Assignment Information
Module Name: Security
Module Code: 6005CEM
Assignment Title: Coursework 1
Assignment Due: 18:00 UK Time
Assignment Credit: 10
Word Count (or equivalent): 1500 Words
Assignment Type: Percentage Grade (Applied Core Assessment). You will be provided with an overall grade between 0% and 100%. You have one opportunity to pass the assignment at or above 40%.
Assignment Task
For this assignment you are expected to produce a report giving details of a security audit of a web application. The audit will be a crystal box test: you will be supplied with the source code and the means to run the site.
The application will have several vulnerabilities drawn from the topics covered during the module. These may not be limited to technical flaws such as SQLi; legal and ethical factors may also be involved.
IMPORTANT NOTE: You will not be penalised if you do not find all of the issues. Auditing can be difficult, and it seems wrong to penalise you for missing a subtle bug. Marks are given for the justification of audit methods, finding common problems, and the discussion of issues found.
The report should contain the following sections.
Part 1: Audit methods
This section of the report should introduce the audit methods chosen and provide justification for their choice. Why is each method appropriate for the task? What are the strengths and weaknesses of each of the methods chosen?
You are free to use any audit method you feel is appropriate. This can include (but is not limited to):
- Manual Code Review
- Automated source code scanning
- Automated application scanning
Part 2: Audit Results
This section of the report should present the results of the security audit. You are expected to give an overview of the issues found in the code, along with an analysis of the severity of each and suggestions for mitigation.
A suggested format for each issue is:
- Brief description of the problem, and the method used to identify it.
- Analysis of the issue, including discussion of its possible impact and severity.
- Suggestions for mitigation. How could the developers address the problem?
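As an added illustration of how Part 1 and Part 2 fit together (this is example code written for this brief, not code from the coursework application), the block below shows one "automated source code scanning" method next to one "audit result" in the suggested format: a login query built by string interpolation (the flaw), its parameterised fix (the mitigation), and a small pattern-based scanner that flags the risky `execute()` calls. The `users` table, the `alice` account and `SAMPLE_SOURCE` are all constructed for the demonstration.

```python
"""Constructed example: a SQLi finding beside its fix, plus a minimal
static scan. Nothing here comes from the coursework application."""
import re
import sqlite3


# --- Part 2 style finding: SQL assembled from user input ---------------------

def setup_db():
    """Constructed in-memory database with a single user (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """'Before' version: input is interpolated into the SQL text, so the
    input can change the structure of the query (the issue to report)."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Mitigation: bound parameters keep the input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# --- Part 1 style method: a tiny automated source-code scan -------------------

# Flags execute() calls whose SQL is an f-string, a quoted literal followed by
# '+' or '%', or a .format() call. Candidates for manual review, not proof.
SQL_CONCAT = re.compile(
    r"""execute\(\s*(f["']|["'][^"']*["']\s*(\+|%)|.*\.format\()"""
)

# Constructed source snippet standing in for the application under audit.
SAMPLE_SOURCE = """\
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
cur.execute("SELECT * FROM orders WHERE id = " + order_id)
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
cur.execute("DELETE FROM sessions WHERE token = '{}'".format(token))
"""


def scan_source(source: str):
    """Return (line_number, line) pairs that match the risky pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_CONCAT.search(line):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {line}")
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable login with crafted password:",
          login_vulnerable(db, "alice", payload))   # True: bypass
    print("fixed login with the same input:",
          login_fixed(db, "alice", payload))        # False: treated as data
```

The scanner is deliberately simple, which is exactly the kind of weakness Part 1 asks you to discuss: it only inspects single lines, so a query assembled into a variable first (as `login_vulnerable` above does) is missed, and a quoted literal followed by `+` is flagged even when the concatenated value is a constant. Pairing such a scan with manual code review, and confirming each candidate against the running site, is how the methods complement each other.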
The report should be suitable for a technical audience. You are expected to include an introduction and conclusions, and to make use of the literature to support your arguments. References should be in APA format.
Submission Instructions:
Submit the coursework by the due date using the link on Aula.
Your assignment should be submitted as a single document (i.e. Word, PDF or Markdown).
If you make use of additional materials (such as Github, or supporting videos) you should include a clear link to the supporting material in your report.
Important: In the case of GitHub repositories, they should be set to private, with the relevant teaching staff added as collaborators. Having a publicly available repository could lead to an academic misconduct case being raised against you, as people have been known to steal work from other students' repos.
Marking and Feedback
How will my assignment be marked?
Your assignment will be marked by the module team.
How will I receive my grades and feedback?
Provisional marks will be released once internally moderated.
Feedback will be provided by the module team alongside the release of grades.
You can access your feedback on Turnitin.
What will I be marked against?
Details of the marking criteria for this task can be found at the bottom of this assignment brief.
Assessed Module Learning Outcomes
The Learning Outcomes for this module align to the marking criteria which can be found at the end of this brief. Ensure you understand the marking criteria to ensure successful achievement of the assessment task. The following module learning outcomes are assessed in this task:
1) Critically evaluate a range of encryption and authentication methods for a given set of requirements.
4) Critically evaluate the security of an IT ecosystem.
Assignment Support and Academic Integrity
If you have any questions about this assignment please see the Student Guidance on Coursework for more information.
Spelling, Punctuation, and Grammar:
You are expected to use effective, accurate, and appropriate language within this assessment task.
Academic Integrity:
The work you submit must be your own, or in the case of groupwork, that of your group. All sources of information need to be acknowledged and attributed; therefore, you must provide references for all sources of information and acknowledge any tools used in the production of your work, including Artificial Intelligence (AI). We use detection software and make routine checks for evidence of academic misconduct.
Definitions of academic misconduct, including plagiarism, self-plagiarism, and collusion, can be found on the Student Portal. All cases of suspected academic misconduct are referred for investigation, the outcomes of which can have profound consequences for your studies. For more information on academic integrity please visit the Academic and Research Integrity section of the Student Portal.
Support for Students with Disabilities or Additional Needs:
If you have a disability, long-term health condition, specific learning difference, mental health diagnosis or symptoms, and have discussed your support needs with Health and Wellbeing, you may be able to access support that will help with your studies.
If you feel you may benefit from additional support but have not disclosed a disability to the University, or have disclosed but are yet to discuss your support needs, it is important to let us know so we can provide the right support for your circumstances. Visit the Student Portal to find out more.
Unable to Submit on Time?
The University wants you to do your best. However, we know that sometimes events happen which mean that you cannot submit your assessment by the deadline or sit a scheduled exam. If you think this might be the case, guidance on understanding what counts as an extenuating circumstance, and how to apply is available on the Student Portal.
Administration of Assessment
Module Leader Name: Dr. David Croft
Module Leader Email: ac0745@coventry.ac.uk
Assignment Category: Written
Attempt Type: Standard
Component Code: Cw1
Assessment Marking Criteria

| Grade band | Audit Methods (aligns to MLO4; weighting 40%) | Audit Results (aligns to MLO1 and MLO4; weighting 50%) | Report Structure (does not align to an MLO, but it is important; weighting 10%) |
| --- | --- | --- | --- |
| 80 to 100% | As 70+ with exceptional analysis and justification of the audit methods chosen. | As 70+ with exceptional analysis and discussion of the issues found. | As 70+ with exceptional presentation and analysis, and good use of references to support arguments. |
| 70 to 79% | Multiple audit methods chosen, covering both static and dynamic analysis. Clear justification for the methods chosen, taking into account the type of audit, the code base used, etc. Choice of methods is supported by the literature. Good analysis of the strengths and weaknesses of the methods chosen, with discussion and analysis of how different methods can complement each other and help provide a more comprehensive test. Clear subsection summarising the decisions made. | Multiple issues found and discussed using appropriate audit methods. Clear description of each issue, presenting and analysing the code / design flaws that lead to it. Clear discussion of the risk associated with the issue. Discussion of the wider security context, supported by the literature. Appropriate risk rating system used. Appropriate suggestions for mitigation given, including suggested fixes for problems. Clear summary section highlighting all issues found and the associated risks. | Clear report structure; headings match the marking criteria. Introduction / conclusions provide context to the report, giving relevant background to the topic and a clear summary of results. Good use of references to support the arguments made. |
| 60 to 69% | Multiple audit methods chosen, covering both static and dynamic analysis. There is some justification for the methods chosen, but it may not take into account the literature / specifics of the audit to be performed. Good analysis of the strengths and weaknesses of the different methods presented. Clear subsection summarising the decisions made. | Multiple issues found and discussed using appropriate audit methods. Clear description of each issue, presenting the code / design flaws that lead to it. Clear discussion of the risk associated with the issue. Appropriate risk rating system used. Appropriate suggestions for mitigation given; suggestions are given in the context of the system. Clear summary section highlighting all issues found and the associated risks. | Clear report structure and presentation. Appropriate introduction and conclusions summarising the report's contents; wider context of the report discussed. Good analysis of the report's contents, with use of references to support arguments. |
| 50 to 59% | One or more audit methods presented. There is a brief description of the method, and some limited justification for the choice / discussion of strengths and weaknesses. Limited summary section. | Multiple issues found, although the audit methods used may be limited, or obvious issues missed. Good discussion of each issue; an overview of the problem is given. Risk associated with each issue is discussed, although this is general, with limited context for the site under consideration. Appropriate suggestions for mitigation given, although these are general and have limited context for the site under consideration. Limited / no summary section. | Clear report structure and presentation. Appropriate introduction and conclusions summarising the report's contents. Limited use of references to support arguments. |
| 40 to 49% | One or more audit methods presented. Limited discussion and justification of the audit methods. Limited or no discussion of the strengths and weaknesses of the methods chosen. Reason for choosing the methods is not clear. | Limited number of issues found; issues are limited to only technical problems with the code. AND / OR Limited or no discussion of the risk associated with the problem; appropriate risk rating system not used. AND / OR Suggestions for mitigation are generic and have no context for the site being evaluated. | More than one of: poor report structure and presentation; introduction / conclusions limited to re-iterating the coursework brief with no context added; limited use of references to support the arguments made. |
| Fail (30, 35%) | Limited attempt at this section. One audit method presented, with no justification for the choice. | Limited attempt at this section. Limited number of issues found, with no discussion of context for the issue, risk analysis or suggestions for mitigation. | Poor report structure and presentation. Introduction and conclusions limited to re-iterating the coursework brief. Limited use of references to support arguments. |
| Fail (0 to 29%) | Limited or no attempt at this section. | Limited or no attempt at this section. | Poor report structure and presentation; literature not used to support the arguments made. |