CYB 240 Project Two Guidelines and Rubric
Recommendations Report

Overview

A security analyst's responsibility in the software development life cycle (SDLC) is not to write code, but to interface with programmers. Secure programming is not necessarily in the skill set of many programmers; therefore, it is your job as a security analyst to help identify areas of concern.

For this project, you are in the role of a security analyst collaborating with a larger software development team, and you are creating a recommendations report for the development team. You will describe areas of concern and how to avoid them from your perspective as the security analyst. You will also explain the value you add by participating in the SDLC.

The project builds on skills you practiced in the Project Two Stepping Stone, which will be submitted in Module Three. The project will be submitted in Module Seven.

In this assignment, you will demonstrate your mastery of the following course competency:

CYB-240-02: Describe the fundamental principles and practices of application security

Scenario

In a course announcement, your instructor will provide you with a scenario on which you will base your work. Use the scenario to address the critical elements.

Prompt

Select two known development issues/vulnerabilities relevant to the project in the scenario. You may use the issues or vulnerabilities you identified as part of the Project Two Stepping Stone submitted in Module Three.

You must address the critical elements listed below in your recommendations report. The codes shown in brackets indicate the course competency to which each critical element is aligned.

I. Development Issue/Vulnerability One
   A. Describe why the OWASP element selected is a potential area of concern for the development team. [CYB-240-02]
   B. Recommend techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability. Justify the relevance of the fundamental security design principle you select. [CYB-240-02]

II. Development Issue/Vulnerability Two
   A. Describe why the OWASP element selected is a potential area of concern for the development team. [CYB-240-02]
   B. Recommend techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability. Justify the relevance of the fundamental security design principle you select. [CYB-240-02]

III. Discuss the value of a security practitioner equipped with the fundamental security design principles in preventing security issues during the SDLC. [CYB-240-02]

Project Two Rubric

Guidelines for Submission: Your submission should be 2 to 3 pages in length and should be written in APA format. Use double spacing, 12-point Times New Roman font, and one-inch margins. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.

Each critical element below is scored at one of four levels: Exemplary (100%), Proficient (85%), Needs Improvement (55%), or Not Evident (0%). The Value column gives the element's weight in the total grade.

Development Issue/Vulnerability One: Potential Area of Concern [CYB-240-02]
   Exemplary (100%): Meets "Proficient" criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
   Proficient (85%): Describes why the OWASP element selected is a potential area of concern for the development team
   Needs Improvement (55%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
   Not Evident (0%): Does not address critical element, or response is irrelevant
   Value: 18

Development Issue/Vulnerability One: Techniques or Methods [CYB-240-02]
   Exemplary (100%): Meets "Proficient" criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
   Proficient (85%): Recommends techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability, including a justification of the relevance of the fundamental security design principle selected
   Needs Improvement (55%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
   Not Evident (0%): Does not address critical element, or response is irrelevant
   Value: 18

Development Issue/Vulnerability Two: Potential Area of Concern [CYB-240-02]
   Exemplary (100%): Meets "Proficient" criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
   Proficient (85%): Describes why the OWASP element selected is a potential area of concern for the development team
   Needs Improvement (55%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
   Not Evident (0%): Does not address critical element, or response is irrelevant
   Value: 18

Development Issue/Vulnerability Two: Techniques or Methods [CYB-240-02]
   Exemplary (100%): Meets "Proficient" criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
   Proficient (85%): Recommends techniques or methods to apply a specific fundamental security design principle to avoid the development issue/vulnerability, including a justification of the relevance of the fundamental security design principle selected
   Needs Improvement (55%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
   Not Evident (0%): Does not address critical element, or response is irrelevant
   Value: 18

Preventing Security Issues [CYB-240-02]
   Exemplary (100%): Meets "Proficient" criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
   Proficient (85%): Discusses the value of a security practitioner equipped with the fundamental security design principles in preventing security issues during the SDLC
   Needs Improvement (55%): Addresses "Proficient" criteria, but there are gaps in clarity, logic, or detail
   Not Evident (0%): Does not address critical element, or response is irrelevant
   Value: 18

Articulation of Response
   Exemplary (100%): Submission is free of errors related to grammar, spelling, and organization and is presented in a professional and easy-to-read format
   Proficient (85%): Submission has no major errors related to grammar, spelling, or organization
   Needs Improvement (55%): Submission has some errors related to grammar, spelling, or organization that negatively impact readability and articulation of main ideas
   Not Evident (0%): Submission has critical errors related to grammar, spelling, or organization that prevent understanding of ideas
   Value: 10

Total: 100%

CYB 240 Project Two Scenario One

You are a newly hired analyst for a health insurance company with a central office and several satellite offices. The central office administers all back-end servers and pushes out all communications to satellite offices via a web interface. The organization has requested that a security analyst be part of a new web application development from the start of the project to advise on possible security risks. The application is used as an interface with the patient information system, and it is used by internal employees only.

A member of the IT team has reviewed the design documents for the new development project and has provided the following list of system specifications:

● Three-tiered system:
   ○ MySQL Database. Current system specifications:
      ■ Proper authentication to access data in table
      ■ Communication with transaction server done through PHP
   ○ Microsoft Transaction Server. Current system specifications:
      ■ Transaction server has administrative access to MySQL database
      ■ Communication to the database is done over company network
      ■ Communication to the web server front end is done over the internet
      ■ Components sent to web server front end are in XML format with weak metadata
      ■ Transactions sent to web server are unencrypted and 1-1 (not batched)
   ○ Web Server Front End. Current system specifications:
      ■ Data displayed on webpages is in clear text using HTTP protocols
      ■ Log-on access to web server is via client-side scripting
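The specification "Transaction server has administrative access to MySQL database" is the kind of item a recommendations report would pair with the fundamental security design principle of least privilege. The MySQL statements below are an added illustration of what applying that principle to the transaction server's database account could look like; they are not part of the CYB 240 course materials or of the scenario, and every name in them (the `patient_info` schema, the `patients` and `claims` tables, the `txn_server` account, the 10.0.0.0/255.0.0.0 company-network range and the password placeholder) is a constructed assumption, not something the scenario specifies.

```sql
-- Added illustration of least privilege for the transaction server's
-- MySQL account (not from the course materials). All identifiers are
-- constructed placeholders: schema `patient_info`, tables `patients` and
-- `claims`, account 'txn_server', company network 10.0.0.0/255.0.0.0.

-- Current specification: the transaction server has administrative access.
-- The equivalent grant, shown only for contrast with the hardened version:
--   GRANT ALL PRIVILEGES ON *.* TO 'txn_server'@'%' WITH GRANT OPTION;
-- Any flaw in the transaction server or the PHP layer then inherits full
-- control of every schema on the database server.

-- Least-privilege alternative: a dedicated account that can only connect
-- from the company network (the scenario says the DB hop stays internal)
-- and only over TLS, so the database-side link is no longer cleartext.
CREATE USER 'txn_server'@'10.0.0.0/255.0.0.0'
  IDENTIFIED BY '<placeholder-strong-password>'
  REQUIRE SSL;

-- Grant exactly the data operations the application performs on the tables
-- it touches. Nothing here allows DROP, ALTER, FILE, SUPER, GRANT OPTION,
-- or access to any other schema.
GRANT SELECT, INSERT, UPDATE ON patient_info.patients
  TO 'txn_server'@'10.0.0.0/255.0.0.0';
GRANT SELECT, INSERT ON patient_info.claims
  TO 'txn_server'@'10.0.0.0/255.0.0.0';

-- Limit how many connections the account can hold so a misbehaving front
-- end cannot exhaust the database.
ALTER USER 'txn_server'@'10.0.0.0/255.0.0.0'
  WITH MAX_USER_CONNECTIONS 50;

-- Verification step for the report: the output should list only the two
-- table-level grants above and the USAGE line, with no global privileges.
SHOW GRANTS FOR 'txn_server'@'10.0.0.0/255.0.0.0';
```

The `SHOW GRANTS` check is the part worth writing into the report: it turns "the account has administrative access" from an assertion in a design document into something the development team can verify after the change, which is how a security analyst demonstrates the value of the principle rather than just naming it.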