TABLE OF CONTENTS

CHAPTER ONE
1. INTRODUCTION.................................................................................................................... 4
1.1. INTRODUCTION................................................................................................................ 3
1.1.1 SECURITY VULNERABILITY BY DIFFERENT TYPES OF ATTACK..............................................3
1.2 PROBLEM STATEMENTS................................................................................................... 4
1.3 AIM AND OBJECTIVE......................................................................................................... 4
1.4 SCOPE AND LIMITATION.................................................................................................... 4
1.5 SOFTWARE SECURITY MEASUREMENTS.............................................................................4
1.6 OVERVIEW OF RESEARCH................................................................................................. 4
CHAPTER TWO............................................................................................................................. 5
2. LITERATURE REVIEW......................................................................................................... 5
2.1. OVERVIEW OF SECURITY VULNERABILITY AND SECURITY THREATS.......................................5
2.2. AVOID THREATS FROM SERVER AND WEB APPLICATION(CODE LEVEL)..................................5
2.3. STATISTIC OF DIFFERENT ATTACKS...................................................................................6
2.4. SOFTWARE RELIABILITY ENGINEERING...............................................................................7
2.5. SOFTWARE VULNERABILITY............................................................................................... 8
2.6. ENTITIES INVOLVED IN VULNERABILITY...............................................................................8
2.7. DISCLOSURE POLICIES.................................................................................................... 10
2.8. VULNERABILITY LIFE CYCLE............................................................................................. 10

CHAPTER THREE
3. COLLECTING VULNERABILITY DATA...............................................................................4
3.1 OTHER PUBLIC VULNERABILITY DATABASE.........................................................................3
3.2 FUTURE VULNERABILITY DATABASE...................................................................................3
3.3 CONCLUSION................................................................................................................... 4
CHAPTER FOUR........................................................................................................................... 5
4. RESEARCH MEHODOLOGY................................................................................................ 5
4.1. SOFTWARE DEVELOPMENT METHODOLOGY........................................................................5
4.1.1. AVOID THREATS FROM SERVER AND WEB APPLICATION(CODE LEVEL)..................................5
4.1.2. STATISTIC OF DIFFERENT ATTACKS...................................................................................6
4.1.3. SOFTWARE RELIABILITY ENGINEERING...............................................................................7
4.2. SOFTWARE VULNERABILITY............................................................................................... 8
4.2.1. ENTITIES INVOLVED IN VULNERABILITY...............................................................................8
4.2.2. DISCLOSURE POLICIES.................................................................................................... 10
4.2.3. VULNERABILITY LIFE CYCLE............................................................................................. 10
4.3. SUMMARY

Chapter One
Introduction

1.1 Introduction

A software vulnerability is the problem in the implementation, specification or configuration of a software system whose execution
can violate an explicit or implicit security policy. A large percentage of software is developed using unsafe programming languages
(e.g., C and C++) in the name of cost effectiveness, programmer familiarity, and performance. DaCosta, Dahn, Mancoridis,
Prevelakis 2003.

Software developers and auditors will get advantage from a tool to facilitate them to focus on their attention to check their piece of
code that probably cause to be the main source of security vulnerabilities.

Our research is that to include any class or function where input are most likely to contain a security vulnerability. Researcher will
validate every method and arguments that passes from this method as input from front end, Research have performed several
attempts of security hacking involving twenty five vulnerabilities in Object oriented programming (JAVA and .NET).This Dissertation
will describe the experiments, its results or conclusion of findings. Researcher’s finding is that more complex coding style gives
definite holes in security model. In addition to it, adding more security patches in .NET Code and security prevention technique and
API makes application slow in response.

Software complexity is often hypothesized to be the enemy of software security. Shin, A.Williams 2008.Now it is realized fact that
most of the security lack and vulnerability arise in designing of software. In this research, we will discuss what should be the current
practices of software development, vulnerabilities and mitigation factors. On the basis of the critical review, areas of research are
identified that insure software security further in this investigation.

A keyword search query on Shodan containing the term Jetty that retrieves the Internet addresses of 464 hosts that expose their
online services using this open-source vulnerable web server, for which the vulnerability description can also be accessed online.
Cadariu, Bouwers, Visser, van Deursen 2015

1.2 Problem Statement

 An automated scan has not been developed that catches several problems detected during manual analysis.
 .NET Code has several security vulnerabilities that has not been caught yet by software architects
 Many .NET code scanner is not available in market that can scan correct value of vulnerabilities.

https://stackify.com/what-is-c-reflection/
1.3 Objectives
An independent, point-in-time, assessment of web application will be made to find vulnerabilities from the perspective of a malicious
actor.
One of the objective of this research is to attack web application that is hosted in Public domain. Web application will be accessible
publically.
Third party APIS and DLL and DLL used internally in Base framework cannot scanned and can be the main cause of producing
vulnerabilities in code.

