Ecommerce and Web Security (Cber 705) : Assignment # 1

The document provides details about an assignment for an eCommerce and Web Security course. It includes 3 parts that involve finding security resources, reviewing security issues for networks and cloud, and understanding secure software development processes. It lists objectives, materials, and steps to complete for each part. The response provides answers to the questions asked in each part, including describing common attacks, cloud security risks, legal issues, and the phases of secure software development lifecycles.


eCommerce and Web Security (CBER 705)

Assignment # 1
Due date: October 24, 2021
Student Name: Sanjeev Lamba Student ID # 301201322 .

Note:
- For all screenshots, customize your desktop or application window to show your Name/ID.
- Plagiarism will result in a zero mark.

Objectives
The objective of this assignment is to (1) find security related resources, (2) review security
issues faced by the network and cloud, and (3) understand different secure software development
processes.

Materials Required
Access to internet

Part 1:
Description:

1. Visit the websites and find the resources that can be used to learn online safe hacking
experience, such as, hack.me.
2. Select the maximum of five types of attacks that have a devastating effect on a PC and
Enterprise level system both.
3. Provide the mitigation of these attacks in terms of software design and implementation.

Response
1) Hackaday, Cybrary and FromDev also have good resources for learning safe hacking online.

I created my own hack.me challenge, and this is the link for it:
http://s159392-108012-3qs.sipontum.hack.me/level1.html

2) Five types of attacks with a devastating effect on both PCs and enterprise-level systems are:

• Botnets
• SQL Injection
• Phishing
• Malware
• XSS (Cross-Site Scripting)
3) These attacks can be mitigated, in terms of software design and implementation, as follows:
• Phishing: filtering spam e-mail, blocking known-malicious sender IP addresses and domain names, and training users to recognise suspicious messages.
• Botnets: using firewalls, using protection that works at the DNS level (blocking command-and-control domains), and training employees.
• SQL Injection: validating and limiting inputs, using parameterized (prepared) queries so that user data is never interpreted as SQL, and, only where parameterization is impossible, using the database's character-escaping functions.
• Malware: using antivirus software, regularly updating software, and avoiding suspicious links and e-mail attachments.
• XSS: validating input, encoding output data for the context in which it is placed, and using a Content Security Policy.
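The SQL injection mitigation above ("limiting inputs" plus parameterized queries) is shown here as an added example; it is not part of the original assignment. It builds a constructed in-memory SQLite table with one user, compares a login check written with string formatting against the same check written with bound parameters, and adds an allow-list username validator in front. The plaintext password column is a deliberate simplification to keep the injection visible; real systems store password hashes.

```python
import re
import sqlite3

# Added example (not part of the original assignment): a login check written
# two ways against a constructed in-memory SQLite table. Passwords are stored
# in plaintext here only to keep the injection visible; real systems hash them.

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db():
    """Create the sample users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def is_valid_username(username):
    """'Limiting inputs': allow-list the characters a username may contain."""
    return USERNAME_RE.match(username) is not None


def login_vulnerable(conn, username, password):
    """Query assembled by string formatting: user input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with bound parameters: values can never change the query's shape."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def login_defended(conn, username, password):
    """Defence in depth: reject malformed input first, then use a parameterized query."""
    if not is_valid_username(username):
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    attack = "' OR 1=1 --"   # WHERE clause becomes: username = '' OR 1=1 --' AND ...
    print("vulnerable   :", login_vulnerable(db, attack, "wrong"))      # True: bypassed
    print("parameterized:", login_parameterized(db, attack, "wrong"))   # False
    print("defended     :", login_defended(db, attack, "wrong"))        # False
    print("legit user   :", login_defended(db, "alice", "correct-horse"))  # True
```

The payload closes the quoted username, appends an always-true condition, and comments out the password check; with placeholders the same string is just a username nobody has, and the allow-list rejects it before the database is even queried.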

Part 2:
Description and Background
Small and medium businesses are depending more and more on the cloud to host their
ecommerce websites. However, the cloud infrastructure and the internet are fraught with risks
and threats that an ecommerce website will have to deal with.
Steps
1. Go to https://csrc.nist.gov/publications/detail/sp/800-145/final and review the document.
2. Go to https://cloudsecurityalliance.org/ to open Cloud Security Alliance website and under
the “Research” tab select CSA Security Guidance and review the document.
3. Go to The European Union Agency for Network and Information Security (ENISA)
https://www.enisa.europa.eu/ for European Union Agency for Network and Information
Security. From the left panel, select Cloud and Big Data and then select Cloud security.
From the right panel, select “Exploring Cloud Incidents” published in 2016 and “Cloud
Security Guide for SME’s” published in 2015.

Answer the following questions


1. What could the incident response plan be for a company that uses the cloud for its business?
Ans : • Complete the preparation work in advance (know what the provider logs, and how to obtain it).
• Get to know the specialised organisations involved (the provider's security team, CERTs).
• Strike a balance between your cloud and traditional (on-premises) environments.
• Join and collaborate with other organisations.

2. As per the ENISA guide, what are the security risks in using the cloud?
Ans : • Natural disaster
• Physical damage
• Software security vulnerability
• Social engineering attack

3. What are the legal issues common across all cloud computing scenarios?
Ans : • Third-party access: involving a third party creates numerous security risks. To ensure that security is not jeopardised, the appropriate contractual agreements must be signed (for example, a HIPAA business associate agreement where US health data is involved).
• Intellectual property rights: each country has a unique set of rights, so the provider must be aware of the rights that apply.
• Security procedures: most businesses lack the method and resources to evaluate cloud applications.
• Data theft attacks on confidentiality: one should be aware of what the service agreement says about how and when a security breach will be disclosed to the customer.
4. What are the pros and cons of the cloud computing deployment models?
Ans : Pros of cloud computing deployment models
• Scalable
• Easily accessible
• Payment as per usage
• Reliable

Cons of cloud computing deployment models
• Establishment cost
• Security trust
• Public and private clouds are difficult to set up

Part 3:
Description and Background
Any software should be developed according to a pre-defined process. Many such processes exist. There
are also some specialized processes that include secure software development activities. Such activities
ensure that the developed software complies with security best practices and guidelines. These practices
and guidelines are applicable in each life cycle phase (requirements engineering, design, implementation,
testing, deployment, and maintenance).

Steps
1. Go to https://www.microsoft.com/en-us/sdl and study all the activities.
2. Go to https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
and study all the activities.
3. Go to https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=7657 and download the
Security Quality Requirements Engineering Technical Report. Study all the activities.

Answer the following questions


1. What are the major steps in a secure software development life cycle model?
• Employees should be properly trained, and security requirements should be properly documented.
• Threat modelling should be performed.
• Cryptography standards should be used in accordance with the guidelines.
• Manage the security risks associated with the use of any third-party components.
• Only tools that have been approved should be used.
• Conduct static and dynamic analysis security testing.
• Document all incident responses.
2. What is a response phase in a software development life cycle model?

Once a product is deployed, the product delivery team must continue to maintain it in order to
respond to any unanticipated security flaws. A post-release response strategy is needed here:
systems with no known flaws at the time of delivery may be vulnerable to new threats that
emerge over time, so an incident response plan must be in place before release.
3. Describe the Heap Manager Fail Fast Setting.

At the operating system level, Microsoft has implemented a number of mitigations that help
protect against specific types of attacks. Individually, they cannot guarantee security;
however, when used collectively, they can substantially raise the cost of exploitation.
The Heap Manager Fail Fast Setting (heap termination on corruption, enabled through the
HeapSetInformation API with HeapEnableTerminationOnCorruption) makes the process terminate
immediately when the heap manager detects corruption, instead of continuing to run in a
corrupted state that an attacker could exploit. In applications that use heap memory, enabling
this setting may surface quality issues as crashes; such flaws in the code can then be readily
identified and corrected, making the application both safer and more robust.

4. At which point in the Microsoft SDL is the web server, web application, and penetration
testing carried out?
It is carried out in the Verification phase, when one ensures that the code complies with the
security requirements laid out in the previous phases. This is accomplished through security
testing (static and dynamic analysis, fuzzing and penetration testing) as well as a security push.

5. What is meant by deprecation in a software development life cycle model?

Deprecation is the state of a feature or functionality that is no longer in active development.
A deprecated feature may be removed in future releases.

6. Which is the most important phase in a secure (or typical) software development life cycle
model?

• Manage the security risk of employing any third-party components through threat modelling.
• Conduct security testing using static and dynamic analysis.
• Penetration testing must be carried out.

7. In which phase could we discover a cross-site scripting attack?

It can be identified in the Verification phase, through static or dynamic analysis security
testing. It can also be identified through penetration testing.
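As an added example of the dynamic-analysis testing mentioned in answers 4 and 7 (not part of the original assignment), the block below probes two constructed page-rendering functions, one that reflects a search term straight into HTML and one that encodes output, with a harmless canary and then with a real tag-injection payload. The function names, the canary string and the payload are all assumptions made for this illustration.

```python
import html
import re

# Added example (not from the original assignment): a minimal dynamic check
# for reflected XSS run against two constructed page-rendering functions.


def render_search_vulnerable(query):
    """Reflects the user's search term straight into the HTML (the flaw)."""
    return "<p>Results for: " + query + "</p>"


def render_search_fixed(query):
    """Output encoding: HTML metacharacters in user data are turned into entities."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


# A canary that contains HTML metacharacters but executes nothing; if it comes
# back byte-for-byte, the renderer is not encoding output.
CANARY = "<xss-canary-7f3a>"


def reflects_unescaped(render):
    """Return True when the canary is reflected without encoding."""
    return CANARY in render(CANARY)


def tag_injection_possible(render):
    """Stronger probe: a real tag with an event handler. True if the raw tag survives."""
    payload = '<img src=x onerror="alert(1)">'
    page = render(payload)
    return re.search(r'<img\s+src=x\s+onerror="alert\(1\)">', page, re.I) is not None


def scan(renderers):
    """Run both probes over a dict of name -> render function; True means vulnerable."""
    return {name: reflects_unescaped(fn) or tag_injection_possible(fn)
            for name, fn in renderers.items()}


if __name__ == "__main__":
    results = scan({"vulnerable": render_search_vulnerable,
                    "fixed": render_search_fixed})
    print(results)   # {'vulnerable': True, 'fixed': False}
```

The same probe works against a live endpoint by replacing the render function with an HTTP request whose response body is searched for the canary; the encoded version of the canary (`&lt;xss-canary-7f3a&gt;`) in the response is the sign that output encoding is in place.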

8. When should we apply security assurance techniques?

Security must be handled throughout the project's lifespan. From the beginning to the end,
security should be addressed. It is critical to incorporate security into the standard software
development life cycle (SDLC) rather than adding it at the end.
