Authentication-Authorization-and-Session-Management-Security-Controls


SDEV 460 – Homework 3
Authentication, Authorization and Session Management Security Controls
Overview:
This homework will demonstrate your knowledge of testing security controls aligned with Authentication, Authorization and Session Management.
Assignment: Total 100 points
Using the readings from weeks 5 and 6 as a baseline, analyze, test and document the results for the tutoring web application found on the SDEV virtual machine. You must use a combination of automated (e.g., OWASP ZAP) and manual methods. Specific tests to be conducted include:
1. Test Role Definitions (OTG-IDENT-001)
• Create a test matrix for the roles you see in the application, including each role, the actions it is permitted to perform, the objects it can act on, and any constraints.
2. Test User Registration Process (OTG-IDENT-002)
• Describe why this test is important to conduct and what threat it mitigates.
• Be sure to answer the six questions and the two validation processes found in the OWASP Testing Guide for the user registration process, and make at least three recommendations for improving this aspect of the application.
3. Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)
• Describe why this test is important to conduct and what threat it mitigates.
• Note: since HTTPS is not implemented, this test will fail. What recommendations (at least three) would you make to rectify the situation? What do other sites do for authentication?
4. Testing for Default Credentials (OTG-AUTHN-002)
• Describe why this test is important to conduct and what threat it mitigates.
• Are you able to guess a username and default email address for the application or for underlying components such as the database?
• Does the application store any credentials unencrypted in the database or in a flat file?
5. Testing for Weak Lock Out Mechanism (OTG-AUTHN-003)
• Describe why this test is important to conduct and what threat it mitigates.
• Does the system lock the account out after X failed attempts for a period of time? If not, what issues are associated with this, and how could it be remedied (at least three recommendations)?
6. Testing for Weak Password Policy (OTG-AUTHN-007)
• Are passwords weak? If so, describe at least three recommendations for improvement.
• What is at least one recommended password and lockout policy in the industry (e.g., NIST)? List what it recommends for a strong password policy.
7. Testing for Directory Traversal/File Include (OTG-AUTHZ-001)
• Describe why this test is important to conduct and what threat it mitigates.
• Are you able to traverse to another directory? If so, what can be done to fix this? Note: this can be difficult to verify manually without testing all possible cases, which is why it lends itself to automated scanning.
8. Testing for Bypassing Authorization Schema (OTG-AUTHZ-002)
• Is it possible to obtain admin rights through the non-admin path? Verify and demonstrate.
9. Testing for Cookie Attributes (OTG-SESS-002)
• Describe why this test is important to conduct and what threat it mitigates.
• Are cookies present? Are they expired? Do they have the HttpOnly attribute set? Are they easy to guess, and why or why not?
10. Testing for Logout Functionality (OTG-SESS-006)
• Describe why this test is important to conduct and what threat it mitigates.
• Can a user log out of their session properly? If not, what recommendations (at least three) do you have to improve session security?
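As an added example for test 7 (it is not code from the assignment or from the tutor application), the following Python compares the naive file-path resolution that fails OTG-AUTHZ-001 with a hardened resolver, run against constructed traversal payloads. BASE_DIR and the payload list are hypothetical; the point is that the hardened check decides on the canonicalised result, not on pattern-matching "../".

```python
"""Added example for OTG-AUTHZ-001: naive vs. hardened resolution of a user-supplied path."""
import os
from urllib.parse import unquote

# Constructed payloads typical of a manual or ZAP-driven traversal test.
# BASE_DIR is a hypothetical upload folder, not a path taken from the SDEV VM.
BASE_DIR = "/srv/tutor/uploads"
PAYLOADS = [
    "notes.txt",                       # legitimate
    "subdir/../notes.txt",             # legitimate, normalises inside base
    "../../../etc/passwd",             # classic traversal
    "..%2F..%2F..%2Fetc%2Fpasswd",     # URL-encoded slashes
    "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",  # double encoding
    "/etc/passwd",                     # absolute path
    "..\\..\\..\\windows\\win.ini",    # backslash variant
    "notes.txt%00.jpg",                # null-byte extension bypass
]


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding; stop as soon as a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_resolve(base, user_path):
    """The pattern that fails the test: decode once, join, trust the result.
    os.path.join silently discards `base` when user_path is absolute."""
    return os.path.normpath(os.path.join(base, unquote(user_path)))


def safe_resolve(base, user_path):
    """Hardened version: canonicalise, then require the result to stay under base."""
    base_real = os.path.realpath(base)
    decoded = decode_fully(user_path)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    # Treat the input as relative and normalise separators before resolving.
    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # commonpath is component-wise; a plain prefix test would accept /srv/tutor/uploads2.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def run(base, payloads):
    """Return {payload: (naive_result, hardened_result_or_'REJECTED')}."""
    report = {}
    for p in payloads:
        try:
            safe = safe_resolve(base, p)
        except ValueError:
            safe = "REJECTED"
        report[p] = (vulnerable_resolve(base, p), safe)
    return report


if __name__ == "__main__":
    for payload, (naive, safe) in run(BASE_DIR, PAYLOADS).items():
        print(f"{payload!r:64} naive -> {naive:40} hardened -> {safe}")
```

Two details worth reading off the output: the naive resolver decodes only once, so the double-encoded payload looks harmless to it and would be decoded again by a later layer, and the absolute-path payload replaces the base directory entirely. The hardened resolver keeps "/etc/passwd" as a relative name under the base rather than rejecting it, because after canonicalisation it is inside the allowed tree.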
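As an added example for test 9, not part of the assignment or of the tutor application: a small Python checker that grades Set-Cookie headers for the questions OTG-SESS-002 asks (present, expired, HttpOnly, guessable) plus the Secure and SameSite attributes a reviewer would also look for. The three headers are constructed samples; the `sid` cookie is what a hardened session cookie should look like.

```python
"""Added helper for OTG-SESS-002: grade Set-Cookie headers the way a manual tester would."""
import math
import re
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; NOT captured from the SDEV tutor application.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=abc123; path=/",
    "Set-Cookie: user=admin; expires=Thu, 01 Jan 2015 00:00:00 GMT; path=/",
    "Set-Cookie: sid=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08;"
    " Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=1800",
]

# A value that is a bare word or number carries a meaning (role, user id) an
# attacker can enumerate, rather than being a random session identifier.
PREDICTABLE_VALUE = re.compile(r"[A-Za-z]+|\d+")


def parse_set_cookie(header):
    """Return (name, value, {attribute_lowercased: value}) for one Set-Cookie line."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    pieces = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def entropy_bits(value):
    """Observed Shannon entropy per character times length: a rough upper bound on
    the guessability of ONE sample. A real test collects many tokens (ZAP's session
    token analysis does this) because a single token cannot expose a predictable generator."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def assess_cookie(header, now=None):
    """Return the cookie's name, value, entropy estimate and a list of weaknesses."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie (XSS session theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will send it over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests (CSRF)")
    if "max-age" in attrs:
        try:
            if int(attrs["max-age"]) <= 0:
                findings.append("already expired (Max-Age <= 0)")
        except ValueError:
            findings.append("malformed Max-Age")
    elif "expires" in attrs:
        if parsedate_to_datetime(attrs["expires"]) < now:
            findings.append("already expired (Expires in the past)")
    else:
        findings.append("no Expires/Max-Age: session cookie, lives until the browser exits")
    bits = entropy_bits(value)
    if bits < 64:
        findings.append(f"low entropy (~{bits:.0f} bits observed): feasible to guess")
    if PREDICTABLE_VALUE.fullmatch(value):
        findings.append("value is a bare word or number: predictable, not a random token")
    return {"name": name, "value": value, "entropy_bits": round(bits, 1), "findings": findings}


def assess_all(headers, now=None):
    return [assess_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for result in assess_all(SAMPLE_HEADERS):
        status = "OK" if not result["findings"] else "WEAK"
        print(f"{result['name']}: {status} ({result['entropy_bits']} bits)")
        for finding in result["findings"]:
            print("   -", finding)
```

Paste the Set-Cookie lines from ZAP's request/response view into SAMPLE_HEADERS to grade the application's own cookies. The entropy figure is only a sanity check on one value; for the "easy to guess" question, log in repeatedly, collect a few hundred session identifiers and look for sequential or timestamp-derived patterns.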
Other Guidance:
You should document the test results, your comments, and recommendations for improved security for each security control tested in a Word or PDF document. Provide screen captures and descriptions for all tests conducted. Discuss any issues found and possible mitigations. Review the grading rubric below to verify completeness.
Note: Use the SDEV Virtual Machine you downloaded and used for SDEV 300. If you need to download it again, the URL is https://citeapps.umuc.edu/SDEV/
The VM runs on the latest version of Oracle VirtualBox. Full instructions, as well as the necessary passwords, are included in the course materials within this course.
Deliverables:
You should submit your document by the due date. Your document should be well-organized, include all references used and contain minimal spelling and grammar errors. Screen captures should be clearly labeled indicating exactly what the screen capture represents.
Grading Rubric (attribute, points, and what meets expectations):
Role Definitions (10 points)
• Conducts Test Role Definitions (OTG-IDENT-001) as applied to the sample tutor application, including all attributes. (5 points)
• Creates a test matrix for the roles seen in the sample tutor application. (5 points)
User Registration (10 points)
• Describes the importance of this test and the threat it addresses. (2 points)
• Tests the user registration process (OTG-IDENT-002) as applied to the sample tutor application. (3 points)
• Answers the six questions and two validation processes found in the OWASP Testing Guide for the user registration process and makes at least three recommendations for improving this aspect of the application. (5 points)
Credentials Transported (5 points)
• Describes the importance of this test and the threat it addresses. (1 point)
• Tests for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001) as applied to the sample tutor application. (2 points)
• Provides three or more recommendations to mitigate the threat and discusses what other sites do for authentication. (2 points)
Default Credentials (5 points)
• Describes the importance of this test and the threat it addresses. (1 point)
• Tests for default credentials (OTG-AUTHN-002) as applied to the sample tutor application. (2 points)
• Discusses findings about guessing credentials and the storage of credentials in flat files or the database. (2 points)
Weak Lock Out Mechanism (10 points)
• Describes the importance of this test and the threat it addresses. (1 point)
• Tests for weak lock-out mechanism (OTG-AUTHN-003) as applied to the sample tutor application. (4 points)
• Discusses results of system lock-out after X attempts and associated issues; provides at least three recommendations to remedy. (5 points)
Weak Password Policy (10 points)
• Tests for weak password policy (OTG-AUTHN-007) as applied to the sample tutor application. (4 points)
• Discusses whether passwords are weak and provides at least three recommendations to remedy. (3 points)
• Researches and describes at least one recommended password policy in the industry, listing what it recommends for a strong password policy. (3 points)
Directory Traversal/File Include (10 points)
• Describes the importance of this test and the threat it addresses. (1 point)
• Tests directory traversal/file include (OTG-AUTHZ-001) as applied to the sample tutor application. (5 points)
• Discusses whether a user is able to traverse to another directory and what can be done to fix the issue. (4 points)
Bypassing Authorization Schema (10 points)
• Tests for Bypassing Authorization Schema (OTG-AUTHZ-002) as applied to the sample tutor application. (5 points)
• Discusses and demonstrates whether a user can obtain admin rights through the non-admin path. (5 points)
Cookie Attributes (5 points)
• Describes the importance of this test and the threat it addresses. (1 point)
• Discusses whether cookies are present, whether they are expired, whether they are easy to guess, and whether they have the HttpOnly attribute set. (4 points)
Logout Functionality (5 points)
• Describes the importance of this test and the threat it addresses. (1 point)
• Tests for logout functionality (OTG-SESS-006) as applied to the sample tutor application. (2 points)
• Discusses whether a user can log out of their session properly and provides at least three recommendations to improve session security. (2 points)
Documentation and Submission (20 points)
• Submits a Word or PDF document including results from all security control testing. (10 points)
• Screen captures are clearly labeled and visible, indicating exactly what each screen capture represents. (5 points)
• Document is well organized, includes page numbers, includes all references used, and contains minimal spelling and grammatical errors. (5 points)

 