CS 4401 (A12): Software Security Engineering
Assignment: Designing and Conducting a Security Review

Due: Thursday, October 11 by 2pm (when class starts) under Turnin assignment review.


This course has tried to teach you how to look at software systems from a security perspective. Ideally, you should be able to identify potential security issues in systems that you are helping to develop. This final assignment asks you to synthesize what you have learned throughout the course: specifically, you must describe how you would conduct a security review of a software system, at each of the design and implementation phases. In addition, you may apply your review criteria to an actual system design.

For this exercise, we will use the human-resources salary data system from 101companies.org. The system link summarizes the relevant features. For this assignment, we care about the "Behavioral" and "UI" features (first and last segment). Ignore the meta-level, quality, and structure feature lists.

If you choose to do this assignment, you should complete at least the security review plan portion. Applying your review plan to one of the actual 101companies contributions is optional.


A Security Review Plan

NOTE: This part of the assignment earns points towards the following outcomes (the same ones as the threat-model assignment):

Write a security review plan detailing what you will look for when reviewing both the design and the implementation of a salary-system implementation. A security review plan details the aspects of security that are relevant to the application, the application's requirements around each aspect, and the detailed checks that should be carried out against both the design and the implementation for each aspect.

What Aspects Should I Cover?

Figuring out which aspects matter for the salary data system is part of your task here. You could approach this by considering the various topics covered in the course this term (listed on the syllabus page) and the issues raised in the threat modeling lecture. Synthesize those issues into the list of high-level aspects; some issues will show up only as checks under other aspects (that's fine).

How Detailed Should My Checks Be?

Your checks indicate whether you understand the components of each security aspect, and where problems might arise. You should provide enough checks to convey that you understand each aspect beyond its definition. Basically, you should hit the major ways in which a typical system design or implementation mitigates against problems with your chosen aspect.

Individual checks should be precise enough that someone else could take your review document and conduct the review by asking your questions. To that end, a check that says "make sure the data is secure" is fairly useless. Be precise -- what about the data (how it is handled, stored, etc.) should a third party be looking for?

What Format Should I Use?

Your review plan should be in outline form, with one section per major security aspect you want to consider. Within each section, provide a couple of sentences about the application's requirements around that aspect, and a list of the concrete things you would check for in each of the design and implementation. For example, if you were reviewing a distributed system application and performance was an important aspect of the system, your review would include a section like:

        A. Performance

        Requirements: System should provide requested content within 10ms,
        regardless of where the user is physically located.

        A.1 Design-Level Checks
          * Data replicated on geographically-distributed servers
          * Servers can communicate at a rate of at least 1Gbps.

        A.2 Implementation-Level Checks
          * Used O(n log n) sorting algorithms

What to Turn In

Submit a single typeset document (Word or PDF) with your analysis.


Executing your Plan Against Real Code

NOTE: This part of the assignment earns points towards the following outcomes (the same ones as the patch assignments):

For this part of the assignment, pick one of the 101companies implementations that covers all (or most) of the relevant features (behavioral and some sort of interface, either visual or command-line). Evaluate your chosen implementation against your review plan.

Specifically, for each item in your plan, indicate whether your chosen implementation satisfies the criterion, and describe how it does or does not.

Both kinds of descriptions should be technically precise. Again, using performance evaluation as an analogy, a good evaluation would say "The system used bubble sort, which scales poorly to the amount of data in the system; an n-log(n) algorithm such as heapsort would have been a better choice". You are welcome to mention specific libraries for the language of your chosen implementation, if applicable.

Which of the 101Companies should I Choose?

Choose one that has enough content for you to conduct a meaningful evaluation, and that uses a language you are comfortable reading. You earn points for reflecting on issues; an implementation that covers more of the features of the system simply gives you more to work with. Some of the implementations are fairly limited, whereas others do cover most of the functionality.

I have not had a chance to filter through the implementations. I heartily encourage you to use the discussion board or a wiki page on myWPI to share positive/negative comments on the feature-richness of various implementations. For example, those planning to do this part of the assignment may want to organize themselves to check out a few implementations each and report back on the results to others.

Formatting

Submit your evaluation on a copy of your review plan from the first part. You can simply add sentences or comments interleaved with your review criteria. Keeping the same format as your original document will greatly aid us in grading. We would like the evaluation in a separate document from the review plan, however, so we can easily separate out your plan from your evaluation during grading.

Grading

Your score on this assignment will add points to the outcomes listed above; this assignment does not change the target points on those outcomes. As a result, a few thoughtful reflections that show you really know how to think about security and code will earn more points than lots of shallow and vague comments. You may choose to focus your evaluation only on some parts of your chosen implementation. Issues that were not in the two turnout projects will be worth more than issues covered in previous projects.

What to Turn In

Submit a copy of your review plan with your evaluation included. (So if you submit this part, you will turn in a total of two files for this assignment.)