SDEV 460 – Homework 2
Testing Framework and Basic Security Controls
Overview:
This homework will demonstrate your knowledge of creating a testing framework and using that
framework to conduct some basic server and web application security controls.
Assignment: Total 100 points
Using the readings from weeks 3 and 4 as a baseline, first develop a testing framework with these phases as guidelines for your organization or an organization you would like to work for in the future.
• Before development begins
• During definition and design
• During development
• During deployment
• Maintenance and operations
You will need to fill in the details for each phase by 1) describing what each phase encompasses and 2) listing 3 or more activities you will engage in for each phase. In addition, you will apply part of this framework in the phase “During development” by applying the three tests/security controls outlined below to the existing SDEV virtual machine in the default root website.
Security Controls to Test
1. Fingerprint Web Server (OTG-INFO-002)
• Use netcat, httprint or another tool to discover the web server software vendor and release. Show the output of the tool.
• Perform online research about the discovered software vendor and release. Report upon documented vulnerabilities in the release.
• Report upon how you would mitigate any documented vulnerabilities.
2. Review webpage comments and metadata for information leakage (OTG-INFO-005). Manually review the sample HTML applications in the Apache Web Server directories.
• Based upon online research, what are three or more categories of information that would be considered information leakage that is not acceptable?
• Review the web site to see if there is information leakage in the SDEV information. Report upon what you have discovered and your method of discovery.
3. Test HTTP Methods (OTG-CONFIG-006) – See which HTTP methods are available on the virtual machine. Use netcat or another tool against this SDEV site.
• Which HTTP methods are enabled and disabled on this site? Show the output of your tool indicating the HTTP methods.
• Which methods potentially pose a security risk for a web application, and why? Describe how these pose a risk.
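The three controls above, worked offline in one place, as an added Python example that is not part of the assignment, the course materials or the SDEV virtual machine. It parses raw HTTP replies of the kind netcat prints, reads the Server banner (OTG-INFO-002), lists the methods advertised in an OPTIONS reply and flags the ones that need a risk write-up (OTG-CONFIG-006), and scans HTML comments and meta tags for the leakage categories the second control asks about (OTG-INFO-005). Both responses, the `Apache/2.4.XX (Example)` banner, the leakage patterns and every address, path and credential in the sample page are constructed for the example, not captured from any real server.

```python
"""Offline helpers for the three controls in this assignment: server
fingerprint (OTG-INFO-002), HTML comment/metadata leakage (OTG-INFO-005)
and enabled HTTP methods (OTG-CONFIG-006).
Added example; every response below is constructed sample data."""
import re
from html.parser import HTMLParser

# Constructed: what a raw reply to `OPTIONS / HTTP/1.0` might look like.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.XX (Example)\r\n"   # placeholder banner, not a real version
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "\r\n"
)

# Constructed: a page whose comments and <meta> tags leak more than they should.
SAMPLE_PAGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.XX (Example)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="ExampleCMS 1.2">\n'
    '<meta name="author" content="jdoe@example.com">\n'
    "</head><body>\n"
    "<!-- TODO: remove test login admin / Passw0rd before release -->\n"
    "<!-- backend at 10.0.0.15, config in /var/www/app/config.ini -->\n"
    "<p>Welcome</p>\n"
    "</body></html>\n"
)

def parse_http_response(raw):
    """Split a raw HTTP/1.x response (e.g. pasted from netcat) into
    (status line, header dict with lower-cased names, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def server_banner(headers):
    """OTG-INFO-002: the Server header is the simplest fingerprint and names
    the vendor/release whose advisories the assignment asks you to research."""
    return headers.get("server", "<not disclosed>")

# Methods that warrant a documented risk and mitigation when advertised.
RISKY_METHODS = {
    "TRACE": "echoes the request back, so request headers such as cookies can be reflected",
    "PUT": "lets clients write files to the server unless tightly restricted",
    "DELETE": "lets clients remove server resources",
    "CONNECT": "can turn the server into a proxy towards other hosts",
}

def allowed_methods(headers):
    """OTG-CONFIG-006: methods the server advertises in the Allow header."""
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]

def risky_methods(methods):
    """Subset of the advertised methods that need a risk write-up."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}

# Leakage categories to flag inside comments and metadata (constructed list).
LEAK_PATTERNS = {
    "credential": re.compile(r"\b(password|passw0rd|pwd|secret)\b", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "internal_ip": re.compile(r"\b(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)\b"),
    "filesystem_path": re.compile(r"(/[\w.-]+){2,}"),
    "dev_note": re.compile(r"\b(TODO|FIXME|debug|test)\b", re.I),
}

class LeakCollector(HTMLParser):
    """Gather HTML comments and descriptive <meta> tags, the two places
    OTG-INFO-005 has you read by hand."""
    def __init__(self):
        super().__init__()
        self.items = []  # (location, text)

    def handle_comment(self, data):
        self.items.append(("comment", data.strip()))

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            name = (a.get("name") or "").lower()
            if name in ("generator", "author", "description", "keywords"):
                self.items.append(("meta:" + name, a.get("content") or ""))

def find_leaks(html):
    """Return (location, category, matched text) triples for every hit."""
    collector = LeakCollector()
    collector.feed(html)
    findings = []
    for location, text in collector.items:
        for category, pattern in LEAK_PATTERNS.items():
            findings.extend((location, category, m.group(0)) for m in pattern.finditer(text))
        if location.startswith("meta:") and text:
            findings.append((location, "metadata", text))  # discloses tooling or people
    return findings

if __name__ == "__main__":
    _, opt_headers, _ = parse_http_response(SAMPLE_OPTIONS_RESPONSE)
    print("Server banner:", server_banner(opt_headers))
    methods = allowed_methods(opt_headers)
    print("Advertised methods:", ", ".join(methods))
    for method, why in risky_methods(methods).items():
        print(f"  risk {method}: {why}")
    _, _, page = parse_http_response(SAMPLE_PAGE_RESPONSE)
    for location, category, text in find_leaks(page):
        print(f"leak [{category}] in {location}: {text}")
```

To use the helpers on your own results, paste the raw reply netcat printed into `parse_http_response` and save the HTML of each sample page for `find_leaks`. Two caveats worth recording in the write-up: the Allow header only lists what the server chooses to advertise, so the methods you observe directly are the ones to report, and the Server banner can be shortened or removed by configuration, in which case the fingerprint comes from other response characteristics rather than this header.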
Site Configuration:
Note: Use the SDEV Virtual Machine you downloaded and used for SDEV 300. The URL is here if you need to download it again: https://citeapps.umuc.edu/SDEV/
The VM runs on the latest version of Oracle VirtualBox. Also review the instructions for installing and configuring the VM and application under the “Course Materials” section of the course portal. It also contains the necessary password(s) to log in.
Deliverables:
You should submit your source testing framework document along with the results of testing the three security controls listed above. Screen captures should be clearly labeled, indicating exactly what the screen capture represents. Your document should be well-organized, include page numbers, include all references used and contain minimal spelling and grammatical errors.
Grading Rubric:

Testing Framework (50 points)
Meets:
• Develops and fills in details for the “before development begins” phase testing framework. (10 points)
• Develops and fills in details for the “during definition and design” phase testing framework. (10 points)
• Develops and fills in details for the “during development” phase testing framework. (10 points)
• Develops and fills in details for the “during deployment” phase testing framework. (10 points)
• Develops and fills in details for the “maintenance and operations” phase testing framework. (10 points)
Does not meet:
• Does not develop or fill in details for the “before development begins” phase testing framework.
• Does not develop or fill in details for the “during definition and design” phase testing framework.
• Does not develop or fill in details for the “during development” phase testing framework.
• Does not develop or fill in details for the “during deployment” phase testing framework.
• Does not develop or fill in details for the “maintenance and operations” phase testing framework.

Security Controls (30 points)
Meets:
• Fingerprints Web Server (OTG-INFO-002) in the Apache Web Server main site. Identifies and researches the Apache software version. (10 points)
• Reviews webpage comments and metadata for information leakage (OTG-INFO-005). (10 points)
• Tests HTTP Methods (OTG-CONFIG-006) and documents which HTTP methods are available on the virtual machine main web site. Describes risks in HTTP methods. (10 points)
Does not meet:
• Does not fingerprint Web Server (OTG-INFO-002) in the Apache Web Server main site. Does not identify and research the Apache software version.
• Does not review webpage comments and metadata for information leakage (OTG-INFO-005).
• Does not test HTTP Methods (OTG-CONFIG-006) and document which HTTP methods are available on the virtual machine main web site. Does not describe risks in HTTP methods.

Documentation and Submission (20 points)
Meets:
• Submits source testing framework document. (5 points)
• Document includes the results from testing the three security controls listed in the instructions. (5 points)
• Screen captures are clearly labeled, indicating exactly what the screen capture represents. (5 points)
• Document is well-organized, includes page numbers, includes all references used, and contains minimal spelling and grammatical errors. (5 points)
Does not meet:
• Does not submit source testing framework document.
• Does not include the results from testing the three security controls listed in the instructions.
• Screen captures are not clearly labeled indicating exactly what the screen capture represents.
• Document is not well-organized, or does not include page numbers, or does not include all references used, and contains multiple spelling and grammatical errors.