This repository contains the final project for the Secure Software Engineering (2024/2025) course, as well as all completed labs (1–3) from the same course.
SecureDocs is a secure, real-time collaborative document editing web application. It was designed and implemented using a Security by Design approach, aligning with best practices and frameworks such as the NIST Secure Software Development Framework (SSDF) and the OWASP Web Security Testing Guide (WSTG).
The platform enables authenticated users to collaboratively edit documents with fine-grained access control. Documents can be private or public, and user roles are enforced through Role-Based Access Control (RBAC).
- Real-time collaboration via secure WebSockets
- Role-based access control: Owner, Editor, Viewer
- Granular permission management per document and user
- Public and private documents with configurable visibility
- Authentication and session handling with secure cookies
- CSRF protection and input sanitization
- RESTful API following OpenAPI standards
- Frontend: HTML5, CSS3, JavaScript (ES6+)
- Backend: Node.js with Express.js
- Database: SQLite
- WebSockets: Socket.IO for real-time editing
- Security libraries: Helmet, bcrypt, validator, express-session, csrf, rate-limit
The project underwent a full security lifecycle, including:
- Threat modeling using STRIDE and Threat Dragon
- Manual and automated testing, including:
  - OWASP ZAP (dynamic)
  - SonarCloud (static)
  - Nikto (server scanning)
  - API conformance via OpenAPI
- Vulnerability scanning using `npm audit` and Snyk
- Security headers enforced via Helmet middleware
/
├── .github/workflows/
├── lab1/ # Lab 1 stuff
├── lab2/ # Lab 2 stuff
├── lab3/ # Lab 3 stuff
├── projeto/ # Project implementation (SecureDocs)
├── .gitignore
├── Lab1.md # Write-up for Lab 1
├── Lab2.md # Write-up for Lab 2
├── Lab3.md # Write-up for Lab 3
├── README.md
└── sonar-project.properties
This repository also contains the lab work from the course:
- Lab 1: Analysis of low-level C vulnerabilities using static analysis and secure coding standards
- Lab 2: Security testing techniques including fuzzing, symbolic execution, and concolic testing
- Lab 3: Web vulnerability detection using SAST/DAST tools like SonarCloud and OWASP ZAP
A detailed report is included in Portuguese (see `projeto/report.pdf`), covering the full development lifecycle: design, implementation, and security analysis.