Categories
Uncategorized

Kicking Off the Website Security Research Project

Since my first post a little over a month ago, projects have been assigned, requirements gathered, designs drafted, and initial development has kicked off. I was fortunate to be assigned to my top choice, the Website Security Research Project, and am working with a very capable team to deliver something exceptional.

The project involves building a simple web application and adopting an iterative process of performing penetration testing on the application infrastructure, hardening the application security according to test results, and creating detailed documentation on detected vulnerabilities, methods used to exploit those vulnerabilities, and strategies to improve the application’s security. By the time we are finished, we will have an application that can be used by anyone with an interest in website security to learn about common vulnerabilities, exploitation methods, and recommended security practices. Our goal is to enable users of any skill or experience level to easily deploy the application and follow our documentation to gain useful, hands-on experience in identifying, exploiting, and mitigating common web security vulnerabilities. We will implement both secure and insecure versions of each web page in the application and allow users to toggle individual vulnerabilities on or off, providing them an opportunity to directly observe the impacts of specific vulnerabilities and security measures on the system. My team has decided to build this application as a simulated health plan portal with various exploitable features, including text inputs for various types of injection attacks and a role-based access control system for demonstrating broken access control vulnerabilities.

Because the focus of our project is on security testing and hardening rather than application development, we initially planned to build the application on top of OWASP’s Vulnerable-Web-App repository, which uses a LAMP stack (Linux, Apache, MySQL, and PHP), to speed up the development phase. While doing research, I forked the Vulnerable-Web-App repository to see how difficult it would be to modify to meet our requirements. I can’t tell you how happy I am that I did this when I did, because I realized very quickly that modifying the existing codebase would almost certainly require more effort than simply starting from scratch. The majority of the OWASP code is not easily reusable for our design, and adapting it to our project’s needs would introduce unnecessary complexity. After discovering this, I began exploring other ways we might be able to speed up the development of the application’s core infrastructure.

During my research, I came across Laravel, a PHP framework with a robust set of features for developing modern web applications. I was drawn to Laravel by its rapid prototyping capabilities and scalable architecture. It offers an array of pre-built components, a simple but powerful routing engine, an ORM, a built-in authentication and authorization system, an extensive package ecosystem, and built-in features for automated testing and job processing, all of which we can leverage speed up the development process. Perhaps more importantly, it provides useful abstractions that will allow our code to be more modular, maintainable, and adaptable as the application evolves. After exploring Laravel’s features, I decided to create a proof-of-concept to better understand its potential and to pitch its value to my team. In one afternoon/evening, I was able to create a landing page, navigation bar, a fully functional authentication system (complete with profile creation, login, logout, and profile update features), and a role-based access control system with an admin page for setting user roles. I was sold by this experience, and when I showed my team what I had been able to accomplish, they were fully on-board.

My proof-of-concept has now become the foundation upon which we will build the rest of our application. The immediate next steps will involve setting up our repository and project infrastructure to ensure optimal development operations and collaboration among team members. This will include integrating with GitHub Actions to automate our workflows, enabling automatic testing, building, and linting of the application on each push to the repository. This will help make sure our application remains stable and does not regress. We’ll also need to establish a clear system for making changes and adding new features. We have some ideas and plans around how to do this, but there are still some specifics to work out. Once we’ve done this, we can implement the core data models that will be used throughout the system and begin to build out the remaining infrastructure. After the application infrastructure is in place, we’ll shift focus to penetration testing, application hardening, and documentation.

I’ve already learned quite a bit in the initial stages of this project. I have been involved with full-stack development on a handful of projects in the past, but most of these experiences have involved only a small part of a larger system. I have rarely been involved with building and maintaining entire web applications from scratch, and I have never built anything with PHP, so creating the Laravel proof-of-concept was an enlightening experience. In addition to learning new technical skills, I’ve been getting plenty of opportunities to practice my soft skills. Working on something as important as the capstone project, with a team operating in a flat structure without a designated lead, has highlighted how essential skills like clear communication and adaptability are for effective collaboration in a self-managed environment. These skills are, of course, important in any team environment, but in my experience, a clear hierarchy of authority often reduces friction, streamlines decision-making, and helps to keep everyone aligned and moving in the right direction. Without a team lead, it takes some effort to find an optimal balance between taking initiative and creating space for others to contribute. My team has been great, though, and so far, this has been a valuable experience. I’m very much looking forward to seeing what we can build together.

Thanks for reading. I look forward to sharing more updates as the project progresses.