The task consists of a software development task, a network analysis task and a risk
assessment. It will test the following module level learning outcomes:
Task details
Instructions
Read the entire Task specification sheet thoroughly.
You must choose one of the projects detailed below and use that for your
Task, unless you have been given permission otherwise.
Each Candidate must identify at least 4 security issues with their chosen project and fix at
least 2 major issues. You may find and fix more security issues if you wish, and credit will be
given for the range of security issues that you have identified. Credit will also be given
for finding vulnerabilities that nobody else has found.
The security issues may be design issues, implementation issues or a mixture of the
All fixes must be implemented in a secure manner. The design, implementation and
testing of the fixes must be given in your final report.
All Candidates must perform a pen test of their DVL VM (with all the services running)
using, as far as possible, the framework given in the lecture (some stages will obviously
not be appropriate and you may omit those stages).
All Candidates must present a technical and a management report of their findings. The
reports should contain the following:
o An overall summary of what the software chosen does (both reports)
o An overall summary of the results of the pentest (both reports)
o A high level design of the software (technical report)
o A detailed design of changes made (technical report)
o A detailed justification of changes made, showing how they comply with secure
coding guidelines (technical report)
o A detailed list of services running on DVL (technical report)
o A detailed summary of the implications of the vulnerabilities found in the pentest,
grouped in a logical manner (technical report)
o A high level list of recommended actions to take to resolve the vulnerabilities
o A detailed list of recommended actions to take to resolve the vulnerabilities
o A discussion of implications of not fixing the vulnerabilities (both pentest and
software) and of the resources required to fix the issues (management report)
All Candidates must hand in a short additional reflective report, reflecting on their learning.
For this Task you are expected to develop a system that closely follows the secure coding requirements. You can choose any of the following three projects:
Shimmer is a pair of small programs (a client and a server) that provide an
alternative to port knocking and are used to hide a valuable port (such as
a hidden web server or SSH) on a public IP address.
Unlesbar is intended to be an electronic safe for sensitive data you want to keep in
a safe place.
OpenStego is a free steganography solution. Steganography is the science of
hiding a secret message inside another larger and harmless-looking message. You
should use the latest version of OpenStego.
These projects have been chosen because they are known to have security issues. If you want to choose a different project altogether, you will need to get approval from Faye Mitchell or Mark Green in advance. Note that Task submissions that have not been approved will be severely marked down for not obeying Task guidelines.
You must submit paper and electronic copies of the technical and management reports and electronic copies of the code and reflective report:
Electronic copies of the original code and your modifications (clearly commented)
The Technical report
The Management report
The reflective report
55% of the marks will be allocated to the software aspects, 35% of the marks to the penetration aspect and 10% to the reflective report.