Kicking Off the Website Security Research Project

Since my first post a little over a month ago, projects have been assigned, requirements gathered, designs drafted, and initial development has kicked off. I was fortunate to be assigned to my top choice, the Website Security Research Project, and am working with a very capable team to deliver something exceptional.

The project involves building a simple web application and adopting an iterative process of performing penetration testing on the application infrastructure, hardening the application security according to test results, and creating detailed documentation on detected vulnerabilities, methods used to exploit those vulnerabilities, and strategies to improve the application’s security. By the time we are finished, we will have an application that can be used by anyone with an interest in website security to learn about common vulnerabilities, exploitation methods, and recommended security practices. Our goal is to enable users of any skill or experience level to easily deploy the application and follow our documentation to gain useful, hands-on experience in identifying, exploiting, and mitigating common web security vulnerabilities. We will implement both secure and insecure versions of each web page in the application and allow users to toggle individual vulnerabilities on or off, providing them an opportunity to directly observe the impacts of specific vulnerabilities and security measures on the system. My team has decided to build this application as a simulated health plan portal with various exploitable features, including text inputs for various types of injection attacks and a role-based access control system for demonstrating broken access control vulnerabilities.
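
As an added illustration of the secure/insecure toggle described above (example code, not the project's own), here is how one Laravel controller action could serve both versions of a member-search page. The config key `vulnerabilities.sqli`, the `members` table and its column names, and the `MemberSearchController` name are all assumptions for the example.

```php
<?php
// Added illustration, not the project's code. Assumes config/vulnerabilities.php
// defines a 'sqli' key and that a `members` table with the columns below exists.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class MemberSearchController extends Controller
{
    // Handles GET /members/search?last_name=...
    public function search(Request $request)
    {
        $lastName = $request->input('last_name', '');

        if (config('vulnerabilities.sqli')) {
            // Insecure version: user input is concatenated into the SQL text.
            // Submitting last_name = x' OR '1'='1 turns the WHERE clause into
            // last_name = 'x' OR '1'='1', which matches every row.
            $rows = DB::select(
                "SELECT id, first_name, last_name, plan_id FROM members"
                . " WHERE last_name = '" . $lastName . "'"
            );
        } else {
            // Hardened version: the same query, but the value travels as a bound
            // parameter, so quotes in the input are data rather than SQL syntax.
            $rows = DB::select(
                'SELECT id, first_name, last_name, plan_id FROM members WHERE last_name = ?',
                [$lastName]
            );
        }

        return view('members.search', ['members' => $rows]);
    }
}
```

With `config/vulnerabilities.php` returning `['sqli' => env('VULN_SQLI', false)]`, a user flips this one vulnerability with a single environment variable and can submit `x' OR '1'='1` as the last name to compare the two behaviours directly: the concatenated query returns every member, the bound query returns none. Keeping both branches in the same action also keeps the documentation honest, since the insecure and hardened code sit side by side in the file the reader is asked to study.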

Because the focus of our project is on security testing and hardening rather than application development, we initially planned to build the application on top of OWASP’s Vulnerable-Web-App repository, which uses a LAMP stack (Linux, Apache, MySQL, and PHP), to speed up the development phase. While doing research, I forked the Vulnerable-Web-App repository to see how difficult it would be to modify to meet our requirements. I can’t tell you how happy I am that I did this when I did, because I realized very quickly that modifying the existing codebase would almost certainly require more effort than simply starting from scratch. The majority of the OWASP code is not easily reusable for our design, and adapting it to our project’s needs would introduce unnecessary complexity. After discovering this, I began exploring other ways we might be able to speed up the development of the application’s core infrastructure.

During my research, I came across Laravel, a PHP framework with a robust set of features for developing modern web applications. I was drawn to Laravel by its rapid prototyping capabilities and scalable architecture. It offers an array of pre-built components, a simple but powerful routing engine, an ORM, a built-in authentication and authorization system, an extensive package ecosystem, and built-in features for automated testing and job processing, all of which we can leverage to speed up the development process. Perhaps more importantly, it provides useful abstractions that will allow our code to be more modular, maintainable, and adaptable as the application evolves. After exploring Laravel’s features, I decided to create a proof-of-concept to better understand its potential and to pitch its value to my team. In one afternoon/evening, I was able to create a landing page, navigation bar, a fully functional authentication system (complete with profile creation, login, logout, and profile update features), and a role-based access control system with an admin page for setting user roles. I was sold by this experience, and when I showed my team what I had been able to accomplish, they were fully on-board.

My proof-of-concept has now become the foundation upon which we will build the rest of our application. The immediate next steps will involve setting up our repository and project infrastructure to ensure optimal development operations and collaboration among team members. This will include integrating with GitHub Actions to automate our workflows, enabling automatic testing, building, and linting of the application on each push to the repository. This will help make sure our application remains stable and does not regress. We’ll also need to establish a clear system for making changes and adding new features. We have some ideas and plans around how to do this, but there are still some specifics to work out. Once we’ve done this, we can implement the core data models that will be used throughout the system and begin to build out the remaining infrastructure. After the application infrastructure is in place, we’ll shift focus to penetration testing, application hardening, and documentation.

I’ve already learned quite a bit in the initial stages of this project. I have been involved with full-stack development on a handful of projects in the past, but most of these experiences have involved only a small part of a larger system. I have rarely been involved with building and maintaining entire web applications from scratch, and I have never built anything with PHP, so creating the Laravel proof-of-concept was an enlightening experience. In addition to learning new technical skills, I’ve been getting plenty of opportunities to practice my soft skills. Working on something as important as the capstone project, with a team operating in a flat structure without a designated lead, has highlighted how essential skills like clear communication and adaptability are for effective collaboration in a self-managed environment. These skills are, of course, important in any team environment, but in my experience, a clear hierarchy of authority often reduces friction, streamlines decision-making, and helps to keep everyone aligned and moving in the right direction. Without a team lead, it takes some effort to find an optimal balance between taking initiative and creating space for others to contribute. My team has been great, though, and so far, this has been a valuable experience. I’m very much looking forward to seeing what we can build together.

Thanks for reading. I look forward to sharing more updates as the project progresses.

Introduction

Hello! My name is Cody Ray. I currently live in Bend, Oregon (PST/PDT). Lately, I’ve been doing a lot of hiking and fly fishing. When the weather turns, I enjoy reading fiction and playing guitar.

I became interested in software in my early 20s. Before that, I worked as a welder, building trailers. That experience sparked my interest in becoming an engineer, so I enrolled in a few community college courses on a Mechanical Engineering track. One of those courses was Intro to Engineering Computing, which taught MATLAB. This was my first exposure to programming, and I found it so interesting that I switched my major to Computer Science by the end of the term.

After that school year, I had the opportunity to take a summer internship in the software engineering department at a company called 6 Degrees Health. Following the internship, I transferred to Oregon State University and moved to Corvallis to live just off campus. I had a great time and learned a lot while taking classes on campus, but unfortunately, the world went into lockdown for COVID in the middle of the spring term, forcing me to pivot. For various pandemic-related reasons, I went to work full-time for 6 Degrees Health, the company I had interned with. I completed a few courses sporadically over the next few years through e-campus but had to focus mainly on my job, and it looked like it would take me quite a while to graduate. Gradually, circumstances improved, and a few months ago I realized I was in as good a position as I would ever be to return to school, so I decided to focus on my degree full-time.

Healthcare billing is an interesting field with many challenging problems, but I am excited to get my degree so I can branch out into other areas. I am particularly interested in security and hope to eventually move into that industry.

I have been working for a startup called My Price Health for a little over a year now. My boss has been kind enough to allow me to continue working reduced hours while I complete my degree. In my job, I work on tools and systems for managing healthcare claims and eligibility data. I feel fortunate to do most of my work with Go and PostgreSQL, as I find both enjoyable to work with. I sometimes use Python or shell scripts for quick, ad-hoc tasks. Last winter, I switched my editor from Visual Studio Code to Emacs and have since developed an affinity for Emacs Lisp, which I now use whenever I can justify it.

There are many interesting projects for this course. Because of my interest in security, I am most drawn to the Website Security Research and Malware Analysis projects. Both sound like fantastic ways to gain valuable real-world experience in the field. The Website Security Research project, in particular, seems like it would be very practical. Having been involved in web development for a few years but knowing little about properly securing a website, it would be an excellent experience to build one specifically for researching vulnerabilities.

Hello world!

Welcome to blogs.oregonstate.edu. This is your first post. Edit or delete it, then start blogging!