Project Overview

This project is designed to help Agora Tutoring improve its cybersecurity posture by addressing key vulnerabilities identified in a recent security assessment. Students will work to evaluate, recommend, and implement specific repairs in alignment with the OWASP Top 10 vulnerabilities, enhancing Agora's ability to protect sensitive data and prevent unauthorized access.

Project Goal

The main objective of this project is to guide students through real-world cybersecurity repair processes, focusing on areas like access control, cryptography, injection prevention, and logging. By the end of this project, students will have contributed to a safer and more robust platform for Agora Tutoring.

Project Tasks and Activities

1. Broken Access Control

• Issues: Insufficient role-based access controls allow unauthorized access to sensitive data.
• Repairs: Implement stricter role-based access controls (RBAC), enforce mandatory access verification, and audit access logs for unauthorized attempts.

2. Cryptographic Failures

• Issues: Weak encryption practices, such as insecure algorithms or poor key management, could lead to data breaches.
• Repairs: Upgrade to secure encryption standards, ensure encryption for data in transit and at rest, and implement strong key management practices.

3. Injection Attacks

• Issues: Susceptibility to SQL, NoSQL, and other injection attacks through unsecured data inputs.
• Repairs: Use parameterized queries, sanitize inputs, and conduct regular code reviews to prevent injection vulnerabilities.

4. Security Misconfiguration

• Issues: Misconfigured servers, default passwords, and exposed configurations increase risk.
• Repairs: Securely configure all servers, update default settings, restrict unnecessary features, and automate security patching.

5. Vulnerable and Outdated Components

• Issues: Use of outdated or unsupported third-party libraries and dependencies.
• Repairs: Regularly update libraries, use dependency-checking tools, and establish an upgrade policy for critical dependencies.

6. Identification and Authentication Failures

• Issues: Weak authentication mechanisms, including lack of multi-factor authentication (MFA).
• Repairs: Implement MFA, enforce password complexity requirements, enable session timeouts, and set account lockouts after failed login attempts.

7. Software and Data Integrity Failures

• Issues: No integrity checks for software updates, increasing risk of tampered code.
• Repairs: Use hashing for data integrity, verify software updates, and apply secure CI/CD processes.

8. Security Logging and Monitoring Failures

• Issues: Insufficient logging of security events, leading to delayed incident detection.
• Repairs: Enhance logging for custom events, automate alerting, and establish regular log reviews to detect suspicious activities.

9. Insecure Design

• Issues: Lack of secure design practices, such as threat modeling, leading to overlooked security weaknesses.
• Repairs: Adopt a secure SDLC with built-in threat modeling and regular security assessments in the design phase.

10. Cross-Domain JavaScript Source File Inclusion

• Issues: Inclusion of third-party JavaScript files from external sources, which may introduce malicious code.
• Repairs: Apply Subresource Integrity (SRI) checks, download critical scripts to local servers, and minimize third-party dependencies.

11. Console Logging of Sensitive Information

• Issues: Console logs reveal sensitive information that can aid attackers.
• Repairs: Remove sensitive information from logs, avoid console.log() in production, and enforce logging policies to protect data.

12. Insufficient Logging for Custom Events

• Issues: Missing detailed logs for custom events like changes in user roles, authentication settings, and critical system activities.
• Repairs: Expand logging for key events and monitor authentication and authorization activities to track unusual patterns.

13. Server-Side Request Forgery (SSRF)

• Issues: SSRF vulnerabilities could allow attackers to manipulate server requests to gain unauthorized internal access.
• Repairs: Validate and restrict URLs or server requests, employ network segmentation, and use firewalls to prevent unauthorized internal access.

14. Backup and Data Recovery

• Issues: Insufficient backup strategy for critical databases (e.g., MongoDB), risking data loss.
• Repairs: Implement regular, automated backups with verification checks, store backups securely, and routinely test recovery processes.