Module 4: Secure Software Development

A 6-Unit Module that Started on November 2022 and was Covered in 6 Weeks by Oliver Buckley

Summary

In this Module, we took a depth look at the security risks associated with programming languages as from the perspectives of :

design and architecture approaches,

programming paradigms,

testing and documentation,

the impact and implications of operating systems and libraries on software development,

the security risks associated with distributed systems and APIs,

the future trends in secure software and systems design.

We also designed and developed a computer program that was a solution that met the design brief given
(more details found on "Tasks and Assignments Done throughout this Module" subheading in this page).

Skills Acquired

Ability to Identify and manage security risks as part of a software development project.

Ability to Critically analyse development problems and determine appropriate methodologies, tools and techniques (including program design and development) to solve them.

Systematically developed and implemented the skills required to be effective member of a development team in a virtual professional environment, adopting real-life perspectives on team roles and organisation.

Gained familiarity of the language and concepts of a security standard which has been published by the ISO/IEC.

Gained knowledge on how a secure software may be developed using an agile process.

Installation and implementation of Python and Django, and using it to develop a Web Application.

Awareness of the various programming languages and their challenges, design patterns and when to use them

Awareness of the importance of creating a culture of risk awareness in an organisation, in addition to the creation of secure software.

Ability to Decompose an activity into a set of tasks which can be represented using a flow chart from the UML portfolio of modelling techniques.

Gained knowledge on how to Design and develop/adapt computer programs and to produce a solution that meets the design brief and critically evaluate solutions that are produced.

Gained a first hand experience on working as a group on a coding project using Scrum framework for project management and GitHub.

How to design software tests through understanding the range of ways which the security of software can be breached.

Gained Knowledge on fog computing, IoT and Cyber Physical System components and solutions, and there security issues

Ability to recommend emerging technologies and solutions to investigate.

Awareness of the various testing software for security and list of questions to ask when designing a test plan for secure software.

Gained knowledge of the different types of Cryptographies and its implementation

Gained knowledge on the security capabilities of programming languages, which include F#, Python, Rust, and Swift.

References Used

Below is a list of all the Sources (articles, books, reports, whitepapers, websites, etc) that I used through out this module (Using Harvard Referencing style).

Anon, 2017. OWASP Top 10 - 2017. [Online] Available at: https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf [Accessed 28 November 2022].

Fredj, O. B., Cheikhrouhou, O. & Krichen, M., 2021. An OWASP Top Ten Driven Survey on Web Application Protection Methods. s.l., Springer, Cham, pp. 235-252.

Dauzon, S., Bendoraitis, A. & Ravindran, A., 2016. Django: Web Development with Python. Mumbai: Packt Publishing Ltd.

Lenka, C., 2020. Python program check validity Password. [Online] Available at: https://www.geeksforgeeks.org/python-program-check-validity-password/ [Accessed 28 May 2022].

Melé, A., 2020. Django 3 by example. 3rd ed. UK: Packt Publishing Ltd.

Oliphant, T. E., 2007. Python for Scientific Computing. Computing in Science and Engineering, 9(3), pp.10-20.

Beek, van H.M.A., Eijk, van E.J., Baar, van R.B., Ugen, M., Bodde, J.N.C. (2015). Digital Forensics as a Service: Game on. Digital Investigation.

Seyyar, Bas M., Geradts, Z.J.M.H. (2020). Privacy impact in large scale digital forensic investigations. Forensic Science International.

Microsoft. (2003) Improving Web Application Security Threats and Countermeasures. 1st ed.

OWASP (2022). OWASP Top Ten. Available from:https://owasp.org/www-project-top-ten/ [Accessed 15th November 2022]

Pillai, A. (2017) Software Architecture with Python. 1st ed. Birmingham: Packt Publishing Ltd.

Dermott, Mac AM., Baker, T., Buck, P., Iqbal, F., Shi, Q. (2019). The internet of things: challenges and considerations for cybercrime investigations and digital forensics. International Journal of Digital Crime and Forensics.

CWE Content Team, 2021. CWE VIEW: Weaknesses in OWASP Top Ten (2021). [Online] Available at: https://cwe.mitre.org/data/definitions/1344.html [Accessed 15 December 2022].

Django, 2015. Documentation. [Online] Available at: https://docs.djangoproject.com/en/4.1/ [Accessed 15 December 2022].

Government of the Netherlands, N.D.. Fighting cybercrime in the Netherlands. [Online] Available at: https://www.government.nl/topics/cybercrime/fighting-cybercrime-in-the-netherlands [Accessed 15 December 2022].

Saabith, A. S., Fareez, M. & Vinothraj, T., 2019. PYTHON CURRENT TREND APPLICATIONS- AN OVERVIEW.International Journal of Advance Engineering and Research Development, 6(10), pp. 6-12.

T, N., 2013. Lock out users after too many failed login attempts. [Online] Available at: https://stackoverflow.com/questions/9033287/lock-out-users-after-too-many-failed-loginattempts [Accessed 12 December 2022].

W3Schools, N.D.. CSS Tutorial. [Online] Available at: https://www.w3schools.com/css/default.asp [Accessed 12 December 2022].

