Scotty's Blog

Hey everyone! Thanks for taking the time to read over my blog below. If you are interested in checking out our project repo head on over to:

https://github.com/ted-miller92/wsrp

What was the most difficult challenge, and how did you solve it?

I initially struggled with managing state in Vue. The learning curve was a bit steep until we transitioned to using a Pinia store. Centralizing state management not only made it easier to track and update data consistently across files but also standardized our implementation. This change ultimately streamlined our workflow and improved overall code clarity.

Why did you choose your project, and has it met your expectations thus far?

I chose the Website Security Research project to dive into the world of cybersecurity since it’s an area of software engineering where I believe the technical skills have a slightly higher barrier against market shifts like outsourcing and cheap global talent influxes. The project has largely met my expectations, providing hands-on experience with critical software systems and reinforcing my understanding of security fundamentals in modern web development.

What would you do differently on your project and why?

One significant challenge for me was coordinating meetings while traveling and contending with time zone differences. In the future, I’d implement a more structured schedule and leverage asynchronous communication tools to ensure smooth collaboration, regardless of location.

Do you feel your project was managed well or poorly, and how would you change things?

Overall, the project management was decent, but I see room for improvement. I would have taken a more proactive role in setting up organizational frameworks and offering guidance on our tech stack. Incorporating additional tools such as Loom for video updates could have further enhanced our asynchronous workflows and overall team coordination.

Did you initially have doubts about your ability to complete the project? How do you feel now?

I did have doubts initially given how new the project and tech stack was for me and the rest of our team. This made it hard to get a good grasp on time allocation requirements and determine how challenging each section of the implementation would be. I feel much better now since after digging into the related content I was able to better plan out a strategy for myself and our team.

What is the most interesting thing about your project and why?

I’m particularly excited about how we simplified the demo of various vulnerabilities. It was fascinating to learn how different attack vectors operate and to see firsthand how modern web applications are fortified against them. This practical demonstration of both weaknesses and defenses was, for me, the most engaging part of the project.

Who will use your project? Will it benefit them?

The primary audience for our project is twofold: it serves as a portfolio demo showcasing our cybersecurity skills, and it functions as an educational tool for students new to cybersecurity. I believe it offers valuable insights into the fundamentals of web security, benefiting anyone interested in bolstering their technical knowledge in this critical field.

If you could start over, what would you do differently?

If given the chance, I would collaborate on an industry partner project to gain real-world experience. I would also simplify the tech stack and minimize the number of workflow tools to reduce development friction caused by unnecessary software for a project of our size. These changes would’ve helped streamline our process for greater efficiency. I think most modern web applications have built in protections against many of the attacks we implemented so shifting toward newer updated security practices would have been a good ideas as well.

Thanks for reading and I hope you get a chance to use our tool in the future!

Keep Building,
Scott Lindsay

Senior SWE Project CS462 – W2025 – Scott Lindsay

Overall, I’m satisfied with the tech stack our team has chosen. In this post, I’d like to share my thoughts on some of the alternatives I considered.

My Favorite Technology:

Flask has been my preferred framework for this project. I appreciate its minimalistic and flexible design, which allows me to build web applications quickly without unnecessary overhead. Flask provides the essential tools to create a solid backend while giving me the freedom to incorporate additional libraries and extensions as needed. Its straightforward routing and request handling have proven very efficient for maintaining server-side logic.

My Least Favorite Technology:

On the other hand, I found Vue.js to be a bit more challenging. Although it is a powerful framework for developing user interfaces, its component-based architecture and reactive system initially felt overwhelming. The steep learning curve—especially around state management and lifecycle hooks—made it harder to get up and running quickly. Despite its many strengths, it took me longer to feel comfortable with Vue.js compared to other parts of our stack.

Technology I Initially Struggled With But Now Appreciate:

State management with Pinia was another area where I faced early challenges. Transitioning from a different state management approach meant I had to adjust to new concepts like stores and reactive state. Over time, I began to appreciate how simple and well-integrated Pinia is with Vue.js. Today, it serves as a reliable tool for managing application state effectively.

What I Would Change:

If I could suggest one improvement, it would be enhanced documentation for Pinia. While I’ve grown more familiar with its core concepts, I believe that additional examples and real-world use cases would help new developers learn it faster and adopt best practices more readily.

The Most Difficult and Easiest Technologies to Learn:

Implementing CSRF protection turned out to be one of the more challenging aspects of this project. Understanding how to correctly apply CSRF tokens and secure all endpoints required careful attention to detail. In contrast, grasping the concept of SQL injection was relatively straightforward. Learning how improperly constructed SQL queries can lead to vulnerabilities underscored the importance of securing our applications.

