Activity 2 Questions

• What Web Application security mechanisms are involved in your topology? What security mechanisms would ideally be involved?

  • Following are several security methods that we will implement in our application (with the exception of implementing the required security vulnerabilities):
  • HTTPS (TLS 1.2) - We chose to use an encrypted connected to communicate between client web browsers and the web server. This will prevent an attacker from sniffing unencrypted packets to discover a user's password.
  • Password hashing and salting - We chose to hash and salt our passwords to prevent storing the password in plain text in the database in the event of a data breach. We chose to salt as well as hash the password to prevent rainbow table attacks.
  • Input sanitization - We will ensure to sanitize our inputs for any operations performed in the browser address bar or in a user input field, to ensure arbitrary code is not executed on the server.
  • Firewall/IDS - We would like to implement a firewall or intrusion detection system between the web server and the internet to provide packet filtering and malicious traffic detection capabilities. Options that we are considering are Snort, Suricata, or Security Onion. This will be added to the topology at a later date after we determine the best way to implement such a service.
  • Antivirus software - In addition to adding a network security solution, we would also like to add a host-based antivirus agent for an extra layer of security. This would detect when malicious files are uploaded as videos, and prevent our application from handling them.

• What testing framework did you choose and why?

  We chose to use the pytest framework to develop our unit tests. Our project will be written mostly in Python, and this is one of the most popular testing frameworks available for the language. In addition to pytest, we will also be checking code coverage.