Django, N.D.. Django 1.7.11 documentation. [Online] Available at: https://django.readthedocs.io/en/1.7.x/index.html [Accessed 12 December 2022].

Overview of Key Tasks and Projects Completed

During this module, I completed a series of tasks and assignments that equipped me with practical skills in cybersecurity and software development.
Below is a summary of the projects, techniques, and security solutions learned throughout the course.

Secure Software Development Methodologies and UML Modeling

Explored waterfall vs. agile methodologies with a focus on security implications in software development.

Learned aboutUnified Modeling Language (UML) and industry standards for secure software development.

Collaborative Learning Discussion: Selected Visual Paradigm as my UML tool and created a flowchart illustrating an OWASP-identified coding weakness.

Group Project: Part of a team working on a secure software project based on The Dutch Police Internet Forensics case study.

Designed multiple UML diagrams and contributed to the Development Team Project: Design Document (Proposal Report).

Programming and Secure Coding Practices

Studied programming language security concepts with a focus on Python and C.

Conducted a Codio activity on Buffer Overflow attacks in C and Python, gaining hands-on experience in identifying and mitigating these vulnerabilities.

Finalized and submitted the Development Team Project: Design Document as a team.

Software Testing and Secure Development

Reviewed software testing methodologies and industry standards.

Explored automated testing tools and frameworks for Python applications .

Began development of the secure web application using Django and Python, as outlined in our project's first sprint.

Installed and configured Django in a local development environment and started implementing the project in Visual Studio Code.

Secure Web Application Development Project

Team Workload Distribution: Due to tight deadlines, I focused on developing the web application, while my teammates handled testing, documentation, and demonstration.

Implemented key Django components:
- admin.py : Managed administrative functionalities.
- Template system : Developed HTML templates with inheritance and CSS styling.
- views.py : Handled HTTP requests and user authentication.
- urls.py : Defined routing paths between requests and responses.
- models.py : Designed and integrated a SQLite database for user profiles.
- decorators.py : Created custom permission controls (e.g., login_required).
- userlogs.py : Implemented system logging functions to track user activities.
- settings.py : Configured middleware, databases, password validators, and installed apps.

Project Finalization: Conducted a walkthrough with my team of 4 to demonstrate functionality before they performed testing and documentation.

Security of Programming Languages Debate and Final Submissions

Researched and debated the security capabilities of Python, Rust, Swift, and F#.

Final Deliverables:
- Test Report: Documented all tests conducted on the Django application.
- README Documentation: Provided a comprehensive project summary, setup instructions, and screenshots.

Reflective Piece

Submitted a Reflective Essay analyzing key takeaways from the module, challenges faced, and how the acquired skills apply to real-world secure software development.

Key Tasks and Projects Completed

The tasks, projects and assignments that equipped me with practical skills in cybersecurity and software development.

Codio activity on Buffer Overflow in both C and Python programming languages

Below is a screenshot of the Buffer Overflow in C.

Download PDF

Vulnerability Assessment Project

My group members of 4 worked on the first part of the assessment project Development Team Project: Design Document, focusing on The Dutch Police Internet Forensics case study.

Using Visual Paradigm UML tool, I designed a couple of UML diagrams and did personal researches on the project (sources are referenced on the left pane), I was able to create and submit to my group the document below (as part of my contribution towards successful completion of the Development Team Project: Design Document).

Download PDF

Finale copy of the first part of the assessment project, that is Development Team Project: Design Document.

Download PDF

Screenshots of Django Web Application project (internetForensics) as from Github (our groupleader's repository)

Below is admin.py screenshot.

Download PDF

Below is the Template folder that has all the project's HTML files designed for the application (inheritance was used so as to avoid code repitition and CSS was used to style html document).

Download PDF

Below is the views.py file that shows the Python functions that takes http requests and returns http response (HTML documents). It also shows the logout request, user controls and all the imports of the models, libraries, decorators, etc. that were made to the application.

Download PDF

Below is the urls.py file that shows the different paths are to be taken between a Django request and its matching function in views.py.

Download PDF

Below is the models.py file that contains a SQLite database (whereby I created the userProfile database to be an extension of the Django's default user database).

Download PDF

Below is the decorators.py file that contains the Decorators (which I created the login_required and allowed_users classes).This acts as custom permissions that enables control of the users' access in the application.

Download PDF

Below is the userlogs.py file that has the Python functions to capture system logs (logs of when and which user successfully/unsuccessfully logs in and logs out from the system).

Download PDF

Below is the settings.py file that has the Python functions and the Django application's settings. These include: middleware, databases, password custom and default validators, installed apps, etc.

Download PDF

Final Tests document and documentation (a readme file)

Below is the Tests file that includes all the tests (and there screenshots) that were perfomed by one of my groupmates on the Django web application project .

Download PDF

Below is the README file that included the documentation and screenshots of the Django web application project that was created by one of my groupmates.

Download PDF

Reflective Piece

Assessment on "Reflective Piece" essay.

Download PDF

E-Portfolio: Beatrice MUTEGI-ROYER