CYB 240 Project Two Guidelines and Rubric
Recommendations Report
Overview
A security analyst’s responsibility in the software development life cycle (SDLC) is not to write code, but to interface with programmers. Secure programming is not necessarily part of many programmers’ skill set. Therefore, it is your job as a security analyst to help identify areas of concern.
For this project, you are in the role of a security analyst collaborating with a larger software development team, and you are creating a recommendations report for the development team. You will describe areas of concern and how to avoid them based on your role as the security analyst. You will also explain the value you add by participating in the SDLC.
The project builds on skills you practiced in the Project Two Stepping Stone, which will be submitted in Module Three. The project will be submitted in Module Seven.
In this assignment, you will demonstrate your mastery of the following course competency:
CYB-240-02: Describe the fundamental principles and practices of application security
Scenario
In a course announcement, your instructor will provide you with a scenario on which you will base your work. Use the scenario to address the critical elements.
Prompt
Select two known development issues/vulnerabilities relevant to the project in the scenario. You can use the issues or vulnerabilities you identified as part of the
Project Two Stepping Stone submitted in Module Three.
You must address the critical elements listed below in your recommendations report. The codes shown in brackets indicate the course competency to which each critical element is aligned.
I. Development Issue/Vulnerability One
A. Describe why the OWASP element selected is a potential area of concern for the development team. [CYB-240-02]
B. Recommend techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability.
Justify the relevance of the fundamental security design principle you select. [CYB-240-02]
II. Development Issue/Vulnerability Two
A. Describe why the OWASP element selected is a potential area of concern for the development team. [CYB-240-02]
B. Recommend techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability.
Justify the relevance of the fundamental security design principle you select. [CYB-240-02]
III. Discuss the value of a security practitioner equipped with the fundamental security design principles in preventing security issues during the SDLC.
[CYB-240-02]
Project Two Rubric
Guidelines for Submission: Your submission should be 2 to 3 pages in length and should be written in APA format. Use double spacing, 12-point
Times New Roman font, and one-inch margins. Use a file name that includes the course code, the assignment title, and your name—for example,
CYB_123_Assignment_Firstname_Lastname.docx.
Critical Elements: Exemplary (100%), Proficient (85%), Needs Improvement (55%), Not Evident (0%), Value

Development Issue/Vulnerability One: Potential Area of Concern [CYB-240-02] (Value: 18)
● Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
● Proficient (85%): Describes why the OWASP element selected is a potential area of concern for the development team
● Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
● Not Evident (0%): Does not address critical element, or response is irrelevant

Development Issue/Vulnerability One: Techniques or Methods [CYB-240-02] (Value: 18)
● Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
● Proficient (85%): Recommends techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability, including a justification of the relevance of the fundamental security design principle selected
● Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
● Not Evident (0%): Does not address critical element, or response is irrelevant

Development Issue/Vulnerability Two: Potential Area of Concern [CYB-240-02] (Value: 18)
● Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
● Proficient (85%): Describes why the OWASP element selected is a potential area of concern for the development team
● Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
● Not Evident (0%): Does not address critical element, or response is irrelevant

Development Issue/Vulnerability Two: Techniques or Methods [CYB-240-02] (Value: 18)
● Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
● Proficient (85%): Recommends techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability, including a justification of the relevance of the fundamental security design principle selected
● Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
● Not Evident (0%): Does not address critical element, or response is irrelevant

Preventing Security Issues [CYB-240-02] (Value: 18)
● Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
● Proficient (85%): Discusses the value of a security practitioner equipped with the fundamental security design principles in preventing security issues during the SDLC
● Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
● Not Evident (0%): Does not address critical element, or response is irrelevant

Articulation of Response (Value: 10)
● Exemplary (100%): Submission is free of errors related to grammar, spelling, and organization and is presented in a professional and easy-to-read format
● Proficient (85%): Submission has no major errors related to grammar, spelling, or organization
● Needs Improvement (55%): Submission has some errors related to grammar, spelling, or organization that negatively impact readability and articulation of main ideas
● Not Evident (0%): Submission has critical errors related to grammar, spelling, or organization that prevent understanding of ideas

Total: 100%
CYB 240 Project Two Scenario One
You are a newly hired analyst for a health insurance company with a central office and several satellite
offices. The central office administers all back-end servers and pushes out all communications to
satellite offices via a web interface. The organization has requested a security analyst be part of a new
web application development from the start of the project to advise on possible security risks. The
application is used as an interface with the patient information system, and it is used by internal
employees only.
A member of the IT team has reviewed the design documents for the new development project, and has
provided the following list of system specifications:
● Three-tiered system:
  ○ MySQL Database. Current system specifications:
    ■ Proper authentication to access data in table
    ■ Communication with transaction server done through PHP
  ○ Microsoft Transaction Server. Current system specifications:
    ■ Transaction server has administrative access to MySQL database
    ■ Communication to the database is done over company network
    ■ Communication to the web server front end is done over the internet
    ■ Components sent to web server front end are in XML format with weak metadata
    ■ Transactions sent to web server are unencrypted and 1-1 (not batched)
  ○ Web Server Front End. Current system specifications:
    ■ Data displayed on webpages is in clear text using HTTP protocols
    ■ Log-on access to web server is via client-side scripting