week 2 assignment 2
CSCI 631
Page 1 of 3
SECURITY ASSESSMENT FINDINGS PROJECT INSTRUCTIONS
Overview
In this project, you will perform a security assessment of a hypothetical website and report upon
the results of that assessment. You will provide both an executive summary of your findings as
well as detailed results of the assessment. You will complete the report in a subsequent paper by
providing remediation recommendations and actions you recommend to mitigate against your
findings.
Your assessment is to review the website of a hypothetical company, Insecure BankCorp. It is a
regional bank used by Liberty Beverages, Inc., an e-Commerce business that specializes in the
delivery of beverage products such as specialty coffee and tea. The business problem that they
wish to address is the recent successful attack, by a suspected nation state, on their bank website.
The attack was able to deface the website as well as access some customers' personal purchasing
data. Given its impact on their brand and customer loyalty, this has high visibility with senior
management.
Assume that the current web infrastructure consists of a redundant group of web servers running
on a Linux platform with Apache web server software, on which the web application runs. In
addition, perimeter security is provided by redundant edge routers for load balancing and
redundant firewalls (e.g., Cisco ASA 5000-series) in a demilitarized zone (DMZ) configuration,
as well as an intrusion detection system (IDS) and a SIEM (e.g., Splunk) for security
monitoring. Lastly, the web servers interface with a relational database (e.g., MySQL) and a
Storage Area Network (SAN) for persistent storage. The bank website is accessible from a variety
of devices such as conventional web browsers, tablets, and smart phones, either internally or
remotely using VPN software. These clients communicate with the web server using the HTTPS
protocol.
For purposes of this assignment, use the lab report files you generated for the previous Labs 1-4 as
inputs. These involved various web vulnerabilities: Cross-Site Scripting (XSS), Cross-Site Request
Forgery (CSRF), SQL Injection, and Broken Access Control.
The scope of your assessment is the website itself, including the website code and configuration,
the Linux platform, and the Apache web server software. It is not within the scope of this assignment
to assess other infrastructure components such as the routers, firewalls, IDS, and databases, nor
security on remote devices or the authentication and authorization mechanisms. The only exception
would be a vulnerability discovered in the website software that directly relates to the
database. Out-of-scope items may be recommended for subsequent follow-up activities.
Inputs
• Lab report files from Labs 1-4
• Course textbooks
• NIST Publication 800-44v2
• Other external resources as needed
Instructions
1. As mentioned above, collect the report files from Labs 1-4. Complete the assessment template
provided for this assignment, entitled "Web Application Security Report Template" (or use your
own organization if you include all of the appropriate content listed below).
2. Complete the following sections in the assessment template for this project. Note: You will
complete the remaining sections in the template in the later remediation project.
a. Section 1: Assessment Introduction – Use the overview information from this document to
set the context for the report.
b. Section 1.1: References – Add at least three (3) references.
c. Section 2: Web Application Description – Leave this section and its sub-sections
blank for the later remediation paper.
d. Section 3: Assessment Assumptions – Use information from the assignment overview to
1) describe the components included in the assessment, 2) the components excluded from
the assessment (in scope and out of scope), and 3) three (3) or more other assumptions
about the hypothetical assessment. In the context of this project, an assumption
describes what an assessment team is assuming to be true or in place as part of this
hypothetical assessment. These can be things like the availability of customer
resources, access to facilities, accounts and passwords, etc. An assumption is not a
description of the technical environment or facts about the system.
e. Section 3.4: Biblical Principles – Add one or more paragraphs about biblical principles
and supporting scripture that are applicable to this project.
f. Section 4: Assessment Approach – Include a paragraph in section 4.5 on out-of-scope items,
based upon the information provided in the assignment overview (which states what is in
and out of scope), as well as the tools utilized in sections 4.2 and 4.3.
g. Section 5
Sections 5.1.1-5.1.4 – Summary of test results from Labs 1-4 respectively.
Include screenshots and a paragraph summarizing the test results / findings from
each lab.
Section 5.2 – Summary of the source code findings from Labs 2 and 4.
Review at least one piece of code from each lab, describing the issue or finding
that makes it susceptible to the vulnerability. Note that for purposes of the
assignment, this is not a full source code review of all of the web pages but a
review of at least one (1) piece of code corresponding to a web vulnerability
discovered in the labs. Be as specific as possible about what the issue was and the
source code affected (e.g., lack of input validation, session management, etc.).
Sections 5.3 – 5.5 – Included for illustrative and educational purposes; they require
no action.
h. Section 6 – Recommended Remediation Actions: Leave blank for the later remediation
project.
Outputs
This is a research-based paper in current APA format that focuses on the results from a web
security assessment. It leverages a standard report template, "Web Application Security Report
Template", as a starting point. You can optionally choose to use your own format, but it must
contain all of the elements mentioned above in the instructions. The paper must include at least
three (3) references in addition to the course textbooks and the Bible. Include relevant
screenshots as appropriate. Be sure to repaginate the table of contents and remove any
instructions highlighted in red from the template.
Submit this assignment by 11:59 p.m. (ET) on Sunday of Module/Week 6.