@@ -6,6 +6,7 @@ Answer: Having all your code mixed into one file without any structure could in
What could you have done if you had more time?
There were several things I really wanted to implement with the project, sadly it was quite time consuming considering also I had no experience with HTML/CSS/JS and just a slight understanding of flask from earlier. I believe I should have had correct/better fitting data types for each attribute, considering we are dealing with delicate data, having the correct data types is important for the security of our app/database. Having a password security check such as min. length, banning certain characters, and maybe requiring 1 capitalized letter and a symbol per password. Finish implementing the message app, so that everything is functional as desired. Better handling of cookies/tokens, making it possible to change users?
Refactor the code better and order how all the libraries/modules are imported since it is not pleasing to look at all now.
2B- Documentation
• a brief overview of your design considerations from Part A
...
...
@@ -69,7 +70,6 @@ There are several things that could have been done and were done. Adding a sense
The original application had very few limitations, any user could practically do whatever they wanted, by for instance being able to see all messages without any restrictions, the SQL queries behind every message request was visible to every user as well, this is obviously faulty or rather incomplete security measures.
In my application I strived to remove anything that could be a liability away from the front-end of the app, meaning removing the SQL queries behind the application for instance. You are required to sign-up and login afterwards in order to enjoy the application. Adding private messages and those messages being exclusively available to the users they were intended for was a nice implementation as well. I wished to implement Access Control Lists (ACL’s) with different roles in order to have privilege structure, which in my opinion should be a must in every kind of application.
• How can you know that you security is good enough? (traceability)
Hard to define something as secured enough, cyber security is a never-ending field of new technologies being developed and different ways of people thinking and coming up with new attacks and hopefully ways to get around those attacks. I would define it in terms of minimizing the attack window, covering at least the most common vulnerabilities to prevent SQLI, XSS, etc. Furthermore, since any application can have security breaches, traceability is a vital feature. Traceability is very key, because if a security breach were to happen, we could trace back the source of the attack and hopefully unravel whatever damage the attacker did. Prevention is still the best way to go about cyber security instead of a reactionary kind of approach.
