CS 255 Southern New Hampshire University Code Review and Mitigation Plan Discussion
Writing code is difficult; writing secure code can be even more challenging. As the developer, it is your responsibility to write secure code. You will know if your code is secure by manually searching for and identifying possible security vulnerabilities. This is an important skill to develop because it becomes more challenging as the number of lines and complexity of your code increase.
Fortunately, as you learned in this module, you can follow a workflow and use tools that are widely accepted in the field of software security and vulnerability assessments. By following the Vulnerability Assessment Process Flow Diagram (VAPFD), you can focus your manual code inspection and narrow down your search for possible security vulnerabilities within your code.
Specifically, in this assignment, you will do the following:
- Determine relevant areas of security for a software application.
- Identify software security vulnerabilities by manually reviewing source code.
- Identify potential mitigation techniques that have been used to address vulnerabilities associated with known exploits.
Scenario
You are a senior software developer within a team of software developers that is responsible for a complex web application that uses the Spring framework. The team has been tasked with implementing an expressive command input function for the application. You are told the team is currently using Version 2.6.5 of the spring-data-rest-webmvc in the Spring framework, and you want to use the Spring Expression Language to accomplish the task.
If you are unfamiliar with Spring, learn about the Spring framework by watching What Is the Spring Framework Really All About? (10:44). If you are interested in learning more, refer to these Spring Guides:
Prompt
As the point person on this application, you are responsible for ensuring the code is secure. You will need to assess potential vulnerabilities in the code and create a mitigation plan for any existing vulnerabilities that the software development team must address.
To begin, reference the Vulnerability Assessment Process Flow Diagram (VAPFD) to help guide your code review and mitigation plan. A text version of this diagram is available: Vulnerability Assessment Process Flow Diagram Text Version.
Specifically, you must address the following in your Code Review and Mitigation Plan document:
- Areas of Security: Review the scenario and use what you know about the architecture of the web application to:
  - Determine which of the seven areas of security are relevant to assess from the first level of the VAPFD.
  - Justify your reasoning for why each area is relevant to the software application.
  - Document your findings for the software development team in the Code Review and Mitigation Plan template provided.
- Code Review Summary: Once you have identified the relevant areas of security to review from the first level of the VAPFD, work through the second level. At this stage, you should:
  - Upload the code base provided as a new project into Eclipse and manually inspect it to identify which vulnerabilities exist.
    - Refer to the Uploading Files to Eclipse Desktop Version Tutorial for how to open the code base for review.
  - Document your findings for the software development team in the Code Review and Mitigation Plan template provided.
- Mitigation Plan: Once you have manually inspected the code and identified the security vulnerabilities, do the following:
  - Describe potential mitigation techniques such as secure software designs that you could apply to address the software security vulnerabilities you identified.
    - It may be helpful to refer to the Module Two Resources, including your textbook, the Java Software Security Guidelines, the Common Vulnerabilities and Exposures (CVE) list, and the National Vulnerability Database.
  - Document your findings for the software development team in the Code Review and Mitigation Plan template provided. This plan will be used by the software development team to address all vulnerabilities in the code.