
This term of 462 has been more focused on the actual building of our project, rather than the research and decisions on what technologies we will use, which was our focus in 461. Fortunately for us (at least for the most part), we have been able to stick with our choices on technologies for our full-stack Security Research project.
We went into the term knowing that we would be using Vue.js for the main building block of our front-end web app, MySQL for our database, and Python's Flask for our server-side functionality and the bulk of the remainder of our backend development.
Going into this term, I actually lacked experience with most of the technologies we are implementing, so at the start, I was a bit apprehensive about learning them and hitting the ground running. Vue, being the robust framework that it is, is still not something I would say I'm overly confident in using.
I didn’t take Web Development at OSU; instead, I took a few Web Dev courses at CC before transferring, which focused mostly on classic “vanilla” JavaScript, HTML, and CSS. Considering this, I think it has added to the challenge of picking up Vue. Fortunately, a couple of my team members have more experience with it, so that has become their focus.
I had never used Flask either, but I found that I was able to pick it up efficiently since it seems to be more straightforward in many ways and comes with tons of crucial libraries and modules that we have depended on. I would say that Flask is probably my favorite new technology that I’ve used for our project.
I have been mainly focused on the backend development of our project so far, primarily determining how to set up our server routes, aka API endpoints, so that each page they lead to will give an insecure and a secure version of each vulnerability we are exploiting. Some of the libraries and modules we have made use of for this part of the development have been crucial.
Evaluating Our Backend Tools: Pros and Cons
Flask
Pros: Flask is lightweight and flexible, making it ideal for setting up API endpoints and handling HTTP requests/responses with minimal overhead.
Cons: Its minimalistic design means we have to add several extensions (like Flask_SQLAlchemy and Flask_JWT_Extended) to cover additional features, which can sometimes complicate the overall setup.
Flask_SQLAlchemy
Pros: This ORM simplifies our database interactions by letting us work with Python objects instead of writing raw SQL. Beyond speeding up development, it reduces the risk of SQL injection because the queries it generates bind user input as parameters rather than splicing it into the SQL text (that protection is lost again if raw SQL is assembled with string formatting).
Cons: However, the abstraction can sometimes hide the underlying SQL, making it harder to optimize or troubleshoot complex queries.
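As an added example (not the project's own code), here is the insecure/secure pairing described above, written against Python's built-in sqlite3 so it runs without Flask or SQLAlchemy. The insecure lookup pastes the username into the SQL text; the secure one binds it as a parameter, which is also what Flask_SQLAlchemy does underneath when you query through its models. The table, rows and usernames are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real users).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Classic tautology payload: closes the string literal and appends OR '1'='1'.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_insecure(conn, username):
    """Vulnerable: user input becomes part of the SQL text the parser sees."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_secure(conn, username):
    """Fixed: the driver binds the value, so quotes inside it never reach the parser."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both versions against a legitimate name and the injection payload."""
    conn = make_db()
    return {
        "insecure_legit": lookup_user_insecure(conn, "alice"),
        "insecure_attack": lookup_user_insecure(conn, INJECTION_PAYLOAD),
        "secure_legit": lookup_user_secure(conn, "alice"),
        "secure_attack": lookup_user_secure(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Both versions return one row for `alice`. Against the payload, the insecure version's WHERE clause becomes `username = '' OR '1'='1'` and dumps the whole table, while the secure version looks for a user literally named `' OR '1'='1` and returns nothing.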
Flask_JWT_Extended
Pros: Handling authentication is more straightforward with JWTs, and this library integrates well with Flask to create, manage, and verify tokens securely.
Cons: The security of JWTs depends heavily on proper configuration. An HS256 signing secret short enough to guess can be brute-forced offline from any single captured token, a token issued without an expiration claim stays valid indefinitely, and the verifier has to pin the algorithm rather than trust the one named in the token's header. Any of these introduces a vulnerability if not carefully managed.
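To make those configuration risks concrete, here is an added example using only the standard library (it is not Flask_JWT_Extended's code or API) that issues and verifies HS256 JWTs with hmac and json. The verifier rejects a token signed with a different key, one with a missing or past exp claim, and one whose header downgrades the algorithm; the last function shows why a short, guessable secret is fatal by recovering it offline from one captured token. The secrets, claims, timestamps and wordlist are made up for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def encode_jwt(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Issue a token. alg is a parameter only so the demo can forge an alg=none header."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = _b64url(_sign(signing_input, secret)) if alg == "HS256" else ""
    return f"{signing_input}.{signature}"


def decode_jwt(token: str, secret: str, now: Optional[float] = None) -> dict:
    """Return the claims, or raise ValueError naming the first check that failed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _sign(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # A missing exp is a failure, not "never expires".
    if "exp" not in claims:
        raise ValueError("missing exp")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def verify_outcome(token: str, secret: str, now: float) -> str:
    """'ok' when the token is accepted, otherwise the reason it was rejected."""
    try:
        decode_jwt(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def crack_secret(token: str, wordlist: list) -> Optional[str]:
    """Offline guess of an HS256 secret from one captured token; no server contact needed."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    target = _b64url_decode(signature_b64)
    for guess in wordlist:
        if hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}", guess), target):
            return guess
    return None


# Constructed values for the demonstration.
NOW = 1_700_000_000
STRONG_SECRET = "b0f4d6f8a9c21e7d5b3a4f6e8c9d0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f"
WEAK_SECRET = "secret"
WORDLIST = ["password", "letmein", "secret", "changeme"]


def demo() -> dict:
    good = encode_jwt({"sub": "alice", "exp": NOW + 900}, STRONG_SECRET)
    no_exp = encode_jwt({"sub": "alice"}, STRONG_SECRET)
    forged = encode_jwt({"sub": "admin", "exp": NOW + 900}, "", alg="none")
    weak = encode_jwt({"sub": "alice", "exp": NOW + 900}, WEAK_SECRET)
    return {
        "valid": verify_outcome(good, STRONG_SECRET, NOW),
        "expired": verify_outcome(good, STRONG_SECRET, NOW + 901),
        "wrong_key": verify_outcome(good, "not-the-key", NOW),
        "no_exp": verify_outcome(no_exp, STRONG_SECRET, NOW),
        "alg_none": verify_outcome(forged, STRONG_SECRET, NOW),
        "cracked_weak": crack_secret(weak, WORDLIST),
        "cracked_strong": crack_secret(good, WORDLIST),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The order of checks matters: the signature is verified before any claim is read, so an attacker cannot influence the parsing path with a forged payload, and the algorithm is fixed by the server rather than read from the token. The cracking function is the attacker's side of the "weak secret key" problem: with a wordlist instead of four entries it is the same loop, run as fast as the hardware allows, against a token the attacker already holds.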
CSRFProtect (from Flask-WTF)
Pros: This module adds a crucial layer of defense against Cross-Site Request Forgery by requiring a token tied to the user's session on state-changing requests, so a request forged from another site is rejected even though the browser attaches the victim's cookies to it.
Cons: It can add extra complexity during testing and debugging if not set up correctly, as it may interfere with legitimate requests unless exemptions are carefully managed.
Flask_Limiter
Pros: Implementing rate-limiting with Flask_Limiter helps defend against brute-force attacks by controlling the number of requests a user can make in a given time frame.
Cons: If the limits are too strict, they could negatively affect user experience by slowing down or blocking legitimate usage.
bcrypt
Pros: bcrypt is excellent for securely hashing passwords: every hash gets its own salt, and its adjustable work factor keeps offline brute-force against a leaked database expensive even as hardware gets faster.
Cons: The downside is that this same deliberate cost makes each login check slower than a simpler, less secure hash would be, so the work factor has to be tuned to what the server can afford under load.
Git & Continuous Integration
I feel it is well worth mentioning that one of my favorite aspects of this project has been using Git and Continuous Integration (CI) in a legitimate full-stack project, especially with our team. This is my first time working professionally with these tools in this context, and it has been incredibly rewarding. Some real-world experience with Git for repo branch management has been truly invaluable.
The ability to track our progress, collaborate seamlessly, and automate builds has added a layer of accountability and efficiency to our development process. The sense of accomplishment that comes with seeing everything come together with CI has definitely been a highlight of this term’s work.
– Brett Sullivan