Categories
CS 462

CS 462 Project Review

“Why did you choose your project, and has it met your expectations thus far?”

I chose my project mainly because it is a security research project, and my focus and interest has been in security during my time at OSU recently, especially this last year. I saw how it could be similar to one of my favorite projects that we did in a previous security course, called the Damn Vulnerable Web Application (DVWA). This project gave us the opportunity to build something similar, but from the ground up and how we wanted.

“Did you initially have doubts about your ability to complete the project? How do you feel now?”

Going into this term, we hadn’t really started much development at all, and I was a bit anxious and overwhelmed to get started because I was not familiar with the tech stack we are using, primarily Vue.js and Flask. I was able to find my niche within the backend, mostly in our server and database. Flask was pretty straight forward once I got going, and I had a good idea on the vulnerabilities I wanted to develop.

My experience with the DVWA project in a past course helped tremendously going in and throughout the project. I had a good idea about the OWASP ‘Top Ten Web Application Security Risks’, and had testing/hacking experience with most of them.

“What is the most interesting thing about your project and why?”

I had a handful of vulnerabilities I knew I wanted to implement, such as Brute-force hacking, Cross Site Scripting (XSS), CSRF, and SQL Injection. Accomplishing both developing and exploiting these has been the most fun and interesting part of the project for me so far.

We have managed to get these implemented on our site, through using Pinia (which is a store library for Vue) for state control, which are represented as toggles on the nav bar of our site that pop up under the ‘Vulnerabilities button’ – which when selected will change the API endpoints that are being called shown below on our homepage of our web app.

We have been able to build and design an almost fully functional faux banking web app, that implements both secure and insecure versions built out for each vulnerability. The bulk of this so far has been on the backend, specifically in the server.py code I mentioned above, that has been my main contribution for the project thus far. To make the exploits more easy to test throughout development, I have taken advantage of an extension if VS Code called Thunder Client. Leveraging this this tool, I don’t have to wait on the frontend working to be able to develop and test the vulnerable endpoints that I’ve worked on.

Here is an example of a SQL injection being tested with Thunder client which is simulating a POST request to the web page, with the malicious script included in the JSON body as shown in the left pane, and the response shown in the right pane. This is all being tested on our sql injection vulnerable endpoint, where the malicious user is able to easily enter a SQL query in the login user box, and gets all the database values returned to them, including the users login and password credentials, because of lack on sanitizing or checking user input.

Reflection on 462

Overall, the experience with this project has really boosted my confidence as a software engineer, and someone who can contribute as a solid team member to a code base.

As I get closer to graduation, I can see with more clarity both the strengths and weaknesses that I have when looking for job opportunities. From a project and security standpoint, I think I am in a decent spot compared to many. The main issue I am facing is putting aside time for LeetCode, and until I do that for a while, I likely won’t be able to make it through the tough coding interviews that most companies administer during the interview process. One day at a time.

– Brett

Categories
CS 462

Tech Reflections from Our Security Research Capstone

This term of 462 has been more focused on the actual building of our project, rather than the research and decisions on what technologies we will use, which was our focus in 461. Fortunately for us, (at least for the most part) we have been able to stick with our choices on technologies for our full-stack Security Research project.

We went into the term knowing that we would be using Vue.js for the main building block of our front-end web app, MySQL for our database, and Python’s flask for our server-side functionality and the bulk of the remainder of our backend development.

Going into this term, I actually lacked experience with most of the technologies we are implementing, so at the start, I was a bit apprehensive about learning them and hitting the ground running. Vue, being the robust framework that it is, is still not something I would say I’m overly confident in using still.

I didn’t take Web Development at OSU; instead, I took a few Web Dev courses at CC before transferring, which focused mostly on classic “vanilla” JavaScript, HTML, and CSS. Considering this, I think it has added to the challenge of picking up Vue. Fortunately, a couple of my team members have more experience with it, so that has become their focus.

I had never used Flask either, but I found that I was able to pick it up efficiently since it seems to be more straightforward in many ways and comes with tons of crucial libraries and modules that we have depended on. I would say that Flask is probably my favorite new technology that I’ve used for our project.