If I Could Start Over, What Technologies Would I Use?

If I were to start over, I would consider replacing MySQL with PostgreSQL for the database. PostgreSQL offers advanced features—such as JSONB support and better handling of complex queries—that provide greater flexibility for data models. I might also explore Django as an alternative to Flask because its structured approach and built-in features could streamline development even further.

A Technology I Wish Had Been in My Tech Stack:

One technology I believe could have added significant value is GraphQL. Its capability to let clients request only the data they need would have streamlined our API interactions and reduced unnecessary data transfer. This efficiency could have made managing complex data relationships easier, especially in a project focused on addressing vulnerabilities.

How My Favorite Technology Works:

Flask is a lightweight Python tool that makes building websites simple. One helpful analogy to simplify the tools purpose could be a recipe book: when someone visits your site, Flask checks the URL to pick the right “recipe” of instructions, then puts together and serves the correct page. It smoothly handles requests and responses while giving you the flexibility to add extra features as your site grows. In my view, Flask is a lightweight Python framework that simplifies web development. It lets you map URLs to functions through defined routes, making the process of handling incoming requests and returning responses very clear.

Happy Building!
– Scott Lindsay

Winter 2025 Term – Scott Lindsay – CS462

Introduction

Looking back at my older code, I’ve often found myself struggling to understand what I wrote. Writing clean, maintainable code is a crucial skill for any developer, but achieving it consistently can be difficult. What exactly makes code “clean”? How can we identify and eliminate bad coding practices, commonly known as “code smells”? In this post, I’ll share some basic insights from my research on clean code and code smells which I believe will be beneficial to incorporate into my workflow and also what I plan to avoid.

Clean Code: Focusing On The Human Element

One of the core principles from Robert Martin’s Clean Code: A Handbook of Agile Software Craftsmanship is that code should be written for humans, not just computers. This means using meaningful variable and function names, writing small and single-purpose functions, and avoiding unnecessary complexity.

Example of Bad Practice: Unclear variable names, no comments

def calc(x, y):
return x * y

Improved Version: Descriptive names and clear functionality

def multiply_numbers(factor1, factor2):
“””
Multiplies two numbers and returns the result.
“””
return factor1 * factor2

Code Smells: Recognizing and Avoiding Bad Practices

Martin Fowler’s Refactoring: Improving the Design of Existing Code describes various code smells as reliable indicators of bad coding practices that lead to maintainability issues. One of the most common code smells is caused by functions getting too long and becoming bloated with too much responsibility.

Bad Practice Ex: Long method doing too much
public void processUserRegistration(User user) {

Validate user
if (user == null || user.getEmail().isEmpty()) {
throw new IllegalArgumentException(“Invalid user”);
}

Save user to database
UserRepository repository = new UserRepository();
repository.save(user);

Send welcome email
EmailService emailService = new EmailService();
emailService.sendWelcomeEmail(user);

}

What I Will Start Doing: Writing Smaller Functions

From my research, I’ve realized the importance of writing small, single-purpose functions. This makes code easier to read, test, and maintain. Going forward, I will be more intentional about breaking down large methods into smaller, more modular functions and keep an eye on the length as I code each function.

What I Will Avoid: Ignoring Code Smells

In the past, I’ve sometimes ignored minor inefficiencies, thinking they wouldn’t matter much. However, I now understand that bad practices accumulate over time, making future modifications harder. I will actively look for and eliminate code smells, especially long methods and poor naming conventions.

Conclusion

I’ve realized that clean code is not just about making things look nice; it significantly improves maintainability and reduces technical debt. By writing meaningful function names, breaking down long methods, and avoiding common code smells, we can make our codebases more efficient and understandable.

I hope you found my post helpful and appreciate any comments or feedback.

– Scott Lindsay

Some reflections on our project so far…

1. Introduction

• The project aims to build a mock web app that simulates common security flaws. The goal is to test the app’s security, find vulnerabilities, and figure out ways to protect sensitive user data while documenting the whole process.
• Penetration testing is being used to check for weaknesses in the app. This involves simulating attacks like SQL injection, XSS, and CSRF to see how these vulnerabilities might be exploited and also to find ways to fix them.

2. Project Overview

• The main goal is to create a web app that is vulnerable to common attacks, and then fix those issues to make the app more secure. This project also serves to teach testers about penetration testing and how to secure web applications.
• The vulnerable version of the app contains flaws like SQL injection, CSRF, and XSS. The secure version includes fixes like input validation, password hashing, and better session management to prevent these issues from being exploited.
• The project uses Flask for the backend, MySQL for the database, and Vue.js for the frontend. The testing environment is set up in a virtual machine running Ubuntu 22.04, with Burp Suite for penetration testing and MySQL Workbench for managing the database.

