User Account

All Pages

Perform a security assessment of a hypothetical website

Assignment Help Computer Engineering
Reference no: EM131682027

PROJECT INSTRUCTIONS

Overview

In this project, you will perform a security assessment of a hypothetical website and report upon the results of that assessment. You will provide both an executive summary of your findings as well as detailed results of the assessment. You will complete the report in a subsequent paper by providing remediation recommendations and actions you recommend to mitigate against your findings.

Your assessment is to review the website of a hypothetical company, Liberty Beverages, Inc. It is a global corporation specializing as an e-Commerce business in the delivery of beverage products such as specialty coffee and tea products. The business problem that they wish to address is the recent successful attack by a suspected nation state on their website. The attack was able to deface the website as well as access some personal purchasing data by customers. Given its impact on their brand and customer loyalty, this has high visibility with senior management.

Assume that the current web infrastructure consists of a redundant group of web servers running on a Linux platform with Apache web server and ApacheTomcat application server software on which the web application runs. In addition, perimeter security is provided by redundant edge routers for load balancing and redundant firewalls (e.g., Cisco ASA 5000-series) in a demilitarized zone (DMZ) configuration as well as an intrusion detection software (IDS) solution and SIEM for security monitoring. Lastly, the web servers interface with a relational database (e.g., MySQL, SQL Server, Oracle, DB2) and a Storage Area Network (e.g., SAN) for persistent storage. The e-Commerce website is accessible by a variety of devices such as conventional web browsers, tablets, and smart phones. They communicate with the web server using the HTTPS protocol for enhanced security.

For purposes of this assignment, usethe support files for labs 6 and 7 provided as a zip collection, as well as optionally the results from Labs 1, 2, and 6 for inputs - as they have the results from Skipfish, Nessus, and RATS scans. You may also need to drill down into the directory structure in Labs 6 or 7 to assess some items. Of course, these inputs are not as comprehensive as those in a real-world thorough assessment. Your project report can signify those areas that you do not have enough evidence to properly evaluate.

The scope of your assessment is the e-commerce website itself, including the website code and configuration, Linux platform, and Apache web server and application server software. It is not within scope of this assignment to assess other infrastructure components such as the routers, firewalls, IDS, and databases - nor security on remote devices and authentication or authorization mechanisms. The only exception to that would be if there were a vulnerabilitydiscovered in the software directly related to the database. These may be recommended for subsequent follow-up activities.

Instructions

Collect the results of the web vulnerabilities and exploitations from the Support Files in Blackboard for labs 6-7. You may optionally use your work fromLabs 1, 2, and 6. Complete the assessment template (or use your own organization if you include all of the appropriate content listed below) provided for this assignment entitled "Web Application Security Report Template" - including the following sections:

Section 1: Assessment Introduction - Use the overview information from this document to set the context for the report.

Section 1.1: References - Add at least three (3)references.

Section 2: Web Application Description - Leave this section blank for a later remediation project.

Section 3: Assessment Assumptions - Use information from the assignment overview to describe components included in the assessment and components excluded from the assessment (in scope and out of scope). Also note the template instructions in this area.

Section 4: Assessment Approach. Include paragraph in section 4.5 on out of scope items based upon the information provided in the assignment overview (as it mentions what is in and out of scope)- as well as the tools utilized in sections 4.2 and 4.3

Section 5 and corresponding Appendix details. Also note the template instructions in this area- as there is extensive guidance on assessing pass/fail/not assessable status.

Section 5.1 - Include a count of how many high, medium, and low priority items found as well as a one (1)line per item list of high priority items.

Section 5.2 and 5.3 - Provide a pass/fail assessment in the Appendix on each item (including the NIST section) based upon the inputs listed above. You are using your best judgment based upon the assessment and the principles you have learned. For those items that are not directly or indirectly assessed, indicate that as well.There should be enough evidence, however, to assess some of items as pass or fail.

