The Ministry of Education, Culture and Research of the Republic of Moldova
Technical University of Moldova
Software Engineering and Automatics Department
REPORT
Topic:
Secure Application Development
“Electronic Register – eRegIsTry”
Prepared by:
Boaghi Vasile
FAF-172
Cîrnaț Nadejda
Dodon Ion
Munteanu Maria
Verebceanu Mirela
Company internship:
“M – Testing” SRL
Company mentor:
Tsyganovskiy Maxim
Supervised by:
Nastasenco Veaceslav
Chișinău, 2020
INTRODUCTION
1.1 Problem Definition
1.2 Actuality
1.3 Solution
1.4 Objective
1.5 Purpose
TIME LINE FOLLOWED
2.1 Estimations of the project
DOMAIN ANALYSIS
3.1. Analysis of other similar applications
3.2. Advantages and disadvantages of our app
3.3 SWOT Analysis.
SYSTEM ANALYSIS
4.1. Specifications of the application
4.2. System analysis with UML diagram
4.3 Software System Attributes
SYSTEM DESIGN
5.1. The general architecture of the system
5.2. Component and detailed designed
5.2. Graphical User Interface for web app
VULNERABILITIES
6.1 Security foundations
6.2 Web application security fundamentals
6.2.1 Network Security
6.2.2 Securing the web server
6.2.3 Application security principles
TESTING
CONCLUSIONS
BIBLIOGRAPHY
I. INTRODUCTION
If you wonder “What makes secure software different?”, you would realize that security is an innate property of the software, which was expected to be built in. Unfortunately, most applications lack security today. At the same time, security in terms of infrastructure technology has become a principal concern for organizations and the public in general. Application security has positive and negative aspects in society. The need to increase security and bring better standards is the product of society itself. Each company wants to have a secure app, and universities are no exception, because having all data protected in an online system is more effective than storing it on paper.
Recently, many enterprises in the education system have transformed paper-based documents into electronic form to use and share information efficiently. This brings benefits such as far better control and management of documents and efficiency in maintaining, accessing and distributing documents, because all information is stored in one place [1].
1.1 Problem Definition
The existing system is a manual entry for the students. Here the attendance, marks and lesson topics are recorded in handwritten registers. Maintaining these records is a tedious job for the user and requires more human effort. Retrieving information is not easy, because the records are kept in handwritten registers.
It is a problem that entering all the necessary data manually in a manual registry requires a lot of time. For example, at every lesson the teacher has to write the topic, the homework, sometimes the list of students, and has to calculate their average marks. But what if a teacher has to teach the same subject to ten groups?
It is especially a problem for students and teachers in an educational institution, because teachers have to manage a handwritten registry and students do not know their marks or homework in case they were absent. It is also a problem for administrations, because they may store students' personal data in paper form.
It should be used by any educational institution where a handwritten registry is required.
The problem is caused by the risk of entering wrong data in the registry and by the fact that this process takes a lot of time, especially when data for many people must be entered in a short time period. Also, security and privacy are not developed to a high level.
We understand the problem on the basis of theories:
● People waste a lot of time by entering all information first in a handwritten registry and afterwards in a database.
● The person who enters the data in the database can easily make mistakes while doing it.
● There are systems that aren’t secure, where personal data can be lost. Privacy is a weak point.
● Possibility of losing all data from a handwritten registry.
So, it is a problem for teachers and administration in schools, colleges and universities to spend a lot of time entering all data in the hand register. They do not think about an electronic register because it may not be as secure as the data in a manual registry.
The problem gets deeper when considering what to secure and how to do it. The reason for security is to keep our assets protected; such security can be implemented at different levels, and one of these levels is the application, which is the least protected and most exposed. Web application security relies on network security, the operating system security configuration and the web server, as the whole platform does. But will a firewall be enough to keep our assets secured? We use methodologies, principles and standards to provide effective security solutions.
Now you may wonder: Am I vulnerable? Am I coding accordingly? How do I build a secure web application? How can I protect my code from web application vulnerabilities? How do I find out if my application is hack-resilient? These answers can be found in this report.
1.2 Actuality
Computers have brought great transitions in the world of business today. Information technology has facilitated the efficient use of computer systems, which has resulted in increased productivity. Many organizations have therefore introduced computer systems into their operations, and the computer industry is growing very fast. Computers have brought radical changes to the employment sectors and processing methods.
Hand registers have been used in schools and universities for a long time, so making their usage more efficient is obviously a good thing. The manual system used in running a school involves manual data entry into the database. Information in the school is collected manually when a student or a teacher joins the school. Every student is supposed to fill in personal details on a registration sheet, and then the secretary files those records. The timetable is prepared manually, whereby each lesson takes 90 minutes and is allocated to one teacher.
1.3 Solution
To save time, reduce manual work and avoid redundant data, it has been proposed that a computerized system will be the most effective means of solving the problems in school. Our team offers as a solution a web application that creates an online register, with a high level of security, instead of a hand one. In this way information security in the educational organization can be better enhanced; users' requirements are given the highest priority when developing the system, and hence it will most appropriately meet their requirements.
1.4 Objective
The current system is a manually operated system where a new student is registered manually in a new student register, where the student's name and other details are recorded. After the student is assigned his/her class, another record is written down. All this work has become a waste of time and also a high cost of operation. So without an online registry system, managing and maintaining the details of the study process is a tedious job for any educational organization. The online registry system will store all the details of the students, teachers and administration, including their educational qualifications, personal details and all the information related to their resume. The person who will be in charge of the system will be able to log into the system, register new students and track student information.
The most important requirement of the electronic register is that a school needs it to manage all processes carefully, with greater accuracy, and to be sure that all the data are stored in a “safe space”. An important thing is to secure this “safe space” called the electronic registry.
Through this online system we overcome many problems:
● Time, money and paper are saved.
● Nothing is done manually.
● Protected data.
1.5 Purpose
The purpose of this electronic system document is to allow the registration of students in particular courses. It is intended to be a complete specification of what functionality the registry provides. It will also facilitate keeping all the records of students, staff, administration, etc. So all the information about a registry will be available in a few seconds, and no one outside will have access to this data (only authorized people from the organization).
Overall, it will make the job easier for the administrator and the student of any organization. The main purpose of this document is to illustrate the requirements of the project, and it is intended to help any organization to maintain and manage its students’ personal data.
eRegIsTry basically has three main modules for proper functioning. The Admin module has rights for creating any new entry of faculty, teacher and student details. The Teacher has rights for recording daily attendance, putting marks and setting homework for students.
To achieve our goal and scope, we proposed the following steps in order to solve the problem we face. Therefore, we will:
● Explore:
→ Other similar applications with online registry;
→ Different programming languages.
● Analyze:
→ The strong points and weakness of the application.
→ The tools that will be used: for management, development, testing.
→ Similar application.
→ Types of vulnerabilities.
→ Analyzing existing libraries that could help to create our app.
● Discuss:
→ Which functionalities we must include in the application according to the analysis of the similar applications.
→ Which management system we will use for the database: Microsoft SQL or MySQL.
→ Which fields we will have from manual registry.
→ How we will make a secure application.
→ Which programming languages are more friendly for us to develop the app.
● Create:
→ The UML diagram of our application
→ The nonfunctional mock-ups of the app.
→ A database for our app
→ The functional mock-ups.
→ Test cases.
● Explain:
→ Why will this application be useful?
→ When will this application be useful?
→ Who will use the application?
→ How often will people use this application?
● Design:
→ The mock-up of the application.
II. TIME LINE FOLLOWED
Week 1: Inception Phase – For the initial full weeks we did thorough research on the idea for the project, to come up with a proposal for developing software which was new to most people and which belonged to our domain of development expertise.
Week 2: Elicitation Phase – We came up with a problem statement: to make a secure online registry for educational institutions, and using which techniques. We also did the requirement analysis for the online registry.
Weeks 3-4: Learning Phase – The implementation of this project needed advanced knowledge of Java, the Spring MVC framework, Tomcat and Hibernate tools, so we gave two weeks for studying.
Week 5: Specification Phase – We finalized the specifications of our system, as in its database requirements, memory requirements, development environment and development platform. We settled on the MySQL database and Hibernate for the development environment.
Week 6: Negotiation Phase – In this phase the previously analyzed and specified hard and fast criteria were negotiated a little amongst ourselves, so as to keep the project in a doable range and avoid lagging behind the submission checkpoints given by the mentor.
Week 7: Elaboration Phase – Design and architecture methodology were finalized. We decided to use the Extreme Programming methodology and architecture for our system. System requirements, which were analyzed in the elicitation phase, were further elaborated using user interface diagrams, sequence diagrams and use case diagrams.
Week 8: Substructure layout – The modules to be used in the application were finalized. The parameters for the connection between modules were formulated, and the flow as designed by the use case diagrams was planned and fixed.
Week 9: User interface design – UI plays an important role in making customers buy our product, so we made sure we spent a proper amount of time and effort on UI design. At the end of this week the screen designs were finalized and we started working on the interface side by side with our main coding of the app.
Week 10: System implementation – When all the data and the implementation method were finalized, we started developing individual modules in this week. We have used 3 modules in total. We did unit testing of these modules as soon as they were coded.
Week 11: Integration Phase – Integration of all the individual modules was done in this phase. As all the requirements were clear, integration was easy, and testing of the whole system was done for different values and surfaces.
Week 12: We tried to figure out the limitations of our system and came up with methods to rectify them. These methods will be included in the documentation part, in the future scope of the project.
Weeks 13-14: Report making and presentation were undertaken.
2.1 Estimations of the project
For better project management, the estimations of the project must be done first. This helps the team to be organized and to finish the project on time. Our project estimations are presented in Table 2.1.
Table 2.1 Estimations
Organization: Technical University of Moldova, The Faculty of Computers, Informatics and Microelectronics, The Department of Automatics and Informatics, FAF-172
Name: eRegIsTry
Estimate Valid For: 3 months
Description: To create an application, a web one, that will be an electronic registry with different roles of authentication. Target group are schools, colleges, and universities.
Purpose:
1. To save time of teachers and people from the administration of this institution.
2. To save paper and trees.
3. To avoid some mistakes that are usually made in a simple registry.
4. To have a secure registry.
5. To protect data and provide a high level of security.
Estimator: Munteanu Maria
Date Required By: 13.12.2019
Requestor: Veaceslav Nastasenco; Title: mentor; E-mail: vnastasenko@alliedtesting.com
Completion Date: 03.12.2019
Requested Date: 13.12.2019
Work Estimation Details (the last column holds links to requirements, specifications, or other supporting documents)

| SDLC Phase | Duration | Activity/Task | Optimistic Effort Hrs | Most Likely Effort Hrs | Pessimistic Effort Hrs | Supporting Document Links |
|---|---|---|---|---|---|---|
| Initiation/Administration | 30.09-01.10 | Status Meetings | 1.0 | 1.0 | 0.5 | |
| | | Status Reporting | 2.0 | 2.0 | 2.0 | |
| Planning | 01.10-06.10 | Requirements/Scope Review | 4.0 | 3.5 | 3.5 | |
| | | Resource Requirements Review | 8.0 | 10.0 | 11.0 | |
| | | Assumptions and Constraints Specification | 2.0 | 3.0 | 3.5 | |
| Analysis | 08.10-17.10 | Functional Impact Analysis | 5.0 | 6.0 | 7.0 | |
| | | Process Model Review and Update | 4.0 | 5.0 | 6.0 | |
| | | Functional Requirements Specification | 7.0 | 8.0 | 10.0 | http://bit.ly/2E2hQwW |
| | | Use Case Development | 4.0 | 5.0 | 6.0 | |
| | | Test Plan Specification | 2.0 | 3.0 | 3.5 | |
| | | Architectural Requirements Specification | 2.0 | 3.0 | 2.5 | |
| | | Security Requirements Specification | 1.0 | 1.0 | 1.0 | |
| | | Application Impact Analysis | 10.0 | 11.0 | 12.0 | |
| | | Risk Analysis | 3.0 | 3.5 | 4.0 | |
| Design | 17.10-24.10 | Technical Design Development | 6.0 | 6.5 | 7.0 | http://bit.ly/3494dGV |
| | | Logical Database Design | 2.0 | 3.0 | 3.5 | |
| | | Prototype Presentation | 3.0 | 4.0 | 4.5 | |
| | | Design Acceptance | 2.0 | 2.0 | 2.0 | |
| Construction and Implementation | 25.10-04.12 | Coding | 35.0 | 37.0 | 38.0 | http://bit.ly/358DIm4 |
| | | Unit Testing | 10.0 | 12.0 | 12.4 | |
| | | Test Plan Updates | 10.0 | 12.0 | 13.0 | |
| | | Test Data Validation | 5.0 | 5.5 | 6.0 | |
| | | Software Configuration Management | 5.0 | 7.0 | 8.0 | |
| | | Release/Build Updates | 10.0 | 11.0 | 12.0 | |
| | | Technical Documentation | 6.0 | 7.0 | 8.5 | |
| | | User Documentation | 2.0 | 3.0 | 4.0 | |
| Testing | 01.12-11.12 | Test Environment Setup | 20.0 | 22.0 | 23.0 | |
| | | Test Plan Finalization | 10.0 | 11.0 | 12.0 | |
| | | QA Testing | 15.0 | 16.0 | 16.5 | |
| | | Documentation Validation | 10.0 | 11.0 | 12.0 | |
| | | Integration Testing | 2.0 | 3.0 | 4.0 | |
| | | Performance Testing | 2.0 | 3.0 | 4.0 | |
| Prepare for app presentation | 12.12-24.12 | Final Documentation Review | 10.0 | 12.0 | 13.0 | |
| | | Preparation for final presentation | 8.0 | 9.0 | 10.0 | |
| | | Demo Video | 4.0 | 4.0 | 4.0 | |
| Work Estimate Totals | | | 232.00 | 266.00 | 289.90 | |
Estimate Assumptions:
1. The Requirements/Scope Review can be modified during the project as it can be improved.
2. It’s not obligatory that the product look like the mock-ups we did at the Design phase.
3. We must review all the activities/tasks of all phases we already passed to be sure we didn’t skip anything.
4. Some activities/tasks will be divided into small subtasks so that all members will be involved in the process of app development.
Estimate Constraints:
1. We must be organized and guided by these estimations and not miss activities/tasks of any SDLC phase.
Estimate Risks:
1. We will not succeed in finishing tasks on time, which can influence the entire estimates of the project.
2. Some tasks take more time because of a low level of knowledge.
3. The commercial parametric models commonly used for developing software estimates, whose knowledge bases have been built up over time based on more classical software development of unique software code.
4. A member leaves the project.
Notes:
P.S Wish to all members good luck!
III. DOMAIN ANALYSIS
3.1. Analysis of other similar applications
Analyzing how many online registry applications are on the Play Market proves the importance of such an application. Table 3.1 shows some particular applications of this type, their strong and weak features, and their similarities with our application. To prove that this type of application is a real requirement, the number of downloads was analyzed. The range of downloads varies between 5K+ and 5M+.
Table 3.1 Analysis of similar apps

App: “Teacher's Gradebook – Additio”
Info: From planning to grading your students, Additio App centralizes all your classroom management in a simple and easy-to-use app. Additio App helps simplify your classroom management, organize lessons and collaborate with peers. It is integrated with Google Classroom and Microsoft for Education and can organize and link resources in any format, even from Google Drive and Microsoft OneDrive. (en/schools/)
Strong points:
– Powerful digital gradebook.
– Lesson planner per sessions and curricular units with customized templates.
– Customized reports.
– Works offline on mobile devices.
– Communication with students and their families.
– Export data to Excel and PDF.
– A flexible multi-device tool available on web version, tablets and smartphones.
– Calculate average.
Weaknesses:
– There is a period of time to use it for free, then you have to pay to use it.
Similarities:
– Record of attendance.
– Very easy to use and import data.
– Have different user roles.
– Can log in with email.

App: “TrackCC Class Management”
Info: Is the definitive school management tool. TrackCC is designed for all types of schools. It has three types of notifications: App, email, text. Also, it can provide statistics per student per class (including his mark and attendance). (https://www.trackcc.org/)
Strong points:
– Share notes in real time with students and guardians / advisors
– Single teacher or multi-teacher
– Statistics view shows all data in a graphical format
– Students & parents get a consolidated student report.
– App works both online & offline
Weaknesses:
– Have to pay for using this app after the free trial ends
Similarities:
– Track points & grades.
– Record student attendance.
– Forgot password.
– Different roles of users.

App: “Google Classroom”
Info: Classroom is a free service for schools, non-profits, and anyone with a personal Google account. Classroom makes it easy for learners and instructors to connect, inside and outside of schools. Google Classroom ties Google Drive, Google Docs, Sheets and Slides, and Gmail together to help educational institutions go to a paperless system. (https://classroom.google.com/u/0/h)
Strong points:
– Teachers can add students directly or share a code with their class to join. It takes just minutes to set up.
– Classroom allows teachers to send announcements and start class discussions instantly. Students can share resources with each other or provide answers to questions on the stream.
Weaknesses:
– Sometimes could crash.
Similarities:
– Adding students into the class.
– Students can see all of their assignments and all class materials.

App: “Moodle”
Info: With customizable management features, it is used to create private websites with online courses for educators and trainers to achieve learning goals. Moodle (acronym for modular object-oriented dynamic learning environment) allows for extending and tailoring learning environments using community-sourced plugins. (https://moodle.org/)
Strong points:
– Browse the content of your courses, even when offline
– Receive instant notifications of messages and other events
– Quickly find and contact other people in your courses
– Upload images, audio, videos and other files from your mobile device
– View your course grades
Weaknesses:
– It's slow and unresponsive at times.
– The UI is not user friendly.
Similarities:
– Student can see his grade, homework and school material.
– Different role of users.
– Forgot password.
The new application is simpler than the analyzed ones. The application is available in browsers, because it is a web site. It offers a lot of functionalities, but does not use a payment method. Also, a comfortable interface is created for the user.
3.2. Advantages and disadvantages of our app
Advantages:
● A powerful secure tool to monitor data and track all information.
● Costs Less in Time and Money: Your institution will save hundreds of hours of time spent by staff to enter and update records, as well as saving parents time in completing forms.
● Information Stored Centrally: Your school can keep all information in a central location with seamless integration.
● Easier Initial Set-up: Because of the friendly user interface, the initial set-up will not take much time for staff to enter themselves in this program.
Disadvantages:
● Does not include information necessary for billing.
● People who don't have Internet Access: Perhaps the biggest disadvantage is that not all of the people at your school may have access to the Internet easily.
● Computer Outages: Any problem with your computer network can potentially cause problems in the online school registry too. That might happen if there are many people trying to register at the same time.
3.3 SWOT Analysis.
STRENGTHS:
● Document recording is maintained in a unique repository;
● Personal data can’t be lost.
● Privacy and security are at a high level.
● All the information about students is stored in the database, and it is easier to find someone.
● Information about lessons is also stored in the system, and it is easier for accounting to view the report of hours worked.
WEAKNESSES:
● Needs Internet connection.
● Lack of people that have knowledge of working with this system.
OPPORTUNITIES:
● Permanency in information technology, which means modernization.
● To track information according to name, group or other information about a student or staff member.
THREATS:
● Possible management incompetence;
● Old office work regulation.
IV. SYSTEM ANALYSIS
This section provides software requirements to a level of detail sufficient to enable designers to design the system and testers to test the system.
4.1. Specifications of the application
This section contains all of the functional and quality requirements of the system. It gives a detailed description of the system and all its features.
A software requirements specification, or SRS, is a description of a software system to be developed. The software requirements specification lays out functional and non-functional requirements, and it may include a set of use cases that describe user interactions that the software must provide.
Functional requirements are supported by non-functional requirements (also known as "quality requirements"), which impose constraints on the design or implementation. Generally, functional requirements are expressed in the form "system must do <requirement>," while non-functional requirements take the form "system shall be <requirement>."
To derive the requirements, the developer needs to have a clear and thorough understanding of the products under development. This is achieved through detailed and continuous communications with the project team and customer throughout the software development process [2].
Why is it important to specify functional and non-functional requirements?
Software requirements specification establishes the basis for an agreement between customers and contractors or suppliers on how the software product should function. Software requirements specification is a rigorous assessment of requirements before the more specific system design stages, and its goal is to reduce later redesign. Used appropriately, software requirements specifications can help prevent software project failure.
Requirement Specification (SRS)
The following subsections of the SRS document provide an overview of the entire SRS.
● Purpose: The purpose of the project is to provide an online registry.
● Scope: The website displays all information from a handwritten registry in a secure place.
● Benefits: This website reduces the manual work, maintaining accuracy and increasing productivity.
Non-functional requirements
Non-functional requirements are often called quality attributes of a system. Other terms for non-functional requirements are "qualities", "quality goals", "quality of service requirements", "constraints", "non-behavioral requirements", or "technical requirements". Informally these are sometimes called the "ilities", from attributes like stability and portability. Qualities, that is, non-functional requirements, can be divided into two main categories:
1. Execution qualities, such as safety, security and usability, which are observable during operation (at run time).
2. Evolution qualities, such as reliability, maintainability, and scalability, which are embodied in the static structure of the system.
Security
The security requirements deal primarily with security. The software should be handled only by the administrator and authorized users. At the registration phase, it is required to confirm the password, which is encrypted in the database, and to provide a correct, working email. Only the administrator has the right to assign permissions such as creating new accounts and generating passwords.
Specific requirements in this area could include the need to:
● Utilize certain cryptographic techniques
● Keep specific log or history data sets
● Assign certain functions to different modules
● Restrict communications between some areas of the program
● Check data integrity for critical variables.
To make the database more secure we will use a script that makes a backup of the DB. This backup will be done at a fixed time, for a period which the user wants: for example, every Sunday evening at 6 o’clock, or each last day of the month at 8 pm.
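One way to implement the scheduled backup described above, as an added example that is not part of the original report or the project's code: a cron-driven shell script. The database name, directories, credentials file and script path are assumptions; it relies on GNU date and mysqldump.

```bash
#!/usr/bin/env bash
# Added example: cron-driven MySQL backup (not the project's own script).
# Assumed, not from the report: DB name, directories, credentials file, script path.
# Requires GNU date (for `date -d`) and mysqldump.
#
# crontab entries (cron cannot express "last day of the month", so days 28-31
# all fire and the script itself decides whether today is the last day):
#   0 18 * * 0      /usr/local/bin/eregistry-backup.sh weekly    # Sunday 18:00
#   0 20 28-31 * *  /usr/local/bin/eregistry-backup.sh monthly   # 20:00, last day only
set -u

DB_NAME="${DB_NAME:-eregistry}"                      # hypothetical database name
BACKUP_DIR="${BACKUP_DIR:-/var/backups/eregistry}"   # hypothetical backup location
# Option file with a [client] section (user=..., password=...), mode 0600,
# so the password never appears on the command line or in `ps` output.
CREDS_FILE="${CREDS_FILE:-/etc/eregistry/backup.cnf}"
KEEP="${KEEP:-8}"                                    # number of dumps to retain

# True when the given date (YYYY-MM-DD, default: today) is the last day of
# its month, i.e. the following day is the 1st. Handles leap years.
is_last_day_of_month() {
    ildm_day="${1:-$(date +%F)}"
    [ "$(date -d "$ildm_day +1 day" +%d)" = "01" ]
}

# Path of the dump file for a given timestamp (YYYYmmdd-HHMMSS).
backup_name() {
    printf '%s/%s-%s.sql.gz' "$BACKUP_DIR" "$DB_NAME" "$1"
}

# Keep only the newest $KEEP dumps; timestamps in the names sort lexically.
prune_old_backups() {
    { ls -1 "$BACKUP_DIR"/"$DB_NAME"-*.sql.gz 2>/dev/null || true; } |
        sort -r | tail -n +"$((KEEP + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
}

run_backup() {
    umask 077                        # dumps contain personal data: owner-only files
    mkdir -p "$BACKUP_DIR" || return 1
    out="$(backup_name "$(date +%Y%m%d-%H%M%S)")"
    tmp="${out%.gz}.partial"
    # Dump to a temporary file first so a failed dump never leaves a
    # truncated archive that looks like a valid backup.
    if mysqldump --defaults-extra-file="$CREDS_FILE" \
            --single-transaction --routines "$DB_NAME" > "$tmp" \
        && gzip -c "$tmp" > "$out"; then
        rm -f -- "$tmp"
        prune_old_backups
    else
        rm -f -- "$tmp" "$out"
        echo "backup of $DB_NAME failed" >&2
        return 1
    fi
}

case "${1:-}" in
    weekly)  run_backup ;;
    monthly) if is_last_day_of_month; then run_backup; fi ;;
esac
```

A backup is only useful if it can be restored, so a periodic test restore into a scratch database belongs next to this schedule.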
Usability
The system User Interface (UI) is a friendly one and very easy to use, as it does not contain any complicated, unreadable or incomprehensible items. It contains direct interactions with the user, such as tapping buttons, selecting buttons and checkboxes, as well as indirect interactions, for instance typing into a text field.
Reliability
The system will not crash in case of invalid data input, meaning that the system is “continuing to work correctly, even when things go wrong”. The server administrator can easily see what data was read. In case of a network or server connection error, the system will display the message “Something went wrong”, so that the user can check the network settings or IP address in order to find the issue and remove it. The system must successfully add any new user or item from the registry. The system provides a password-enabled login to the user to avoid any foreign entity changing the data in the system.
Scalability
As the system grows (in data volume), as more information is processed and sent to the server, there should be reasonable ways of dealing with that growth. In this case, the admin will delete data from the database, without the capability to recover them.
Maintainability
The system will be built using components that are as independent as possible, to make the system easily modifiable. All components of the system will be modular and as independent as possible, so that they can be modified for new use cases, repaying technical debt, and adding new features. So the system will provide three design principles:
Operability
It is easy for operations teams to keep the system running smoothly.
Simplicity
It is easy to understand, for example for new engineers who want to further develop the system, as it does not contain much complexity.
Evolvability
It is very easy for engineers who want to make changes to the system in the future, adapting it for unanticipated use cases as requirements change. Also known as extensibility, modifiability, or plasticity.
Logical database requirements
The database stores each and every piece of information that is saved by the user, whether it is a new registration or an old one. Modifications or updates of a registration are also applied very quickly and efficiently in the database.
The system must store all information from a handwritten registry, such as all information about students, which group they are in and what subjects they study; information about teachers, what subjects they teach and at which time they have lessons; and information about administration. All the data shall be stored in database tables.
The database shall contain ten entities: administrators, teachers, students, roles, users, users_roles, registry, lessons, groups, schedule. These entities shall store information such as: first and last name, group, marks, subjects, lessons, schedule.
The following diagram (Figure 4.1) represents the logical database design:
Figure 4.1 Database design
Constraints
Every developed application needs to have some constraints in order to run on a specific machine. Thus, the implemented system has the constraints listed below. Table 4.1 presents the functional and non-functional specifications of our web app.
Table 4.1 Functional and Non-functional Specifications

| Functional Specification | Non-functional Specification |
|---|---|
| Log in/out | English Language for UI |
| Add/Delete/Update students | Licensed tools: IntelliJ IDEA, MySQL |
| Add/Remove/Update lessons | UML Diagrams Tool: Enterprise Architect |
| Add theme for lessons | Spring framework, MVC (server side rendering) |
| Set schedule | Operating System: Windows, Ubuntu, MacOS |
| Add homework | Testing Results: Microsoft Excel |
| Forget password/Link confirmation | Project management on: Jira, Bitbucket |
Non-functional specification details:
The following documents should be produced for this project:
• Software Specification
• Non Functional Mockup
• Database Diagram
• Architecture document
• Installation document
• Document for using server app
The language used for the UI must be English.
Technologies and frameworks
• The web application and the server one will use the following technologies: MySQL, Java, Jira, Bitbucket
• For storing the source code, the Bitbucket tool/GitHub will be used.
• For task management, the Jira tool will be used.
• For uploading and saving files/documents, Google Drive will be used.
• For communicating and sharing the documents, OneNote Online and PowerPoint Online from Office 365 will be used.
• For storing the results of testing: Microsoft Excel.
• We will use the Enterprise Architect tool to create UML diagrams.
• IntelliJ IDEA for Java Spring MVC framework, Hibernate and Tomcat Server tools.
4.2. System analysis with UML diagram
UML diagrams are used for a better representation of the system performance. There are several types of UML diagrams, but the most explicit ones are: Use Case diagram, Class diagram, Sequence diagram, Activity diagram.
The Use Case diagram (Figure 4.2) refers to system behavior and describes the set of actions that the system and user should perform. In this project a system use case diagram was developed, used to specify external requirements and system functionality.
Figure 4.1 Use Case diagram
The elements of the Use Case diagram are the actors (Administrator, Teacher, Student), the use cases, and the include relationship. From this diagram you can see that the Administrator has access to add and edit administrators, teachers, students, schedule and registry. The Teacher has access to create a lesson, to add a subject, to evaluate the students and to see the registry. The Student has access only to see the schedule and registry.
This Data Flow Diagram (Figure 4.2) provides information about authentication of the user. When the user enters his user name and password, his access role is checked: the system database is consulted to verify whether the user has indicated the right role for his username.
Figure 4.2 Data Flow Diagram
In UML (Unified Modeling Language), activity diagrams are considered behavior diagrams, because they describe what must happen in the system being modeled. This diagram is important in a system, because it shows the flow and the logic of the algorithm. It also describes the steps which are performed according to the Use Case UML Diagram. Another important feature of this diagram is that it illustrates the workflow between users and the system. It is useful for modeling software architecture elements, such as methods, functions and sets of operations.
The following diagram (Figure 4.3) represents the Activity Diagram of the web application for the Student:
Figure 4.3 Activity Diagram for Student
The following diagram (Figure 4.4) represents the Activity Diagram of the web application for the Teacher:
Figure 4.3. Activity Diagram for Teacher
The following diagram (Figure 4.4) represents the Activity Diagram of the web application for the Admin:
Figure 4.4 Activity Diagram for Administrator
This Activity diagram (Figure 4.5) shows the working of the Login scenario of the External user.
1. Enter User Name: User is prompted to enter his unique user name.
2. Enter Password: User is asked to enter his unique password.
3. Validate combination of username and password: The system database is checked to find and verify whether the combination of entered username and password is valid.
Figure 4.5 Activity Diagram for Login Scenario
Basically, when the user wants to log in to his account, he must first enter his credentials (username and password). After that, the controllers and database will take care of checking whether there is a user registered with that username and password. If the user inputs one of the fields incorrectly, he will receive a message saying that he didn't insert a matching pair of username and password. Of course, he will be able to reset his password by choosing the forgot password option, where he must enter his email, at which he will receive a token for resetting the password; he must then enter the same password twice (Figure 4.6).
Figure 4.6 Sequence Diagram for Login Scenario
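An added example (not the project's code, and written in Python rather than the project's Java so that it runs with the standard library alone) of the reset-token step described above: the token is random, stored only as a hash, expires, works once, and the request form answers identically for unknown addresses. The class name `ResetTokenStore`, the 15-minute lifetime and the `outbox` list standing in for the mail server are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the report does not specify one


class ResetTokenStore:
    """Keeps only SHA-256 digests of issued tokens, so a leaked table holds no usable token."""

    def __init__(self, known_emails, clock=time.time):
        self._known = set(known_emails)
        self._clock = clock
        self._pending = {}   # email -> (token digest, expiry timestamp)
        self.outbox = []     # stands in for the SMTP server: (email, token)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, email):
        """Same answer for every address, so the form does not reveal who is registered."""
        if email in self._known:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            expires_at = self._clock() + TOKEN_TTL_SECONDS
            # A new request replaces any earlier pending token for this address.
            self._pending[email] = (self._digest(token), expires_at)
            self.outbox.append((email, token))
        return "If the address is registered, a reset token has been sent."

    def redeem(self, email, token, new_password, repeat_password):
        """Return 'ok' or the reason for refusal; the caller stores the new password hash on 'ok'."""
        if new_password != repeat_password:
            return "passwords do not match"      # the password is entered twice
        entry = self._pending.get(email)
        if entry is None:
            return "invalid token"
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[email]
            return "expired token"
        # Constant-time comparison of digests avoids a timing side channel.
        if not hmac.compare_digest(digest, self._digest(token)):
            return "invalid token"
        del self._pending[email]                 # single use
        return "ok"


if __name__ == "__main__":
    store = ResetTokenStore({"maria@example.org"})   # constructed sample address
    print(store.request_reset("maria@example.org"))
    address, sent_token = store.outbox[0]
    print(store.redeem(address, sent_token, "N3w-pass!", "N3w-pass!"))
    print(store.redeem(address, sent_token, "N3w-pass!", "N3w-pass!"))
```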
Besides the user, who will be able to change his information (not all of it, of course), the admin will also be able to do that and, moreover, will be able to change a user's role. In order to do that, he will access the list of students/teachers, choose a target, and then change some information. At the end, when he presses the update button, he will receive a confirmation message. If he clicks the yes button, the database will update the user's fields, and if the user is logged in at that point, he will be logged out in order to update the new information in the database. See more details in the picture below (Figure 4.7).
Figure 4.7 Sequence Diagram for updating information
Users will be deleted only by admins and maybe some teachers. In order to do that, they will access the list of students/teachers, select the users, and then delete them. As in the previous case with updating info, they will receive a confirmation message, so that a user is not deleted unnecessarily (Figure 4.8).
Figure 4.8 Sequence Diagram for removing a user
To create a schedule, teachers/admins must fill in some fields, such as the day and the starting time of the lesson (the end time will be generated automatically), then select the group which has a lesson at that time, a subject, and the teacher who teaches the selected group the selected subject (Figure 4.9).
Figure 4.9 Sequence Diagram for creating schedule
4.3 Software System Attributes
The online registry deals mainly with hardware devices and the software components installed on those devices. The system performs many tasks. It consists of a web-based system used by Teachers, Administrators and Students of the university. The system helps to record students' personal details, publish the timetable, preview student results and select subjects for the semester. Therefore the web-based part is expected to run on various operating system platforms. The applications of the system will run on the web server connected to the database server.
The Internet is a worldwide interconnection of all smart communication devices that have a valid IP. Browser software must be installed to access the internet. If the user accesses the system directly through an internet connection, the user has to install a dongle, modem or other relevant device, Wi-Fi, etc. to connect to the system.
The physical arrangement of devices in a typical network shows that the only software a client needs to access this system is a browser.
Using our online registry requires a specific set of servers and devices, such as: a server to host web applications and web service applications; a database server to store and manage data; a personal computer or notebook to access the website; a modem/router/switch/hub/Wi-Fi network/cable network, etc.; and an Internet Service Provider for internet connectivity. The above devices communicate with each other. The personal computer communicates with the web server and the database server through the HTTP protocol. It communicates with the mail server through the SMTP protocol. A cable network or Wi-Fi network is also a communication method used in connecting different network components.
V. SYSTEM DESIGN
5.1. The general architecture of the system
MODULE DESCRIPTION
The system should be designed in such a way that only authorized people are allowed to access particular modules. The records should be modified only by administrators and no one else. The user should always be in control of the application and not vice versa. The user interface should be consistent so that the user can handle the application with ease and speed. The application should be visually and conceptually clear.
ADMINISTRATOR MODULE
Student Details: This module deals with the information about the student, his academic and personal data. The Admin can add a new student to a group, modify his personal information and delete the student.
Staff Details:
● It helps to allot the subject and the subject code to the particular staff member.
● It provides each staff member with a username and password.
Time table details:
● It will retrieve the subject information from the subject database and assign the time table to the staff.
● It will help the admin and staff to enter attendance, put marks and set homework, based on the subject and period allotted to the respective staff.
STAFFS MODULE:
Lessons details:
● It assists the staff in marking students' attendance for their subject. It authenticates the staff before the entry is made.
● It provides the facility to put marks for students during the lesson.
STUDENT MODULE:
Lesson details:
● Here students can view information about the lesson, and where and which the next lesson will be. A student can also view his marks.
The online registry will be developed under two main architectural styles/patterns. Development of the project will be done in the MVC architectural style and also the 3-tier Client/Server Architecture. The client can browse the internet and access the online registry provided within the local area network of the University.
MVC Architecture Style (Model – View – Controller):
The MVC style separates presentation and interaction from the system data. The system is structured into three logical components that interact with each other.
The Model component – Manages the system data and associated operations on that data.
The View component – Defines and manages how the data is presented to the user.
The Controller component – Manages user interaction and passes these interactions to the View and the Model.
We will use the MVC style for our Online Registry System because there are multiple ways to view and interact with data. It is also used when the future requirements for interaction and presentation of data are unknown. In some software systems the code of the process logic and of the interface is mixed. This reduces the modularity of the application and makes the system more difficult to maintain. To avoid this problem we have decided to use the MVC architectural style to separate the application logic from the interface. The main advantage of this style is that it allows the data to change independently of its representation and vice versa. It supports presentation of the same data in different ways, with changes made in one representation shown in all of them.
Three-Tier Client Server Architecture:
In a client-server architecture, the functionality of the system is organized into services, with each service delivered from a separate server. Clients are users of these services and access servers to make use of them.
We will use the 3-Tier Client Server Architecture because data in a shared database has to be accessed from a range of locations.
Data Tier
The data tier maintains the application's data, such as users' data, departments' data, subjects' data, courses' data, time tables' data and the SQL queries. It stores these data in a relational database management system (RDBMS). All the connections with the RDBMS are managed in this tier.
Middle Tier
The middle tier (web/application server) implements the business logic, controller logic and presentation logic to control the interaction between the application's clients and data. Business rules enforced by the business logic dictate how clients can and cannot access application data and how applications process data.
Client Tier
The client tier is the application's user interface, connecting data entry forms and client-side applications. It displays data to the user. The user interacts directly with the application through the user interface. The client tier interacts with the web/application server to make requests and to retrieve data from the database. It then displays to the user the data retrieved from the server.
Example of the 3-tier architecture in the online registry:
If an admin needs to view the list of current students, first he has to log in to the system. Then he has to click the “Utilities” option, and after that choose the “Student” option. Then the system will display the information. In this process, the Login screen, the users' main screen and the List of students combination summary screen are defined in the Client tier; the data for login and profile information and the SQL queries for that information are maintained in the Data tier; and the controller logic for the login process and for loading profile information from the database is defined in the Middle tier.
In the online registry there are a number of different processes, such as the database server process, the web server process and the connections between these servers. When sending mails, a mail server should be running. The SMTP protocol is used to communicate with mail servers. They should communicate well with each other to perform the functions of the whole application.
5.2. Component and detailed design
Design decisions applied to the whole application:
○ Object-oriented software development methods. These were used for the following reasons:
● Improved software maintainability
● Faster development
● Lower cost development
● Improved software development productivity
● Higher quality software
○ Three-Tier Client Server Architecture. As more users access the system, a three-tier solution is more scalable than the other solutions because you can add as many middle tiers as needed to ensure good performance. Moreover, security is also the best in the three-tier architecture because the middle layer protects the database tier.
○ MVC Architectural Pattern. The system should interact with other machines or users effectively. For more efficient interaction the system should have flexible interfaces. MVC can be taken as a popular and easy-to-handle web application development style that has the feature of separating the presentation, business and intermediate logic. It eases coding and provides well-defined interfaces within each logic.
Design Patterns and Techniques used
○ Abstract Factory Pattern – a creational design pattern that provides a way to encapsulate a group of individual factories that have a common theme without specifying their concrete classes. The abstract factory pattern offers the interface for creating a family of related objects without explicitly specifying their classes.
In our application the design pattern will be applied in creating different user accounts, which are the different factories. It will also be used to keep the system
○ Singleton Pattern – a creational design pattern and one of the simplest patterns in the field of software engineering. It involves only one class, which is responsible for instantiating itself so that it creates no more than one instance. The singleton pattern is useful when access to a limited resource needs to be controlled.
In the online registry this pattern will be used for the database manager.
○ Observer Pattern – a behavioral pattern which defines a one-to-many dependency between objects, where a state change in one object results in all its dependents being notified and updated automatically. This pattern may be used in all situations where more than one display format for state information is required and where it is not necessary for the object that maintains the state information to know about the specific display formats used.
The observer pattern will be used in the online registry for the operations of the system users.
○ Adapter Pattern – a structural pattern that translates one interface for a class into a compatible interface. It converts the interface of a class into another interface that the user expects. The adapter allows classes with incompatible interfaces to work together. This pattern will be used in the online registry when displaying information from the database.
○ Techniques Used
Prototyping: In designing the online registry, prototyping will be used to demonstrate the underpinning concepts of the design and for user interfaces. This technique will give the system users the opportunity to experiment with the software to a certain extent during the development process.
5.2. Graphical User Interface for web app
In our online registry there are three types of user, but the main users are Admins. When the user first opens the electronic register, the page displays the university logo and the news section (Figure 5.1). By scrolling down, the user can find the link to the login page on the bottom left and the link to register as an Admin on the bottom right (Figure 5.2).
After a new user is registered, the registered person confirms by e-mail (Figure 5.3). Once the profile has been validated, the user can access the login page and log in to his account. If the user has forgotten the password, he can click on "Forgot your password?", which redirects him to another page where he enters his email address (Figure 5.4). Later, a token that allows the password to be reset will arrive at this address (Figure 5.5).
Depending on his role, the user has different privileges. The screen below (Figure 5.6) shows that access is restricted.
The user can also see the schedule of all the groups, which are represented by different colors (Figure 5.7).
The Admin has the role of registering a new admin, teacher, student, group, subject or schedule, and can also modify information about these entities (Figure 5.8, 5.9, 5.10, 5.11, 5.12, 5.13).
The Teacher can add a new lesson, set homework (Figure 5.14, 5.15) and put marks, and only he has access to the registry.
The Student can see only his schedule, marks, lessons, topics and homework.
Figure 5.1 Main screen
Figure 5.2 Registration of a new administrator
Figure 5.3 Receiving a mail confirmation
Figure 5.4 Login page
Figure 5.5 Forgot password
Figure 5.6 Receiving a mail for reset password
Figure 5.7 Reset password
Figure 5.8 Administrator’s data
Figure 5.9 Update admin’s data
Figure 5.10 Delete an admin
Figure 5.11 Registration of a new group
Figure 5.12 Registration of a new subject
Figure 5.13 Registration of a new record in schedule
Figure 5.14 Access is restricted
Figure 5.15 Completing the registry
Figure 5.16 Adding a new lesson
VI. VULNERABILITIES
A Web application can be described as a program that is developed in order to perform specific processes. There are many technologies available today to help us develop these applications. Some of them include Ajax, PHP, JavaScript, Perl, ASP.NET and many more. A web application normally handles the user's input in an external script and performs routines. Normally, this routine includes database data collection. The final result is returned to the user depending on the type of task involved.
Web application security is defined as the methods, principles and implementation used to prevent and identify security threats. Security can be understood as an effective measure against threats.
A threat is considered a malicious danger that can exploit vulnerabilities against our resources. In a web application this security weakness is the result of poor coding, mistakes in development and bad design techniques. However, in order to code our applications in a hack-resilient way, consider the following:
– To have organizational Management.
– Use testing tools.
– Follow Methodologies for development.
– Use standards, policies. [3]
6.1 Security foundations
As described earlier, a web application relies on information security principles. Some of these principles include the following:
Confidentiality – only allow access to data for which the user is permitted.
Integrity – make sure that unauthorized users will not access data.
Availability – ensure data availability to the users when required. [4]
Based on Microsoft Web Application Security Fundamentals resources, authentication, authorization and auditing are also included.
Authentication explains the process of identifying users correctly based on their rights. Authentication addresses the question: who are you?
Authorization explains the permissions of those who have access to resources; in other words, what you can do with those resources, such as making changes in your account or modifying files and database tables.
Auditing explains that a user cannot deny operations such as online transactions or other processes. [3]
6.2 Web application security fundamentals
"A vulnerability in a network will allow a malicious user to exploit a host or an application. A vulnerability in a host will allow a malicious user to exploit a network or an application. A vulnerability in an application will allow a malicious user to exploit a network or a host."
Carlos Lyons, Corporate Security, Microsoft
To summarize, security must be addressed at three levels: network, host, and application. A weakness at any layer can be exploited by an attacker. [3] Web application security is intended to be applied to these three levels because they depend on each other to have a hack-resilient application. See Figure 6.2 for a brief summary and a reference that shows how web applications are the most exposed and least protected.
Figure 6.2 Web application vulnerability.
*Img source: [http://hh.diva-portal.org/smash/get/diva2:610574/FULLTEXT01.pdf]
6.2.1 Network Security
The main principle is that network security must be implemented to protect our assets, since network infrastructure such as routers, switches and firewalls has to be well configured to be secured against attacks. It is very important to protect our network not only from attacks on TCP/IP but also to protect the interfaces with strong passwords. Another goal is to ensure traffic integrity. [5]
The router is responsible for forwarding IP packets. One of its tasks is to block unauthorized traffic, and it is the first point of attack in our network. If we don't have access to the router settings, there is not much to do about the network security of this device other than to contact our ISP to obtain information about the security they implement at the network layer. [5] Otherwise, some security configurations and measures that could be implemented are to control administrative access, make sure it has the latest software and patch updates, and implement auditing, logging and intrusion detection. The switch's main function is to improve the network performance of the administrative side.
The switch forwards packets to the network segments or hosts. Some measures include virtual local area network (VLAN) configuration and access control, encryption, controlling access to the administration OS of the switch to prevent intruders from misconfiguring it, disabling services that are not in use such as TFTP, and limiting the ACLs' access.
The firewall allows or blocks traffic at the port, monitors the incoming traffic requests and prevents known attacks against our servers.
Some configuration performed on the firewall includes: patches, updates, filters, auditing, logging perimeter and intrusion detection. As with other network devices, its OS should be regularly updated and administrative access to it controlled. [5]
Security begins with an understanding of how the system or network that needs to be secured works. The best-known network threats are:
– Denial of service.
– Session hijacking.
– Spoofing.
– Sniffing.
– Information gathering. [5]
6.2.2 Securing the web server
Web servers are vulnerable; we need methodologies to prevent attacks. But why do we need to focus on the web application to prevent attacks or exploits? Regardless of the OS that our web server uses, be it IIS, .net or Apache, security configuration must be performed at this level to diminish the vulnerability levels.
The main threats to a Web server are profiling, denial of service, unauthorized access, lack of privilege setup, arbitrary code execution, viruses, worms, and Trojan horses. A brief summary of these vulnerabilities at the web server level can be seen in Figure 6.2.2.
Figure 6.2.2 Web server vulnerabilities
*Img source: [http://hh.diva-portal.org/smash/get/diva2:610574/FULLTEXT01.pdf]
The process of securing our Web server involves a list of steps such as updates, monitoring, file and directory permissions, ports configuration, registry configuration, log files, server certificates and much more.
6.2.3 Application security principles
It seems that the most exposed and least protected part of the platform is the web application, that is, the code that in principle handles requests/processes to/from the server. To arrive at a model that adequately represents web application security measures, it is necessary to organize and prioritize the web application's needs based on infrastructure, technology and coding principles.
A well-known application architecture is model-view-controller, known as MVC; it is implemented mostly with Apache and used in frameworks such as CodeIgniter.
In the MVC architecture, the view represents the front-end code; it can be understood as the HTML output for the user. The controller is considered the gate of the workflow: the code that handles the logic and processing to ensure the safety of the output by the view code. The controllers on the server side help to validate the user input data against known security issues before passing the data to the model for processing; this ensures the integrity of the output from the view controller. [4]
Finally, the Model can be seen as a method to deal with the processes, to ensure that the code is not exposed and is preventive. This is why the Model is responsible for the prevention of SQL injection.
The responsibility of the model is to test the data against business rules. For example, if a model stores data in a flat file, the code needs to be checked for OS command injection if the flat files are named by the user, as well as if the model stores data in an interpreted language, such as SQL. [4]
Syntax and calls by the model to the data server must be as secure as possible, since the weakest points are found with dynamic queries built from unverified user input. The best performance and highest security are often obtained through parameterized stored procedures, followed by parameterized queries (also known as prepared statements) with strong typing of the parameters and schema.
Minimizing network traffic for a multi-stage transaction, or keeping security-sensitive information from traversing the network, is one of the major reasons for using stored procedures. [4] Stored procedures are not always the best solution to the problem, however.
The following relevant security principles can help us to achieve better planning and security implementation:
– A secure infrastructure (network), as explained previously, is necessary to ensure that the application level is secured; the same rule applies to our web services as well. [5]
– Review the architecture of the application. The design of our application is very important for security. Critical parts of our code that handle processes like authentication, management, input validation and data storage must be examined with great care. [6]
– Do not trust Security through Obscurity. It is a weak security control that nearly always fails when it is the only control; this means that the security of key systems should not be reliant upon keeping details hidden. [4]
– Control input validation. This is one of the most common ways attackers exploit applications. Some attacks include SQL injection, XSS and code injection. A form can be easily validated, but the question is whether it uses the right method and which input is allowed or rejected. One good way for developers to control validation is to validate our users first at the gate and to rely not on client-side validation but on server-side validation instead.
One typical example is input that leads to a SQL query. So far this is known as the most vulnerable method for SQL injection attacks. How we validate queries to the database is the question whose answer primarily addresses this type of attack.
– How the application authenticates and how the code handles the requests is one of the most important steps in the security process, not only for the code itself but also for problems related to weak passwords, non-encrypted credentials in the server or SQL tables, over-privileged accounts and long sessions. [3] It is really easy to gain access to systems, network devices, server telnet sessions, databases, and every system that requires a password. There are several login tools available that can be used for legal or testing purposes; one is HYDRA.
– The least privilege principle is about reducing the privileges a user has to perform a process, for file system permissions, CPU limits, memory and the network. It covers how your application is authorized inside the database and how access to system-level resources is controlled. Authorization vulnerabilities can result in information disclosure, data tampering, and elevation of privileges. [6]
– Minimize the attack surface area as much as possible. As a security measure to reduce the attack surface area, it is better to review the code for those areas of vulnerability that may be eliminated just by requiring user authentication or by eliminating a function in the code that leads to exposure. [4]
For example, a web application implements online help with a search function. The search function can be vulnerable to SQL injection. If the help feature were limited to authorized users, the likelihood of attack is reduced. If the help feature's search function incorporates data validation routines, the ability to perform SQL injection is reduced.
– Insecurity of external systems. Many companies use the processes and models of external third parties. How can we influence or control their processes? I believe there is no security warranty on this, because their policies and developers may not follow our standards; that is why third-party partners can expose our system's security. [6]
– Sometimes simplicity over complex coding techniques will help in case we need a simple approach, for example the use of global variables. [4]
– After a security issue has been discovered, it must be corrected, and it is necessary to run specific testing tools according to the root cause of the problem and develop the right solution for the problem.
Improving web application security means knowing our threats; after this we can analyze our applications. One good security approach is to follow the Windows threat model process, which is based on knowing our threats in order to know what to secure and how.
VII. TESTING
Security testing is a non-functional testing process which is meant to determine that the security mechanisms of an information system protect data and maintain functionality. In order to check whether or not the web application is secured, security testing should be performed. To ensure that no one can hack and log in to the application without authorization, several tests have been executed, such as determining that each type of user logs in to the application with their role, that the application is secured against SQL injection, etc.
The test framework for the application is the following: Java as the programming language, together with software tools such as Cucumber, JUnit and ChromeDriver.
There are several security testing techniques:
1.
SQL
Injection
:
Entering
a
single
quote
(‘)
in
any
text-box
should
be
rejected
by
the
application.
Instead,
if
the
tester
encounters
a
database
error,
it
means
that
the
user
input
is
inserted in some query and that is executed by the application.
2.
Cross
Site
Scripting
(XSS):
The
tester
should
additionally
check
the
web
application
for
XSS
(Cross-site
scripting).
Any
HTML
e.g.
<HTML>
or
any
script
e.g.
<SCRIPT>
should
not be accepted by the application.
3.
Ethical
Hacking
:
This
helps
identify
potential
threats
on
a
computer
or
network.
An
ethical
hacker
attempts
to
bypass
the
system
security
and
search
for
any
vulnerability
that
could be exploited by malicious hackers aka Black hats.
4.
Password
Cracking
:
Hackers
can
use
a
password
cracking
tools
to
crack
passwords.
Until
a
web
application
enforces
a
complex
password
(long
password
with
a
combination
of
numbers, letters, and special characters), it is easy to crack.
5.
Penetration
Testing
:
A
penetration
test
is
an
attack
on
a
computer
system
with
the
intention
of
finding
security
loopholes,
potentially
gaining
access
to
it,
its
functionality
and
data.
55
6. Risk Assessment: This is a process of assessing and deciding on the risk involved with the type of loss and the possibility of vulnerability occurrence.
7. Security Auditing: A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria.
8. Security Scanning: This is a program that communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application, OS and networks. [11]
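Items 1 and 2 need a pass/fail rule that an automated step can assert on, for example against the page source returned after submitting the form. The class below is an added example, not code from the eRegIsTry project: the class name, the error signatures (assumed for the MySQL and Hibernate stack this report names) and the sample responses are constructed for illustration, and it needs Java 9 or later.

```java
import java.util.List;
import java.util.Locale;

/** Added example: pass/fail oracle for the single-quote and script-tag checks. */
public class InputProbeOracle {

    // Substrings that indicate a leaked database error. Assumed signatures for a
    // MySQL + Hibernate + Java stack; extend the list for other stacks.
    static final List<String> DB_ERROR_SIGNATURES = List.of(
            "you have an error in your sql syntax",
            "java.sql.sqlexception",
            "org.hibernate.exception",
            "sqlgrammarexception");

    /** True if the page returned after submitting a probe leaks a database error. */
    static boolean leaksDatabaseError(String pageSource) {
        String lower = pageSource.toLowerCase(Locale.ROOT);
        return DB_ERROR_SIGNATURES.stream().anyMatch(lower::contains);
    }

    /** True if the submitted markup comes back verbatim, i.e. not HTML-escaped. */
    static boolean reflectsRawMarkup(String pageSource, String submitted) {
        return pageSource.contains(submitted);
    }

    /** Verdict a step definition can assert on, e.g. with driver.getPageSource(). */
    static String verdict(String pageSource, String submitted) {
        if (leaksDatabaseError(pageSource)) return "FAIL: database error exposed";
        // Only markup probes are checked for reflection; a lone quote is too common.
        if (submitted.contains("<") && reflectsRawMarkup(pageSource, submitted))
            return "FAIL: markup reflected unescaped";
        return "PASS";
    }

    public static void main(String[] args) {
        String quote = "'";
        String tag = "<SCRIPT>";
        // Constructed sample responses, not output captured from the application.
        String rejected = "<p class=\"error\">Invalid username or password</p>";
        String sqlError = "<pre>java.sql.SQLException: You have an error in your SQL syntax</pre>";
        String escaped = "<p>No user named &lt;SCRIPT&gt;</p>";
        String reflected = "<p>No user named <SCRIPT></p>";

        System.out.println(verdict(rejected, quote));
        System.out.println(verdict(sqlError, quote));
        System.out.println(verdict(escaped, tag));
        System.out.println(verdict(reflected, tag));
    }
}
```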
Example of testing result:
Feature file example:
Feature: Reset functionality on login page of Application

  Scenario Outline: Different role valid login
    Given Open the Chrome and launch the application
    When Enter the Username "<username>" and Password "<password>"
    Then Check the credential "<name>"

    Examples:
      | username | password | name  |
      | maria    | parola   | maria |
Step Definition example:
import org.junit.Assert;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;

import cucumber.api.java.en.Given;
import cucumber.api.java.en.Then;
import cucumber.api.java.en.When;

public class ValidLogin {

    WebDriver driver;

    // Start Chrome and open the login page of the application.
    @Given("^Open the Chrome and launch the application$")
    public void open_the_Firefox_and_launch_the_application() throws Throwable {
        driver = new ChromeDriver();
        driver.manage().window().maximize();
        driver.get("http://localhost:8080/showLoginPage");
    }

    // Type the credentials from the Examples table into the login form.
    @When("^Enter the Username \"(.*?)\" and Password \"(.*?)\"$")
    public void enter_the_Username_and_Password(String username, String password) throws Throwable {
        driver.findElement(By.xpath("//div[@class='usernameField']//input[@name='username']")).sendKeys(username);
        driver.findElement(By.xpath("//div[@class='passwordField']//input[@name='password']")).sendKeys(password);
    }

    // Submit the form and check that the navbar shows the logged-in user.
    @Then("^Check the credential \"(.*?)\"$")
    public void Reset_the_credential(String name) throws Throwable {
        driver.findElement(By.xpath("//div[@class='loginBtn']//input[@name='logBtn']")).click();
        // Look the navbar link up by the expected name from the Examples table
        // instead of a fixed value, so every row of the outline is checked.
        Assert.assertEquals("User: " + name,
                driver.findElement(By.xpath("//div[@class='navbar']//a[contains(.,'" + name + "')]")).getText());
        System.out.println("This step click on the Reset button.");
    }
}
Runner example:
package testsRunner;

import org.junit.runner.RunWith;

import cucumber.api.CucumberOptions;
import cucumber.api.junit.Cucumber;

@RunWith(Cucumber.class)
@CucumberOptions(features = "features/validLogin.feature", glue = {"stepDefinition"})
public class ValidLoginRuner {
}
Result:
Performance testing was also carried out, using the JMeter tool (Figure 6). Analyzing the number of students in the university shows that there are, on average, almost 2000 students per faculty. But let’s take a maximum number of students, teachers and administrators from a faculty, for example 10000 users.
Figure 6. JMeter tool
We obtain the following Summary Report, with an Error% of 42.61% (Figure 6.1).
Figure 6. Testing of maximum users per university (10000)
But let us test the maximum admissible number of users at one moment (Figure 6.2):
Figure 6. Testing of maximum users per faculty (2000)
For 2000 users accessing the application at the same time, the Error% is 0.0.
So, from these performance test cases, we can say that all people from a faculty can easily access eRegIsTry at the same moment.
VIII. CONCLUSIONS
Our team worked on this project for 11 weeks, following the Agile methodology and using JIRA software, in the “Allied Testing” company, mentored by Veaceslav Nastasenco and Maxim Tsyganovskiy. As the team consisted of 5 members, the tasks were distributed proportionally.
We worked on a project related to developing an online registry for educational institutions. To develop the application, we first analyzed several applications and the market requirements for this type of application. We also did some research on which tools and frameworks would be better to use for our requirements, specifying them in the Software Specifications. We gained new programming skills in Java with the Spring MVC framework, MySQL server with the Hibernate tool, and Tomcat Server.
This report discussed the development of web application security principles and fundamental information that can help us prevent web exploits in our system. Web applications are considered the most exposed and least protected, and therefore vulnerable, because the standards are focused not on security but more on serving the needed functionality.
Security threats are more common than before because the internet has become the most valuable tool of today's economy for everyone. So there is indeed a need to protect our resources, data and user privacy information. As technology moves forward and brings new strategies, tools, models and methods to increase security levels, hackers will be part of this never-ending game.
During our practice we understood how to divide work in the team, how to work on a big project and how to structure it. We learned a lot about the Spring MVC framework, how to make a secure application, and how to correctly deliver tasks in a team. We are thankful to our mentors and the company for such an opportunity.
BIBLIOGRAPHY
[1] Y-H. Yao, A.J.C. Trappey, P-S. Ho, “XML-based ISO9000 electronic document management system”, Robotics and Computer Integrated Manufacturing, vol. 19, pp. 355-370, 2003.
[2] https://www.inflectra.com/ideas/topic/requirements-definition.aspx
[3] J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, Microsoft Corporation, http://msdn.microsoft.com/enus/library/ff648636.aspx [Retrieved: 2012-11-17]
[4] OWASP Foundation, A Guide to Building Secure Web Applications and Web Services 2.0, Black Hat Edition, July 27, 2005 [Retrieved: 2012-11-22]
[5] J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, Microsoft, http://msdn.microsoft.com/enus/library/ff648651.aspx [Retrieved: 2012-11-19]
[6] J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, http://msdn.microsoft.com/en-us/library/ff648650.aspx [Retrieved: 2012-12-08]
[7] https://www.owasp.org/index.php/Testing:_Introduction_and_objectives [Retrieved: 2012-12-09]
[8] OWASP Foundation, 2010, The Ten Most Critical Web Application Security Risks, http://www.owasp.org/index.php/Top_10 [Retrieved: 2012-11-19]
[9] https://www.owasp.org/index.php/Top_10_2010-A9 [Retrieved: 2012-12-13]
[10] http://tryqa.com
[11] https://www.toolsqa.com/software-testing/security-testing/