Student Guide & Problem Statement

Secure Development: Web Site Development
Problem Statement & Student Guide
Version 3: 25th November 2015
Scenario description
RapidWeb is a small software house specialising in the development of Web sites and
applications. It has grown rapidly by adopting an aggressive pricing strategy when tendering for
work. Low prices are achieved by setting short development timescales. However, customer
complaints and time spent on bug fixes have now started impacting on their profitability.
Many of the complaints relate to poor security in the web sites delivered by RapidWeb.
In an attempt to address this issue, you have been appointed as the new Application Security
manager, responsible for ensuring security is engineered into the company’s systems.
You are pleased to hear that at the kick-off meeting of a project, the director in charge stated,
“This website has to look good, be easy and intuitive to use, and it has to be secure.”
However, at the end of this project, a more accurate statement would have been, “This website
has to look great, be easy for me to use, and if we have time and it doesn’t compromise the
first two aims, be secure.”
In the project, the general attitude was that security was interfering and slowing up the
“amazing creation” being conjured up by the graphic designers. Those tasked with coding the
site were forced to spend most of their time writing JavaScript and testing to ensure they had
produced the desired pixel-perfect effect.
Protestations about the lack of security control testing were quickly batted away by references
to a variety of well-known sites that “don’t have that check, so why should we?”
You ask to see the security guidelines and coding standards and are met mostly with blank
looks; one developer mutters something about using the MVC model.
Learning Outcomes
On completion of the scenario, students will be able to:
1. Identify and explain the top 10 security threats and vulnerabilities to web sites and
how they can be exploited.
2. Explain approaches to mitigating the threats.
3. Evaluate technical and non-technical approaches/models to develop secure web
software.
4. Justify an approach for integrating security audit into the development of Web
Applications and the associated security tasks.
5. Explain good practice in securing software and have an awareness of relevant
standards and codes of practice.
Your Task
Clearly there isn’t a security culture here, and it’s your job to change it. Furthermore, it is
apparent that the development team (and director) are unaware of the threats and
vulnerabilities that their web applications experience.
Discussions with the director identify that there are no processes or standards for ensuring
good security, and the director requests that you deliver a report and presentation which
meets the following terms of reference:
1. Identify and explain the top 10 threats to web applications and actions to mitigate
them.
2. Identify the preferred method for secure Web development, identify the phases for
each delivery, and the security audit tasks / tests that will be undertaken at each phase.
3. Specify a training plan to address the current needs.
4. Produce outline contents for a handbook of secure coding guidelines.
Reflection on Learning
It is also important that at the end of the scenario you should reflect on your learning and team
working and identify what worked well, what didn’t and actions for future improvement.
The Consulting Process
One of the benefits of Problem-based Learning is that you learn professional skills as well as
technical knowledge. The process we ask you to follow to explore and provide solutions to the
problem also mirrors the one used in consultancy.
In order to assist you with the process, the following table shows the activities we would
expect you to complete in your PBL team. You should read this carefully and make sure you
are familiar with both the generic activities (in column 2) and the specific ones in column 3.
Steps 1 & 2 will be conducted in the first PBL tutorial.
Step 3 a) and b) comprise your individual research and summarising your learning.
Step 3 c) takes place as a sharing and teaching session at the next tutorial. This process of
sharing and teaching others is extremely beneficial to your own learning.
Steps 4, 5 and 6 consist of team work and, whilst they are logically distinct, they may take place
at the same meeting as step 3 c) depending on the schedule of meetings.
Step 7: In this scenario you will not be planning or implementing a solution, so this step is not
undertaken.
Step 8 should be completed at the end of the scenario, both individually and as a team, to
identify what you’ve learned and how you can improve your learning and team performance in
future.
Your tutor/ facilitator will discuss it with you.
The CSKE Consulting/ Learning Model

The original table has four columns: Step, Problem-solving model, What PBL normally includes,
and What you will be doing at each stage. It is laid out here step by step.

