
Cmis 460 Assignments

ObtainVisualStudio.htm; updated January 9, 2013

Obtaining Microsoft Visual Studio Software

If You Do Not Have a Home Computer

SIUE has installed Visual Studio software, including Visual Basic, in two open-access computer laboratories in Founders Hall. These computer laboratories are located on the 2nd floor and on the basement floor.

Visual Studio is also installed in the and Library open access computer laboratories – when using these facilities, please ensure that the version of Visual Studio installed is the version used for your class.

If You Have a Home Computer

You may wish to obtain a copy of Visual Studio (Professional Edition), Visual Basic (Express), or Visual Web Developer (Express) to install on your home computer. Microsoft makes this software free to students within the United States.

CMIS 142 students can complete all assignments using the Visual Basic Express Edition. CMIS 460 students can complete all assignments using the Visual Web Developer Express Edition. You can also elect to download the full version of Visual Studio Professional through the Microsoft DreamSpark Program described below.

Link to Visual Basic Express Edition

You can download the Express versions of Microsoft's programming languages (this includes Visual Basic and Visual Web Developer) for free.

Download Visual Studio Express 2010 for Windows 7.

Download Visual Studio Express 2012 for Windows 8.

You can complete all assignments for your CMIS courses with these free products. Download and installation over a cable modem connection can usually be completed in less than 20 minutes.

Microsoft DreamSpark Program

Microsoft has recently announced the "Microsoft DreamSpark" program to supply students with free copies of software used for application development and server support. The Microsoft DreamSpark site provides download links for software that you may use in several CMIS courses, including CMIS 142, CMIS 460, and others:

· Visual Studio Professional Edition (takes quite a while to download; includes the SQL Server Database Management System).

· Other software such as Windows Server 2008.

As a student, follow these directions:

· Click this link to download DreamSpark: https://www.dreamspark.com/default.aspx. The DreamSpark home page displays as shown here.

· Follow the directions under DreamSpark for Students: click the Learn More link under the Download Products section. Make certain that you are downloading the correct product.

· Continue to follow the directions on the web pages.

End of Notes

Question description

SDEV 460 – Homework 3
Authentication, Authorization and Session Management Security Controls
Overview:
This homework will demonstrate your knowledge of testing security controls aligned with Authentication, Authorization and Session Management.
Assignment: Total 100 points
Using the readings from weeks 5 and 6 as a baseline, analyze, test and document the results for the tutoring web application found on the SDEV virtual machine. You must use a combination of automated (e.g., OWASP ZAP) and manual methods. Specific tests to be conducted include:
1. Test Role Definitions (OTG-IDENT-001)
· Create a test matrix for the roles you see in the application, including the role, the permissions for what actions, the objects, and the constraints.
2. Test User Registration Process (OTG-IDENT-002)
· Describe why this test is important to conduct and what threat it mitigates against.
· Be sure to answer the six questions and two validation processes found in the OWASP testing guide for the user registration process, and make at least three recommendations for improvements for this aspect of the application.
3. Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)
· Describe why this test is important to conduct and what threat it mitigates against.
· Note: since HTTPS is not implemented, this test will fail. What recommendations (at least three) would you make to rectify the situation? What do other sites do for authentication?
4. Testing for Default Credentials (OTG-AUTHN-002)
· Describe why this test is important to conduct and what threat it mitigates against.
· Are you able to guess a username and default email address for the application or for underlying components such as the database?
· Does the application store any credentials unencrypted in the database or in a flat file?
5. Testing for Weak Lock Out Mechanism (OTG-AUTHN-003)
· Describe why this test is important to conduct and what threat it mitigates against.
· Will the system lock out after X attempts for a period of time? If not, what issues are associated with this and how could it be remedied (at least three recommendations)?
6. Testing for Weak Password Policy (OTG-AUTHN-007)
· Are passwords weak? If so, describe at least three recommendations for improvement.
· What is at least one recommended password and lockout policy in the industry (e.g., NIST)? List what they recommend for a strong password policy.
7. Testing Directory Traversal/File Include (OTG-AUTHZ-001)
· Describe why this test is important to conduct and what threat it mitigates against.
· Are you able to traverse to another directory? If so, what can be done to fix this? Note: this can be difficult to verify manually without testing all possible cases, which is why it lends itself to automated scanning.
8. Testing for Bypassing Authorization Schema (OTG-AUTHZ-002)
· Is it possible to obtain Admin rights through the non-admin path? Verify and demonstrate.
9. Testing for Cookies Attributes (OTG-SESS-002)
· Describe why this test is important to conduct and what threat it mitigates against.
· Are cookies present? Are they expired? Do they have the HttpOnly attribute set? Are they easy to guess, and why or why not?
10. Testing for Logout Functionality (OTG-SESS-006)
· Describe why this test is important to conduct and what threat it mitigates against.
· Can a user log out of their session properly? If not, what recommendations (at least three) do you have to improve session security?
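Items 5 and 6 above ask whether the application locks an account after X failed attempts and whether its password policy is weak. The following is an added example, written for this page rather than taken from the tutoring application, of what the two controls look like when implemented: a lockout guard that locks an account for a window after a number of failures (the 5 attempts / 900 seconds values are assumed defaults), and a password check modelled on the NIST SP 800-63B recommendations (minimum length, a denylist of common or breached passwords, no long repeated runs, no username inside the password). The denylist and the account name are constructed sample data.

```python
"""Added example: a lockout policy and a password-policy check of the kind
OTG-AUTHN-003 and OTG-AUTHN-007 ask you to test for.  Illustrative code
written for this page, not code from the tutoring application."""
import re
import time
from typing import Callable, Dict, List

# Constructed denylist standing in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "tutor123"}


class LoginGuard:
    """Lock an account for lockout_seconds after max_attempts failures
    inside that same window (assumed defaults: 5 attempts, 15 minutes)."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable so tests can fake time
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: forget the old failures as well.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed login; return True if the account is now locked."""
        if self.is_locked(account):
            return True
        now = self.clock()
        # Only failures inside the window count towards the threshold.
        recent = [t for t in self._failures.get(account, []) if now - t < self.lockout_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def check_password_policy(password: str, username: str = "",
                          denylist=COMMON_PASSWORDS) -> List[str]:
    """Return findings against a NIST SP 800-63B style policy: at least 8
    characters, not on the denylist, no run of repeated characters, and
    not containing the username.  An empty list means the password passes."""
    findings: List[str] = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if password.lower() in denylist:
        findings.append("appears in common-password denylist")
    if re.search(r"(.)\1{3,}", password):
        findings.append("contains a run of 4+ repeated characters")
    if username and username.lower() in password.lower():
        findings.append("contains the username")
    return findings


def simulate_lockout():
    """Drive LoginGuard with a fake clock: five failures lock the account
    and the lock clears once the 900 second window has passed."""
    fake_now = [1000.0]
    guard = LoginGuard(max_attempts=5, lockout_seconds=900, clock=lambda: fake_now[0])
    locked_after_each = [guard.record_failure("alice") for _ in range(5)]
    locked_now = guard.is_locked("alice")
    fake_now[0] += 901
    locked_later = guard.is_locked("alice")
    return locked_after_each, locked_now, locked_later


if __name__ == "__main__":
    print(simulate_lockout())                              # ([False, False, False, False, True], True, False)
    print(check_password_policy("tutor123", username="tutor"))
```

The guard keys on the account, not the client address, so distributed guessing against one account is still caught; the flip side is that a lockout keyed only on the account can be used to deny a legitimate user access, which is why the window is finite and why an unlock path should exist. The password check deliberately has no composition rules (upper/lower/digit/symbol), in line with the NIST guidance, and relies on length plus the denylist instead.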
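Item 9 above asks whether cookies are present, whether they expire, whether HttpOnly is set, and whether they are easy to guess. Here is an added example, not part of the original assignment or of the tutoring application, of a small audit over Set-Cookie headers of the kind you would copy out of ZAP or the browser developer tools. It flags a missing HttpOnly, Secure or SameSite attribute, a session cookie that has been made persistent with Expires or Max-Age, and a session identifier whose character-frequency entropy is low. The list of session cookie names and the three sample headers are constructed for the example; the entropy figure is only a heuristic (a patterned value that happens to use every character equally will still score high), so treat it as a prompt to look closer, not as proof of randomness.

```python
"""Added example: audit Set-Cookie headers for the attributes OTG-SESS-002
checks (HttpOnly, Secure, SameSite, expiry) and estimate whether a session
identifier looks guessable.  Illustrative code for this page, not the
tutoring application's code."""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Cookie names treated as session identifiers (assumed list).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val}).
    Attribute names are lower-cased; valueless attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def estimate_entropy_bits(value: str) -> float:
    """Shannon entropy of the value's own character distribution, in bits.
    A rough guessability heuristic only; see the caveat in the lead-in."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum((c / n) * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def audit_set_cookie(header: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")          # script-readable: XSS can steal it
    if "secure" not in attrs:
        findings.append("missing Secure")            # sent over plain HTTP as well
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")   # no CSRF defence from the cookie itself
    is_session = name.lower() in SESSION_COOKIE_NAMES
    if is_session and ("expires" in attrs or "max-age" in attrs):
        findings.append("session cookie is persistent (Expires/Max-Age set)")
    if is_session and estimate_entropy_bits(value) < 64:
        findings.append("session identifier has low entropy (< 64 bits estimated)")
    return name, findings


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header from one response, keyed by cookie name."""
    return dict(audit_set_cookie(h) for h in set_cookie_headers)


# Constructed sample headers, not captured from any real application.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "session=0123456789abcdeffedcba9876543210; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for cookie_name, cookie_findings in audit_response(SAMPLE_HEADERS).items():
        print(cookie_name, cookie_findings or "ok")
```

The first sample header is what a default PHP session setup without hardening tends to produce; the second is the shape you want to see. The third, a preference cookie, still gets the attribute findings, which is a reminder to note in your report which cookies actually carry session state before deciding how serious each finding is.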
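Item 7 above asks what can be done to fix a directory traversal finding. The usual server-side fix is to resolve the requested name against the file store's base directory and refuse anything that does not end up inside it. The following is an added example written for this page, not the tutoring application's own file-serving code; the temporary file store, the file name and the request strings are all constructed.

```python
"""Added example: the server-side check that closes the directory traversal
hole OTG-AUTHZ-001 tests for.  Illustrative code for this page; the file
store layout is assumed, not taken from the tutoring application."""
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_under_base(base_dir: str, requested: str) -> Optional[Path]:
    """Return the absolute path for a user-supplied file name only if it
    stays inside base_dir after normalisation; otherwise return None.

    resolve() collapses '..' segments and follows symlinks, so a link inside
    base_dir that points outside it is rejected too.  Decode the request
    (URL decoding and the like) exactly once before calling this, so the
    check sees the same string the filesystem would."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()   # an absolute 'requested' replaces base here
    if candidate == base:
        return None                            # '' or '.' would hand back the directory itself
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def traversal_demo() -> Dict[str, bool]:
    """Try a few constructed inputs against a temporary file store and
    report which ones the check would allow to be served."""
    store = tempfile.mkdtemp(prefix="tutor_files_")
    Path(store, "notes.txt").write_text("constructed sample file\n")
    inputs = [
        "notes.txt",                   # plain name inside the store
        "sub/../notes.txt",            # normalises back into the store
        "../../other_dir/secret.txt",  # climbs out of the store
        "/absolute/elsewhere.txt",     # absolute path discards the base
        "",                            # empty name would expose the directory
    ]
    return {inp: resolve_under_base(store, inp) is not None for inp in inputs}


if __name__ == "__main__":
    for request, allowed in traversal_demo().items():
        print(f"{request!r:32} -> {'served' if allowed else 'rejected'}")
```

Comparing resolved paths is more robust than scanning the input for `..`, because it also handles mixed separators, redundant segments and symlinks, and it fails closed on anything unexpected. Pair it with an allowlist of extensions or file names where the set of legitimate files is small.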
Other Guidance:
You should document the results of the tests, your comments, and your recommendations for improved security for each security control tested in a Word or PDF document. Provide screen captures and descriptions for all tests conducted. Discuss any issues found and possible mitigations. Review the grading rubric below to verify completeness.
Note: Use the SDEV Virtual Machine you downloaded and used for SDEV 300. The URL is here if you need to download it again: https://citeapps.umuc.edu/SDEV/
The VM runs on the latest version of Oracle VirtualBox. Full instructions, as well as the necessary passwords, are included in the course materials within this course.
Deliverables:
You should submit your document by the due date. Your document should be well-organized, include all references used and contain minimal spelling and grammar errors. Screen captures should be clearly labeled indicating exactly what the screen capture represents.
Grading Rubric (attribute, points available, and what meets the standard):

Role Definitions (10 points)
· Conducts Test Role Definitions for OTG-IDENT-001 as applied to the sample tutor application, including all attributes. (5 points)
· Creates a test matrix for the roles seen in the sample tutor application. (5 points)

User Registration (10 points)
· Describes the importance of this test and the threat it addresses. (2 points)
· Tests the user registration process (OTG-IDENT-002) as applied to the sample tutor application. (3 points)
· Answers the six questions and two validation processes found in the OWASP testing guide for the user registration process and makes at least three recommendations for improvements for this aspect of the application. (5 points)

Credentials Transported (5 points)
· Describes the importance of this test and the threat it addresses. (1 point)
· Tests for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001) as applied to the sample tutor application. (2 points)
· Provides 3 or more recommendations to mitigate the threat and discusses what other sites do for authentication. (2 points)

Default Credentials (5 points)
· Describes the importance of this test and the threat it addresses. (1 point)
· Tests for default credentials (OTG-AUTHN-002) as applied to the sample tutor application. (2 points)
· Discusses findings about guessing credentials and the storage of credentials in flat files or the database. (2 points)

Weak Lock Out Mechanism (10 points)
· Describes the importance of this test and the threat it addresses. (1 point)
· Tests for weak lock-out mechanism (OTG-AUTHN-003) as applied to the sample tutor application. (4 points)
· Discusses results from system lock-out after X attempts and associated issues. Provides at least three recommendations to remedy. (5 points)

Weak Password Policy (10 points)
· Tests for weak password policy (OTG-AUTHN-007) as applied to the sample tutor application. (4 points)
· Discusses whether passwords are weak and provides at least 3 recommendations to remedy. (3 points)
· Researches and describes at least one recommended password policy in the industry, listing what they recommend for a strong password policy. (3 points)

Directory Traversal/File Include (10 points)
· Describes the importance of this test and the threat it addresses. (1 point)
· Tests Directory traversal/file include (OTG-AUTHZ-001) as applied to the sample tutor application. (5 points)
· Discusses whether a user is able to traverse to another directory and what can be done to fix the issue. (4 points)

Bypassing Authorization Schema (10 points)
· Tests for Bypassing Authorization Schema (OTG-AUTHZ-002) as applied to the sample tutor application. (5 points)
· Discusses and demonstrates whether a user can obtain Admin rights through the non-admin path. (5 points)

Cookies Attributes (5 points)
· Describes the importance of this test and the threat it addresses. (1 point)
· Discusses whether cookies are present, whether they are expired, whether they are easy to guess, and whether they have the HttpOnly attribute set. (4 points)

Logout Functionality (5 points)
· Describes the importance of this test and the threat it addresses. (1 point)
· Tests for logout functionality (OTG-SESS-006) as applied to the sample tutor application. (2 points)
· Discusses whether a user can log out of their session properly and provides at least 3 recommendations to improve session security. (2 points)

Documentation and Submission (20 points)
· Submits a Word or PDF document including results from all security control testing. (10 points)
· Screen captures are clearly labeled and visible, indicating exactly what the screen capture represents. (5 points)
· Document is well-organized, includes page numbers, includes all references used, and contains minimal spelling and grammatical errors. (5 points)
