INCS 870 Project Proposal
Baichuan Zhao Hong Zhu
Department of Computer Science Department of Computer Science
New York Institute of Technology New York Institute of Technology
Vancouver, Canada Vancouver, Canada
[email protected]
[email protected]
[email protected]
Abstract—This is a penetration test project proposal. The
project will conduct application penetration testing within an
isolated development environment.Through this project, we
expect to significantly enhance the security of the target
application and prevent potential security threats.
Keywords—plan, scope, tools, resource, pentesting.
I. PROBLEM STATEMENT
This project addresses the urgent need to identify and
mitigate potential vulnerabilities in that company ’ s
application.
II. PROJECT OBJECTIVE
This is a collaborative project with external company,
aimed at identifying potential vulnerabilities that could lead to
data loss or intrusion for the company’s application.
III. DESCRIPTION AND METHODOLOGY OF THE PROPOSED
PROJECT
We will carry out the project in 4 stages:
A. Stage 1 Project scoping and tool chain setting up
During this stage, we focus on information gathering and
setting up the necessary toolchain to support the subsequent
stages of the project. We have defined the following tasks for
this stage:
 Figure out the project scope and confirm the target with
the company.
 Implement the project proposal and initial testing
framework.
 Setting up the development environment and necessary
tools.
 Setting up the communication channel with the
company.
 Figure out the API types such REST or SOAP.
B. Stage 2 Vulnerability identification and information
gathering
During this stage, we will focus on threat modeling and
testing modularization. We have defined the following tasks
for this stage:
Tianrui Huang
Department of Computer Science
New York Institute of Technology
Vancouver, Canada
 Review code and develop environment to figure out the
workflow of the application
 Identify the security mechanism within the develop
environment such as, User Management, Authentication
and so on.
 Modularize the penetration testing viewpoints such as
Application security mechanism vulnerability, API
usage vulnerability.
 Study the tools and related scripts to prepare the
penetration testing
C. Stage 3 Attacking and workaround finding
During this stage, we focus on the vulnerability finding. We
have defined the following tasks for this stage:
 Find potential vulnerability from the following
viewpoints such as Application security mechanism
vulnerability, API usage vulnerability , Static code
vulnerability , Data transmission vulnerability.
 Propose the walkaround and remediation for the
findings.
 Communicate the findings with the company when we
have findings
D. Stage 4 Reporting and project closing
During this stage, we focus on the final report. We have
defined the following tasks for this stage.
 Summarize the finds and testing to prepare the final
report.
 Project close and lesson learnt outline.
IV. PROJECT SCHEDULE AND MILESTONE DESCRIPTION
The project contains the following stages:
 Stage 1, Project scoping and tool chain setting up
The anticipating due date for this stage is : 2024/9/11
 Stage 2, Vulnerability identification and information
gathering
The anticipating due date for this stage is: 2024/10/02
 Stage 3, Attacking and workaround finding
 The anticipating due date for this stage is: 2024/11/2  The development environment is isolated from the live
application, eliminating any concerns about downtime.
 Stage 4, Reporting and communication
 Any findings will be shared with company via Slack
The anticipating due date for this stage is: 2024/11/13
and email.
 We will hold biweekly catch-up meetings initially,
transitioning to weekly meetings in the next phase after
information gathering.
VI. RESOURCE
The application is scanned through AWS , we will use any
appropriate open source tool to execute the penetration testing
such as:
 Kali Linux(Test platform)
 OWASP ZAP(For discovering security vulnerabilities in
Web applications)
 Metasploit(Automated Penetration Testing Framework)
 Burp Suite(For API vulnerabilities)
 Wireshark(Testing data stream encryption)
SonarQube(For static analysis of source code) and so on.
REFERENCES
[1] J. Lindner, “Cybersecurity in The Car Industry Statistics •
WorldMetrics.org,” WorldMetrics, May 03, 2024.
https://worldmetrics.org/cybersecurity-in-the-car-industry-statistics
(accessed Jun. 30, 2024).
[2] ZAP. “ZAP – Getting Started.” *ZAP Proxy*, Sep. 10, 2024. [Online].
Available: https://www.zaproxy.org/getting-started/. [Accessed: Sep. 10,
2024].
[3] “Postman documentation overview | Postman Learning Center,”
Fig. 1. Penetration testing project phase overview Postman Learning Center, Oct. 19, 2023.
https://learning.postman.com/docs/introduction/overview/
V. RULE OF ENGAGEMENT [4] “API Tools & Resources | APIsec Univeristy.”
https://www.apisecuniversity.com/api-tools-and-
We have communicated the company and defined the resources?_gl=1*5r2v2m*_ga*OTI0ODc5MjEuMTcyNTEyNzYzMQ..
following engagement rules for the Pentesting: *_ga_5BW457TWST*MTcyNjE5ODUzOS4yMi4wLjE3MjYxOTg1Mz
kuMC4wLjA.
 The pentesting team is only authorized to access the
Dev Environment which is shared from company.