Step 1: Understanding organizational history and context
  What PBL normally includes:
    - Scenario analysis.
    - Socio-technical organizational analysis.
    - Clarification of ambiguities.
  What you will be doing at this stage:
    a) Individual and team review of scenario text and video resources.
    b) Team discussion.
    c) Clarification of ambiguities with tutor/facilitator.

Step 2: Determining the problem to be resolved
  What PBL normally includes:
    - Requirements Analysis: identify key issues.
    - Simulated consultation with stakeholders (e.g. through role-play and/or online interaction).
    - Reviewing technology/processes in use.
    - Identifying learning goals.
    - Facilitator Guidance.
  What you will be doing at this stage:
    a) Team review of scenario: identifying key issues.
    b) Identifying learning goals.
    c) Team publish action list & summary in forum.

Step 3: Identifying/learning necessary knowledge
  What PBL normally includes:
    - Individual research & learning to resolve knowledge gaps.
    - Summarising & reflection.
    - Teams share learning.
  What you will be doing at this stage:
    a) Individual research & learning to resolve knowledge gaps.
    b) Individually creating summary of learning and how it applies to the scenario.
    c) Team sharing learning/teach each other.

Step 4: Identifying alternative solutions
  What PBL normally includes:
    - Determining and agreeing evaluation criteria and process.
    - Identifying technical possibilities, considering acceptance issues and organizational fit.
    - Facilitator Guidance.
  What you will be doing at this stage:
    a) Determining evaluation criteria through team discussion.
    b) Team identification of options considering acceptance issues and organizational fit.
    c) Facilitator Guidance.

Step 5: Choosing optimal solution
  What PBL normally includes:
    - Deciding on best technical, organizational and social outcomes.
    - Proposing solution with justification.
  What you will be doing at this stage:
    a) Team decision and justification.
    b) Review Scenario text and resources.
    c) Produce Report identifying the threats & controls, preferred development methods,
       training plan, handbook outline.
    d) Presentation to Tutor as stakeholder.

Step 6: Planning the implementation
  What PBL normally includes:
    - Applying planning and scheduling techniques.
    - Proposing plan and deadlines.

Step 7: Implementation
  What PBL normally includes:
    - Building the solution (if appropriate).
    - Deploying the solution (if appropriate).
  What you will be doing at this stage:
    Not undertaken in this scenario.