1.4 Aim of the Research:

Aim of this research is that host secure web application that cannot be hack due to Poor written code.

 Quantify the impact of successful attacks through active exploitation.

 Identify specific vulnerabilities that can be remediated to improve security.

1.5 Research Question:

Question 1: What are the reason that all problem not identified during manual analysis?
Question 2: What important can be done to improve analysis of security holes?
Question 3: How can manual analysis be improve to identify problem?

1.6 Scope:
Software vulnerability test effort is directed toward the identification of mostly occurring vulnerability in web applications
specially written in .NET. These vulnerabilities mostly consist in security issues like Session management, Configuration
management, Validation not handling properly, data protection issues, encryption and decryption algorithm faults or
weaknesses, authorization features, error handling, authentication, Logging and auditing.
 Most of the web application that contain sensitive data and transactions always remain in threat of hackers. Organizations
always lost a lot of customer’s confident, important transactions and payment Interference problem daily. Now it’s time to
give them web application that is very secure that should not be vulnerable to any unauthorized party. Making the network as
Ideal secure network is not a solution. In parallel to secure network, Developers will have to learn to write secure code and
we are doing research to find all types of vulnerabilities in code.
External penetration tests usually do not include the security assessment (Proxies, servers, firewalls) that are not externally
accessible by the Pen tester. Pen tester look at web server vulnerabilities that found externally. For new applications,
security tests include ethical hacking test cases (for example malicious inputs) with functional test cases. Security test plan
should be captured in security testing requirements.
1.7 Limitation
Lack of secure Memory wiping
Memory wiping is generally used to protect secure data or passwords from attackers with access to uninitialized memory.
Importance is that how other software uses initialized memory.
All Python software are vulnerable and exposes no API for developer to implement secure feature.
Even after using other technologies of Microsoft, development team cannot confidently say that software is hack proof or
does not contain any security holes. After implementing all security feature and even complex Algorithm, if Web application is
not hosted in Secure ISP or secure server then there is no surety that it will not hack. Sometime DDOS attack can be
unsuccessful if server has configuration to divert packets flood to some other servers and there is another method to avoid
heavy DDOS attack that server memory should have enormous space to spread attacking packets in server that will not
block the server traffic and website will not shut down.
Researcher cannot reach to the level of world’s dangerous hackers so at this level whole research will be demonstrate on
one application that will be hack for demo purpose only to check its vulnerability or in decent word , Pen testing will be apply
on application.
Pen testing will be perform by some known software but in real world there are hackers who use thousands of software to
attack or even they write their own code or software to hack.

Chapter Two
Literature Review
2.1 Background Study:
In this research, Researcher will evaluate useful approaches for better understanding of software security and vulnerability and
propose Software Scanner that will scan .NET Code for vulnerabilities.
Some information that characterized as “Engineering” data. It include when was vulnerability discovered, introduced, how the
source code changed it self during vulnerability. This approach states statistical analysis of vulnerabilities that have already
discovered. These approaches provide a vision to check number of vulnerabilities in the system, it is difficult to detect vulnerability
that’s why rate of vulnerability in statistical data is less.
No approach provide correct information that about number of vulnerabilities exist in a system. The goal is however impossible.
Estimates provided by this approach is rapidly become obsolete by discovering new vulnerabilities by using different latest tool to
detect vulnerabilities.
Different engineering researches utilizes many reasons of vulnerabilities that have been reported in a system, analysis can only be
performed on the system in which enough vulnerabilities have been found.
1) Security is important feature of the system and it goes through many different penetration testing process before it is deploy
to the server. Engineering approach will be applied internally in this case to collect vulnerable information.
2) If the System is available publically then interest to vulnerability is increased. Engineering approach will be increase internally
or externally, using public vulnerability database.

What is Network Security?

Network security is a field in Computer networking that secure computer network infrastructure. Network security is handled by
network Administrator or System Administrator, who implement security policy, hardware and software need to protect network and
resources accessed through network from unauthorized access. Network security relies on protection layer and consist of
component including security of software and network monitoring. All these feature work together to increase the overall network
security.
What are security checks during Software development process?

1) Incorporate Industry Standard security Model

2) Train Developers on Software Security
3) Assign responsibility to Software Security feature to separate team
4) Document Security Feature requirement gathering
5) Go through Risk management Process
6) Design Architecture and threat model
7) Perform Code review during development process.
8) Perform Penetration testing

What are Security Laps in Software architecture?

