Nόmisma νόμισμα

Description

Νόμισμα, or in English “nόmisma”, is the ancient Greek word for “money”. Nόmisma is a money-tracking application intended for tracking expenses while travelling. This application was developed as a group project for my Special Topics course on Secured Software Coding. The purpose of this project was not focused on the application itself, but rather on the process of secure coding practices, techniques, planning and testing.

Role & Responsibilities

In terms of what I contributed to the application, I worked on input validation and tested the input/output of the program to verify its correctness. I also worked on editing the MySQL connection code so that it could access our database. Additionally, I performed final tests on the program in search of possible issues that were left unhandled.

In addition to my contributions to our application, I also did research and planning on how to code with security in mind. As part of coding securely, I found that it is important to have an intent that addresses security requirements, privacy requirements, tracking security flaws during development, quality gates, security and privacy risk assessments, design requirements, attack surface analysis and reduction, and all the subcategories or concerns that may fall within these subjects.

Learning Outcomes

From this experience, I learned that even if code is planned for and created with secure techniques, it is also important to expect and prepare for possible errors or breaches. This means that it is important for a development team to also have a team that is dedicated to incident response, so that any flaws in the code that can lead to a security breach can be dealt with in a manner that minimizes any potential negative impact.

I also learned about various methods for testing and reviewing secure code. This includes dynamic analysis, which is done by performing checks on functionality to monitor our application for privilege issues, connection issues, and other critical security problems. Another method for checking secure code is fuzz testing, which is performed by deliberately inducing program failure by introducing malformed data to reveal potential security issues with minimal resource investment. When checking code, I also learned that it is important to perform an attack surface review to ensure that design or implementation changes to an application have been taken into account, and that any new attack vectors that may have emerged as a result of such changes are identified and mitigated.
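The following is an added illustration of the two points above, input validation and fuzz testing, for an expense record like the ones Nόmisma stores. It is not code from the project's repository: the validator, its field limits (two-decimal amounts up to 1,000,000, three upper-case ASCII currency letters, notes of at most 200 characters with no control characters), the must-reject table and the fuzz harness are all hypothetical and constructed for this example. The validator is written so that the only exception it may raise is `ValidationError`; the fuzz harness then feeds it random malformed fields and records any input that escapes with some other exception, which is exactly the "induced failure" fuzzing is meant to surface.

```python
import random
import re
from decimal import Decimal

# Hypothetical validator for one expense record (amount, currency, note).
# Field limits are assumptions for this example, not the project's rules.
# [0-9] rather than \d: \d also matches Arabic-Indic or fullwidth digits,
# which Decimal() parses happily, so "١٢" would silently become 12.
AMOUNT_RE = re.compile(r"[0-9]{1,10}(\.[0-9]{1,2})?")
CURRENCY_RE = re.compile(r"[A-Z]{3}")
MAX_AMOUNT = Decimal("1000000.00")
MAX_NOTE_LEN = 200


class ValidationError(ValueError):
    """The only exception validate_expense is allowed to raise."""


def validate_expense(amount, currency, note):
    """Return (Decimal amount, currency, note) or raise ValidationError.

    Any other exception escaping this function is a bug; that is what the
    fuzz harness below looks for."""
    if not isinstance(amount, str) or not AMOUNT_RE.fullmatch(amount):
        raise ValidationError("amount must look like 12 or 12.50")
    value = Decimal(amount).quantize(Decimal("0.01"))  # cannot fail after the regex
    if value <= 0 or value > MAX_AMOUNT:
        raise ValidationError("amount out of range")
    # fullmatch, not match with ^...$: "$" would accept a trailing newline ("EUR\n")
    if not isinstance(currency, str) or not CURRENCY_RE.fullmatch(currency):
        raise ValidationError("currency must be three upper-case ASCII letters")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        raise ValidationError("note missing or too long")
    if any(ord(c) < 32 or ord(c) == 0x7F for c in note):
        raise ValidationError("note contains control characters")
    return value, currency, note


def is_accepted(amount, currency, note):
    try:
        validate_expense(amount, currency, note)
        return True
    except ValidationError:
        return False


# Constructed inputs that must be rejected: sign, exponent, digit grouping,
# too many decimals, non-ASCII digits, zero, over the cap, wrong type,
# lower-case currency, trailing newline, oversized note, control characters.
MUST_REJECT = [
    ("", "USD", "taxi"),
    ("-1", "USD", "taxi"),
    ("1e3", "USD", "taxi"),
    ("1,000", "USD", "taxi"),
    ("12.345", "USD", "taxi"),
    ("\u0661\u0662", "USD", "taxi"),   # Arabic-Indic digits
    ("0.00", "USD", "taxi"),
    ("1000000.01", "USD", "taxi"),
    (12.5, "USD", "taxi"),
    ("12.50", "usd", "taxi"),
    ("12.50", "EUR\n", "taxi"),
    ("12.50", "USD", "a" * 201),
    ("12.50", "USD", "\x00drop"),
    ("12.50", "USD", "line1\r\nline2"),
]


def wrongly_accepted():
    """Table-driven check: every MUST_REJECT case the validator lets through."""
    return [case for case in MUST_REJECT if is_accepted(*case)]


# Characters a fuzzer likes: control bytes, quoting, separators, non-ASCII digits.
FUZZ_POOL = "\x00\t\n\r \x7f'\"\\;,.-+%<>$eE\u0661\u0662\uff10\u00a0"


def random_field(rng):
    """One randomly malformed field: wrong type, junk bytes, pool string or raw Unicode."""
    kind = rng.randrange(5)
    if kind == 0:
        return None
    if kind == 1:
        return rng.randrange(-10, 10)
    if kind == 2:
        return bytes(rng.randrange(256) for _ in range(rng.randrange(0, 16)))
    if kind == 3:
        return "".join(rng.choice(FUZZ_POOL) for _ in range(rng.randrange(0, 300)))
    return "".join(chr(rng.randrange(0x110000)) for _ in range(rng.randrange(0, 50)))


def fuzz_validator(rounds=2000, seed=1):
    """Feed random malformed fields to the validator and report accept/reject counts
    plus every input that escaped with an exception other than ValidationError."""
    rng = random.Random(seed)
    report = {"accepted": 0, "rejected": 0, "crashed": []}
    for _ in range(rounds):
        args = (random_field(rng), random_field(rng), random_field(rng))
        try:
            validate_expense(*args)
            report["accepted"] += 1
        except ValidationError:
            report["rejected"] += 1
        except Exception as exc:  # catching everything is the point of the harness
            report["crashed"].append((args, repr(exc)))
    return report


if __name__ == "__main__":
    print("wrongly accepted:", wrongly_accepted())
    print("fuzz report:", fuzz_validator())
```

With the `isinstance` guards in place the report's `crashed` list stays empty; remove the guard on `amount` and the first `None` field the harness generates shows up there as a `TypeError` from `Decimal()`, which is the kind of unhandled path the fuzzer exists to find. Note that the validator deliberately does not reject quotes, semicolons or HTML in the free-text note: those are legitimate travel notes, and the defences for them belong elsewhere, in parameterized MySQL queries for storage and output encoding for display.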

Here is a link to our GitHub repository.