Residency Make Up Session Assignment

Course: ISOL531 – Access Control
Deliverable: Individual Projects

Prepare a report to address all aspects of the assignment. This report should be no less than 10 pages of content. You need to include outside sources and properly cite and reference your sources. You must have at least 10 references, 5 of which must be scholarly peer-reviewed articles. In addition to the 10 pages of content, you will want a title page and a reference sheet. This report needs to be in proper APA format.

Research Paper Sections

The following sections should be outlined as headers in the paper:
• Introduction: thesis statement, overview, purpose
• Background: discuss the history of the topic
• Discussion: identify benefits, obstacles, innovations
• Conclusion: summarize the overall study, lessons learned
• References: minimum three references with citations in the body

All written reports should be submitted in MS Word. The paper submission will use SafeAssign. Please ensure that you use proper (Author, YYYY) APA citations for any outside content brought into the paper. Be prepared to give a 10-minute presentation on this assignment. Students must submit both the written assignment and the presentation slides in the folder labeled “Make Up Assignment” in your iLearn course.

Assignment

Below are Residency Project examples by faculty. Select one of the Residency Project options. Please note that you may have to select a topic within one of the options. Read carefully.

Residency Project Option 1

Topics to select from for the research project:

Topic 1 – Security testing for applications
Source: https://en.wikipedia.org/wiki/Application_security#Security_testing_for_applications

Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation.
Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.

Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools), have been historically used by security organizations within corporations and security consultants to automate the security testing of HTTP request/responses; however, this is not a substitute for the need for actual source code review. Physical code reviews of an application’s source code can be accomplished manually or in an automated fashion. Given the common size of individual programs (often 500,000 lines of code or more), the human brain cannot execute the comprehensive data flow analysis needed in order to completely check all circuitous paths of an application program to find vulnerability points. The human brain is suited more for filtering, interrupting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to find the root cause level vulnerabilities.

There are many kinds of automated tools for identifying vulnerabilities in applications. Some require a great deal of security expertise to use and others are designed for fully automated use. The results are dependent on the types of information (source, binary, HTTP traffic, configuration, libraries, connections) provided to the tool, the quality of the analysis, and the scope of vulnerabilities covered. Common technologies used for identifying application vulnerabilities include:

Static Application Security Testing (SAST) is a technology that is frequently used as a Source Code Analysis tool.
The method analyzes source code for security vulnerabilities prior to the launch of an application and is used to strengthen code. This method produces fewer false positives but requires access to an application’s source code and requires expert configuration and lots of processing power.

Dynamic Application Security Testing (DAST) is a technology which is able to find visible vulnerabilities by feeding a URL into an automated scanner. This method is highly scalable, easily integrated and quick. DAST’s drawbacks lie in the need for expert configuration and the high possibility of false positives and negatives.

Interactive Application Security Testing (IAST) is a solution that assesses applications from within using software instrumentation. This technique allows IAST to combine the strengths of both SAST and DAST methods as well as providing access to code, HTTP traffic, library information, backend connections and configuration information. Some IAST products require the application to be attacked, while others can be used during normal quality assurance testing.

Topic 2 – Application Security Metrics: Why?
Source: Application security metrics, https://www.checkmarx.com/2015/05/15/application-security-metrics-where-andwhy-to-begin/

Metrics offer a practical approach to helping make decisions about which parts of your program are working and which need to be fine-tuned or replaced – all with the business goals at top of mind. With an application security program in place, the only way to keep the continued support of upper management is by offering up quantifiable numbers and data tied into the goals and objectives of your organization as a whole.
The right metrics will help your organization:
• Fully understand the security risks of core business processes and applications
• Verify your compliance and that the correct security controls are in place
• Identify points of strength and points of improvement in your program
• Decide which issues need to be addressed and how to best resolve them

Determining the correct measurements for your business will take time to perfect. With so much data at your fingertips, mining through and filtering out the most important metrics will be the next challenge. But by identifying what you and your program stakeholders value highest in the business and what applications are most business-critical, you’ve already taken a big step towards proving yourself to the board. The great news is that the information is there, sitting in your dashboards and in your and your team’s minds. Now you just need to know what you’re looking for and how to weave it together into something that makes sense to yourself and the board.

Without measuring your security activities, you’re not looking at the big picture. Metrics are important because they quantify the otherwise unquantifiable practice of securing your organization’s applications. They help justify your application security program, including the people and the solutions working for it.