3. Challenges Encountered

• Some of the challenges include making sure the vulnerabilities are added in a controlled way, balancing the development of both versions, and configuring the database and server to function like a real app.
• Introducing vulnerabilities like SQL injection and XSS in a way that can be safely demonstrated without breaking the system is tricky.
• The project is divided into phases with clear goals to track progress. Team members focus on different areas like the backend, frontend, database, and testing to make sure the project moves forward smoothly.

4. Penetration Testing Techniques Used

• Penetration testing techniques being used include SQL injection, XSS, CSRF, brute-force attacks, and testing weak password hashing.
• We are using Burp Suite to automate brute-force attacks on the login page and to test other vulnerabilities like SQL injection.
• These techniques help reveal problems with how the app handles user inputs. For example, SQL injection shows that the app doesn’t properly validate inputs, while the absence of CSRF tokens and weak password storage are also significant issues.

5. Findings and Results

• The biggest vulnerabilities found so far include SQL injection, which allows attackers to access data, XSS, which lets attackers inject malicious scripts, and CSRF, which allows attackers to perform actions on behalf of legitimate users.
• For example, an SQL injection attack on the login page allowed access to user data by entering a specially crafted string, bypassing authentication.
• If these vulnerabilities were left unpatched, attackers could gain unauthorized access to sensitive data, make transactions, or take over user accounts. This could lead to data breaches, loss of customer trust, and legal issues.

6. Fixes and Improvements

• To fix these issues, we are using practices like validating all inputs, securely hashing passwords with bcrypt, enforcing HTTPS, limiting login attempts to prevent brute-force attacks, and improving session management.
• Technologies like bcrypt for password hashing, Flask’s secure session management, and the addition of CSRF tokens are key improvements that are making the app more secure.

7. Lessons Learned

• This project is teaching me practical skills in penetration testing, securing web applications, and the importance of building security into every part of an app from the beginning.
• It has also made me realize how easy it is for real-world applications to be hacked if security isn’t prioritized from the start. Even simple oversights can open the door for attacks.

8. Conclusion

• The main takeaway from this project is that building secure applications from the start is essential. By following secure coding practices and continuously testing for vulnerabilities, we can protect user data.
• This experience will be invaluable in my future career, especially if I choose to pursue a role in cybersecurity. It provides hands-on experience with testing and securing web applications, which is directly applicable to real-world scenarios.
• I plan to continue learning about advanced security techniques and tools, particularly in the areas of secure software development.

9. Call to Action

• I encourage others to start by learning about basic vulnerabilities and practicing hands-on exercises to secure their own web applications. Platforms like OWASP offer great resources for this.
• I recommend checking out OWASP for comprehensive guides on vulnerabilities, Burp Suite for penetration testing practice, and Hack The Box for real-world security challenges to test your skills.

This post helped me clarify my takeaways thus far from the assignment and has prepared me for the next steps to come. I hope you enjoyed reading and learning a bit about the project!

Thanks for reading my blog post #3!

-Scott Lindsay

CS461 – Website Security Research Project

Scott Lindsay

Reflections on the journey of the Website Security Research Project so far

The idea for approaching this project was inspired by the growing cybersecurity threats facing web applications, especially in sensitive areas like banking, where data protection is essential. Our goal is to design a mock banking application that will allow us to test different vulnerabilities in a controlled environment. This setup will let us explore both insecure and secure versions of the app, highlighting how various cyber threats, like SQL injection or brute-force attacks, play out in real time.

One of the main aims of the project is to create a safe learning environment where we can test different attack methods without putting any real systems or data at risk. To do this, we’re designing the project to run within a virtual environment, which will isolate it from public exposure. This setup allows us to safely study common vulnerabilities without opening up a live system to any actual security risks.

Even in this planning and design phase, we’ve faced some interesting challenges. Balancing “vulnerable” and “secure” versions, for example, has required us to think carefully about how to make each setup realistic enough to test while still being secure. We’re frequently revisiting our design plans, rethinking how the app’s functions will interact, and considering how to make the project both practical and educational. Though we haven’t built the app yet, designing and testing the project has already given us valuable insights into the nuances of web security and set us on a solid path toward creating an effective, controlled environment for cybersecurity learning.

