Sn-Development Life Cycle: Month 1

Cybersecurity document

SN-DEVELOPMENT LIFE CYCLE

3 MONTHS

SN-LP-003

Month 1
Securing an application throughout its development cycle
INTRODUCTION

You will be guided through the steps of the Secure Software Development
Lifecycle (SDLC) for an existing web application developed using Vue.js 3,
Node.js, and MongoDB. This project will allow you to apply essential security
practices and conduct vulnerability tests to ensure that the application meets
security standards.

Target skills
• Follow the steps of the SDLC to secure a web application.
• Identify and remediate security vulnerabilities.
• Use tools such as npm audit, Snyk, Trivy, OWASP ZAP, and
Postman.
• Collaborate with developers to write security stubs to control
the behavior of certain parts of the code.
• Produce deliverables for each phase of the project: security
requirements, planning, security testing, vulnerability analysis,
etc.

THE PROJECT

IMPORTANT: The README file shows how to run the application, but further
research is required.

Part 1: Planning and Security Requirements

Step 1: Identify Resources and Estimate Time


Your first task is to plan the project. You will:
1. List the security tools you will need to secure different parts of the
application. For example, you will use npm audit to analyze Node.js
dependencies and tools like Snyk for vulnerability scans.
2. Create a Git repository to version your code and set up branches dedicated
to each phase of the SDLC.
3. Use Jira to plan the tasks for each phase of the SDLC, estimating the
necessary duration for each.

Step 2: Document Security Measures

At this stage, you will identify the sensitive features of the application, such as
authentication, user management, and forms.
1. List the sensitive features and explain why they require special attention.
2. These various functionalities rely on critical processes that are now digitized.
Identify and list these processes.
3. Develop a RACI matrix for each process, specifying roles and responsibilities.
4. Analyze each process and identify the associated risks.
5. Specify the security requirements to be developed for each feature. For
example, for authentication, you may recommend using JWT with a short
expiration and strict input validation for forms.
6. Translate the roles defined in the RACI matrix into RBAC (roles, access rights,
and justification).
7. Integrate the security flow into the workflow.
8. Prioritize functionalities based on their criticality.

Part 1 Delivery

• A project calendar detailing each phase and the tools to be used.
• A Git repository with branch configuration and access for all team members.
• A defined RACI matrix.
• Risks identified for each process.
• The features necessary to develop to ensure security.
• The RBAC table aligned with the RACI matrix.
• A workflow-integrated security flow.
• A table containing the prioritization of features.
• A document listing sensitive features and the required security measures for
each.

Part 2: Design and Modeling

Step 3: Review Architecture and Identify Threats

In this step, you will analyze the MongoDB database schema to identify potential
threats and vulnerabilities. Follow these steps to conduct your analysis:
1. Access the MongoDB Database:
   o Tools: Use MongoDB Compass or the MongoDB Shell.
2. Examine the Collections:
   o Tools: Open the MongoDB Shell in MongoDB Compass.
   o Commands:
     ▪ `show collections`
     ▪ `db.<collection_name>.find().pretty()`
3. Identify Security Risks:
   o Consider common NoSQL vulnerabilities:
     ▪ Injection Attacks: look for queries that interpolate raw user input into
       operators, as in `db.<collection_name>.find({<field>: {$regex: /<user_input>/}})`
     ▪ Inadequate Access Controls: review the defined database users and their
       roles with `db.getUsers()`
     ▪ Schema Validation: check whether the collection has a validator with
       `db.getCollectionInfos({name: "<collection_name>"})` (the validator, if
       any, is listed under `options.validator`)
4. Use Threat Modeling Tools:
   o Tools: Use the Microsoft Threat Modeling Tool to document findings.
   o Create a threat model by mapping the interactions with the MongoDB
     database.
5. Propose Countermeasures:
   o For each identified threat, recommend countermeasures. Examples include:
     ▪ Implementing input validation and sanitization using libraries like Joi
       or express-validator in your application code.
     ▪ Enforcing role-based access control by configuring user roles in
       MongoDB Compass.
     ▪ Using TLS/SSL to secure data in transit; configure this in your
       MongoDB deployment settings.
     ▪ Setting up schema validation in the database using commands in the
       MongoDB Shell.
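The two risks above (operator injection through a `$regex` built from user input, and a collection with no validator) and their countermeasures, as an added Node.js example that is not part of the project brief; the function names, the `users` collection and its fields are assumptions:

```javascript
// Added example (not from the project brief). Hardens the query pattern reviewed
// in Step 3 and defines a $jsonSchema validator for an assumed users collection.

// Reject anything that is not a plain string: a JSON body such as {"$gt": ""} or
// {"$regex": ".*"} would otherwise be passed to MongoDB as a query operator.
function requireString(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string`);
  }
  return value;
}

// Escape regex metacharacters so user text is matched literally, never as a pattern.
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Safe version of db.<collection>.find({<field>: {$regex: /<user_input>/}}):
// the term is type-checked, length-capped, escaped and anchored.
function buildUsernameSearchFilter(userInput) {
  const term = requireString(userInput, 'username');
  if (term.length === 0 || term.length > 64) {
    throw new RangeError('username search term must be 1-64 characters');
  }
  return { username: { $regex: '^' + escapeRegex(term), $options: 'i' } };
}

// Server-side schema validation for the assumed users collection, in the
// $jsonSchema form MongoDB accepts through createCollection or collMod.
const usersValidator = {
  $jsonSchema: {
    bsonType: 'object',
    required: ['email', 'passwordHash', 'role'],
    additionalProperties: false,
    properties: {
      _id: { bsonType: 'objectId' },
      email: { bsonType: 'string', pattern: '^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$' },
      passwordHash: { bsonType: 'string', minLength: 20 },
      role: { enum: ['anonymous', 'user', 'administrator'] },
    },
  },
};

// Apply it to an existing collection from the MongoDB Shell or the driver:
// db.runCommand({ collMod: 'users', validator: usersValidator, validationLevel: 'strict' })
```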

Part 2 Delivery

A report detailing the identified threats associated with the MongoDB database,
including:

• A list of potential vulnerabilities.
• The different modeling diagrams produced with the Microsoft Threat Modeling Tool.
• Proposed countermeasures for each threat.

Part 3: Implementation

Step 4: Integrate Security Tools into CI/CD

You will now set up a CI/CD pipeline to automate security testing on every code push.
1. Configure a pipeline with GitHub Actions or Jenkins to execute security tests
with each code modification.
2. Integrate security tools like Snyk into the pipeline to scan the code for
vulnerabilities.
3. Set up a vulnerability monitoring system that records the results of the analyses
performed by Snyk.
4. Set up notifications to alert the development team when vulnerabilities are
detected. Use integrations with communication tools like Slack to send real-
time alerts.
5. Create a dashboard showing all detected vulnerabilities and their status. You
can use Grafana.
6. Set up scripts or webhooks to automate dashboard updates at regular
intervals, for example, after each security scan or on a daily basis.

Part 3 Delivery

A CI/CD pipeline configured to run security tests and generate reports on detected
vulnerabilities.

Part 4: Testing and Integration

Step 5: Security Testing Scenarios and Creation of Security Stubs

This step is crucial to verify that security features are properly implemented.

1. Write Security Testing Scenarios:


   o Focus on key functionalities such as:
     ▪ Authentication: Test login attempts with valid and invalid credentials.
     ▪ Session Management: Verify session expiration and token validity.
     ▪ User Input Validation: Check for injection (SQL/NoSQL) or XSS by
       submitting malicious input.
   o Tools: Use Postman to create and execute these tests.
   o Example Scenarios:
     ▪ Authentication:
       Test Case: Login with valid credentials.
       Request: POST /api/login
       Body: {"username": "validUser", "password": "validPass"}
     ▪ Session Management:
       Test Case: Attempt access with an expired token.
       Request: GET /api/protected
       Headers: Authorization: Bearer <expired_token>
     ▪ Input Validation:
       Test Case: Submit a malicious script.
       Request: POST /api/user
       Body: {"name": "<script>alert('XSS')</script>"}

2. Write Security Stubs:


   o Purpose: Stubs simulate specific behaviors in the application for
     testing purposes. This allows you to isolate security features and
     validate their effectiveness.
   o Implementation: Use Node.js for backend stubs and Vue.js for
     frontend stubs.
Backend (Node.js):
• Create middleware stubs in your Node.js application to simulate
various scenarios.
• Example: Simulating unauthorized access.
   o Code:
```javascript
// authStub.js
// Middleware stub: forces the "no authenticated user" state so that the
// route's authorization check can be exercised on its own.
function unauthorizedAccess(req, res, next) {
  req.user = null; // No user is authenticated
  next();
}

module.exports = unauthorizedAccess;

// routes.js - usage in your routes (a separate file, so the stub can be
// swapped for the real authentication middleware outside of tests)
const express = require('express');
const unauthorizedAccess = require('./authStub');
const router = express.Router();

router.get('/api/protected', unauthorizedAccess, (req, res) => {
  if (!req.user) {
    return res.status(401).json({ message: 'Unauthorized access' });
  }
  res.json({ message: 'Welcome to the protected route' });
});

module.exports = router;
```

Frontend (Vue.js):
• Create mock components or use Vue's testing libraries to simulate security
behaviors.
• Example: Simulating a restricted area access attempt.
   o Code:

```vue
<!-- RestrictedComponent.vue -->
<template>
  <div v-if="isAuthorized">Welcome to the restricted area!</div>
  <div v-else>You are not authorized to view this content.</div>
</template>

<script>
export default {
  data() {
    return {
      isAuthorized: false, // Simulate unauthorized access
    };
  },
  mounted() {
    // Simulate an unauthorized state
    this.checkAuthorization();
  },
  methods: {
    checkAuthorization() {
      // Stub logic to simulate unauthorized access
      this.isAuthorized = false;
    },
  },
};
</script>
```

Part 4 Delivery

• A list of security test scenarios to be run with the Postman tool in the format:
Scenario, steps, expected results based on your understanding of the
application architecture, the definition of security objectives and the potential
threats identified.
• Results of the security test scenarios executed with Postman.
• Integrated security stubs in both the Node.js backend and Vue.js frontend that
simulate specific behaviors during security testing.

Part 5: Deployment and Maintenance

Step 6: Vulnerability Analysis of Containers

Once testing is complete, you will check the security of the containers and perform
dynamic analyses.
1. Analyze Docker containers with Trivy to detect vulnerabilities in container
images. You can also add Trivy in your workflow.
2. Use OWASP ZAP to conduct a dynamic application security test (DAST) to
identify security flaws (e.g., injections, XSS).

Step 7: Penetration Testing and Vulnerability Management

Finally, you will take an attacker's perspective to identify residual vulnerabilities.


1. Perform black-box and gray-box penetration tests to simulate external
attacks on the application, without access to the source code (black-box) and
with partial information (gray-box).
2. Establish a vulnerability management plan to ensure that identified flaws
are corrected in the long term. This plan will include periodic scans,
dependency updates, and remediation of vulnerabilities found during testing.

Part 5 Delivery

• A report listing vulnerabilities in Docker containers and recommended fixes.
• A DAST report with recommendations for detected vulnerabilities.
• A report detailing residual vulnerabilities and proposed fixes after penetration
testing.
• A documented vulnerability management plan, including steps to maintain
application security.

Delivery

1. Detailed project plan (Part 1)
2. Document of security requirements (Part 1)
3. Threat analysis report and countermeasures (Part 2)
4. Configured CI/CD pipeline integrating security tests (Part 3)
5. List of security testing scenarios and integrated security stubs (Part 4)
6. Report of container vulnerability analysis and DAST (Part 5)
7. Penetration testing report and vulnerability management plan (Part 5)

Resources

1. Example of Secure SDLC documentation

2. Official Documentation:

o Vue.js: Guide to Vue.js for front-end development.

o Node.js: Backend development documentation.

o MongoDB: NoSQL database reference.

o Express.js: Web framework for building the backend.

3. Security Tools:
o OWASP ZAP: Web application security scanner.

o Snyk: Vulnerability scanning tool for dependencies.

o npm audit: Scan Node.js packages for vulnerabilities.

o Postman: API testing platform.

o Trivy: Docker image vulnerability scanner.

4. Threat Modeling:

o Microsoft Threat Modeling Tool.

o OWASP Top 10: Web security risks.

5. Version Control:

o GitHub Guide: GitHub and version control basics.

o GitHub Actions: Setting up CI/CD pipelines.

6. Courses:

o FreeCodeCamp: Full-stack web development.

o Vue Mastery: In-depth Vue.js courses.

7. Development Tools:

o VSCode: IDE for full-stack development.

o Docker: Containerizing applications.

o Nodemon: Auto-restart for Node.js.

8. Best Practices:

o Node.js Security Best Practices.

o Vue.js Security Guide.


Development benchmark

To get rich, you choose to develop a complete web platform about
cryptocurrencies.

In doing so, you will be able to source intel from your users and benefit from their
knowledge.

FEATURES

USERS MANAGEMENT
Three levels of access are managed with specific privileges:

• anonymous access:
  o have access to the N most popular cryptocurrency prices as well as their
    evolution (trend and percentage) since the opening. The list of the N most
    popular cryptocurrencies is defined by an administrator.
  o can check the latest K articles in the press; K is set by an administrator.

• user access:
  o must first create an account (both MUST be implemented)
  o user can authenticate by email/password or by OAuth2 ( )
  o can determine their own list(*) of cryptocurrencies
  o can define keywords to refine the press review
  o can change their preferences on their profile page

• administrator access:
  o manage global application preferences
  o list of cryptocurrencies that can be consulted
  o list of sources (RSS feeds) to constitute the press review

(*) The list of eligible cryptocurrencies is established by an administrator. By
default, this list is the same as for an anonymous user.

CRYPTO-CURRENCIES

Your backend's API manages cryptocurrencies.

PRESS REVIEW

Your platform must be able to provide the freshest news on crypto-currencies. Set
up a background running service that will consume RSS feeds and offer a fine and
up-to-date press review.

Practical Tips

• Prepare thoroughly: rehearse your presentation in advance.
• Be concise and to the point.
• Take notes during feedback sessions to improve your project.

Agenda for the "Review"

1. Introduction (5 minutes)
a. Welcome and session opening.
b. Explanation of presentation rules and process.
c. Recap of objectives for each presenter.

2. Project Presentations (10 minutes)

a. Presentation Organization:
i. Each group has a maximum of 10 minutes to present their
project.
ii. Presentations follow a predefined order.
b. Presentation Tips:
i. Prepare to present your project clearly and succinctly.
ii. Always prepare a presentation PowerPoint (pptx, Canva, etc.).
iii. Highlight the most important aspects of your work.

3. Discussions and Feedback (10 minutes)

a. Post-Presentations Exchange:
i. Evaluators and other students can ask questions or provide
feedback.
ii. Take note of suggestions and comments to enhance your
project.

4. Conclusion (5 minutes)
a. Session summary and thanks to all participants.
b. Announcement of next steps or actions to be taken.

Time Management

a. Each group has 10 minutes for presentation.
b. Total presentation time is approximately 25 minutes.
c. The remaining 5 minutes are for transitions between presentations,
discussions, and feedback.
