labs / tiddlers / content / labs / lab11 / _Labs_11_Introduction.md
Mark George, 27 Sep (commit: Fixes)

As mentioned in recent lectures, we should not be leaving security to the end of project development. We are doing so in INFO202 only because we need to teach you how to build systems before we can talk about securing them, so we are doing things backwards. To build a system that is as secure as we can reasonably make it, security has to be considered from the very first stages of the analysis and design of the system, not bolted on afterwards.

There are many things that we need to do to secure our system:

Web client and service

  • Add a generic error page.
  • Add transport encryption (HTTPS) to our web server.
  • Check for XSS vulnerabilities.
  • Create an allow-list for all of the files that make up our AJAX client.
  • Ensure that the user does not have the opportunity to manipulate the price of the products they are purchasing.
  • Prevent any sensitive customer data from being stored in the session storage.

Database

  • Check for and mitigate SQL injections in the JDBI DAOs.
  • Check for dangerous use of the merge statement in JDBI DAOs.
  • Salt and hash the customer's passwords.
  • Create and use accounts with appropriate privileges to interact with the database.
  • Encrypt the database files.

This lab will focus on securing the web client and service. Next week's lab will focus on securing the database.
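One of the web-service items above, preventing the user from manipulating product prices, comes down to a single rule: the server must never take a price from the client. The following is an added illustration written for this page, not code from the INFO202 project or from the lab itself. The catalogue, the product IDs, the request field names and the function names are all assumptions made for the example; the tampered cart is a constructed request of the kind a user could send by editing the AJAX call in the browser's developer tools.

```javascript
// Added example: two ways a checkout service could total a cart.
// The catalogue, product IDs and request shape are assumptions for this
// illustration, not the INFO202 project's own data or API.
const catalogue = new Map([
  ["P100", { name: "Widget", price: 19.95 }],
  ["P200", { name: "Gadget", price: 149.0 }],
]);

// Round to cents; avoids binary floating-point noise in the comparison.
function round(n) {
  return Math.round(n * 100) / 100;
}

// VULNERABLE: trusts the `price` field that the client sent. Anyone who
// edits the AJAX request (or the values cached in session storage) can
// pay whatever they like.
function totalTrustingClient(cart) {
  return round(cart.reduce((sum, line) => sum + line.price * line.quantity, 0));
}

// HARDENED: only the product ID and quantity come from the client. The
// price is looked up in the server's own catalogue, and a request for an
// unknown product or a non-positive quantity is rejected outright instead
// of being priced at zero or going negative.
function totalFromCatalogue(cart) {
  let sum = 0;
  for (const line of cart) {
    const product = catalogue.get(line.productId);
    if (!product) {
      throw new Error(`unknown product ${line.productId}`);
    }
    const qty = Number(line.quantity);
    if (!Number.isInteger(qty) || qty <= 0) {
      throw new Error(`invalid quantity for ${line.productId}`);
    }
    sum += product.price * qty;
  }
  return round(sum);
}

// Constructed tampered request: the client has rewritten the Gadget's
// price from 149.00 to 0.01 before submitting the order.
const tamperedCart = [
  { productId: "P100", quantity: 2, price: 19.95 },
  { productId: "P200", quantity: 1, price: 0.01 },
];

console.log(totalTrustingClient(tamperedCart)); // 39.91  (attacker wins)
console.log(totalFromCatalogue(tamperedCart));  // 188.9  (client price ignored)
```

The same principle applies to anything else the client is in a position to edit: discounts, shipping options and stock levels should all be resolved on the server from data the server controls, with the client submitting only identifiers and quantities.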

Be careful with your Milestone 2 project

You will be working in your milestone 2 project this week. We don't want to break anything just prior to the deadline, so test everything thoroughly. Nothing that we are doing in this lab should break existing features unless you make a mistake; if something does break, revert the change that caused the problem.

Milestone 2 is due on Friday @ 5pm

See the following Blackboard section for submission instructions:

Project > Submission Instructions

We will be marking milestone 2 in the labs next week, so make sure you show up.