I have been mainly focused on the backend development of our project so far, primarily determining how to set up our server routes, aka API endpoints, so that each page they lead to will give an insecure and a secure version of each vulnerability we are exploiting. Some of the libraries and modules we have made use of for this part of the development have been crucial.

Evaluating Our Backend Tools: Pros and Cons

Flask
Pros: Flask is lightweight and flexible, making it ideal for setting up API endpoints and handling HTTP requests/responses with minimal overhead.
Cons: Its minimalistic design means we have to add several extensions (like Flask_SQLAlchemy and Flask_JWT_Extended) to cover additional features, which can sometimes complicate the overall setup.

Flask_SQLAlchemy
Pros: This ORM simplifies our database interactions by allowing us to work with Python objects instead of writing raw SQL. This abstraction not only speeds up development but also reduces the risk of SQL injection attacks.
Cons: However, the abstraction can sometimes hide the underlying SQL, making it harder to optimize or troubleshoot complex queries.

Flask_JWT_Extended
Pros: Handling authentication is more straightforward with JWTs, and this library integrates well with Flask to create, manage, and verify tokens securely.
Cons: The security of JWTs depends heavily on proper configuration – issues like improper token expiration settings or weak secret keys can introduce vulnerabilities if not carefully managed.

CSRFProtect (from Flask-WTF)
Pros: This module adds a crucial layer of security against Cross-Site Request Forgery attacks by protecting our endpoints.
Cons: It can add extra complexity during testing and debugging if not set up correctly, as it may interfere with legitimate requests unless exemptions are carefully managed.

Flask_Limiter
Pros: Implementing rate-limiting with Flask_Limiter helps defend against brute-force attacks by controlling the number of requests a user can make in a given time frame.
Cons: If the limits are too strict, they could negatively affect user experience by slowing down or blocking legitimate usage.

bcrypt
Pros: bcrypt is excellent for securely hashing passwords, thanks to its computational intensity which makes brute-force attacks difficult.
Cons: The downside is that this same computational overhead can result in slower authentication processes compared to simpler, less secure methods.

Git & Continuous Integration

I feel it is well worth mentioning that one of my favorite aspects of this project has been using Git and Continuous Integration (CI) in a legitimate full-stack project, especially with our team. This is my first time working professionally with these tools in this context, and it has been incredibly rewarding. Some real-world experience with Git for repo branch management has been truly invaluable.

The ability to track our progress, collaborate seamlessly, and automate builds has added a layer of accountability and efficiency to our development process. The sense of accomplishment that comes with seeing everything come together with CI has definitely been a highlight of this term’s work.

– Brett Sullivan

Categories
CS 461

Clean Code & Code-Smells

What is one thing from the articles that you would like to start doing (more often), and why?

I found an interesting article, “Clean Code Principles: Best Practices for Writing High-Quality Software.”, that lists some of the most important concepts to do our best to adhere to, in order to create and maintain clean code for all parties involved. Some obvious ones that all of us are surely aware of are thing like, “Meaningful names and variables”, or, “keep methods and functions small”, that states that “Small, focused functions and methods are easier to understand, test, and maintain.”

Of course these are crucial for code development. Some other ones from the article that may not be as well known are ones like, “Follow the Open/Closed Principle”. This one I was not fully aware of based off the name. The description goes into the fact that “(…OCP states that software entities should be open for extension but closed for modification. We’ll explain how adhering to this principle enables code to be easily extended without modifying existing code. We’ll discuss techniques such as interfaces, abstractions, and design patterns that facilitate OCP and promote clean code practices.)”.

When it comes to answering the question at hand, the two principles that stick out to me that most that I would like to implement more in my coding style, firstly, would be the “Don’t Repeat Yourself or DRY” principle. I find that I have the bad habit of overlooking where I can implement a function or even an import to save myself the time of having duplicate code, especially in larger projects.

The second principle that sticks out to me that I would like to work on more is Test Driven Development. The main emphasis here is on writing tests before writing a lot of the code. We worked on this quite a lot in SWE 11, but haven’t done much of it in other courses or projects.

What is one thing you want to avoid doing and why?

As the second article, “Code Smells and Refactoring: A Tertiary Systematic Review of Challenges and Observations.”, states:

“In general, developers introduce code smells in software systems when modifications and enhancements are performed to meet new requirements. The code becomes complex and the original design is broken, lowering software quality.”.