Feedback on the Course

This course has been helpful in our project’s progress, particularly the resources related to data security and risk assessment that are linked on our project page. The theoretical foundation provided by these documents has given us a solid understanding of security issues, such as protecting against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), which we will be testing soon. Feedback from instructors has encouraged us to explore solutions and techniques we may have missed otherwise, especially regarding vulnerability management and secure coding best practices. The course material has also provided a good framework for approaching this project and has helped keep us organized and on track.

Career and/or Job Hunt

I’m building confidence in my skills now and am excited to take these lessons with me to my job and throughout my software engineering career. I am very grateful to already have a software engineering job lined up for this summer once I graduate. This project has given me hands-on experience with security vulnerabilities and has deepened my understanding of how to proactively identify and mitigate risks in web applications. Working through real-world challenges has shown me the value of a strong foundation in cybersecurity, and I’m more prepared to handle similar issues in a professional setting. I’m also excited to apply this knowledge to new technologies and frameworks, knowing that security should always be a priority in any software I develop. This experience has reinforced my commitment to building secure and reliable software during my software engineering career.

New Technologies and Tools in Use

In building this application, we selected MySQL for database management, Vue.js for the front end, and Flask for the server-side functions. For our testing environment, we are planning to rely on VirtualBox to maintain isolation, which is crucial given the security risks associated with intentionally insecure applications. Each technology plays a role in creating a realistic, full-stack application that effectively demonstrates cybersecurity threats and solutions. This setup also allows us to isolate our testing from external networks, providing a secure platform to observe vulnerabilities without exposing real data to risk.

Life Hacks: Handling Project Challenges and Managing Workload

One approach we found effective was splitting the tasks by interest level and skill level to evenly distribute them within the larger goal. This modular approach helped prevent overwhelming the team and kept our progress steady. We also set clear deadlines and designated specific roles for testing and implementing features, which helped manage our workload more evenly. Taking regular breaks after challenging debugging sessions has also helped me in the past to stay fresh and avoid burnout. I would recommend this approach to other groups since this combination of organization and balance has been critical in maintaining productivity and achieving our project goals.

Conclusion

This journey into web application security has been both challenging and rewarding. Through planning our project, preparing to tackle various cyber threats, and designing solutions, we’ve learned firsthand the complexities of securing sensitive information online. This project has strengthened our skills, reinforced our interest in cybersecurity, and highlighted the importance of thorough testing and proactive measures in web development. As we move forward, we’re excited to start building and learning more about website security.

Hey everyone, here is my first blog post for the online CS capstone project. I’m excited to learn and build with you all.

Introduction

My name is Scotty and I’m a senior computer science student at OSU. I am originally from California but lived in Washington for a while and most recently Texas where I’ll be heading back to once I graduate for my job.

My timezone and/or location

I am currently in the GMT+8 timezone but will be moving around throughout the year. I love working remotely and also enjoy traveling.

Get to know me: kids, pets, hobbies, sports, games, activities, shows, etc

I don’t have any kids or pets but I am a big fan of dogs and other animals. I like to lift weights and run for exercise and enjoy most adventure sports such as mountain biking, snowboarding, surfing, etc. I don’t play video games or watch shows since I am busy and limited on time.

What got me started with computers and software?

I have always been fascinated by technology and think engineering is better than magic. Once I was introduced to the tech world I knew I wanted to work in the field for many reasons such as pay, remote work possibilities, interesting and impactful opportunities, and to have a skillset that I can apply to a wide range of companies.

My journey with OSU

I transferred to OSU a few years ago after getting my AS degree from a community college in California. I chose the remote program because I wanted flexibility and lower tuition.

Current job and internship

I most recently interned with Dell and will be starting full time as a software engineer after I graduate this spring.

My favorite technologies

I am more concerned with what I’m building and the company mission than I am the tech stack being used but I do enjoy coding in Python since it’s the most familiar to me and abstracts away a lot of the lower level complexities. This summer I worked on using AI agents built with Python, LangChain, LangGraph, and various LLMs to automate code fixes which was an interesting experience. With the current industry trends I am considering transitioning into a more cybersecurity focused role for better job stability and hopefully more pay.

My favorite listed projects (in this course) and why

I found many of the projects fascinating and focused on areas that apply to my career goals. I chose two cybersecurity related projects, a machine learning game project, an animal adoption app, an AI trading bot project, and an LLM agent project. I chose these because they sounded interesting and would help me develop skills in areas that would benefit my career.

Conclusion

That’s a bit about me. If anyone has questions or comments please let me know.

Thanks! – Scotty Lindsay

Welcome to blogs.oregonstate.edu. This is your first post. Edit or delete it, then start blogging!