Vulnerability metrics

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores.
Two common uses of CVSS are prioritization of vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one’s systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities. The NVD supports both Common Vulnerability Scoring System (CVSS) v2.0 and v3.0 standards.

The NVD provides CVSS ‘base scores’ which represent the innate characteristics of each vulnerability. We do not currently provide ‘temporal scores’ (metrics that change over time due to events external to the vulnerability) or ‘environmental scores’ (scores customized to reflect the impact of the vulnerability on your organization). However, the NVD does provide a CVSS score calculator to allow you to add temporal and environmental score data. This calculator contains support for U.S. government agencies to customize vulnerability impact scores based on FIPS 199 system ratings.

Topic 3 – How can you improve the NVD CVSS ‘base scores’ and the CVSS score calculator?
One possible approach to look at: https://www.firecompass.com/blog/metrics-vulnerability-management-program/

Mobile application testing
Source: https://en.wikipedia.org/wiki/Mobile_application_testing

Mobile application testing is a process by which application software developed for handheld mobile devices is tested for its functionality, usability and consistency. Mobile application testing can be an automated or manual type of testing. Mobile applications either come pre-installed or can be installed from mobile software distribution platforms. Mobile devices have witnessed phenomenal growth in the past few years. A study conducted by the Yankee Group predicts the generation of $4.2 billion in revenue by 2013 through 7 billion U.S. smartphone app downloads. Additionally, wearable application testing is an interesting market. Bluetooth, GPS, sensors and Wi-Fi are some of the core technologies at play in wearables.
A lot of importance is needed here for field testing, user focus, and looking at areas where hardware and software need to be tested in unison.

Residency Project Option 2

Equifax is one of the three major credit bureaus that store personal and business credit profile information.[1] Organizations rely on Equifax credit data in order to make pertinent financial lending decisions. In 2017, Equifax revealed that a data breach exposed the sensitive personal information of 143 million Americans.[2] In 2018, Equifax budgeted to spend $200 million on security and technology projects for the year.[3]

Assume that you work for an Information Technology Security firm in Atlanta and your company has been hired to provide a threat model of Equifax consumer and business data and provide remediation to address the security issue.

Key Deliverables

Your Company Information
▪ Company profile
▪ Leadership profile and expertise

Equifax
▪ Equifax company background and history
▪ Discuss the Equifax 2017 data breach
  o Discuss the impact of the security incident
  o Discuss the scope of consumers and businesses affected
  o Discuss how Equifax handled the security incident
  o Discuss how the government handled the security incident

Threat Model Proposal
▪ Propose strategies and discuss a threat model for managing Equifax consumer and business data.

Identify Threats
▪ Find and discuss at least three threats to Equifax information systems using one of the threat model strategies. *NOT threat types! One for a data flow, one for a data store, one for a process.

Manage and Address Threats
▪ Discuss and recommend at least two remediations per threat identified in the earlier section.

Closing Section
▪ Discuss the likelihood of another data breach and recommend what Equifax needs to do to be prepared and possibly avoid it.

[1] https://www.equifax.com/about-equifax/
[2] https://www.ftc.gov/equifax-data-breach
[3] http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/
Residency Project Option 3

Topics
• Application Security Metrics
• Mobile Application Testing
• Penetration Testing
• Integration Testing
• Static Application Security Testing (SAST)
• Interactive Application Security Testing (IAST)
• Dynamic Application Security Testing (DAST)
• Port Scanning
• Host Discovery
• Ethical Hacking
• Vulnerability Scanning
• Vulnerability Metrics

Assignment

Please select a topic from above and write a 10-page paper that must include the following:
• Discuss the methodology of the test/metric/technique chosen and how it works.
• Discuss the strengths and weaknesses of the test, metric, or technique.
• Discuss how the test, metric, or technique would work in a high-level programming language and/or in machine code. Please provide two real-world scenarios to explain this.
• Provide two examples using a programming language or machine code that will show how your test, metric or technique would work in your real-world scenarios (one example for each scenario). Your examples should be complete.
• You can use open source tools to give complete examples of how your test, metric, or technique would work.
• You can use the NIST source tools and owasp.org as your starting point.
• Provide a detailed explanation of each of your coding examples, and discuss the strengths and weaknesses in your code and what can be improved.
• Discuss what you have learned from this assignment and how you will apply it moving forward.