Lovejoy's Antique Evaluation Web Application

You must work on this assignment on your own. The standard Informatics rules for collusion, plagiarism and lateness apply. Any cases of potential misconduct discovered will be reported and investigated.

Part A – Access Control – 15 marks

To do this part of the coursework, you'll need access to a Linux or Unix-based operating system that allows you to create users. The Sussex UNIX server doesn't let you create new users for security reasons. If you're using a Mac, you're all set — it already has a Linux-based terminal you can use. If you're on Windows, you can install Windows Subsystem for Linux (WSL) to complete this section. Another option is to set up a Linux system on AWS services.

Write the Linux/Unix commands needed to complete each task and show output confirming that each command has worked.

Task 1 – Setup Environment

– Create a directory named computerSecurity_lab.

– Inside it, create: file1.txt, file2.sh, secret.doc.

– Display current permissions.

Task 2 – Modify Permissions

– file1.txt → Owner: read/write; Group & Others: none.

– file2.sh → Executable by everyone.

– secret.doc → Read-only for all users.

– Show permissions.

Task 3 – Change Ownership

– Create a new user (if permitted) named Bob.

– Change ownership of file1.txt to Bob.

– Change group ownership of the directory computerSecurity_lab to ethicalHackers (create this group first).

Task 4 – Directory Access Control

– Create a subdirectory named shared_docs.

– Set permissions so that: Owner → rwx, Group → r-x, Others → ---.

– Verify the permission.

Task 5 – Umask Configuration

– Display current umask.

– Adjust so new files are created with rw-r----- (umask 027).

– Create a test file and confirm permissions.
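Tasks 1 to 5 as one runnable POSIX shell script, added here as a worked example rather than the coursework's model answer. It builds the lab under LAB_ROOT (an assumed scratch location) so it can be re-run safely, and performs the Task 3 user and group changes only when run as root, since chown and useradd require it.

```shell
#!/bin/sh
# Added example for Part A, not the coursework's model answer. Runs the five
# tasks in a scratch directory (LAB_ROOT is an assumed variable) so it can be
# repeated safely; Task 3 needs root and is skipped with a note otherwise.
set -eu
LAB_ROOT="${LAB_ROOT:-$(mktemp -d)}"
LAB="$LAB_ROOT/computerSecurity_lab"

perm_of() {
    # Octal mode of a path: GNU stat, falling back to BSD/macOS stat.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

setup_lab() {
    # Task 1: directory, three files, current permissions
    mkdir -p "$LAB"
    touch "$LAB/file1.txt" "$LAB/file2.sh" "$LAB/secret.doc"
    ls -l "$LAB"

    # Task 2: owner rw only / rwx owner, r-x group and others / read-only for all
    chmod 600 "$LAB/file1.txt"
    chmod 755 "$LAB/file2.sh"
    chmod 444 "$LAB/secret.doc"
    ls -l "$LAB"

    # Task 3: needs root; user and group are created only if missing
    if [ "$(id -u)" -eq 0 ] && command -v useradd >/dev/null 2>&1; then
        id Bob >/dev/null 2>&1 || useradd -M Bob
        getent group ethicalHackers >/dev/null || groupadd ethicalHackers
        chown Bob "$LAB/file1.txt"
        chgrp ethicalHackers "$LAB"
        ls -ld "$LAB" "$LAB/file1.txt"
    else
        echo "Task 3 skipped: useradd/chown require root" >&2
    fi

    # Task 4: rwx for owner, r-x for group, nothing for others
    mkdir -p "$LAB/shared_docs"
    chmod 750 "$LAB/shared_docs"
    ls -ld "$LAB/shared_docs"

    # Task 5: show the umask, then create a file under 027 (666 & ~027 = 640).
    # The subshell keeps the change local; put "umask 027" in ~/.profile to persist it.
    umask
    (umask 027 && touch "$LAB/umask_test.txt")
    ls -l "$LAB/umask_test.txt"
}

setup_lab
```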

Part B (70 marks)

Lovejoy's Antique Evaluation Web Application

In this part of the coursework, you will develop a secure web application for a local antique dealer named Lovejoy. Lovejoy wants a minimum viable product allowing customers to register and then request potential evaluations of antique objects. Lovejoy has many rivals in the antique business who may sometimes resort to underhand tactics and so is very concerned about the security of the application.

Your secure web application will need these features for the minimum viable product (MVP) release: user registration and login, a password policy, a “request evaluation” page, and an extension of that page with a file upload so customers can attach photos of the object. Finally, Lovejoy needs a request listing page.

You should build Lovejoy's MVP focusing on the features listed in each task below. The mark allocation for each task is given below and in the security analysis grid. You should reflect upon your work and estimate how much you have achieved by filling out the marking grid; an example of self-reflection is provided on Canvas. There are thus 30 marks for completing the application reasonably and 40 marks for the security features identified.

You have a choice of technologies from which to build the application:

· PHP

· Java

· Python

No other technology is allowed. If you use Java or Python, you must research hosting options yourself.

Task 1 – Develop a secure web form that allows customers to register in the application. They must register an email address, password, name and contact telephone number. The users' details should be stored in a database. 

 

Code Quality 5 marks

Task 2 – Develop a secure login feature.

 

Code Quality 5 marks

 

Task 3 – Extend the password management feature to provide password strength recommendations and password recovery.

 

Code Quality 5 marks
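The storage and checks behind Tasks 1 to 3, as an added Python example rather than the coursework's own code: a salted PBKDF2 hash for the registration form, constant-time verification for login, strength recommendations built on a character-pool entropy estimate, and a failed-login counter that locks the account. The blocklist, the lockout threshold and the in-memory FAILED_LOGINS dictionary are constructed stand-ins for what would live in the database.

```python
"""Password policy, salted hashing and lockout for Lovejoy's MVP (added example, stdlib only)."""
import hashlib
import hmac
import math
import os

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
MIN_LENGTH, MIN_ENTROPY_BITS, MAX_FAILED_LOGINS = 12, 60, 5
COMMON_PASSWORDS = {"password", "lovejoyantiques", "qwertyuiop12"}  # constructed blocklist stand-in
FAILED_LOGINS = {}  # email -> failed attempts; stands in for a column in the users table

def estimate_entropy_bits(password: str) -> float:
    """Rough strength: length * log2(size of the character pool actually used)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    pool = sum(n for is_class, n in classes if any(is_class(c) for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def password_recommendations(password: str) -> list:
    """Advice shown on the registration form; an empty list means the policy is met."""
    advice = []
    if len(password) < MIN_LENGTH:
        advice.append(f"use at least {MIN_LENGTH} characters")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        advice.append("mix cases, digits and symbols, or make it longer")
    if password.lower() in COMMON_PASSWORDS:
        advice.append("this password is on the common-password blocklist")
    return advice

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt_hex, hash_hex) to store in the users table; the plaintext is never stored."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()

def verify_password(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, hash_hex)

def login(email: str, password: str, salt_hex: str, hash_hex: str) -> bool:
    """Locked accounts fail before the hash is checked; a success clears the counter."""
    if FAILED_LOGINS.get(email, 0) >= MAX_FAILED_LOGINS:
        return False
    if verify_password(password, salt_hex, hash_hex):
        FAILED_LOGINS.pop(email, None)
        return True
    FAILED_LOGINS[email] = FAILED_LOGINS.get(email, 0) + 1
    return False
```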

 

Task 4 – Implement a “Request Evaluation” web page only accessible to logged-in users. This web page should have a comment box to type in the details of the object and their request, and a dropdown box for the preferred method of contact, phone or email. The evaluation page should allow file upload of a photo of the object.

 

Code Quality 5 marks
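One way to validate the photo upload that Task 4 asks for, as an added Python example that is not part of the coursework: the file's content, not its name, decides whether it is accepted, the declared extension must agree with that content, and the stored filename is chosen by the server. UPLOAD_DIR and the 5 MB cap are assumptions.

```python
"""Photo upload validation for the "Request Evaluation" page (added example,
not the coursework's code).  Content decides the type, the declared extension
must agree with it, and the stored name is chosen by the server."""
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # assumed cap for a photo
UPLOAD_DIR = "/var/lovejoy/uploads"         # assumed location outside the web root
SIGNATURES = {                              # magic-byte prefix -> canonical extension
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}
ALIASES = {"jpeg": "jpg"}                   # other extensions the client may declare


class UploadRejected(ValueError):
    """Raised with a user-safe reason; the view shows it and stores nothing."""


def detect_image_type(data: bytes) -> str:
    """Canonical extension for the bytes, or UploadRejected if no signature matches."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("file is not a JPEG or PNG image")


def validate_upload(client_filename: str, data: bytes) -> str:
    """Check size, content and declared extension; return the extension to store under."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file is empty or exceeds the size limit")
    ext = detect_image_type(data)
    # Only the final suffix counts, so "photo.jpg.php" declares .php and is rejected;
    # basename() drops any directory part such as "../" the client may have sent.
    declared = os.path.basename(client_filename).rsplit(".", 1)[-1].lower()
    if ALIASES.get(declared, declared) != ext:
        raise UploadRejected("file extension does not match its content")
    return ext


def stored_path(ext: str) -> str:
    """Random server-chosen filename: no client-controlled text reaches the filesystem."""
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
```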

 

Task 5 – Implement a page that displays a list of evaluation requests. This page should only be visible to an administrator role.

Code Quality 5 marks

 

Task 6 – Database design.

5 marks.

 

 

Submission guidance

You submit only the report to Canvas. You must follow the report template at the end of this coursework description.

Report – You must use the report template provided at the end of this coursework description. In your report, provide screenshots of all the marking criteria elements and annotate them where necessary. In code screenshots, do not paste large chunks of code; show only the relevant lines. Use bullet points for any explanation rather than long paragraphs.

 

Recording – You are required to use Sussex Panopto to record a video demonstrating the functionality of your application and its associated security features. Relevant links for Panopto are provided at the end of this document. The tool is straightforward to use: log in using your University credentials, select the appropriate screen, and record the demonstration of your application, highlighting the features relevant to the marking criteria.

When recording your video, please observe the following guidelines:

1. The recording must not exceed 10 minutes in duration.

2. The video must demonstrate the testing of all tasks and features in sequence, including all security-related components.

3. Provide either a voice-over narration or on-screen text to explain each part of the recording.

4. Ensure that both your screen and you are visible in the recording.

5. Use the self-reflection grid from Task 0 to determine and present the order of the recorded features.

After completing the recording, access the Share settings in Panopto. Select the option that allows anyone within the organization who has the link to view the video. Then, copy the shareable link and include it in your report.

How to use Panopto?

· Recording a presentation using Panopto

 

 

Code file location (OneDrive) – Upload your code to OneDrive and provide the link in the report for our inspection.

Select the folder containing all your code, then click the share option. In the settings, click the pencil drop-down menu and select the option “Can edit”. Copy the link and put it in your report.

See the recording on Canvas showing how to set this up correctly.

 

 

Report

1) Code file Location: ——————————————

Upload your code to OneDrive and provide a link here. Set up correct permission so that anyone with a link can view it.

2) Panopto recording:————————————————

 If you don't provide this, I will not be  

 

Task 0 – Self-reflection

The marking grid should be completed objectively and accurately to reflect the standard of your work. Indicate all suggested features that have been successfully implemented by marking the corresponding boxes. Any additional security features you have developed should be listed in the 'Suggestive Features' column where placeholders (dashes) are provided. Finally, identify and highlight the appropriate level of attainment (Poor, Average to Good, or Excellent) that most accurately represents the quality and completeness of your submission.

Marking grid

Levels of attainment (applied to each 10-mark security criterion):

– Excellent [7 to 10 marks]: Implementation has no flaws, and the student has gone beyond what is required to be considered for this level. [You must mention in the self-reflection if you have implemented more features.]

– Average to good [4 to 7 marks].

– Poor, or evidence is not clear in the report [0 to 4 marks].

Grid columns: Criteria | Suggestive features to implement | Tick (Y) / Cross (X) | Poor | Average to good | Excellent. The dashed placeholder at the end of each features list is where you add any further features of your own.

Password policy – 10 marks

– Suggestive features (tick Y / cross X): Password entropy; Security questions; Password recovery; Account Lockout; —–

– Poor: Policy has many flaws, for example the password is not encrypted and no salt is applied. The password-forgot policy has security flaws.

– Average to good: Policy has no flaws, but the implementation of the policy is simple.

– Excellent: Policy has no flaw, and its implementation is excellent. Various mechanisms are implemented to ensure the password policy is secure.

Vulnerabilities – 10 marks

– Suggestive features (tick Y / cross X): SQL injection; XSS; CSRF; File Upload; —–

– Poor: Very little effort to implement countermeasures to avoid these vulnerabilities.

– Average to good: Countermeasures are implemented in all the pages; however, the quality of implementation is simple.

– Excellent: Several countermeasures are implemented, and the quality of the countermeasures is excellent. Other vulnerabilities are dealt with.

Authentication – 10 marks

– Suggestive features (tick Y / cross X): Email verification for registration; 2-factor authentication (PIN); 2-factor authentication (email); ——–

– Poor: Lots of obvious authentication requirements are not implemented.

– Average to good: All requirements are implemented to authenticate the user; however, the quality of implementation is simple.

– Excellent: Excellent implementation. Student has gone beyond.

Obfuscation/Common attacks – 10 marks

– Suggestive features (tick Y / cross X): Brute force attack – number of attempts; Botnet attack – Captcha; Dictionary attack/Rainbow table attack; —–

– Poor: Very little effort against these attacks.

– Average to good: No flaws in countermeasures; however, the quality of implementation is simple.

– Excellent: Excellent implementation of countermeasures against these attacks.

Features of web application – 30 marks

– Features (tick Y / cross X): User registration; User login; Forgot password; Evaluation; List evaluation; Database design and its security

Access control – 15 marks

Video – 9 marks

– All the marking criteria covered.

Self-reflection – 6 marks

– Completion of this marking grid clearly.

Part A – Access Control – 15 marks

Task 1 – Setup Environment

Task 2 – Modify Permissions

Task 3 – Change Ownership

Task 4 – Directory Access Control

Task 5 – Umask Configuration

Part B – Lovejoy (70 marks)

Task 1 – Develop a secure web form that allows customers to register in the application. They must register an email address, password, name and contact telephone number. The users' details should be stored in a database.

Bullet-list why it is secure and provide a code snippet as evidence.

Task 2 – Develop a secure login feature.

Bullet-list why it is secure and provide a code snippet as evidence.

Task 3 – Extend the password management feature to provide password strength recommendations and password recovery.

Create a couple of test accounts in Lovejoy and provide their passwords as evidence. These passwords must not be ones you use anywhere else.

– Password 1:

– Password 2:

Bullet-list other reasons why this is secure:

Task 4 – Implement a “Request Evaluation” web page only accessible to logged-in users. This web page should have a comment box to type in the details of the object and their request, and a dropdown box for the preferred method of contact, phone or email. The evaluation page should allow file upload of a photo of the object.

Bullet-list why it is secure and provide a code snippet as evidence.

Task 5 – Implement a page that displays a list of evaluation requests. This page should only be visible to an administrator role.

Bullet-list why it is secure and provide a code snippet as evidence.