Technological University: Secure App Development Report (Module XYZ)
VerifiedAdded on 2022/08/30
|24
|4990
|17
Report
AI Summary
This report analyzes the secure development lifecycle for a social media application, focusing on the specific needs of a university environment. The report begins with an executive summary and overview of the Secure Development Lifecycle (SDL) and its importance in building secure software. It details applicable principles for web security, including authentication, authorization, confidentiality, integrity, availability, accountability, and non-repudiation. The report then delves into web application security, including policy frameworks (COBIT, ISO 27002, and Sarbanes-Oxley), authentication methods, and best practices for password management and sensitive data storage. It covers vulnerability analysis, access control, session management, and data validation techniques. Furthermore, the report examines vulnerability and assessment testing, including VAPT, and applies these principles to the context of a banking application, highlighting the steps required for secure development. Finally, the report outlines the steps for banking app developers, including security requirements, attack surface analysis, threat modeling, security testing, and data retention and disposal. The conclusion summarizes the key findings and emphasizes the importance of a proactive approach to security throughout the development lifecycle.
Table of Contents
Executive Summary 2
Overview 3
Applicable principles for web security 3
Web application security 5
Policy framework 5
Web application authentication 6
Access control and authentication 8
Session management 9
Data Validation 9
Vulnerability and Assessment testing 9
Overview of the application 11
Steps for banking app developer 12
1. Security requirement establishment 12
2. Attack surface analysis 12
3. Threat modeling implementation 12
4. Perform static analysis security testing 13
5. Interactive application security testing operation 13
6. Security gate creation 13
7. Ongoing source development education introduction 14
Overview of secure SDL 15
SDL Design 15
Security Requirements 16
Security Awareness and training 16
Threat modeling 17
Software tracking by third-party 18
Executive Summary 2
Overview 3
Applicable principles for web security 3
Web application security 5
Policy framework 5
Web application authentication 6
Access control and authentication 8
Session management 9
Data Validation 9
Vulnerability and Assessment testing 9
Overview of the application 11
Steps for banking app developer 12
1. Security requirement establishment 12
2. Attack surface analysis 12
3. Threat modeling implementation 12
4. Perform static analysis security testing 13
5. Interactive application security testing operation 13
6. Security gate creation 13
7. Ongoing source development education introduction 14
Overview of secure SDL 15
SDL Design 15
Security Requirements 16
Security Awareness and training 16
Threat modeling 17
Software tracking by third-party 18
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Secure build18
QA and security testing 19
Data Retention and Disposal 21
Conclusion 22
Appendices 23
References 24
QA and security testing 19
Data Retention and Disposal 21
Conclusion 22
Appendices 23
References 24
EXECUTIVE SUMMARY
The project elaborates about the details for the secure development of the application,
following a suitable Secure Development Lifecycle model, e.g. Microsoft SDL. It includes
several terms which are utilized in this report findings are shown below as:
• Strategies/ Policy structure
• Corroboration
• Authorisation/ Approach authority
• Time administration
• Facts authorization
• Vulnerability assessment and testing
• Recording
The project elaborates about the details for the secure development of the application,
following a suitable Secure Development Lifecycle model, e.g. Microsoft SDL. It includes
several terms which are utilized in this report findings are shown below as:
• Strategies/ Policy structure
• Corroboration
• Authorisation/ Approach authority
• Time administration
• Facts authorization
• Vulnerability assessment and testing
• Recording
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
OVERVIEW
SDLC is the main pillar of the secure software pillars network, which can also be termed as
the security development lifecycles. The meaning of the pillar is related to the important
activities which provide the assurance for securing the software here. SDL can also be
elaborated as the procedure for submerging reliability artefacts in the whole application
cycles. These SDL occurrences must be plotted to a general software development lifecycle
(SDLC) either by using the agile or the waterfall procedure. There are several interests for the
SDL ventures which are approximated numerous but two main benefits are:
Build buy-in.
Security by default.
Software development lifecycle elaborates the several stages that an application results which
go through from starting to close of its existence. There are various SDLCs which subsist in
the company’s recently and these organizations are unbound to explain the phases. SDLC not
at most useful to the application straight delivered to the clients, but it is also applicable to IT
and to software as a service (SaaS) projects. (dzone.com, 2019)
The development methodologies such as Agile, CD and Lean and others need to rethink the
subsisting SDLCs and promising the accommodations. For instance, a group with the active
habitat may have the ensuing movement:
Figure.1 SDLC Phases and activities
Applicable principles for web security:
Web security is totally based on the 7 principles which are elaborated below: (Spacey, 2011)
SDLC is the main pillar of the secure software pillars network, which can also be termed as
the security development lifecycles. The meaning of the pillar is related to the important
activities which provide the assurance for securing the software here. SDL can also be
elaborated as the procedure for submerging reliability artefacts in the whole application
cycles. These SDL occurrences must be plotted to a general software development lifecycle
(SDLC) either by using the agile or the waterfall procedure. There are several interests for the
SDL ventures which are approximated numerous but two main benefits are:
Build buy-in.
