Briefly summarize your client, Artemis Financial, and their software requirements. Who was the client? What issue did they want you to address?
Artemis Financial is a company that deals with individualized financial plans for savings, retirement, investements and insurance. The nature of their business puts them within the reach of some federal, state, and international regulations. The client wanted to update their systems with security in mind, and improve their RESTful web application.
What did you do very well when you found your client’s software security vulnerabilities? Why is it important to code securely? What value does software security add to a company’s overall wellbeing?
The two things I did best in this assignment were updating the software to help modernize the system and my implementation of PBKDF2 to secure their website. PBKDF2 is primarily used for password storage but adds extra collision resistance to hashes. Secure coding is important because sloppy practices can make code more difficult to work with and expose bugs which can lead to vulnerabilities in a system. By increasing the security of Artemis Financials I have greatly reduced the risk of data breaches, which can result in fines, possible jail time, loss of trust, and class action lawsuits.
The ability to run the dependency check and read the vulnerability assessments was the most helpful. I've already started including the checks in personal projects and encouraging my developer friends to do the same. The most challenging part was trying to figure out how to classify and document the vulnerabilities. Logically, classification of vulnerabilities makes more sense to me when considered in context of the layers of the OSI model.
How did you increase layers of security? In the future, what would you use to assess vulnerabilities and decide which mitigation techniques to use?
Over the course I made notes for myself based on the OSI model. Understanding the layers helps to scope in on the specific technology that operates at that layer and the attacks that are aimed at each specific layer. The OWASP dependency check is now a standard tool in my personal projects. Otherwise I'm always striving for best practices when it comes to writing code, relying on proven idioms, architecture patterns, and using SOLID principles to help me stay focused on writing clean, easy to work with, and secure code.
How did you make certain the code and software application were functional and secure? After refactoring the code, how did you check to see whether you introduced new vulnerabilities?
After updating, I ran a clean install. Eclipse confirmed that it was successful, then I ran the java application and accessed it through my browser. I included a statement to print to console to confirm that the output to my browser was the same as the output to the console. That was a nice visual confirmation. I ran the dependency check multiple times, and worked my way through vulnerabilities until the number reached 0 with no suppressions.
What resources, tools, or coding practices did you use that might be helpful in future assignments or tasks?
I found this reference for maven goals, which I learned can be run via the terminal command line to stream line the update process, even allowing for incremental updates or reverting to previous versions if an update causes too many issues. While it's very helpful to know how to do it manually, as we did throughout the class, it can be a much more efficient process once you test out commands and let the software handle the updates. https://www.mojohaus.org/versions/versions-maven-plugin/index.html
Employers sometimes ask for examples of work that you have successfully completed to show your skills, knowledge, and experience. What might you show future employers from this assignment?
That I understand the importance of security and am familiar with the resources needed to track down vulnerabilities and mitigate them. The time spent on OWASP and the outgoing links explaining how to deal with various CVE's and CPE's, made me more comfortable with seeking out proven and tested methods for mitigating vulnerabilities. While I didn't get to try many of them, it was interesting to read about the use of modern penetration testing tools and methods for altering the code that ranged from easy to expert level, I'm now much more aware of the possibilities and where to seek guidance if a vulnerability is discovered. Often you can update your way out of most vulnerabilities, but sometimes the code is working as it should, and it falls on the engineers to handle things like whitelisting or other forms of input validation. The dependency could be "vulnerable" because it was written to allow flexibility instead of restrict it.