
My Capstone Project

Website Security Research

For my capstone project, I am working on a Website Security Research Project. In this project, I will create a simple web application backed by a database, and perform penetration testing on select vulnerabilities while compiling easy-to-follow reports for users to follow along with the attacks. As I have recently transitioned to working solo on this project, I have been focusing on revamping my design document which will guide project development through the rest of the school year.

Current Progress
As the end of the first term of my capstone project approaches, my focus has been on designing and planning my project, as well as implementing the initial version. I have outlined the database plan as well as drafting the website user interface using wireframes. I used Figma for my wireframes, which I have also been using in my Usability Engineering course, and I have found it to be a very useful tool for prototyping. The website will be simple and will mostly be displaying and interacting with data from the database. I am working on pinning down which vulnerabilities I intend to address and how I will incorporate them into my website, as well as other important aspects of the system.

Development Plan
I plan to build this website incrementally. I will start with an initial version of my website with a simple login page. Ideally, this will be connected to the database so that a user could log in with credentials saved in the database. At this point in time, the database may not be fully developed and may contain only user credentials. The first vulnerability I intend to exploit is SQL Injection, which will be done through this login page. Time permitting, I may be able to implement an initial attack and defense in my initial version of the website that I could walk through in my v0.0.1 progress report video.

Once the initial website is up and running, I will first ensure the database is implemented as designed to hold all necessary data for the website. I will be building the rest of the project incrementally based on vulnerabilities. With the first version being a login page connected to the database, I will build each page from there when it becomes relevant to exploiting a vulnerability, or simply if I have spare time. While much is still to be determined regarding the vulnerabilities, I have a tentative list of ten attacks from five vulnerability categories. I am unsure how much time each vulnerability process will take, so I may not actually get to implementing each of the vulnerabilities, but I would rather have more planned than I could complete than having to adjust my plan to add new vulnerabilities later. In order to properly plan each attack, I will be including in my design document the following information for each vulnerability: a description of the vulnerability and background information (which will be added to the final vulnerability reports), a defined attack surface (which may involve adding new pages or features not currently planned), and a general attack and defense plan, noting any tools necessary for the process.

By thoroughly designing my project, implementation will be much easier. I will have clear goals and completion criteria for each sprint and will be able to incrementally build my project. Each iteration of the website and vulnerability reports ought to be usable as they are, so that no matter how many vulnerabilities I have time for, once I complete each iteration the website and reports will be ready for users to explore.

Initial Implementation
In addition to planning the project, I have been working on implementing the initial version of the website and database. I am hoping to do so in Google Cloud, and have been learning about the process. I have never used Google Cloud before, and previous websites and databases I have made have all been hosted through OSU. I am excited to be working on a live website and database, as this project is something that I would be interested in continuing to develop after my time in school as well as wanting to put it on my resume. Thus far I have successfully connected to a test database on Google Cloud, and I am working on implementing my initial website as well. It has been a learning experience as I am doing this by myself, but Google Cloud has a lot of tutorials which have been helpful for the process.

Going Forward
For the rest of this term, my biggest hurdles will likely be implementing the website and connecting it to the database. I have some experience in this area (coursework only), but I feel confident that I will be able to get it working. I will also be continuing to work on updating my design document and planning my vulnerabilities to exploit. By the end of the term, I am hoping that I will have a clear vision of how to split up my work for each sprint. My design document may include details of my plans for each iteration of the project, such as including that the initial version will have a login page, credentials in a database, and a vulnerability to SQL Injections. Each planned iteration will include which pages will be present as well as which vulnerabilities, and each vulnerability completed will be detailed in its vulnerability report.

Overall, I am very excited to be working on this project. I tend to enjoy planning and designing, and it has been rewarding to me to see my imagined project materialize in the design document. Solid planning is the first step to a solid project, and I am doing my best to ensure my design is thorough and detailed. I am looking forward to continuing to develop the project, and I am sure that I will be able to create an end result that I will be proud of, and potentially continue to develop after I graduate. The process of penetration testing and hardening the application will be great hands-on practice to better prepare me for my future career in cybersecurity.

Thanks for reading!