Security by default.
Software development lifecycle elaborates the several stages that an application results which
go through from starting to close of its existence. There are various SDLCs which subsist in
the company’s recently and these organizations are unbound to explain the phases. SDLC not
at most useful to the application straight delivered to the clients, but it is also applicable to IT
and to software as a service (SaaS) projects. (dzone.com, 2019)
The development methodologies such as Agile, CD and Lean and others need to rethink the
subsisting SDLCs and promising the accommodations. For instance, a group with the active
habitat may have the ensuing movement:
Figure.1 SDLC Phases and activities
Applicable principles for web security:
Web security is totally based on the 7 principles which are elaborated below: (Spacey, 2011)
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1. Authentication:
Applicable in user’s identity confirmation
2. Authorization:
Applicable in specification for accessing rights to resources
3. Confidentiality:
Information disclosure prevention for the unauthorized systems
4. Information Probity:
Information cannot be bribed without observation
5. Opportunity:
Websites must be available and fast.
6. Accountability:
When the system accesses the data their action must be traceable, for instance:
logging.
7. Abrogation:
This is the capacity for proving that the agreement took place such as: electronic
receipts.
Web application security
Policy Frame work:
Figure.2 Policy Framework
Applicable in user’s identity confirmation
2. Authorization:
Applicable in specification for accessing rights to resources
3. Confidentiality:
Information disclosure prevention for the unauthorized systems
4. Information Probity:
Information cannot be bribed without observation
5. Opportunity:
Websites must be available and fast.
6. Accountability:
When the system accesses the data their action must be traceable, for instance:
logging.
7. Abrogation:
This is the capacity for proving that the agreement took place such as: electronic
receipts.
Web application security
Policy Frame work:
Figure.2 Policy Framework
Organizations require establishing data protection strategy illuminated by the pertinent
national prescription; merchant agreement, company directive, and subordinate top practices
for instance OWASP. (Owasp.org, 2020)
a. COBIT:
It is a famous probability administration substructure constructed around four provinces such
as:
Organization and Planning
Delivery and related support
Execution and Acquisition
Visualizing
b. ISO 27002:
It is a probability formed data safety administration substructure which is straight obtained by
the BS 7799 levels. It is an intercontinental level and utilized steadily for all the organization.
Nevertheless, Little US companies utilize ISO 27002 as well, especially if they have the
branches exterior US.
c. Sarbanes-Oxley:
The main creator for several US companies in embracing the OWASP commands is to help
with the on-going Sarbanes-Oxley agreement. If a company accompanied each authority, it
would not instinctively allow the company SOX agreement. Hence, the evolution lead is
functional as an acceptable application authority accession and in-house evolution as a bit of
huge agreement scheme.
Web application authentication:
There are 6 web authentications which are elaborated below: (Killoran, 2018)
1. Create a Web Application Authentication Checklist:
The checklist must include four major steps such as:
Data gathering
Course of action plan
Security check execution
national prescription; merchant agreement, company directive, and subordinate top practices
for instance OWASP. (Owasp.org, 2020)
a. COBIT:
It is a famous probability administration substructure constructed around four provinces such
as:
Organization and Planning
Delivery and related support
Execution and Acquisition
Visualizing
b. ISO 27002:
It is a probability formed data safety administration substructure which is straight obtained by
the BS 7799 levels. It is an intercontinental level and utilized steadily for all the organization.
Nevertheless, Little US companies utilize ISO 27002 as well, especially if they have the
branches exterior US.
c. Sarbanes-Oxley:
The main creator for several US companies in embracing the OWASP commands is to help
with the on-going Sarbanes-Oxley agreement. If a company accompanied each authority, it
would not instinctively allow the company SOX agreement. Hence, the evolution lead is
functional as an acceptable application authority accession and in-house evolution as a bit of
huge agreement scheme.
Web application authentication:
There are 6 web authentications which are elaborated below: (Killoran, 2018)
1. Create a Web Application Authentication Checklist:
The checklist must include four major steps such as:
Data gathering
Course of action plan
Security check execution
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
Major issues remedies
2. Update and security of passwords:
Figure.3 Passwords do’s and Dont’s
There are many issues with passwords which are annoyance for customers to control it:
Uncomplicated for estimate physically or by utilizing the automatic instruments
The countersigns which are user generated follow the pattern often for making easy to
compromise.
