SSAS - System report

System characterization

We will give an explanation of how the system is built up, and why we decided to design it the way we did.

System overview

The system is used to share pictures between various users. This is done in a feed like way, i.e people can see what others are sharing (assuming they are friends), and can comment on their pictures.

System functionality

Components and subsystems

List all system components, subdivided, for example, into categories such as platforms, applications, data records, etc. For each component, state its relevant properties.

Backdoors

Describe the implemented backdoors. Do not add this section to the version of your report that is handed over to the team that reviews your system!

Additional material

Risk analysis and security measures

Information assets

Describe the relevant assets and their required security properties. For example, data objects, access restrictions, configurations, etc.

Threat sources

Name and describe potential threat sources. The server is exposed to following threats... in order to avoid them we did..

The picture sharing web application is exposed to many dangerous threats, which can have a critical impact on both server and application itself. One of them is the SQL injection. A code injection technique, which is used to attack data-driven applications. It allows an attacker to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.({SQL} Injection) In order to make it unfeasible for an adversary to perform such attack we have hardened the code by using the Prepared Statement technique. It is a database management system feature, which consists of following phases: <picture> An example of applied Prepared statement in the “registration.jsp” file. In this case it was used to harden the “SELECT” query. <picture>

Another possible threat is the XSS (Cross-site scripting). This method enables attackers to inject client-side scripts into web pages viewed by other users. Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site.

Risks and countermeasures

Impact
Impact Description
High
Medium
Low
Likelihood
Likelihood Description
High
Medium
Low
Risk level
Likelihood Low Medium High
High Low Medium High
Medium Low Medium Medium
Low Low Low Low

Detailed description of selected countermeasures

Risk acceptance