Section 5.5 - List comments about the review of the source code from Labs 1 and 2 and/or the RATS scan results found in the support files zip collection. Note that for purposes of the assignment, this is not a full source code review of all of the web pages but a review of at least one (1)piece of code corresponding to a web vulnerability discovered in the labs.Navigate to the file in the directory structure to research this. Be specific as possible about what you are reviewing. For instance, this could be a review of a web form that has been found to be vulnerable. You mustcomment about what makes the code an issue (e.g., it provides inadequate input validation).

Outputs

This is a five-page research-based paper in current APA format that focuses on the results from a web security assessment. These five or more pages include all of the content in the paper (cover page, table of content, references, all sections of the paper, etc). Since you are adding content to a template that already exceeds the page count, your final paper should exceed the default as well.Use the assessment template "Web Application Security Report Template" as a starting point. You can optionally choose to use your own format, but it must contain all of the elements mentioned above in the instructions. The paper must include at least three (3) referencesin addition to the course textbooks and the Bible.Include relevant screenshots as appropriate and answers to the instruction steps. Be sure to repaginate the table of contents and remove any instructions highlighted in red from the template.

Lab 1: Exploiting Known Web Vulnerabilities

Lab Assessment Questions

1. What are the current OWASP Top 10?

2. What is a brute-force attack and how can the risks of these attacks be mitigated?

3. Explain a scenario where a hacker may use cross-site request forgery (CRFS) to perform authorized transactions.

4. What could be the impact of a successful SQL injection?

5. How would you ensure security between a Web application and a SQL server?

6. What is the underlying cause of a cross-site scripting (XSS) attack?

7. What is the difference between a reflected XSS and a stored, or persistent, XSS?

Challenge Questions

1. What has changed between this year's OWASP Top 10 list and the Top 10 list in 2010? What is the rationale for these changes? List at least five changes.

2. Research any brute-force attack tool (for example, THC Hydra, Brutus, or Burp Intruder). List at least three features of that tool. What method does the tool use in its brute-force attack?

3. What is the purpose of a rainbow table?

Lab 2: Implementing a Security Development Lifecycle (SDL) Plan

Challenge Questions

1. Use the Internet to research the importance of understanding trust boundaries in threat modeling. Summarize your findings. A good resource for this research is the Microsoft SDL Web site.

2. In Part 3 of this lab, you tested five regular expressions to see if they were vulnerable to ReDoS. Two of the five were, in fact, vulnerable. It is possible to conduct these tests without understanding the regular expressions in question. For this challenge, alter the two regular expressions that failed so that they pass. If possible, explain why they failed and why they now pass.

Lab Assessment Questions

1. List and briefly describe the Training phase of the Security Development Lifecycle (SDL).

2. What does the acronym STRIDE stand for?

3. Which of the regular expressions in Part 3 are safe from ReDoS?

4. Why is it necessary for an SDL to include a Response phase? Use the Internet to research at least three components of a typical incident response plan.

5. What are the seven phases in the Microsoft SDL?

6. What is a buffer-overflow or overrun condition?

7. In which phases of the secure software development life cycle might cross-site scripting be discovered?

8. What is ReDoS?

9. What failure did Bin Scope identify in the ActionCenter.dll file? Use the Internet to research the failure and describe its significance.

Verified Expert

Solution file is prepared in ms word which is based on lab 2 ,3 ,5 , 6 and 7. It discussed about the exploiting vulnerability, Implement SDLC, create security assessment for Liberty Beverages company. The solution file follows the assignment requirement with sections and screen shots are attached from the lab. The references are included as per APA format.

