SDEV 460 – Homework 2
Testing Framework and Basic Security Controls
Overview:
This homework will demonstrate your knowledge of creating a testing framework and using that framework to conduct some basic server and web application security controls.
Assignment: Total 100 points
Using the readings from weeks 3 and 4 as a baseline, first develop a testing framework with these phases as guidelines for your organization or an organization you would like to work for in the future.
• Before development begins
• During definition and design
• During development
• During deployment
• Maintenance and operations
You will need to fill in the details for each phase by 1) describing what each phase encompasses and 2) listing three or more activities you will engage in for each phase. In addition, you will apply part of this framework in the phase “During development” by carrying out the three tests/security controls outlined below against the default root website of the existing SDEV virtual machine.
Security Controls to Test
1. Fingerprint Web Server (OTG-INFO-002)
• Use netcat, httprint or another tool to discover the web server software vendor and release. Show the output of the tool.
• Perform online research about the discovered software vendor and release. Report upon documented vulnerabilities with the release.
• Report upon how you would mitigate any documented vulnerabilities.
2. Review webpage comments and metadata for information leakage (OTG-INFO-005). Manually review the sample HTML applications in the Apache Web Server directories.
• Based upon online research, what are three or more categories of information that would be considered information leakage that is not acceptable?
• Review the web site to see if there is information leakage in the SDEV information. Report upon what you have discovered and your method of discovery.
3. Test HTTP Methods (OTG-CONFIG-006) – See which HTTP methods are available on the virtual machine. Use netcat or another tool against this SDEV site.
• What HTTP methods are enabled and disabled on this site? Show the output of your tool indicating the HTTP methods.
• Which methods potentially pose a security risk for a web application, and why? Describe how these pose a risk.
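Controls 1 and 3 both come down to reading headers out of a raw HTTP response: the Server header for the fingerprint (OTG-INFO-002) and the Allow header of an OPTIONS response for the enabled methods (OTG-CONFIG-006). The following Python script is an added example, not part of the assignment or of the SDEV VM; it parses a response of the kind netcat prints, extracts those two findings, and attaches a risk note to each method the OWASP guide singles out. The OPTIONS response it works on is constructed for illustration (the Apache version shown is made up), and the risk notes are the reviewer's assumptions about what each method allows when it is not otherwise restricted.

```python
"""Header-based findings for two controls on this page: server fingerprinting
(OTG-INFO-002) and enabled HTTP methods (OTG-CONFIG-006).
Added example; the sample response below is constructed, not captured from the SDEV VM."""
import re

# Methods worth scrutiny when an OPTIONS response advertises them. The note
# explains the risk so a report can say *why*, not just *which* (assumed wording).
RISKY_METHODS = {
    "PUT": "lets a client write files to the server unless tightly restricted",
    "DELETE": "lets a client remove server resources",
    "TRACE": "echoes the request back; historically abused for cross-site tracing to read cookies",
    "CONNECT": "can turn the web server into a proxy to other hosts",
}

def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers).

    Header names are lowercased; a header that appears twice (for example two
    Allow lines) is joined with a comma so nothing is silently dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a stray continuation or garbage line
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers

def fingerprint_server(headers):
    """Return (vendor, version) from the Server header, or (None, None).

    'Apache/2.4.18 (Ubuntu)' -> ('Apache', '2.4.18'). A bare 'Apache' banner
    yields ('Apache', None), which is the hardened outcome (ServerTokens Prod)."""
    banner = headers.get("server")
    if not banner:
        return None, None
    m = re.match(r"([A-Za-z][\w.-]*)(?:/(\d+(?:\.\d+)*))?", banner)
    if not m:
        return None, None
    return m.group(1), m.group(2)

def enabled_methods(headers):
    """Methods advertised in the Allow header of an OPTIONS response, in order, deduplicated."""
    seen = []
    for token in headers.get("allow", "").split(","):
        method = token.strip().upper()
        if method and method not in seen:
            seen.append(method)
    return seen

def assess_methods(methods):
    """Map each enabled method to a risk note ('' for ordinary read/write methods)."""
    return {m: RISKY_METHODS.get(m, "") for m in methods}

# Constructed sample of what `printf 'OPTIONS / HTTP/1.0\r\n\r\n' | nc host 80`
# might print for a server that reports its full version and leaves TRACE on.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def report(raw=SAMPLE_OPTIONS_RESPONSE):
    """Produce the findings a write-up needs from one captured OPTIONS response."""
    status, headers = parse_http_response(raw)
    vendor, version = fingerprint_server(headers)
    methods = enabled_methods(headers)
    return {
        "status": status,
        "vendor": vendor,
        "version": version,
        "methods": methods,
        "risky": {m: why for m, why in assess_methods(methods).items() if why},
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")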
Site Configuration:
Note: Use the SDEV Virtual Machine you downloaded and used for SDEV 300. The URL is here if you need to download it again: https://citeapps.umuc.edu/SDEV/
The VM runs on the latest version of Oracle VirtualBox. Also review the instructions for installing and configuring the VM and application under the “Course Materials” section of the course portal. It also contains the necessary password(s) to log in.
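For control 2 above (OTG-INFO-005) the review is manual, but a small scanner helps decide what to look at first. The script below is an added example, not part of the assignment or the SDEV VM: it uses Python's standard-library HTML parser to collect every comment and <meta> tag from a page, then tags each one with the leakage categories its text matches (credential hints, developer notes, email addresses, IP addresses, filesystem paths, software versions). The category names, the regular expressions and the sample page are the reviewer's own constructions, and the patterns are heuristics that point a human at candidates rather than a verdict.

```python
"""Flag HTML comments and <meta> tags that may leak information (OTG-INFO-005).
Added example; the sample page below is constructed, not copied from the SDEV VM."""
import re
from html.parser import HTMLParser

# Categories of leakage a manual review commonly looks for (assumed set).
# Dictionary order is the order categories are reported in.
LEAK_PATTERNS = {
    "credential hint": re.compile(r"\b(password|passwd|pwd|secret|api[_ -]?key)\b", re.I),
    "developer note": re.compile(r"\b(todo|fixme|hack|debug)\b", re.I),
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "IP address": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "filesystem path": re.compile(r"(?:/var/www|/home/\w+|[A-Za-z]:\\)[\w./\\-]*"),
    # product list is deliberately short; extend it for the stack under review
    "software version": re.compile(
        r"\b(apache|nginx|php|jquery|bootstrap|wordpress|joomla|drupal)\b[^\w\n]{0,3}v?\d+(\.\d+)*", re.I),
}

class LeakScanner(HTMLParser):
    """Collect comments and <meta> tags, the two places this control targets."""
    def __init__(self):
        super().__init__()
        self.comments = []
        self.meta = []  # (name, property or http-equiv value, content)

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        key = a.get("name") or a.get("property") or a.get("http-equiv")
        if key and a.get("content") is not None:
            self.meta.append((key, a["content"]))

def classify(text):
    """Return the leakage categories whose pattern matches `text`."""
    return [cat for cat, pat in LEAK_PATTERNS.items() if pat.search(text)]

def scan_html(html):
    """Return findings as (location, text, [categories]); comments first, then meta tags."""
    parser = LeakScanner()
    parser.feed(html)
    parser.close()
    findings = []
    for comment in parser.comments:
        cats = classify(comment)
        if cats:
            findings.append(("comment", comment, cats))
    for key, content in parser.meta:
        cats = classify(content)
        # A generator tag discloses the platform even when no version number is present.
        if key.lower() == "generator" and "software version" not in cats:
            cats.append("software version")
        if cats:
            findings.append((f"meta[{key}]", content, cats))
    return findings

def categories_found(findings):
    """Distinct categories across all findings, sorted, for the summary table of a report."""
    return sorted({cat for _, _, cats in findings for cat in cats})

# Constructed sample page containing several kinds of leakage on purpose.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="Joomla! 3.8.3">
<meta name="author" content="webmaster@example.test">
<meta name="description" content="Sample site">
<title>Sample</title>
</head><body>
<!-- TODO: remove test login (admin / password Secret123) before go-live -->
<!-- served from /var/www/html/sdev on 192.168.56.101 -->
<!-- page footer -->
<p>Hello</p>
</body></html>"""

if __name__ == "__main__":
    for location, text, cats in scan_html(SAMPLE_HTML):
        print(f"{location}: {text!r} -> {', '.join(cats)}")
    print("categories:", categories_found(scan_html(SAMPLE_HTML)))
```

To review a page from the VM, read the file (or a saved copy of the served HTML) into a string and pass it to scan_html; the "page footer" comment in the sample shows that harmless comments produce no finding, so the output is a shortlist for manual review rather than a complete inventory of comments.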
Deliverables:
You should submit your source testing framework document along with the results of testing the three security controls listed above. Screen captures should be clearly labeled, indicating exactly what each screen capture represents. Your document should be well-organized, include page numbers, include all references used, and contain minimal spelling and grammatical errors.
Grading Rubric:
Columns: Attribute | Meets | Does not meet

Testing Framework (50 points)
Meets:
• Develops and fills in details for the “before development begins” phase of the testing framework. (10 points)
• Develops and fills in details for the “during definition and design” phase of the testing framework. (10 points)
• Develops and fills in details for the “during development” phase of the testing framework. (10 points)
• Develops and fills in details for the “during deployment” phase of the testing framework. (10 points)
• Develops and fills in details for the “maintenance and operations” phase of the testing framework. (10 points)
Does not meet:
• Does not develop or fill in details for the “before development begins” phase of the testing framework.
• Does not develop or fill in details for the “during definition and design” phase of the testing framework.
• Does not develop or fill in details for the “during development” phase of the testing framework.
• Does not develop or fill in details for the “during deployment” phase of the testing framework.
• Does not develop or fill in details for the “maintenance and operations” phase of the testing framework.

Security Controls (30 points)
Meets:
• Fingerprints the web server (OTG-INFO-002) in the Apache Web Server main site. Identifies and researches the Apache software version. (10 points)
• Reviews webpage comments and metadata for information leakage (OTG-INFO-005). (10 points)
• Tests HTTP methods (OTG-CONFIG-006) and documents which HTTP methods are available on the virtual machine main web site. Describes risks in HTTP methods. (10 points)
Does not meet:
• Does not fingerprint the web server (OTG-INFO-002) in the Apache Web Server main site. Does not identify and research the Apache software version.
• Does not review webpage comments and metadata for information leakage (OTG-INFO-005).
• Does not test HTTP methods (OTG-CONFIG-006) or document which HTTP methods are available on the virtual machine main web site. Does not describe risks in HTTP methods.

Documentation and Submission (20 points)
Meets:
• Submits the source testing framework document. (5 points)
• Document includes the results from testing the three security controls listed in the instructions. (5 points)
• Screen captures are clearly labeled, indicating exactly what each screen capture represents. (5 points)
• Document is well-organized, includes page numbers, includes all references used, and contains minimal spelling and grammatical errors. (5 points)
Does not meet:
• Does not submit the source testing framework document.
• Does not include the results from testing the three security controls listed in the instructions.
• Screen captures are not clearly labeled indicating exactly what each screen capture represents.
• Document is not well-organized, does not include page numbers, does not include all references used, or contains multiple spelling and grammatical errors.