As mentioned in recent lectures, we should not be leaving security to the end of our project development. We are doing this in INFO202 because we need to teach you how to build systems before we can talk about securing those systems. We are doing things backwards. To ensure that we create a system that is as secure as we can reasonably make it we need to be considering security right at the first stages of the analysis and design of the system.
There are a many things that we need to do to secure our system:
Web client and service
- Add a generic error page.
- Add transport encryption (HTTPS) to our web server.
- Check for XSS vulnerabilities.
- Create an allow-list for all of the files that make up our AJAX client.
- Ensure that the user does not have the opportunity to manipulate the price of the products they are purchasing.
- Prevent any sensitive customer data from being stored in the session storage.
- Check for and mitigate SQL injections in the JDBI DAOs.
- Check for dangerous use of the
merge statement in JDBI DAOs.
- Salt and hash the customer's passwords.
- Create and use accounts with appropriate privileges to interact with the database.
- Encrypt the database files.
* Add transport encryption to the database to protect JDBC operations.
This lab will focus on securing the web client and service. Next week's lab will focus on securing the database.
Don't use your milestone 1 project for this lab
We don't want to break anything just prior to the deadline.
Use the CSR version of the student system for this lab.
Milestone 2 is due on Friday @ 5pm
See the following Blackboard section for submission instructions:
Project > Submission Instructions">>
We will be marking milestone 2 in the labs next week, so make sure you show up.