyond just fixing the vulnerability. Also review secure development practices covered throughout the course which could help Guardian prevent or detect your chosen vulnerability type earlier in the SDLC.

Tip: Make sure you collect references during this step, as you will need them when it comes time to write your report.

Milestone 3: Proceed to the next step when you have a sound understanding of your chosen vulnerability type and of how you plan to fix the vulnerability within Guardian Store.

Next, implement a patch to resolve your vulnerability. At a minimum, implement a single fix for the vulnerability that you exploited; if you found additional instances of the vulnerability in Step 2, implement patches for those as well.

Perform testing against your patched code to ensure that the vulnerability has been resolved, and that the application still functions as expected for the “happy path” (i.e., make sure you have not broken the application while implementing your patch).

Milestone 4: Proceed to the next step when you can demonstrate that the vulnerability has been patched and that the application still works when on the happy path.
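As an added illustration of the patch-and-test steps (this is not code from Guardian Store or OWASP Juice Shop), the block below takes SQL injection, one of the vulnerability types named above, and shows a hypothetical product-search query builder on the Express/TypeScript stack in its vulnerable and parameterised forms, an allowlist as defence in depth, and a happy-path check against a constructed in-memory catalogue that stands in for the database. The route, function names and catalogue are all assumptions made for the example.

```typescript
// Added illustration for the patch-and-test steps; not code from Guardian Store or
// OWASP Juice Shop. It models a hypothetical product-search route on the
// Express/TypeScript back end: the injectable string-built query, the
// parameterised fix, an allowlist as defence in depth, and a happy-path check
// against a constructed in-memory catalogue that stands in for the database.

interface PreparedQuery { sql: string; params: string[] }

// BEFORE (vulnerable): the request parameter is spliced into the statement text,
// so a quote in the input changes the SQL grammar instead of being treated as data.
function buildSearchVulnerable(criteria: string): PreparedQuery {
  return { sql: "SELECT * FROM Products WHERE name LIKE '%" + criteria + "%'", params: [] };
}

// AFTER (fixed): the statement is constant; the term travels as a bound parameter.
function buildSearchFixed(criteria: string): PreparedQuery {
  return { sql: 'SELECT * FROM Products WHERE name LIKE ?', params: ['%' + criteria + '%'] };
}

// Defence in depth: a conservative allowlist applied before the data layer. It still
// admits legitimate names containing an apostrophe, because the fix makes them safe.
const SEARCH_TERM = /^[A-Za-z0-9 .,'&-]{0,64}$/;
function validateSearchTerm(criteria: string): boolean {
  return SEARCH_TERM.test(criteria);
}

// An odd number of single quotes means the input broke the statement's grammar:
// the classic symptom of an injectable query, handy as a regression check.
function quoteCount(sql: string): number {
  return (sql.match(/'/g) || []).length;
}

// Constructed sample catalogue and a stand-in for the database driver that understands
// only the `name LIKE ?` shape from buildSearchFixed (case-insensitive substring).
const CATALOGUE = ['Apple Juice', 'Banana Juice', "O'Reilly Cookbook", 'Green Smoothie'];

function runFixedSearch(criteria: string): string[] {
  const q = buildSearchFixed(criteria);
  const term = q.params[0].slice(1, -1).toLowerCase(); // strip the % wildcards
  return CATALOGUE.filter((name) => name.toLowerCase().indexOf(term) !== -1);
}

// The patched handler: validate first, then query with bound parameters only.
function handleSearch(criteria: string): { status: number; results: string[] } {
  if (!validateSearchTerm(criteria)) {
    return { status: 400, results: [] };
  }
  return { status: 200, results: runFixedSearch(criteria) };
}
```

The same shape of check (statement text constant for every input, legitimate names with quotes still found) is what a regression test for this vulnerability type should assert in the project's own test suite.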

Next, review options for automated security testing that specifically targets your chosen vulnerability type. Based on the CI / CD pipeline provided in the Week 12 practical, implement your selected automated testing to automatically scan the codebase each time a pull request is raised.

Note: If you reach this stage of the assignment before Week 12, I recommend you skip this step and get started on your report. You can come back to this step after you have completed the Week 12 practical.

Finally, write a report that covers everything you have learned throughout the assignment. The report should be targeted at fellow software developers within Guardian to educate them about your chosen vulnerability.

At a minimum, your report should include:

Executive summary: summarises the purpose and key outcomes of the project, aimed at an executive level.

Introduction: introduces the report, including its purpose and a summary of what it includes.

Refer to the following link for help with referencing:

https://lo.unisa.edu.au/course/view.php?id=3839