Step 8: Final evaluation
  What PBL normally includes:
    - Formal evaluation methods re project success.
    - Personal reflection and evaluation.
  What you will be doing at this stage:
    a) Team evaluation of performance and project success.
    b) Individual reflection on personal learning & development.
Resources
There are a number of resources available to you:
Cobb, M. (2012) Building a secure website and maintaining good website design. Computerweekly.com,
available online at http://www.computerweekly.com/tip/Building-a-secure-website-and-maintaining-good-website-design [last accessed 24/11/15]
  A short, readable article providing tips for secure websites. A good starting point.
Cobb, M. (2011) Secure SDLC for SMBs, available online at
http://www.computerweekly.com/tip/Secure-software-development-lifecycle-An-approach-for-SMBs [last accessed 24/11/15]
  Another short article from Computer Weekly discussing approaches for SMEs developing apps.
Cobb, M. (2011) Web application security guidelines, available online at
http://www.computerweekly.com/tip/Web-application-security-guidelines-for-developers [last accessed 24/11/15]
  This article has further hints and links.
Hunt, T. (2015) Web Security Fundamentals: Varonis. Available from:
http://info.varonis.com/web-security-fundamentals-course [last accessed 25/11/15]
  An excellent introductory video course (1 hr) which explains four important vulnerabilities and
  how to control the risks. These are: SQL Injection; Transport Layer Security; Insecure Password
  Storage; Cross-Site Scripting; Weak Account Management.
Institute of Information Security Professionals (2010) IISP Information Security Skills Framework,
available online at:
https://www.iisp.org/imis15/iisp/Accreditation/Our_Skills_Framework/iispv2/Accreditation/Our_Skills_Framework.aspx [last accessed 24/11/15]
  A detailed document which will be useful for specifying training and skills levels in this scenario.
Microsoft (2015) Security Development Lifecycle, Microsoft, available online at:
http://www.microsoft.com/en-us/sdl/default.aspx [last accessed 24/11/15]
  The Security Development Lifecycle (SDL) is a software development process that helps
  developers build more secure software and address security compliance requirements while
  reducing development cost.
OWASP (2015) OWASP Top Ten Project, available online at:
https://www.owasp.org/index.php/OWASP_Top_Ten_Project [last accessed 24/11/15]
  The OWASP Top Ten represents a broad consensus about what the most critical web application
  security flaws are. Project members include a variety of security experts from around the world
  who have shared their expertise to produce this list. Rather vital for this scenario.
Stuttard, D. & Pinto, M. (2011) The Web Application Hacker’s Handbook, 2nd Edition, Wiley.
  An excellent, detailed book which would be worth skimming for this scenario. It goes into much
  more depth than required.
Symantec (2015) Website Security Threat Report 2015: Symantec.
  A good industry report that identifies trends over several years, high profile vulnerabilities,
  cybercrime, (another) ‘top 10’ vulnerabilities, websites with malware and malicious web domains.
  Provides excellent background.
The Open Web Application Security Project (OWASP), available online at:
https://www.owasp.org/index.php/Main_Page [last accessed 24/11/15]
  You should be aware of OWASP; it is important. They say that: “The Open Web Application
  Security Project (OWASP) is a not-for-profit charitable organization focused on improving the
  security of software. Our mission is to make software security ‘visible’, so that individuals and
  organizations worldwide can make informed decisions about true software security risks.”
OWASP WebGoat Project, https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  The primary goal of the WebGoat project is simple: create a de-facto interactive teaching
  environment for web application security.
SANS Institute (2004) A Security Checklist for Web Application Design,
http://www.sans.org/reading-room/whitepapers/securecode/security-checklist-web-application-design-1389 [last accessed 24/11/15]
  A bit more than a checklist. It provides a description of the security challenges introduced by
  externally facing web applications. It provides the knowledge necessary to articulate to
  developers the security requirements for a specific web application.
Web Application Security Consortium, http://www.webappsec.org [last accessed 24/11/15]
  Another body you should be aware of: The Web Application Security Consortium (WASC) is a
  501c3 non-profit made up of an international group of experts, industry practitioners, and
  organizational representatives who produce open source and widely agreed upon best-practice
  security standards for the World Wide Web.
WhiteHat Security (2015) Website Security Statistics Report.
  Another useful background report which overlaps with the Symantec report, but with some
  different emphasis. Worth a skim read.

Other security guidelines include:

The following are technical resources, not necessary for completion of this scenario, but of
interest if you are a technical developer:
  https://github.com/OWASP/DevGuide/tree/dc5a2977a4797d9b98486417a5527b9f15d8a251/DevGuide2.0.1 [last accessed 24/11/15]
  The NSA also provides useful sources of generic information - guidance on Information Assurance
  security solutions: NSA Methodology for Adversary Obstruction; Defensive Best Practices for
  Destructive Malware; Top 10 IA Mitigation Strategies:
  https://www.nsa.gov/ia/mitigation_guidance/index.shtml

The following are PHP general coding standards which are not security specific but incorporate
the basics:
  Coding standards (PEAR): http://pear.php.net/manual/en/standards.php [last accessed 24/11/15]
  Coding Style Guide (PSR-2): https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md
  WebAppSec/Secure Coding Guidelines: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
    A concise and consistent approach to secure application development of Mozilla web
    applications and web services.
Assessment Grading Criteria

The original grading table has the columns Learning Outcome, Evidence, Pass (40-49%),
Sound Pass (50-59%), Very Good Pass (60-69%), Excellent (70-100%) and Weight. It is laid out
here row by row.

