5.03 Project Assignment 1: Privacy Questionnaire
For this assignment, you will continue the work you began in earlier modules of the course, where you are acting as a software creator. Now, the company's privacy officer wants to know the possible privacy impacts of the software. He asks you to fill out a privacy questionnaire to help him assess those impacts.
When you’re done with the activity, title your document using the following filename convention: LastnameFirstname_5_privacy_questionnaire.
Note: Only your Final submission attempt will be graded and the submission must be in by the due date. Multiple submission attempts are allowed in case of technical difficulties or if you’d like to update your assignment prior to the due date.
________________________________________
Scenario and Directions
You work for a SaaS company that is creating software for various homeowners associations. Various HOAs will use your software to maintain their subdivisions. Now, you will fill out the SDL Privacy Questionnaire in Appendix C on page 90 of the Microsoft SDL book you’ve been reading all semester. Every company will have its own privacy questionnaire specific to its needs, but for this example, we’ll be using this generic one.
5.06 Project Assignment 2: Incident Response Document
• Allowed Attempts: 3
For this assignment, you will continue the work you began in earlier modules of the course, where you are acting as a software creator. Now, your board is concerned about how you will react to an incident. They would like you to create a call tree and an incident response plan.
When you’re done with the activity, title your document using the following filename convention: LastnameFirstname_5_incident_response_document.
Note: Only your Final submission attempt will be graded and the submission must be in by the due date. Multiple submission attempts are allowed in case of technical difficulties or if you’d like to update your assignment prior to the due date.
________________________________________
Scenario and Directions
You work for a SaaS company that is creating software for various homeowners associations. Various HOAs will use your software to maintain their subdivisions.
For this assignment, to create an incident response plan, make sure your document contains at least the following:
• A call tree with the appropriate stakeholders that you’ve identified
• A list of 4 possible common scenarios and what to do for each
• The general sequence of events for assessing damage and responding
• A defined sequence of events on when to notify, escalate, and declare an incident
• A checklist with at least 25 tasks that need to be completed in the event of an incident
• A requirement for a postmortem and how that will be handled
5.07 Project Assignment 3: Gitlab YAML
For this assignment, you will continue the work you began in earlier modules of the course, where you are acting as a software creator. Remember, you work for a SaaS company that is creating software for various homeowners associations. Various HOAs will use your software to maintain their subdivisions.
When you’re done with the activity, title your document using the following filename convention: LastnameFirstname_5_gitlab_yaml.
Note: Only your Final submission attempt will be graded and the submission must be in by the due date. Multiple submission attempts are allowed in case of technical difficulties or if you’d like to update your assignment prior to the due date.
________________________________________
Scenario and Directions
Your operations engineers use GitLab for their CI/CD process. They have contacted you to ask whether you would like to automate the deployment of the software so that it includes security checks. Respond to them with an email addressing their needs.
To complete this assignment, please create a document that includes the following:
• Suggest a solution that contains:
o Make sure to include at least 10 security concerns that could be automated within the “test” stage of a CI/CD pipeline
o At least 2 of these security concerns should be to mitigate some of the 20+ concerns that you identified in your risk analysis project earlier in the course
• A complete gitlab.yaml file for your suggested solution is not required, but it is encouraged as a way to learn the material.
________________________________________
EXAMPLE: Gitlab yaml
# Two stages: jobs in "test" run only after every job in "build" succeeds.
stages:
  - build
  - test

build-code-job:
  stage: build
  script:
    - echo "Check the ruby version, then build some Ruby project files:"
    - ruby -v
    - rake

test-code-job1:
  stage: test
  script:
    - echo "If the files are built successfully, test some files with one command:"
    - rake test1

test-code-job2:
  stage: test
  script:
    - echo "If the files are built successfully, test other files with a different command:"
    - rake test2
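The following is an added example, not part of the course's own gitlab.yaml above, showing how security checks can be placed in the "test" stage of a GitLab CI pipeline. It assumes a Ruby project managed with Bundler whose Gemfile includes the bundler-audit and brakeman gems; the job names are made up for illustration.

```yaml
# Added example: security checks in the "test" stage of a GitLab CI pipeline.
# Assumes a Ruby project using Bundler, with bundler-audit and brakeman in the Gemfile.
stages:
  - build
  - test

# GitLab's built-in secret detection template adds a "secret_detection" job
# to the test stage; it scans the repository for committed credentials.
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

build-code-job:
  stage: build
  image: ruby:3.2
  script:
    - bundle install
    - rake

# Known-vulnerable dependencies: bundler-audit compares Gemfile.lock against
# the Ruby Advisory Database and exits non-zero on any unpatched advisory,
# which fails the job and blocks the pipeline.
dependency-audit-job:
  stage: test
  image: ruby:3.2
  script:
    - bundle install
    - bundle exec bundler-audit check --update

# Static analysis: brakeman flags SQL injection, XSS, mass assignment and
# similar Rails issues; --exit-on-warn turns any warning into a failed job.
sast-job:
  stage: test
  image: ruby:3.2
  script:
    - bundle install
    - bundle exec brakeman --no-pager --exit-on-warn

# The functional tests from the course example still run in the same stage,
# so a deployment is only reached when both tests and security checks pass.
test-code-job:
  stage: test
  image: ruby:3.2
  script:
    - bundle install
    - rake test
```

Because all three test-stage jobs must succeed before a later deploy stage would run, a newly published advisory for a pinned gem is enough to stop a release until it is patched.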
6.04 Activity 1: OWASP Juice Shop Project
Finding and testing vulnerabilities is a big part of secure app development. It’s not always easy to get experience with application security, though: there are often ethical and legal restrictions on testing websites. In this project, I will show you a tool you can use to learn more about application security. The OWASP Juice Shop is an intentionally vulnerable web application that is used in industry to practice finding and testing exactly these kinds of issues.
________________________________________
Initial Post Directions
I would like you to do the following:
• Install Juice Shop on your own computer
o Refer to the instructions on the bkimminich/juice-shop GitHub page (OWASP Juice Shop: Probably the most modern and sophisticated insecure web application)
o I suggest either the Vagrant or Docker setup; the Docker setup should be the easiest to install
• Walk through (at least) the tutorials in the table below
• Take a screenshot of the Scoreboard with the tutorials shown as completed
• Submit the screenshot for proof of completion
• Enjoy going through the other vulnerabilities at your leisure
When you’re done with the activity, title your screenshot using the following filename convention: LastnameFirstname_6_OWASP_Juice_Shop_Project_screenshot.
Juice Shop Categories and Levels of Difficulty Table
Challenge | Category | Difficulty
OWASP Juice Shop: Score Board | Miscellaneous | ⭐
OWASP Juice Shop: DOM XSS | XSS | ⭐
OWASP Juice Shop: Bonus Payload | XSS | ⭐
OWASP Juice Shop: Privacy Policy | Miscellaneous | ⭐
OWASP Juice Shop: Login Admin | Injection | ⭐⭐
OWASP Juice Shop: Password Strength | Broken Authentication | ⭐⭐
OWASP Juice Shop: View Basket | Broken Access Control | ⭐⭐

6.06 Activity 2: SQLi Testing
Directions
Please watch the video below about the web application vulnerabilities in 2018 using Juice Shop. Then, use your installed Juice Shop setup to follow along and reproduce the same attacks that are described in the video.
In addition to using the attacks, research input validation and sanitization and give me an example of at least 10 vulnerabilities that could be mitigated by input sanitization or validation and how they would be mitigated. Hint: SQLi could be one example of such an attack.
Please take a screenshot as proof of at least one attack that you performed to prove you watched the video. When you’re done with the activity, title your screenshot using the following filename convention: LastnameFirstname_6_SQLi_Testing_screenshot.