Similar credentials are applicable for protecting the different accounts.
Not stored in the correct way.
3. Sensitive data storage separation from the regular data:
Several protection authorities propose data classification into three types:
Some tactful data that could place the organization and its customer at the greater
possibility must be examined confined information. This data must at most be
constructed present on secretive manner.
2. Update and security of passwords:
Figure.3 Passwords do’s and Dont’s
There are many issues with passwords which are annoyance for customers to control it:
Uncomplicated for estimate physically or by utilizing the automatic instruments
The countersigns which are user generated follow the pattern often for making easy to
compromise.
Similar credentials are applicable for protecting the different accounts.
Not stored in the correct way.
3. Sensitive data storage separation from the regular data:
Several protection authorities propose data classification into three types:
Some tactful data that could place the organization and its customer at the greater
possibility must be examined confined information. This data must at most be
constructed present on secretive manner.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Personal information is data that is tactful but quite requires to be retrieved by the
whole division. For example: customers’ home addresses must still support a extent of
seclusion but might be applicable to the merchandise group.
Lastly the general information is a non-delicate data which shows minimum
possibility to the work. This data is normally attainable for anybody in the work as
well as at intervals publically shown as the people’s identity or the public network
account.
Figure.4 document security feature levels
4. Web applications vulnerabilities analysis:
There are few questions which are required to investigate for web applications
vulnerabilities analysis as mentioned below:
Does the website use non-password login? If it is not, does the two factor
authentication for account protection?
Are there limited login attempts for hacks prevention from attempting the
brute-force attack?
Does the application allow the user authorization for other application to
information access?
5. Test the web applications authentications based on the lower permission:
whole division. For example: customers’ home addresses must still support a extent of
seclusion but might be applicable to the merchandise group.
Lastly the general information is a non-delicate data which shows minimum
possibility to the work. This data is normally attainable for anybody in the work as
well as at intervals publically shown as the people’s identity or the public network
account.
Figure.4 document security feature levels
4. Web applications vulnerabilities analysis:
There are few questions which are required to investigate for web applications
vulnerabilities analysis as mentioned below:
Does the website use non-password login? If it is not, does the two factor
authentication for account protection?
Are there limited login attempts for hacks prevention from attempting the
brute-force attack?
Does the application allow the user authorization for other application to
information access?
5. Test the web applications authentications based on the lower permission:
It is common issue for operators to utilize low- level accounts as an arrival end into
the application’s under structure as long as these descriptions are having some
features such as:
These are frequently slighter done up and having fragile countersign.
These accounts hold upper level permission that not at all modernizes.
These are not maintained as high-level accounts.
Once it make sure that the low level accounts are protected then it is possible to move on the
high level accounts for assuring that the security measures stands strong with no matter.
6. Web application Firewall applications:
The rearmost web application corroboration good practices can endorse to the organizations
is to utilize a request firewall throughout the whole procedure. The applications managing by
the test and implementations changes could take much time through all the main threats. It is
essential that the team must be vigilant in applications monitoring for any threat. Hence it is
required to use WAF for threat protection. Fundamentally, some congestion scattered any
WAF is choked if it is spiteful and it can generate practice regulation to additionally
implementation protection.
Access control and authentication:
The ideology of access control is mandatory and critical design component for any of the
application’s security. Generally, a web application must prevent the front-end and the back-
end information and the system assets by access control boundaries implementation on what
client can do, which assets access must provide, and what operations are allowed for
performing the data. In ideal case, n access control idea must protect against the unauthorized
reviewing, modifications or the data copying. In addition, access control methodology can
also support for restricting the malicious code simulation, or unauthorized activity by an
attacker exploiting the architecture dependencies such as(DNS server, ACE server, etc.).
(Cgisecurity.com, 2020)
Session management:
Web session management is the ideology which permits the web server for exchanging state
data to identify and track each user connection. It is generally user authentication and the
preference management for example the history storing for previously visited contexts and
the application’s under structure as long as these descriptions are having some
features such as:
These are frequently slighter done up and having fragile countersign.
These accounts hold upper level permission that not at all modernizes.
These are not maintained as high-level accounts.
Once it make sure that the low level accounts are protected then it is possible to move on the
high level accounts for assuring that the security measures stands strong with no matter.
6. Web application Firewall applications:
The rearmost web application corroboration good practices can endorse to the organizations
is to utilize a request firewall throughout the whole procedure. The applications managing by
the test and implementations changes could take much time through all the main threats. It is
essential that the team must be vigilant in applications monitoring for any threat. Hence it is
required to use WAF for threat protection. Fundamentally, some congestion scattered any
WAF is choked if it is spiteful and it can generate practice regulation to additionally
implementation protection.
Access control and authentication:
The ideology of access control is mandatory and critical design component for any of the
application’s security. Generally, a web application must prevent the front-end and the back-
end information and the system assets by access control boundaries implementation on what
client can do, which assets access must provide, and what operations are allowed for
performing the data. In ideal case, n access control idea must protect against the unauthorized
reviewing, modifications or the data copying. In addition, access control methodology can
also support for restricting the malicious code simulation, or unauthorized activity by an
attacker exploiting the architecture dependencies such as(DNS server, ACE server, etc.).
(Cgisecurity.com, 2020)
Session management:
Web session management is the ideology which permits the web server for exchanging state
data to identify and track each user connection. It is generally user authentication and the
preference management for example the history storing for previously visited contexts and
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
the level data. Most commonly example for the session oriented systems are the web based
apps which require to maintaining the user specific data. The general pattern of the web based
session management is to authenticate the user to the web server with the login credential at
once and to set the formal sessions. By this manner, the user does not require to send the
identity and passwords to the web server for each request. (Pdfs.semanticscholar.org, 2011)
Data Validation:
SDV or the semantic data validation is implemented in Java Servlet and Java and the filters.
The web servers utilized are Apache 1.3.20 running on MS Windows Server 2003, and
Apache Tomcat 5.01. As far as the operation will be concerned, the SDV prototype service
could be able to secure infinite number of application attacks.
The prototype service implementation of this service involves three main elements: HTTP
Interceptor, RDF parser, and Data validator. Initially HTTP interceptor takes benefit of the
term that the browser appeals are directed at both a certain host and the port. In this working,
the Tomcat server listens on port 8081. The utility review the browser appeal on the default
port 80 and it redirects to Tomcat. The outcomes coming to this ideology are not transferred
to the client on port 80. The HTTP interceptor is a multi-threaded java application for
handling the concurrent connections by utilizing multi threads that enhances the flexibility or
power of the web server and client programs majorly.
Vulnerability and Assessment testing:
VAPT and Vulnerability assessment and Penetration Testing are two categories of
vulnerability testing. The tests have several strengths and are often combined for achieving
the more complex vulnerability observation. In short, Vulnerability Assessments and
Penetration Testing perform two different works usually with different outcomes, within the
same concentrative region.
Vulnerability assessment equipment vulnerabilities are available, but they do not differentiate
between the flaws which can be exploited to damage and those that cannot. Vulnerability
scanners alert companies to the pre-existing flaws in their code and where they are
located. Penetration tests attempt to exploit the vulnerabilities in a system to determine
whether unauthorized access or other malicious activity is possible and identify which flaws
pose a threat to the application.
apps which require to maintaining the user specific data. The general pattern of the web based
session management is to authenticate the user to the web server with the login credential at
once and to set the formal sessions. By this manner, the user does not require to send the
identity and passwords to the web server for each request. (Pdfs.semanticscholar.org, 2011)
Data Validation:
SDV or the semantic data validation is implemented in Java Servlet and Java and the filters.
The web servers utilized are Apache 1.3.20 running on MS Windows Server 2003, and
Apache Tomcat 5.01. As far as the operation will be concerned, the SDV prototype service
could be able to secure infinite number of application attacks.
The prototype service implementation of this service involves three main elements: HTTP
Interceptor, RDF parser, and Data validator. Initially HTTP interceptor takes benefit of the
term that the browser appeals are directed at both a certain host and the port. In this working,
the Tomcat server listens on port 8081. The utility review the browser appeal on the default
port 80 and it redirects to Tomcat. The outcomes coming to this ideology are not transferred
to the client on port 80. The HTTP interceptor is a multi-threaded java application for
handling the concurrent connections by utilizing multi threads that enhances the flexibility or
power of the web server and client programs majorly.
Vulnerability and Assessment testing:
VAPT and Vulnerability assessment and Penetration Testing are two categories of
vulnerability testing. The tests have several strengths and are often combined for achieving
the more complex vulnerability observation. In short, Vulnerability Assessments and
Penetration Testing perform two different works usually with different outcomes, within the
same concentrative region.
Vulnerability assessment equipment vulnerabilities are available, but they do not differentiate
between the flaws which can be exploited to damage and those that cannot. Vulnerability
scanners alert companies to the pre-existing flaws in their code and where they are
located. Penetration tests attempt to exploit the vulnerabilities in a system to determine
whether unauthorized access or other malicious activity is possible and identify which flaws
pose a threat to the application.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
OVERVIEW OF THE APPLICATION
Banking has gone digital in today’s timing. Approximately all major banks offer both an
online portal and the mobile app as well. The people seem prefer both in this way. A recent
survey named as PWC study established that 46% of the users at most utilize online banking
and a huge leap from the preceding literature such as in 2012, in which at most 27% utilized
online banking entirely. (Checkmarx, 2018)
Figure.5 Digital banking Graph
The major issue was found as the flaw pertaining is proof restraining, which signified that the
observations were shortcoming for detecting the important destructibility that could permit
striker take command on the sufferer’s online banking. Its security issues like mentioned
above shows the importance of covering these topics at the time of digital bank app
development. Hence conducting additional obtains for the monetary organizations; digital
banking also conveys a lot of risks.
For SDLC development, it is a quite critical to be pursued evolution of the fixed applications.
The SDLC will emplacement of a methodology for developing the certain protection is
constructing into the result, without decelerating the evolution procedure downwards. Now
Banking has gone digital in today’s timing. Approximately all major banks offer both an
online portal and the mobile app as well. The people seem prefer both in this way. A recent
survey named as PWC study established that 46% of the users at most utilize online banking
and a huge leap from the preceding literature such as in 2012, in which at most 27% utilized
online banking entirely. (Checkmarx, 2018)
Figure.5 Digital banking Graph
The major issue was found as the flaw pertaining is proof restraining, which signified that the
observations were shortcoming for detecting the important destructibility that could permit
striker take command on the sufferer’s online banking. Its security issues like mentioned
above shows the importance of covering these topics at the time of digital bank app
development. Hence conducting additional obtains for the monetary organizations; digital
banking also conveys a lot of risks.
For SDLC development, it is a quite critical to be pursued evolution of the fixed applications.
The SDLC will emplacement of a methodology for developing the certain protection is
constructing into the result, without decelerating the evolution procedure downwards. Now
there are 7 censorious stairs which are required for SDLC that designers and the protection
groups should tasks jointly for ensuring the releasing the online protection or the mobile
banking app.
Steps for banking app developers:
1. Security Requirements establishments:
The initial move is to learn the certainty needs of the banking app. Due to the tactful essence
for the banking apps, it is essential to allocate at the minimum one associate of the protection
group to effort with the construction group and the association requires beginning prior to the
management done.
Throughout this SDLC bit, management and security must know the main security risks
within the software which includes the standard the program should pursue. The collaborator
from twain of the security and development groups should be known to check transmission is
intelligible from the arrival, and some chinks in the procedure must be eminent.
2. Attack surface analysis:
Some banking software will occur with risk regions, which can refer as the charge exterior.
This charge exterior OWASP writes is assembled with:
The volume for entire information and the instruction paths into and out of these
applications.
The coding protects the paths.
All the valuable data must be used in the applications which include the keys and the
secrets, analytic work facts, intellectual property, confidential information and PII.
The coding secures the data.
There are several organizations which have come up with methodologies for charge exterior
quantifying. Microsoft’s Michael Howard has implemented a respective charge exterior
computation, and the investigators at Carnegie Mellon have implemented the charge exterior
grade. It can be obliging for begin by utilising one of these ideas term simulating one that
operates finest for the company.
groups should tasks jointly for ensuring the releasing the online protection or the mobile
banking app.
Steps for banking app developers:
1. Security Requirements establishments:
The initial move is to learn the certainty needs of the banking app. Due to the tactful essence
for the banking apps, it is essential to allocate at the minimum one associate of the protection
group to effort with the construction group and the association requires beginning prior to the
management done.
Throughout this SDLC bit, management and security must know the main security risks
within the software which includes the standard the program should pursue. The collaborator
from twain of the security and development groups should be known to check transmission is
intelligible from the arrival, and some chinks in the procedure must be eminent.
2. Attack surface analysis:
Some banking software will occur with risk regions, which can refer as the charge exterior.
This charge exterior OWASP writes is assembled with:
The volume for entire information and the instruction paths into and out of these
applications.
The coding protects the paths.
All the valuable data must be used in the applications which include the keys and the
secrets, analytic work facts, intellectual property, confidential information and PII.
The coding secures the data.
There are several organizations which have come up with methodologies for charge exterior
quantifying. Microsoft’s Michael Howard has implemented a respective charge exterior
computation, and the investigators at Carnegie Mellon have implemented the charge exterior
grade. It can be obliging for begin by utilising one of these ideas term simulating one that
operates finest for the company.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 24
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.