Team Report (weight 70%)
  Learning outcomes assessed:
    LO1. Identify and explain the top 10 security threats and vulnerabilities to web sites and
         how they can be exploited.
    LO2. Explain approaches to mitigating the threats.
    LO3. Evaluate technical and non-technical approaches/models to develop secure web software.
    LO4. Justify an approach for integrating security audit into the development of Web
         Applications and the associated security tasks.
    LO5. Explain good practice in securing software and have an awareness of relevant standards
         and codes of practice.
  Evidence: Team Report.
  Pass (40-49%): Top 10 Security Risks identified. Some controls identified. Development model
    identified showing some phases/tasks. Appropriate industry standard identified. Acceptable
    spelling and grammar. Mostly relevant content. Some good quality references provided.
  Sound Pass (50-59%): Top 10 Security Risks explained, identifying vulnerabilities. Links are
    made between risks and controls. Development model identified showing most phases & security
    tasks. Appropriate industry standard identified. Alternatives are discussed, but may be
    briefly. Report structured with appropriate headings. Accurate spelling and grammar.
    Generally appropriate level of detail, but inconsistent. Good quality references provided
    with correct syntax. Range may be limited.
  Very Good Pass (60-69%): Thorough discussion of top 10 risks, vulnerabilities and exploits in
    suitable format, and prioritised appropriately with clear discussion of appropriate controls.
    Development model identified showing all phases & security tasks, linked to standards and
    risks. Appropriate industry standard identified. Alternatives are discussed highlighting key
    issues. Report structured with appropriate headings. Written in clear, consistent and
    appropriate (business) style of English. Technical detail explained appropriately and
    consistently. An appropriate range of good quality references provided with correct syntax.
  Excellent (70-100%): Comprehensive list of risks, identifying emerging threats. Risks evaluated
    and prioritised appropriately and clearly linked to appropriate controls. Development model
    identified showing all phases & security tasks with appropriate justification for preferred
    method. Critical evaluation of alternatives, supported by compelling evidence linked to
    appropriate industry standards or research. Discussion of coding best practices, data
    storage issues and hacker mentality. Almost all security requirements identified with
    critical justification. Report structured with appropriate headings. Accurate and consistent
    English throughout report. Clear, concise and complete with appropriate level of detail
    throughout almost all report. An appropriate range of good quality references provided with
    correct syntax.

Team Presentation (weight 20%)
  Evidence: Team Presentation.
  Pass (40-49%): Presentation is consistent with, and relates to, report.
  Sound Pass (50-59%): As pass, and presentation emphasises key points and has balanced content.
  Very Good Pass (60-69%): As sound pass, and presentation clearly links features/benefits of
    solution with client needs and problems.
  Excellent (70-100%): Presentation is persuasive, balanced, thorough and clearly links
    features/benefits of solution to client needs/problems.

Working With Others (weight 10%)
  Learning outcome: Participate constructively in team by:
    - Taking responsibility.
    - Showing sensitivity and providing supportive feedback to others.
    - Meeting deadlines.
  Evidence: Timekeeping, oral contributions, VLE postings, timeliness of work produced.
  Pass (40-49%): Usually communicates quickly with others if problems attending or meeting
    commitments. On time for most meetings. Completes most work allocated.
  Sound Pass (50-59%): Considered reliable by team mates. Almost always communicates quickly
    with others & renegotiates if problems attending or meeting commitments. Shares work with
    others in timely way.
  Very Good Pass (60-69%): As sound pass and on time for almost all meetings. Completes all work
    as agreed.
  Excellent (70-100%): As very good pass and shows initiative/leadership in some areas of work.
  NB: Students can be excluded from teams for not meeting these requirements.