6000CMD Security Suggested Report Template
Coursework Report
Module: 6000CMD Security
Assignment Title: E-commerce Platform. Security Analysis and Design
Table of Contents
1. Introduction
2. Part 1: Security Analysis
o 2.1 High-Level System Design
o 2.2 Security Considerations & Threat Modelling
o 2.3 Authentication and Authorisation Strategies
o 2.4 Data Protection and Secure Design Decisions
o 2.5 Security Audit & Analysis
3. Part 2: Design and Implementation
o 3.1 Component Design & Information Flow
o 3.2 Secure Implementation Details
4. Conclusion
5. References
6. Appendix
o Appendix A: Link to GitHub Repository
1. Introduction
Instructions:
Start with a brief introduction to the project. Explain that this report details the design, development, and
security analysis of a prototype e-commerce platform for 'Amazing Bargain Central Ltd.', as required by the module coursework.
Briefly outline the structure of the report, mentioning that it is divided into two main parts: the security
analysis and the design/implementation details. This sets the scene for the reader. Your introduction should be concise and to the point.
2. Part 1: Security Analysis
2.1 High-Level System Design
Instructions:
Give a high-level overview of your application's architecture. What is your tech stack (e.g., Python with Flask/Django, Node.js with Express, etc.)? How do the main parts of the system (front-end, back-end, database) connect?
You don't need to go into massive detail here, but a simple block diagram could be useful to help the reader understand the overall structure of your prototype.
2.2 Security Considerations & Threat Modelling
Instructions:
This is a crucial section. For each key feature of the e-commerce site, identify potential security issues and threats. Think like an attacker. How could these features be abused?
You should structure your discussion around the requirements from the brief:
• User Accounts: (e.g., Weak passwords, credential stuffing, insecure account recovery).
• Product Management (Seller & Admin): (e.g., Cross-Site Scripting (XSS) in product descriptions, SQL Injection in search fields, price manipulation).
• Reviews & Image Uploads: (e.g., Stored XSS in reviews, uploading malicious files disguised as images, insecure handling of file uploads).
• Purchasing/Transactions: (e.g., Insecure Direct Object References (IDOR) to view other users' orders, Cross-Site Request Forgery (CSRF) on the purchase action).
• Logging and Analytics: (e.g., Data privacy issues, logging sensitive information like passwords by mistake).
2.3 Authentication and Authorisation Strategies
Instructions:
Discuss and evaluate the different strategies you considered for managing users.
• Authentication: How do you verify who a user is? Compare different methods (e.g., session-based authentication with cookies vs. token-based authentication like JWT). Justify your final choice, using literature to support your arguments about which is most suitable for this application.
• Authorisation: Once a user is logged in, what are they allowed to do? Explain how you will implement different access levels for the three user roles: Customer, Seller, and Admin. A Role-Based Access Control (RBAC) model is expected here. Describe the permissions for each role.
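The following is an added illustration of the RBAC model this section asks for; it is example code written for this template, not code from any student prototype. The permission names, the Role enum, the User dataclass and the sample product listing are all constructed for the example. It shows the two checks an e-commerce site needs: a role check (does this role hold the permission?) and an object-level ownership check (is this seller editing their own listing?), the second being what stops the IDOR issues listed under Purchasing/Transactions in 2.2.

```python
from dataclasses import dataclass
from enum import Enum
from functools import wraps


class Role(Enum):
    """The three roles named in the brief."""
    CUSTOMER = "customer"
    SELLER = "seller"
    ADMIN = "admin"


# Permission matrix (constructed for this example): the actions each role may perform.
PERMISSIONS = {
    Role.CUSTOMER: {"product:view", "order:create", "order:view_own", "review:create"},
    Role.SELLER: {"product:view", "product:create", "product:edit", "order:view_own"},
    Role.ADMIN: {"product:view", "product:create", "product:edit", "product:edit_any",
                 "product:delete", "order:view_any", "user:manage"},
}


class PermissionDenied(Exception):
    """Raised when a user lacks the permission an action requires."""


@dataclass
class User:
    id: int
    role: Role


def has_permission(role, permission):
    """Role check: True if the permission matrix grants `permission` to `role`."""
    return permission in PERMISSIONS.get(role, set())


def requires(permission):
    """Decorator: the first argument of the wrapped view must be a User holding `permission`."""
    def decorator(view):
        @wraps(view)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user.role, permission):
                raise PermissionDenied(f"{user.role.value} lacks {permission}")
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("product:edit")
def edit_product(user, product, new_price):
    """Role check (decorator) plus object-level ownership check.

    The ownership check is what stops a seller changing another seller's
    listing by supplying its id (an IDOR); a role check alone cannot do that.
    Admins hold product:edit_any and so may edit any listing.
    """
    if product["seller_id"] != user.id and not has_permission(user.role, "product:edit_any"):
        raise PermissionDenied("not the owner of this product")
    if new_price <= 0:
        raise ValueError("price must be positive")  # server-side validation against price manipulation
    product["price"] = new_price
    return product


def try_edit(user, product, new_price):
    """Return True if the edit was permitted and applied, False if it was denied."""
    try:
        edit_product(user, product, new_price)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    listing = {"id": 42, "seller_id": 7, "price": 19.99}  # constructed sample product
    print(try_edit(User(1, Role.CUSTOMER), listing, 5.00))   # False: customers cannot edit
    print(try_edit(User(8, Role.SELLER), listing, 5.00))     # False: not the owning seller
    print(try_edit(User(7, Role.SELLER), listing, 17.50))    # True: owner may edit
    print(try_edit(User(2, Role.ADMIN), listing, 15.00))     # True: admin may edit any listing
```

In a web framework the decorator would read the current user from the session rather than take it as an argument, but the shape of the two checks is the same: deny by default, grant by role, then confirm ownership of the specific record.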
2.4 Data Protection and Secure Design Decisions
Instructions:
Based on the threats you identified, discuss the specific design decisions you made to protect the system and its data.
• Password Management: Explain how you will store user passwords securely. You must discuss hashing and salting, and justify your choice of hashing algorithm (e.g., bcrypt, Argon2).
• Session Management: How will you keep track of a logged-in user securely? Discuss things like secure cookie attributes (HttpOnly, Secure, SameSite), session timeouts, and invalidating sessions on logout.
• Data Handling: How will you protect against injection attacks and XSS? Discuss input validation (checking data on the server-side) and output encoding (making sure data is displayed safely in the browser).
2.5 Security Audit & Analysis
Instructions:
After building your prototype, you need to test its security. In this section, describe the static and dynamic analysis tools you used (e.g., Bandit for Python code, OWASP ZAP Proxy for dynamic testing).
Present the issues you found in a clear format, perhaps a table. For each issue, you must discuss its severity (how bad is it?), its potential impact (what could an attacker do with it?), and the mitigation (how did you, or would you, fix it?).
3. Part 2: Design and Implementation
3.1 Component Design & Information Flow
Instructions:
Provide a more detailed look at the design of specific components. This section must include diagrams to show how information flows through the system for key processes.
For example, you could include:
• A sequence diagram showing the steps for user login.
• A data flow diagram showing how a product review is submitted, stored in the database, and then displayed on the site.
3.2 Secure Implementation Details
Instructions:
This is where you show how you put the security theories from Part 1 into practice. Provide the specifics of how you addressed the key security issues.
For each point, include code examples from your prototype and a justification for your approach, supported by references to security best practices or academic literature.
Good examples to cover include:
• Your implementation of password hashing.
• The code that handles user sessions and authorisation checks.
• Code showing your use of parameterised queries (prepared statements) to prevent SQL injection.
• How you sanitise user input from reviews before storing or displaying it to prevent XSS.
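As an added example covering the four points above and the design decisions in 2.4 (password management, session management, data handling), here is a small Python module written for this template; it is not code from any student prototype. It assumes a Flask-style stack without depending on one: the standard library's scrypt stands in for bcrypt/Argon2 so the example runs without extra packages (the structure, a random per-user salt, a slow memory-hard hash and a constant-time compare, is the same), the cookie name `session` and the 30-minute lifetime are arbitrary choices, and the product rows are constructed sample data.

```python
import hashlib
import hmac
import html
import secrets
import sqlite3
from http.cookies import SimpleCookie

# ---- Password management: salted, slow hash -----------------------------------
# scrypt (standard library) stands in for bcrypt/Argon2 here; parameters are stored
# alongside the hash so they can be raised later without breaking old records.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        alg, n, r, p, salt_hex, digest_hex = stored.split("$")
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record, never a match
    if alg != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


# ---- Session management: opaque id, hardened cookie attributes -----------------
def new_session_id():
    """256 random bits from the OS CSPRNG; carries no user data, so nothing to decode."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id, max_age=1800):
    """Build the Set-Cookie value with HttpOnly, Secure, SameSite and an idle timeout."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True    # not readable by page scripts (limits XSS impact)
    cookie["session"]["secure"] = True      # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"   # withheld on cross-site POSTs (CSRF)
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = max_age  # 30 minutes; also delete the server-side record on logout
    return cookie.output(header="").strip()


# ---- Data handling: parameterised queries and output encoding ------------------
def demo_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("Kettle",), ("Toaster",)])
    return conn


def find_products(conn, term):
    """The search term is bound as a parameter; it is never spliced into the SQL text,
    so quote characters in it are matched literally rather than changing the query."""
    return conn.execute("SELECT id, name FROM products WHERE name LIKE ?",
                        ("%" + term + "%",)).fetchall()


def render_review(text):
    """Encode on output: the review is stored as typed and HTML-escaped when displayed,
    so markup in it is shown as text instead of being interpreted by the browser."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(session_cookie_header(new_session_id()))
    print(find_products(demo_db(), "kett"))                          # [(1, 'Kettle')]
    print(render_review("<b>Great kettle</b> <script>alert(1)</script>"))
```

Note that `render_review` escapes at display time rather than stripping tags at storage time: the stored text stays faithful to what the user typed, and every place that shows it gets the same protection. Session invalidation on logout is a server-side action (delete the session record) and is not shown here; the cookie attributes alone do not end a session.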
4. Conclusion
Instructions:
Summarise the work you have done. Briefly recap the project's goals, the key security measures you implemented, and the findings from your security audit.
You can also briefly mention any limitations of your prototype and what future work could be done to improve the system's security further.
5. References
Instructions:
Provide a list of all the books, articles, and online resources you referred to in your report. Use a consistent referencing style (e.g., Harvard, APA).
6. Appendix
Appendix A: Link to GitHub Repository
Instructions:
Provide the full link to your private Coventry University GitHub repository containing the source code for your application. Please ensure you have added the teaching staff as collaborators so they can access it.
Repository Link: [Insert your GitHub repository URL here]