This is a concept we mostly only covered in CS361, SWE 1. We covered this when going through the software development and Agile workbook, but did not spend a ton of time on this topic. My take on it that is the gist of the problem is laziness and trying to save time when adding to or modifying software to meet instant needs, as the quote above alludes to.

To answer the second question directly, I wish to avoid making these mistakes, by looking at the project overall when making adjustments to consider the possible development of any code-smells in the future, as a result of changes being made to it after the fact. I think the trick here is thinking more about the lifetime of the project, rather than how many hours are going to be put into the modifications and additions at hand.

Works Cited

Dyankov, Dimitar. “Clean Code Principles: Best Practices for Writing High-Quality Software.” The Coding Hub, 24 May 2023, www.thecodinghub.com/articles/clean-code-principles-best-practices-for-writing-high-quality-software.

Lacerda, Guilherme, et al. “Code Smells and Refactoring: A Tertiary Systematic Review of Challenges and Observations.” Journal of Systems and Software, vol. 167, Sept. 2020, p. 110610, https://doi.org/10.1016/j.jss.2020.110610.

Blogs by Brett Sullivan

Categories
Uncategorized

The Ending of 2024

Job Hunting

Above picture represents my experience trying to put together any progress in landing an internship or entry level role for next year, as a developer or anything cybersecurity related. As I assume anyone reading this blog post knows, it is brutal right now for people trying to get their first jobs in tech. It seems the market is saturated right now with fresh graduates competing with thousands of other candidates for their first dev jobs. There are simply too many people and not enough jobs right now, especially for internships. I have had my resume looked over by friends and acquaintances that work in industry and have received great feedback on it being near perfect, yet I get little to no responses from job applications.

In this current climate, all I can do is try to keep improving my skillset and hopefully make myself more marketable to employers. I lack actual developer experience aside from what I’ve done in school (build build build). I also need to improve my LeetCode skills, as most companies seem to want you to be able to work through a few medium-hard problems in a short window of time before you can even talk to a recruiter or person from the company (I’ve had a few of these screenings now and they have not been great). Between attempting to build projects outside of schoolwork, getting better at LeetCode, and networking for jobs here in Silicon Valley, I have plenty to keep me busy between now and graduation in about a year.

Wrapping up 461 (Senior Capstone Project l)

The first term for the Senior Capstone project has been great overall, and it far exceeded expectations. I went into it with quite a bit of fear and anticipation, and it ended up being not what I expected at all. The workload is not bad at all, and there are nice helpful videos and lectures added to the modules throughout the term. The first term in this sequence is mostly all just planning, and getting the bare bones of the project going and ready to start for next term.

The last couple modules give some good info on perfecting one’s resume, and getting better prepared for job interviews. Both the instructor and the TA’s seem available and ready to help at any given time (even during the big strike going on).

Finally done with 373 (Defense Against the Dark Arts)

Again, I will try to focus on the positives from this class. This was one I knew was time consuming going into it, and many of us in the class were a bit hyped up around the name of the course. Some of the labs and homework we did were really interesting, such as using a buffer overflow to take over control of an application on a Windows XP VM, or working with hardware for the first time using a Teensy Board loaded with a hex program, then analyzing soldered pins for signals with different protocols on a Logic program. We also got a ton of experience using different systems on a variety of virtual machines, and lots of terminal experience pretty much every one of those times as well.

It turns out we were the last group of students that will take CS373 in its current form, as a full revamp is supposed to take place after this term. This course at up about 90% of my time each week that I set aside for school, so, to 373 I say – bon voyage!

PS – Goodbye to my awesome Astronomy course and lab I am finishing up for a needed GE science requirement. Truly fascinating field of study, I highly recommend checking it out to anyone that has the opportunity to do so!

Categories
CS 461

Week 7 – 461 & 373

Above image represents how I feel almost 4 years into my CS degree, after a grueling fall term so far (mainly due to Defense Against the Dark Arts).

