Ssd Unit 11
Published:
Learning Outcomes Achieved
- Critically analyse development problems and determine appropriate methodologies, tools and techniques to solve them
- Design, develop and adapt programs and to produce a solution that meets the design brief and critically evaluate solutions that are produced
Project Reflection
The following section explains the differences between the submitted project, and what was initially planned.
Omissions and changes
Originally, it was intended that the application would be deployed to Heroku, with the aim of preventing DDoS attacks. This was not done in the final application because it would have increased risk. Since the application uses a web frontend, HTTPS becomes a necessity for security. This would require the purchase of an SSL certificate and additional setup, which was not feasible during development.
I intended to use regexploit, however, this was not done due to time constraints. Regex wasn’t used, it could have been used client-side, but I was relying on the validation/sanitation provided by Django. I wasn’t sure if it would therefore provide any benefit.
Encryption was also a feature which differed from the original design. Although it was intended for all communications to be encrypted with SHA, it was found to be unnecessary as the use of JWT provided sufficient encryption.
One thing which the team decided on doing was implementing the website as a standalone application, as opposed to using more of Django’s functionality. The reason for this was that it would have required more time from Suresh and Victor, and thus it was agreed that I would develop the website from scratch, as a standalone application. The disadvantage of this was that it then meant that there would be no templating or dynamic rendering for the HTML- rendering would have to be done with DOM manipulation via jQuery. In retrospect, I think we should have leveraged Django. The reason is because Django implements a lot of security features by default, meaning that the overall security would be more reliable since it’s driven by a well-supported, open-source framework. Implementing security from scratch can lead to an increased risk of vulnerabilities, which is what I had to do. The only challenge then would have been time management and learning how to use that functionality, and by extension, Django.
Obfuscation was also not present, although it was mentioned in the README. Obfuscation
Testing also differered. We did not have decision table testing as initially planned. I could not find a good use case for it within my responsibilities, primarily because the frontend was only responsible for passing data to the underlying Django application. It could have been used
Personal Contributions
In terms of my contributions, I managed the project by setting milestones, checking progress and deciding which features to build and which to skip. Additionally, I was responsible for building the web frontend, implementing CircleCI along with SonarCloud (although Suresh had to install both as he was the repo owner), and I did some work on the Django code ensuring that it worked as expected with the website. I assisted my teammates with research and commenting code, to highlight areas where we focused on securing the application.
The website development helped me learn about the perspective I need to take when I develop software. When I started work on the website, I approached from the perspective is that security is a habit (which is my own intuition about creating secure software during the coding phase). Every time I wrote something new, I asked myself if what I’m writing widens the threat surface, and if it does, how can it be secured? I feel that this helped me write a consistently secure website, because I questioned functionality as I wrote it. This also helped me cultivate attention to detail, and later in development, I found areas for improvement because I developed the habit of thinking critically about the software. Something I would like to do is take this line of thinking further, and see if industry follows a similar approach. To do this, I would need some time to watch conference recordings, talks, and read blogs, and thus I will do so once I have time.
Towards the end of development, I took initiative and learned how to write unit tests for Django to ensure that various aspects of the API’s behavior was tested. Additionally, I also worked on securing the CircleCI pipeline by using environment variables to get the unit tests operational in the cloud.
I was most proud of the above 2 points because they are evidence of my understanding of the course material and willingness to implement that understanding. In the design document, I discussed how CI/CD can improve the security of software but can also widen the attack surface- I was presented with a challenge because the CircleCI build container needed access to specific variables for the tests to run. The easiest option would have been to add the necessary variables directly to the circleci file in the repository, but that would have meant that anyone who views the repository could see sensitive information. Instead, I opted to learn how to use CircleCIs environment variables functionality, and figured out how to combine that with python vars (which allows us to keep sensitive information out of source code). As a result, the environment variables are hidden in CircleCI, cannot be read back even from CircleCI itself, and the CircleCI yml file in the repository has no sensitive information. I think this is a perfect example of how secure software development would look in the real world, and what kind of problem solving would be needed to make it happen.
The teamwork aspect of these projects was unique in the sense that all communication was done via digital channels. The development process was overall smooth as we spoke to each other on a weekly basis, posting updates where necessary. What I was really interested in is how digital/productivity tools influenced our work. We relied a lot on Discord and Slack. We had worked using Trello for a bit, but it became less used as time continued. What I wonder is how we could have leveraged Trello better, and when time permits, I’d like to research and revisit this idea. I think there was a missed opportunity because it was mainly used a to-do list, but it could have supported more things, such as being a quick reference for key information such as APIs.
This reflection helped me achieve learning outcomes 2, because I revisited some of the development problems that the team faced, which required critical evaluation to find solutions which would ensure the final application remains secure. I also achieved learning outcome 3 because I critically evaluated the final product and found areas for improvement.
Summary Post
This week, students were asked to create a summary post. This helped me consolidate my knowledge gained over the past 3 units.