Learning Objectives

In this assignment you will demonstrate:

• Familiarity with the vocabulary of secure software design
• The ability to research and articulate technical aspects of, and impacts of, some known vulnerabilities
• The ability to get through a number of Tom Scott videos on YouTube
• Initial familiarity with some secure design principles
• The ability to write classes that exhibit validation, immutability, and defensive copying

Read and Watch

Read (to get a feel for secure design by extreme repetition):

• The course notes on Security Fundamentals, Designing Secure Software, JavaScript, and Java
• This entire article (OWASP Security by Design Principles)
• This little blog post
• Another little blog post
• This little book chapter

Watch:

• Any five of the Tom Scott videos listed on the first page of course notes.

For Submission

Submit via BrightSpace, a PDF document with the answers to Problems 1-3 below and the URL of the shopping cart project described in Problem 4. Your shopping cart project should be hosted on GitHub, Replit, or some similar place online. Make sure I can run your code.

1. Since writing things down helps you retain information, provide well-written, precise definitions of the following terms, each in ten words or less: (a) Risk (b) Threat (c) Defect (d) Flaw (e) Bug (f) Vulnerability (g) Weakness (h) Failure (i) Exploit (j) Integrity (k) Authentication (l) Authorization. The effort put into composing short definitions should increase your fluency with the terminology. Craft the answers yourself rather than getting a chatbot to do your work.
2. Give the titles and complete URLs of the five Tom Scott security-related videos you watched (to completion), together with a sentence or two on the purpose or lesson of each video. Make sure the purpose or lesson is accurate and truly central to the video.
3. A one-paragraph summary of each of the following (you might have to do research outside the assigned reading): Heartbleed, XSS, Billion-Laughs, CSRF. Hit on both the impact of each (economic, societal) and be very precise in your technical explanations. Where relevant, use actual quantities. Pictures are nice but not required. Make your summaries understandable to undergraduate computer science students in their second year. Chatbots might be helpful here, but understand what they say and, if they get way too wordy, clean up their output and put things into your own words.
4. Write a ShoppingCart class in Java, Python, C++, Go, Rust, Swift, or pretty much any language of your choice that supports classes (check with me first) together with good documentation and solid unit tests. Don’t use JavaScript or TypeScript since, well, we did this exercise in class in JavaScript. Although we are only beginning our formal study of secure programming constructs, your task in this assignment is to implement the following requirements as best you can. The readings for this assignment above should help get you in the right mindset. Later lectures and code-alongs will help you fine tune you work so secure programming becomes second nature to you.
   • The shopping cart class must (1) have its own id, (2) hold the id of the customer that the cart belongs to, and (3) the items in the cart along with their quantities
   • Provide a way for users to query the id, customerId, and items from the cart. Make sure that no one can change the cart indirectly by modifying the values you provided them (you may need to research “immutability” and “defensive copying”).
   • Provide a way for users to add, update, and remove items.
   • Ensure the id and customerId of the cart can NEVER be changed.
   • Provide a method to get the total cost of the items in the cart.
   • Shopping cart ids must be uuid4s. Find out how to generate them in the language of your choice.
   • All customer ids must have the following form: 3 letters, 5 numbers, 2 letters, a dash, and finally an A or a Q. Always check for valid customer ids.
   • Ensure you can never have a negative quantity for an item in the cart. Also put and upper bound on quantities as well (you should know why we need bounds like this, pretty much everywhere).
   • Make sure items you add to the cart are in an catalog.” Item names should also be length-bounded and the characters in the names restricted. Make sure any string content in your project is bounded as well.
   • Employ immutability everywhere you possibly can.
   • Throw exceptions where it makes sense to do so. Do not allow bad data to creep in, ever.
   • Other opportunities for “secure programming” may arise. Seize them. Implement them.

   Authentication and authorization is not part of this assignment.

   Try to use a popular unit testing framework for the language you choose. If you are not (yet) familiar with testing frameworks, you can write an executable script loaded with assert statements. Strive for complete coverage.

Grading

• For each definition, 1 point, all or nothing. Your writing must be accurate, precise, and grammatically correct. You must limit definitions to ten words. (12 points)
• For each video: 2 pts for giving the URL (encouragement to follow directions), 3 points for capturing the essence of the video. (5 points × 5 = 25 points)
• For each vulnerability: 1 points that it is in a paragraph form, 1 point for writing well, 3 points for being accurate and complete. (5 points × 4 = 20 points)
• For each program: 2 points for giving the link so I can find your code, 3 points that I can easily run the tests, 3 points that the whole file was formatted well (use an auto-formatter PLEASE), 3 points for good names, 8 points for type and bounds validation, 8 points for using immutability or defensive copying so as to not allow malicious updates, and the other 16 points are awarded for checking off every requirement. (43 points)