Overview
In this assignment, you’ll conduct a dependency check, a type of static testing that detects known vulnerabilities in the third-party libraries an application depends on. Static testing lets you identify vulnerabilities in the code without executing it. In this assignment, you’ll do the following:
- Identify software security vulnerabilities by running the code base through a static testing tool.
- Identify mitigation techniques that can be applied to vulnerabilities associated with known exploits.
Scenario
You’re a senior software developer on a team of software developers. The team is responsible for a large web application that uses Spring Framework.
The software development team discussed the vulnerabilities in the code base that came out of your manual code review, and it plans to mitigate them. The team is also adding new functionality that requires a new library. A best practice for ensuring secure code is to run a dependency check against both the refactored code base and the additional library. Tools exist to automate dependency checks, and you’ll integrate one of them into your vulnerability assessment workflow.
Directions
To begin, open the Module Two Coding Assignment Code Base, linked in the Supporting Materials section, in Eclipse. Refer to the Uploading Files to Eclipse Desktop Version Tutorial, linked in the Supporting Materials section, for testing the code base in Eclipse. Then integrate the Maven Dependency-Check Plug-In for the code base.
Please note: Integrating the static testing tool was a non-graded task that you should have completed in the previous module. You may have already completed these steps.
Follow the instructions in the Integrating the Maven Dependency-Check Plug-in Tutorial, linked in Supporting Materials, to learn how to integrate the dependency-check plug-in into Maven and run it for static testing.
Use the instructions in the tutorial to identify the software security vulnerabilities, and document them in the Module Two Coding Assignment Template, linked in What to Submit.
Specifically, you must address the following rubric criteria:
- Run the dependency check on the code base. Include a screenshot of the resulting HTML report in your Module Two Coding Assignment Template. Make certain the screenshot includes the scan information at the top of the dependency-check report.
- Document the results from the dependency check. In your Module Two Coding Assignment Template, make certain to include the codes and descriptions of each vulnerable dependency that you found.
- Analyze the results to identify the best solutions for addressing the dependencies in the code base. Summarize your findings in your Module Two Coding Assignment Template. You can refer to industry standard guidelines such as the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD), both linked in Supporting Materials. Also consider why you should filter false positives from the dependency-check tool, and discuss this in the Module Two Coding Assignment Template.
To learn about the dependencies and interpret the results from the report, click on each dependency listed as shown below.
Information about the dependency description, its severity, and potential solutions will also be available from the NVD. You can access this information by clicking on the matching Common Platform Enumeration (CPE), then selecting the Vulnerability ID.
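As an added illustration (not part of the assignment materials or the tutorial), the fragments below show what a Maven integration of the OWASP dependency-check plug-in looks like once the false-positive handling discussed above is in place: the plug-in entry for pom.xml, and a suppression file that records why a reviewed finding was filtered. The plug-in version, file name and the package URL and CVE identifier in the suppression are assumed placeholders.

```xml
<!-- pom.xml, inside <build><plugins> -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.4.0</version> <!-- assumed; pin to the current release -->
  <configuration>
    <!-- Produce the HTML report (written under target/) that the rubric asks for -->
    <format>HTML</format>
    <!-- Fail the build when any dependency carries a CVE with CVSS at or above 7 -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- Reviewed false positives live in a version-controlled suppression file -->
    <suppressionFiles>
      <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal> <!-- runs in the verify phase: mvn verify -->
      </goals>
    </execution>
  </executions>
</plugin>

<!-- dependency-check-suppressions.xml (hypothetical entry; values are placeholders) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>
      Reviewed on YYYY-MM-DD by reviewer: the matched CPE belongs to a different
      product with a similar name; this artifact is not affected. Cite the NVD entry.
    </notes>
    <!-- Scope the suppression to one artifact so unrelated findings are never hidden -->
    <packageUrl regex="true">^pkg:maven/com\.example/example\-lib@.*$</packageUrl>
    <!-- Suppress only the specific CVE that was reviewed, not every finding -->
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

Keeping each suppression narrow (one artifact, one CVE, with a dated justification) is what separates filtering a false positive from silencing a real finding, and the notes give the reviewer of your template the evidence behind the decision.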
What to Submit
Submit your completed Module Two Coding Assignment Template. Your completed assignment should be 1 to 2 pages long. Make certain to include a screenshot of the HTML output from the dependency check. Summarize the dependency-check results and potential solutions. Sources should be cited according to APA style.