
Microproject Report of Java Programming

GOVERNMENT POLYTECHNIC, AMRAVATI


(An Autonomous Institute of Govt. of Maharashtra)

MICRO-PROJECT REPORT ON

CASE STUDY ON SOFTWARE SECURITY

In Partial fulfilment of Diploma in Computer Engineering


In the subject of Software Project Management (FC4452)

By

Chaitanya Paraskar (20CM004)

Under the Guidance of

Dr. C. P. Ahir
Lecturer, Department of Computer Engineering

DEPARTMENT OF COMPUTER ENGINEERING


Session 2021-2022


GOVERNMENT POLYTECHNIC, AMRAVATI


(An autonomous institute of Government of Maharashtra)

DEPARTMENT OF COMPUTER ENGINEERING

CERTIFICATE

This is to certify that 20CM004 Chaitanya Paraskar of Fourth Semester Diploma in
Computer Engineering has satisfactorily completed the Micro-project entitled
“Case Study on Software Security” in Software Project Management – FC 4452
for academic year 2021-22 as prescribed in curriculum.

Place : Amravati Dr. C. P. Ahir


Date: 07/06/2022 Computer Engineering Department


VISION AND MISSION OF THE INSTITUTION


Vision
To be a vibrant technical institute of global reputes contributing towards the needs of
industries & society.

Mission
1. To develop competent diploma engineers suitable for contemporary industrial environment.
2. To inculcate socially accepted ethics & values among budding engineers.
3. To nurture innovations and entrepreneurship.
4. To produce engineers with psychomotor & cognitive skills committed to lifelong learning.

VISION AND MISSION OF THE DEPARTMENT

Vision
Provide skilled professionals in Computer Engineering to contribute towards the
advancement of technology useful for society and the industrial environment.

Mission
1. Impart need-based and value-based education by providing exposure to the latest tools and
technologies in the area of computer engineering to satisfy the stakeholders.
2. Upgrade and maintain facilities for quality technical education with continuous effort for
excellence in Computer Engineering.
3. Train students with Computer Engineering knowledge to apply it in the general disciplines of
design, deployment of software, and integration of existing technologies for E-governance and
benefit of society.
4. Provide a learning ambiance to enhance innovations, problem-solving skills, leadership
qualities, team spirit, and ethical responsibilities.


INDEX

Sr. No   Contents
1        Title Page
2        Certificate
2        Vision and Mission of Institution
3        Vision and Mission of Department
4        Index
5        Figures Index
6        Report Part – A
7        Conclusion
8        References


FIGURES INDEX

Sr. No.   Figures      Description
1         Fig 6.1
2         Fig 6.2
3         Fig 6.3
4         Fig 6.4
5         Fig 6.5
6         Fig 6.6
7         Table 6.7


PART - A

1. Brief Introduction

Along with this, this project report also covers software security activities, attacks,
challenges in implementing security, guiding principles, security practices, practices to
follow in every phase, and best practices. This project report is very beneficial for
those who want to learn what SSDLC is and how to implement it in real-time software
development.

2. Aims of the Micro-Project

This Micro-Project aims at:

• To conduct market survey based on specifications of a product/machinery.

3. Course outcomes integrated

• Apply software quality assurance in software development.

4. Actual Procedure Followed.

Sr. no.   Details of activity                        Start date    Finish date
1.        Research and Collecting Data               20/04/2022    02/05/2022
2.        Sorting the required information           03/05/2022    04/05/2022
3.        Creating and editing the report            08/05/2022    09/05/2022
4.        Preparing Case Study                       10/05/2022    13/05/2022
5.        Editing and making changes to the Report   14/05/2022    19/05/2022
6.        Removing Errors from the Report            20/05/2022    25/05/2022
7.        Preparing Final Submission File            26/05/2022    28/05/2022


5. Actual Resources Used

Sr. No.   Name of The Resource     Specifications
1         INTERNET                 --
2         GOOGLE CHROME BROWSER    --
3         LAPTOP                   Core i3, 1st generation, 4 GB RAM, 500 GB HDD
4         MS WORD                  2007 64-bit
5         MS POWERPOINT            2007 64-bit


PART - B
1. Brief Introduction

Along with this, this project report also covers software security activities, attacks,
challenges in implementing security, guiding principles, security practices, practices to
follow in every phase, and best practices. This project report is very beneficial for
those who want to learn what SSDLC is and how to implement it in real-time software
development.

2. Aims of the Micro-Project

This Micro-Project aims at:

• To conduct market survey based on specifications of a product/machinery.

3. Course outcomes integrated

• Apply software quality assurance in software development.

4. Actual Procedure Followed.

Sr. no.   Details of activity                        Start date    Finish date
1.        Research and Collecting Data               20/04/2022    02/05/2022
2.        Sorting the required information           03/05/2022    04/05/2022
3.        Creating and editing the report            08/05/2022    09/05/2022
4.        Preparing Case Study                       10/05/2022    13/05/2022
5.        Editing and making changes to the Report   14/05/2022    19/05/2022
6.        Removing Errors from the Report            20/05/2022    25/05/2022
7.        Preparing Final Submission File            26/05/2022    28/05/2022


5. Actual Resources Used

Sr. No.   Name of The Resource     Specifications
1         INTERNET                 --
2         GOOGLE CHROME BROWSER    --
3         LAPTOP                   Core i3, 1st generation, 4 GB RAM, 500 GB HDD
4         MS WORD                  2007 64-bit
5         MS POWERPOINT            2007 64-bit

6. Assessment by Faculty as per Rubrics

Process Assessment Product Assessment Total Marks Signature by Faculty


CASE STUDY ON SOFTWARE SECURITY

INTRODUCTION:

• Software security is an idea implemented to protect software against malicious attacks
and other hacker risks so that the software continues to function correctly under such
potential risks. Security is necessary to provide integrity, authentication and
availability. Any compromise of integrity, authentication or availability makes software
insecure. Software systems can be attacked to steal information, monitor content,
introduce vulnerabilities and damage the behaviour of the software. Malware can cause
DoS (denial of service) or crash the system itself.
• Software security looks to increase the integrity of software by testing and fortifying
software at the various stages and environments it moves through during the software
development lifecycle (SDLC) and following its release.

Software security activities include:

Fig 6.1 SOFTWARE SECURITY ACTIVITIES

• Secure software design
• User authentication
• User session management
• Secure coding that follows established guidelines
• Validation of third-party components

Most common attacks on software:

Fig 6.2 COMMON ATTACKS ON SOFTWARE

• The most common attacks on software are buffer overflow, stack overflow, command
injection and SQL injection. Buffer and stack overflow attacks overwrite the contents of
the heap or stack respectively by writing extra bytes.
• Command injection becomes possible when software code relies heavily on system
commands: a malicious attacker appends new system commands to the existing ones.
SQL injections use malicious SQL code to retrieve or modify important information from
database servers. SQL injections can be used to bypass login credentials. Sometimes SQL
injections fetch important information from a database or delete all important data from
a database.

CHALLENGES IN IMPLEMENTING SOFTWARE SECURITY DURING SOFTWARE DEVELOPMENT

Fig 6.3 CHALLENGES IN IMPLEMENTING SOFTWARE SECURITY

• Advances in technology result in more complex application environments, and
application development security becomes more challenging. Applications, systems, and
networks are constantly under various security attacks such as malicious code or denial
of service. Some of the challenges from a software security point of view include
viruses, Trojan horses, logic bombs, worms, agents, and applets.
• Applications can contain security vulnerabilities that may be introduced by software
engineers either intentionally or carelessly.
• Even though programmers may follow best practices, an application can still fail due to
unpredictable conditions and therefore should handle unexpected failures successfully by
first logging all the information it can capture in preparation for auditing. As security
increases, so does the relative cost and administrative overhead.

BASIC GUIDING PRINCIPLES TO SOFTWARE SECURITY

Fig 6.4 GUIDING PRINCIPLES

• Protection from disclosure
• Protection from alteration
• Protection from destruction
• Who is making the request
• What rights and privileges does the requester have
• Ability to build historical evidence
• Management of configuration, sessions and errors/exceptions

BASIC SECURITY PRACTICES

Fig 6.5 BASIC SECURITY PRACTICES

The following list gives some of the recommended web security practices that are more
specific to software developers.

• Sanitize inputs at the client side and server side
• Encode request/response
• Use HTTPS for domain entries
• Use only current encryption and hashing algorithms
• Do not allow directory listing
• Do not store sensitive data inside cookies
• Check the randomness of the session
• Set Secure and HttpOnly flags in cookies
• Use TLS, not SSL
• Set a strong password policy
• Do not store sensitive information in a form’s hidden fields
• Verify file upload functionality
• Set secure response headers
• Make sure third-party libraries are secured
• Hide web server information
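
A way to check a few of these practices on an HTTP response (cookie flags, secure response headers, hidden server information), as an added example that is not part of the original report. The set of required headers and both sample responses are assumptions constructed for illustration.

```python
import re

# Assumption: the report says "set secure response headers" without naming
# them; these three widely used headers are chosen here for illustration.
REQUIRED_HEADERS = {
    "strict-transport-security": None,      # any value accepted
    "x-content-type-options": "nosniff",    # must match exactly
    "content-security-policy": None,
}

def cookie_flags(set_cookie_value):
    """Return (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(headers):
    """headers: list of (name, value) pairs; returns a list of findings."""
    findings, seen = [], {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = cookie_flags(value)
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {name}: missing {flag} flag")
        else:
            seen[key.lower()] = value
    for header, expected in REQUIRED_HEADERS.items():
        if header not in seen:
            findings.append(f"missing header: {header}")
        elif expected and seen[header].strip().lower() != expected:
            findings.append(f"header {header} should be {expected}")
    # "Hide web server information": flag version numbers and framework banners.
    if re.search(r"\d", seen.get("server", "")):
        findings.append("server header discloses a version")
    if "x-powered-by" in seen:
        findings.append("x-powered-by header present")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Content-Type", "text/html"),
]
HARDENED_RESPONSE = [
    ("Server", "webserver"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```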

SSDLC BRIEF INTRODUCTION:

➢ What is SSDLC?
• Established in the late 1960s, the Secure Software Development Life Cycle (SDLC) has
grounded itself in nearly every modern software company.

The secure software development life cycle is a step-by-step procedure to develop software
with several objectives, including:

• Scalably streamlining the product/software pipeline
• Optimizing the design, deployment, and maintenance of said software

➢ What is the need of Secure SDLC?

• In a world overrun by devices, gadgets and electronics, security vulnerabilities can spell
disaster for people and organizations. If you’re a company, ignoring security can lead to
huge financial losses. It only takes the exploitation of a single vulnerability to wreak
havoc on an organization’s systems.
• In this landscape, any software developer needs to make security the key consideration at
every stage of the development life cycle.
• SSDLC offers solutions to such security disasters, empowering organizations to
minimize risks and take control of their reputation and financial security significantly
more effectively. This is the main reason behind companies’ adoption of SSDLC.

EMBEDDING SECURITY INTO ALL PHASES OF THE SSDLC:

➢ What is SDLC and brief history:

• Software Development Lifecycle (SDLC) describes how software applications are built.

It usually contains the following phases:

• Planning
• Requirement and Analysis
• Architecture and Design
• Development / Coding
• Testing
• Maintenance

➢ Secure Software Development Life Cycle Processes?
• While building security into every phase of the SDLC is first and foremost a mindset that
everyone needs to bring to the table, security considerations and associated tasks will
actually vary significantly by SDLC phase.

Fig 6.6 PHASES OF SDLC


Phase 1: Planning

The planning phase is where security and development teams get details on the project
requirements and start planning the execution of the entire project. In order to secure this phase,
developers and security experts need to think about which common risks might require attention
during development and prepare for them.

Phase 2: Requirements and Analysis

• This phase translates in-scope requirements into a plan of what this should look like in the
actual application. Here, functional requirements typically describe what should happen,
while security requirements usually focus on what shouldn’t.
• This is when experts should consider which vulnerabilities might threaten the security of the
chosen development tools in order to make the appropriate security choices throughout
design and development.

To ensure that security considerations are also integrated into the overall project plan,
enterprises can take the following steps:

• Assess customer needs: Depending on the end product being designed, you need to create
a list of security requirements that need to be included as part of the entire project. One of
the primary goals of this is not only to strengthen application security, but also to make it as
easy as possible for the development team to code securely.
• Incorporate industry standards on security: Once the initial planning is completed,
developers need to include and abide by the industry-standard compliance practices and
policies. Application security features that are standard to the industry need to be included
as an essential requirement, while additional security features can be added during delivery.
So don’t go trying to roll your own authentication or session management. There are good,
strong references for this; use those.
• Assign responsibility for software security: Before you start development, it is vital to
have a team responsible for the application security. Assign the role to the security team
responsible for doing quality checks and testing each aspect of the solution. Develop security
stories as part of the lifecycle and continually do threat modeling to feed these stories.
• Choose the right architecture: When planning, developers need to think about which
common risks might require attention during development, and prepare for them.
Depending on the architecture and design of the application, security requirements need to
be included accordingly. Again, the goal is to have the architecture make it easy for the
developers to code securely and have secure code if they follow established patterns.

Phase 3: Architecture and Design

• Teams should follow the architecture and design guidelines to address the risks that were
already considered and analyzed during the previous stages.
• This phase translates in-scope requirements into a plan of what this should look like in the
actual application.

Some key security-focused activities in this stage include:

➢ Threat modelling:

Early detection of possible threats not only reduces the likelihood of successful attacks but
also reduces costs associated with security integration for the whole project.

➢ Design documents and reviews:

The modelling results help teams prepare design documents identifying security
requirements and key vulnerabilities that need to be addressed for the security of the
application.

➢ Identifying third-party risks:

It is paramount to check and monitor possible security holes in third-party apps and apply
patches as necessary for the integrity of the whole application system.

Phase 4: Development/build/implementation

• In this stage, developers build code using secure coding standards and ensure their systems
are working within the set security frameworks.
• During the development phase, teams need to make sure they use secure coding standards.
While performing the usual code review to ensure the project has the specified features and
functions, developers also need to pay attention to any security vulnerabilities in the code.

Here are some other elements of the implementation or coding stage:

• Design of the various items like input, output, programs, procedures, controls, and
database.
• The installation of both software and relevant hardware.
• Depending on what the project is, another element involves converting between old and
new systems.
• Running tests on the system.
• Giving adequate personnel training on how the system should be used.
• Perfecting the different elements of the system to correct the issues that may linger.

The stage involves activities such as:

➢ Secure coding:

Secure best practices for application coding such as authentication and encryption are taken
care of in this stage.

➢ SAST (Static Application Scanning Tools):

Static scanning helps discover security issues at any stage of development, making it easier
to detect and fix issues as the project evolves. Because of this, developers can test and review
code before the application is developed.

➢ Manual code review:

Human supervision is still needed to identify potential issues in the code that malicious
attackers could potentially exploit.

Secure coding guidelines, in this case, may include:

• Using parameterized, read-only SQL queries to read data from the database and
minimize chances that anyone can ever commandeer these queries for nefarious purposes
• Validating user inputs before processing data contained in them
• Sanitizing any data that’s being sent back out to the user from the database
• Checking open source libraries for vulnerabilities before using them
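
The first three guidelines above, together with the login-bypass risk described earlier under common attacks, shown as a concatenated query beside its hardened form. This is an added example, not code from the original report; the table layout, function names, username rule and sample values are assumptions constructed for illustration.

```python
import html
import re
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, bio TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", "constructed-hash", "<b>hi</b>"))
    db.commit()
    # Read-only from here on: a hijacked query cannot modify or delete rows.
    db.execute("PRAGMA query_only = ON")
    return db

def login_concatenated(db, name, pw_hash):
    """'Before' form: user input becomes part of the SQL text itself."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND pw_hash = '" + pw_hash + "'")
    return db.execute(query).fetchone() is not None

# Assumed username policy for this example: 1-32 letters, digits or underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def login_parameterized(db, name, pw_hash):
    """Hardened form: validate the input, then bind it as a parameter."""
    if not USERNAME_RE.fullmatch(name):
        return False
    row = db.execute("SELECT name FROM users WHERE name = ? AND pw_hash = ?",
                     (name, pw_hash)).fetchone()
    return row is not None

def render_bio(db, name):
    """Encode stored data before it is sent back out in an HTML page."""
    row = db.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()
    return html.escape(row[0]) if row else ""

def write_is_blocked(db):
    """True when the read-only connection refuses a destructive statement."""
    try:
        db.execute("DELETE FROM users")
    except sqlite3.Error:
        return True
    return False

# Constructed input: the quote characters change the meaning of the WHERE clause
# in the concatenated query, but are plain data in the parameterized one.
CRAFTED_PW = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_concatenated(db, "nobody", CRAFTED_PW))
    print("parameterized:", login_parameterized(db, "nobody", CRAFTED_PW))
    print("rendered bio :", render_bio(db, "alice"))
    print("write blocked:", write_is_blocked(db))
```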

Phase 5: Testing

The testing phase includes security tests, application testing, penetration testing, and other
DevSecOps automation test processes.

Common practices performed during this stage include:

➢ Dynamic Scanning:

Dynamic application scanner tools (DAST) simulate hacking attempts and threats at runtime
to expose application vulnerabilities. Combined with SAST in the previous stage, DAST
adds an extra layer of testing that eliminates most security errors.

➢ Fuzzing:

Developers generate random inputs that mimic custom patterns and check if the application
can handle these inputs. This helps build protection for problems like SQL injection, which
is essentially a form of malicious input.

➢ Penetration Testing:

It’s always possible for the developing team to overlook certain attack scenarios that the
experience and knowledge of third-party experts might reproduce through penetration
testing. Simulating attacks by inviting a third-party team of security professionals is one of
the best ways of exposing hidden vulnerabilities in any system.
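
A small mutation fuzzer in the sense described under Fuzzing above: inputs are derived from a valid sample so they mimic the expected pattern, and any unhandled exception counts as a failure. This is an added example, not part of the original report; the record format, both parsers and the seed input are constructed for illustration.

```python
import random

# Constructed record format: [length byte][payload][checksum = sum(payload) & 0xFF]
def encode(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])

def parse_trusting(data: bytes) -> bytes:
    """Parser that trusts the length byte; malformed input escapes as IndexError."""
    n = data[0]
    payload = data[1:1 + n]
    if data[1 + n] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload

def parse_checked(data: bytes) -> bytes:
    """Parser that rejects every malformed input with a documented ValueError."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length mismatch")
    payload = data[1:1 + n]
    if data[1 + n] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload

def mutate(rng, seed: bytes) -> bytes:
    """Derive one test case from a valid record: overwrite, truncate or extend."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        del buf[rng.randrange(len(buf) + 1):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)

def fuzz(parser, seed: bytes, rounds=2000, rng_seed=1234):
    """Return (input, exception name) for every case the parser failed to handle."""
    rng = random.Random(rng_seed)   # fixed seed so a failing run can be repeated
    crashes = []
    for _ in range(rounds):
        case = mutate(rng, seed)
        try:
            parser(case)
        except ValueError:
            pass                    # documented rejection, not a defect
        except Exception as exc:    # anything else is an unhandled failure
            crashes.append((case, type(exc).__name__))
    return crashes

SEED = encode(b"hello")             # constructed valid sample

if __name__ == "__main__":
    print("trusting parser failures:", len(fuzz(parse_trusting, SEED)))
    print("checked parser failures :", len(fuzz(parse_checked, SEED)))
```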

Phase 6: Deployment and Maintenance

• The maintenance stage is where the security teams continuously analyze and evaluate the
progress of the solution while mitigating any risks or activities that are suspicious.
Maintenance is an ongoing process in secure SDLC. It continues up until the discovery
of a new issue in the system.
• The eligibility of the software for periodic updates will depend on the policies of the
company involved.

Here are some requirements of this phase of the secure development lifecycle:

• There’s a need to analyze the feasibility of some elements like legal requirements, value,
technical parts, economic value, operation and scheduling need, and their relevance to the
system in the long term.
• Delivering improved systems when necessary.
• Periodically replacing old hardware.
• Providing updates for specific components to ensure they meet standards.
• Regularly evaluating system performance as the secure SDLC progresses.

Some SSDLC practices in this stage include:

➢ Environmental Response:

Once an application is launched, monitoring the environment and its influence on the app’s
behaviour and integrity is a critical aspect of maintenance.

➢ Incident Response Plan:

An incident response plan prescribes the plans, actions, and procedures that your team must
follow in the event of a breach.

➢ Security Checks:

Frequent security checks help protect applications from new forms of attacks and
vulnerabilities.

BEST PRACTICES FOR A SECURE SOFTWARE DEVELOPMENT CYCLE PROCESS

PRACTICES                                          DESCRIPTION
Specify your requirements                          • Should have precise and specific requirements.
                                                   • Vulnerabilities should be handled appropriately and immediately.
Developers should be appropriately educated        • Following secure coding guidelines
                                                   • Trained with secure coding training and security awareness
Focus on solving the big problems before others    • Focus on big problems instead of small
Cultivate a growth mindset among the team          • Keep an open mind

Table 6.7 BEST PRACTICES

1. Specify your requirements

It is vital to have precise requirements so that there is no difficulty in understanding what is
created. For this reason, developers and their teams should have specific requirements that are
easily executable. Vulnerabilities exposed during tests should be handled appropriately and
immediately. The secure SDLC process should be a solution-oriented one as much as it is
already one for problem finding.

2. Developers should be appropriately educated

The secure SDLC process requires specific knowledge from the developers involved.
Developers should be appropriately educated on aspects like the creation of a secure coding
guideline. Also, they should be provided with secure coding training and security awareness
before the project begins. Besides, clear expectations regarding how fast issues or risks found
out are handled should be set.

3. Focus on solving the big problems before others

The big problems are usually the more critical and demanding issues that need fixing. A good
approach would be to focus on them instead of fixing all the project’s threats or loopholes. This
is especially helpful in applications or software that are bigger. Fixing newer and smaller issues
in place of the big ones won’t be feasible in that instance. Focusing on the problems in the
secure development lifecycle helps stop problematic issues from entering production. With this
approach, they are handled on time.

4. Cultivate a growth mindset among the team

One way to go about the whole secure SDLC process and succeed is to keep an open mind. This
approach should be cultivated amongst the security team working on the project as well. It will
help developers to further enhance the security of their applications.


CONCLUSION

• Software security is the concept of protecting software from frequent attacks by
following some predefined practices and principles during the overall development process
of the software.
• This includes activities such as user authentication, user session management etc. Attacks
such as SQL and command injections, Trojan horses etc. can damage the software.
Applications can be protected from such attacks by securing each and every phase of the
development process, which is nothing but the SDLC. SDLC with security-enabled practices
is known as SSDLC. In order to secure software, we need to secure the development
phases.
• This includes activities such as secure coding, SAST, threat modeling, fuzzing, integration
testing, penetration testing, manual code review, identifying third-party risks etc. Unless
all the phases are secured by implementing security standards, we can’t ensure that a
particular piece of software is secured. Nowadays, technology is developing rapidly and
along with it the need for data and software security is increasing. So, software security is
a key aspect in securing Information Communication Systems and the use of E-media.