Senior Software Engineering (CS-461)

The first term of my Senior Software Engineering Project class (461) has been a good experience overall, and much less intense than I had expected it to be. Some things that I think have contributed most to this are as follows:

  • An awesome and approachable hands-on professor.
  • A well designed and thought out course.
  • Building a CyberSecurity related project that I am somewhat passionate about.
  • A solid and diverse project group that each brings a unique set of skills to the table.
  • Likely the fact that it is not an industry partnered project, so probably not as intense as those can be.
  • The first term in this course sequence being more about planning and design than actual building.

These factors, along with others, have provided a good experience with 461, and looking back on hearing some horror stories about the difficulty of the sequence from some past students, I wish I wouldn’t have spent so much time in fear and worry about this course.

Defense Against the Dark Arts (CS-373)

As you can maybe guess by now, this hasn’t exactly been the case for CS373. I will attempt to focus on the positive here for this course, as there is plenty of that. The course it not what I expected after taking my previous and first cybersecurity course last term in CS370. We are covering many different areas that may or may not have to do with security.

One takeaway so far has been that this class could likely be classified as a low-level systems class. The reason I say this is because the majority of our weekly labs and homework have been working in a virtual environment, whether that we a Kali Linux of some Windows OS variation, and we are dealing with a heavy amount of both assembly and operating systems stuff. Some major benefits here have been getting better with systems overall, not being so dependent on my local machine and it’s tools, and getting a TON of terminal experience. I view these all as important skills to improve on, and am doing my best to focus on the positives here.

For our final few weeks in 373, we have some higher-level concepts to focus on, such as network and firewall areas. The exception to this being in week 7 we will be using actual hardware that we ordered for a lab, so that should get interesting. Hopefully in a few weeks I can say I made it through the other side of this challenging course as a more experienced cybersecurity focused CS major with another couple notches on my belt.

Categories
Uncategorized

Project Blog – Day 1

My journey as a computer science student began about 4 years ago. I have been working for a small medical company for the last 8 years or so, we specialize in anesthesia systems, for research, private practice, and human use. Over time I grew a bit bored and stagnant in this job, and had always wanted to go back to school to get a higher education. One could say I fall into the non-traditional category of students, as I am in my mid 30s, and almost nobody in my entire family has a formal education beyond high school.

I grew up and have lived in the bay area, right in the heart of Silicon Valley, my whole life. Most of my immediate family still lives in my home town which is on the coast, about 25 minutes south of San Francisco. Living where I do, I feel I am pretty exposed to the ‘tech way of life’, as it seems most the people that live on the peninsula here nowadays are folks that have moved here from all over the country and world for tech jobs.

I wasn’t sure which major I would choose at the time, and had an interest in business administration. One of my best friends is a former software engineer that got his Masters in EE from Stanford, and he encouraged me to try out some coding courses online to see how I liked it. I started out with a Python course offered through Coursera, that was taught by a University of Michigan professor, if my memory serves. I was enthralled with the challenges and mental stimulation of programming pretty quickly. A few of those things that kept me in this field that I discovered early in my programming journey, I still feel the same about today, and they help motivate me to stay on this challenging endeavor of a path.

Rather quickly from that point, I decided to start out at community college as a CS major, fully online as this was the first year into the pandemic. After almost finishing up my Associates degree in CS, I decided I was going to stay a fully online student and transfer to finish my last two years of undergrad. Surprisingly there weren’t many decent universities in California that offered a bachelors in CS fully online. After extensive searching and research, I discovered that Oregon State was clearly my best option, and transferred over at the start of 2023.

I recently switched my minor/focus area from business to a custom build – mostly cybersecurity along with a few business courses. I took the ‘Intro to CyberSecurity’ course over the summer, it was challenging, but one of my favorite courses I’ve taken so far.

As my focus area is now cybersecurity, and I am taking the notorious Defense Against the Dark Arts course this term, I would like to pick a project that is related, if possible. Other areas of interest for me include AI (mainly because it seems to stick out on a resume more than anything these days), and front-end development for web apps, as I probably have more experience in this area compared to many others.

Some other things that I feel are tied to my identity these days are my two adorable cats, my passion and love for the sport of tennis, my love of travel, my insistence to chase goals and strive for a growth mindset.

“There is some good in this world, and it’s worth fighting for.” — J.R.R. Tolkien

Categories
Uncategorized

Hello world!

Welcome to blogs.oregonstate.edu. This is your first post. Edit or delete it, then start blogging!