Reference no: EM131682027

Questions Cloud

Discuss about the crm strategies : Delivering good value to customers requires that firms use CRM strategies to effectively manage relationships with customers.
Describe the ethical public policy problem of hate crimes : "Border Patrol" Video Game: What, if Anything, Should Be Done with It? There's a video game making its way around the Internet, and many who have come across.
What is the relative humidity of the parcel of air : Assuming the mixing ratio of the parcel of air at 2000 feet is 4.6 g/kg, what is the relative humidity of the parcel of air in percent
Discuss what characteristic of warming temperature today : What characteristic of warming temperature today appear to be different from warm periods of the past
Perform a security assessment of a hypothetical website : Perform a security assessment of a hypothetical website and report upon the results of that assessment. You will provide both an executive summary
Average fixed cost function : Derive the average variable cost function, the marginal cost function, and the average fixed cost function, and graph them on graph paper.
Provide your rationale for selecting particular securities : Provide your rationale for selecting the particular securities such as stock, mutual funds, ETFs, bonds, bond funds, real estate funds, etc.
Evaluate key elements of the selected production : Evaluate key elements of the selected production or service organization's operational efficiency with its operational strategy.
Define eighth amendment ban on cruel and unusual punishments : Assume you're an advisor to the Criminal Law Committee in your state's legislature, which is considering legislation adopting "shaming" punishments.

Reviews

inf1682027

1/17/2018 5:06:57 AM

I value your organizations assist and will prescribe it to any individual who needs help. My major doesn't require as I'm bad in the subject; I did a couple tests in scored 70%-low 80, however utilizing your administrations my evaluations has helped. Much thanks!

inf1682027

12/18/2017 5:26:59 AM

lab 5 and 6 lab 5 and 6 25611087_1Lab 5.docx 25611072_2Lab 6.docx can you format into this tamplate? 25611047_1Web Application Security Assessment Report Template3.doc I also would like to to same thing for remedition. I am also attached template for that. 25611022_1Security Assessment Remediation Project Instructions1.docx 25611022_2Lab 1 Evaluating Web Vulnerabilities .docx 25611039_3Security Assessment Remediation Project Grading Rubric1.docx It is 2nd part of assignment. for the first deliverlable use the first report and put in the template i send you. 5611047_1Web Application Security Assessment Report Template3.doc i have to do another assignment similar to the first one which i sent the requirement and template. It is remediation project. use the same template for deliverable.

len1682027

10/16/2017 5:37:46 AM

I have to write paper on lab 2, 3, 5and 6 for 5 pages with references in APA format. instruction listed in security assessment output. You can optionally choose to use your own format, but it must contain all of the elements mentioned above in the instructions. The paper must include at least three (3) referencesin addition to the course textbooks and the Bible.Include relevant screenshots as appropriate and answers to the instruction steps. Be sure to repaginate the table of contents and remove any instructions highlighted in red from the template.

Write a Review

Computer Engineering Questions & Answers

  Mathematics in computing

Binary search tree, and postorder and preorder traversal Determine the shortest path in Graph

  Ict governance

ICT is defined as the term of Information and communication technologies, it is diverse set of technical tools and resources used by the government agencies to communicate and produce, circulate, store, and manage all information.

  Implementation of memory management

Assignment covers the following eight topics and explore the implementation of memory management, processes and threads.

  Realize business and organizational data storage

Realize business and organizational data storage and fast access times are much more important than they have ever been. Compare and contrast magnetic tapes, magnetic disks, optical discs

  What is the protocol overhead

What are the advantages of using a compiled language over an interpreted one? Under what circumstances would you select to use an interpreted language?

  Implementation of memory management

Paper describes about memory management. How memory is used in executing programs and its critical support for applications.

  Define open and closed loop control systems

Define open and closed loop cotrol systems.Explain difference between time varying and time invariant control system wth suitable example.

  Prepare a proposal to deploy windows server

Prepare a proposal to deploy Windows Server onto an existing network based on the provided scenario.

  Security policy document project

Analyze security requirements and develop a security policy

  Write a procedure that produces independent stack objects

Write a procedure (make-stack) that produces independent stack objects, using a message-passing style, e.g.

  Define a suitable functional unit

Define a suitable functional unit for a comparative study between two different types of paint.

  Calculate yield to maturity and bond prices

Calculate yield to maturity (YTM) and bond prices

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +1-415-670-9521

Phone: +1-415-670-9521

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd