Skip to content

Development FAQ: Initial design and tests

Jason Puglisi edited this page Feb 9, 2019 · 5 revisions

1. What Web Application security mechanisms are involved in your topology? What security mechanisms would ideally be involved?

We have a few security mechanisms in place that help protect our web application. We have an NGINX reverse proxy server directing where traffic can access our web server and where it will be routed to. It prevents users from directly accessing other components in the network like the database. We are also planning to implement a authentication whitelist policy for the routes of our web server. The home or landing page is the only page whitelisted, meaning that unauthenticated users can access only that page without restriction. However, all outside traffic not going to the page will be blocked until they are a successfully authenticated user.

Lastly, we have added monitoring to the web server activity by logging requests made to pages on the web server as well as any login attempts. We can use the logs to determine how, when, and from where users are accessing our web application.

Ideally there would also be a web application firewall like ModSecurity (https://modsecurity.org/) running in the environment. These products often require a lot of configuration and this particular solution isn’t suited toward the goals of this project. We would like to introduce a specific set of vulnerabilities into the application and this could hinder that effort.

2. What testing framework did you choose and why?

We are using Python’s pytest library as our testing framework. It allows us to write unit tests for individual methods inside our code base. We do this to ensure that the application behaves as we expect it to and it helps us protect the codebase from vulnerable code. To run tests that we write, we use the TravisCI tool into our Github repository. It automatically runs and verifies that our code passes the tests we wrote with the testing framework. Overall, this ensures that every commit in the project is tested and functional before it merged into the master branch.