~ Cassidy Williams ~


Hello World: An Introduction

Hello world, and welcome to my Capstone blog! I am Cassidy Williams and I am majoring in Computer Science with a Cybersecurity focus. I live in the Portland area with my four-year-old son and two cats. In my spare time I enjoy running, yoga, painting, and adventuring with my son.

I have always enjoyed working with computers, despite not growing up in a technologically friendly household. As a child, I enjoyed tinkering with broken electronics to see if I could fix them or figure out how they worked. As a teen, I took as many computer classes as my school offered (which was not many!) and tinkered with my own computer in my spare time. My first computer “project” that I was proud of was fully customizing my laptop to be Matrix themed, including playing Matrix quotes during boot up and requiring clicking on the correct pill to log in. While it was not very technically complicated, I had a lot of fun with it and began working more in depth with my computer afterwards. I became interested in Cryptography (math has always been a passion of mine) and Cybersecurity related topics, as well as general software programming.

I studied Computer Science at PCC for my AS before transferring to OSU, where I have been attending online via eCampus. I have really enjoyed studying Computer Science and especially find project-based assignments to be very rewarding. My favorite classes so far have been Cryptography, Computer Architecture and Assembly Language, Analysis of Algorithms, Operating Systems, Intro to Computer Networks and Intro to Security. I look forward to taking Defense Against the Dark Arts (this term) as well as Digital Forensics (Winter) and Network Security (Spring). And of course I look forward to completing my Capstone Project and graduating next spring!

With this as my final year in school, I hope to make the best of my time and be able to contribute to a Capstone Project that is challenging, personally rewarding, and either builds towards my career goals or has some sort of positive real-world impact.

The top five projects that stand out to me are:

  • Malware Analysis: This project interests me because it is related to Cybersecurity and would look good on my resume. This project seems like it would be a healthy challenge for me to learn more real-world application of cybersecurity topics as we will be analyzing malware, which sounds like a great way to get a head start into my intended career path. As I have not yet done any malware analysis, I would appreciate the challenge of this project and I feel it would fit well with some of the courses I will be taking this year as well.
  • Website Security Research Project: This project interests me because it seems like it would be very helpful to have on my resume for a Cybersecurity career. I have taken Intro to Security and found the DVWA (Damn Vulnerable Web Application) project to be very fun and rewarding, and this seems like a good way to expand on that by not only attempting penetration testing on the app, but also on hardening the app against our penetration testing results. I feel this project would be very rewarding for me and relevant to my intended career path.
  • Math Go!: This project appeals to me because it seems like it would be rewarding and could have a real-world impact to help students have a more fun way to learn and practice math. While I do not have experience with game development, I think that this project sounds like a lot of fun and I could see it being very helpful for students that really struggle with math, as a common complaint is that math “isn’t fun”. In addition, having it help keep students active by encouraging them to seek out the beasties seems like this project would be very rewarding for me to work on. I would love to see my son use a game like this to help him learn math!
  • Lidar to 3D Sound Application for the Seeing-impaired: This project interests me because of the real-world impact. I love to see different ways that technology can be used to make the world more accessible to people with disabilities. This project also seems like it would be challenging but very rewarding. I would love to be a part of something that can improve the lives of the seeing-impaired, as technology often leaves out marginalized groups when it ought to be used to help them.
  • Text Adventure Game for Education: This project appeals to me because I would like to contribute to something with a positive real-world impact. I love the idea of allowing teachers to create their own Text Adventure Games to increase engagement for students. I have known many students who would benefit from a more gamified educational approach, and it seems like as children grow up with more technology as part of their day to day, the benefits of incorporating games into education are greater now than ever before.

Other projects that caught my attention were:

  • Citizen Science App for Kids
  • A-Life Challenge
  • Lets Launch a Game
  • Online Trading Card Game Maker
  • Cross-Platform Personal Trainer App

Overall I am excited to be able to be involved in a capstone project with other students, and I am looking forward to seeing which project I end up with! I feel that any of these projects would be a great opportunity to apply what I have learned in my studies so far to achieve a challenging goal, and I am excited to be part of creating something that I can show off!

Thanks for your time!

~ Cassidy Williams ~