1) Several types of vulnerabilities are hard to find automatically such as access control problem, authentication issue, and
insecure use of cryptography. Current tools to scan small ratio of security flaws. However, Tools are getting improve day by
day
2) Auditing tool to audit at initial stage of application development will helped to prevent this situation to occur in future.
3) Detail auditing and soak testing of .NET Code caused this incident in the first place.

2.2 Different kind of vulnerabilities in .NET Code:

High Risk .NET Security Vulnerabilities:

SQL Injection affect many programming languages .NET application has also many threats Like Command Injection, SQL Injection,
Resource Injection, Connection String Injection, LDAP Injection, Path Injection, and Second Order SQL Injection.
Securing .NET Code:
Static code analysis solution, it stand prominent in .NET Testing solutions. It is not the only solution that keep .NET Code free from
security issues. Organizations can rely on this product to make their product mature and free from security issues. Incremental code
analysis and best fix make it deal for continuous integration.
Some of the most dangerous and common web application security that exist in ASP.net application is not related to C# or VB.NET
syntax. It comes from Web.Config file.
In correct configuration setting open up the security holes such as Cross site Scripting attack, Session hijacking or it may disclose
private data to attackers.
Web.Config file is designed in such a way that it’s setting can be change even application is host in Production...NET Configuration
file is operate in a hierarchal manner, any change to the Machine config file could affect all website that is hosted in that network.
1) Cookie less Authentication
Enable Cookie less authentication in ASP.ENT Application can lead to Session Hijacking issue
Vulnerable configuration of cookie less Authentication:

<configuration>
<system.web>
<authentication mode="Forms">
<forms cookieless="UseUri">
Secure configuration setting:
<configuration>
<system.web>
<authentication mode="Forms">
<forms cookieless="UseCookies">

When Authentication token or Session token appear in requested URL instead of secure cookie, an attacker within network can also
scan monitor security information and take over session and get into the logged in account as a legitimate user. Session hijacking is
very serious issue after authentication of user.
It is bit more dangerous if user has to enter in payment part of any online shopping, they enter into payment website and enter in it
with user id and password. On the other hand, Attacker again steal session and get into payment site and can access credit card
informations and billing informations.
Best way to avoid session hijacking in ASP.NET Application is to disable cookieless authentication and force user to use cookies to
store as authentication tokens.

2) Failure to get SSL for Authentication Cookies

Almost all web applications use the Secure Socket Layer (SSL) to encrypt data passed between Clients to Web Server.
Using SSL for application mean that attacker is using network Sniffers will not be able to interpret data. They can see only
encrypted and meaning less format of data that unreadable for humans. Developer should require form authentication cookie
from your web based applications configuration setting.

Vulnerable configuration of SSL attribute:

<configuration>
<system.web>
<authentication mode="Forms">
<forms requireSSL="false">
Secure configuration setting:
<configuration>
<system.web>
<authentication mode="Forms">
<forms requireSSL="true">

Cookie can be embed in the request URL. Disabling cookie less authentication token. Unless request send to webserver should be
encrypted, network attacker still be able to read authentication token form cookie. Attacker will be able to Hijack user’s session.
Why it is necessary to disable cookie authentication with application security. It is useless for those users who won’t accept cookies.
Setting RequireSSL attribute to true in web.config will use secure connection during transmission of authentication cookie to web
server.

3) Sliding Expiration Used

ASP.NET maintain session timeout to protect application’s security. Default timeout for session is 30 minutes. After 30 minutes,
user will be automatically logged out for that session.

Vulnerable configuration setting:

<configuration>
<system.web>
<authentication mode="Forms">
<forms slidingExpiration="true">
Secure configuration setting:
<configuration>
<system.web>
<authentication mode="Forms">
<forms slidingExpiration="false">

Sliding Expiration reduce the risk of application security in web application in case authentication token is stolen by attackers. When
it set to false, initial log out become period inactivity from the time of initial login.
Attacker can steal token only for specified amount of time that is mentioned in Config file. Attacker can’t login as session get time
out.
To prevent application security issue, you can disable sliding expiration by setting sliding Expiration attribute to false.

4) Non Unique Authentication Cookie

Cookie is more than just a value, It is a name-value pair. An improper chosen cookie name can cause application security
threat. It is as dangerous as storing cookie in dangerous location.

Vulnerable configuration setting:

<configuration>
<system.web>
<authentication mode="Forms">
 <forms name=".ASPXAUTH">
Secure configuration setting:
<configuration>
<system.web>
<authentication mode="Forms">
<forms name="{abcd1234 ...}">

Default value of Authentication Cookie is .ASPXAUTH.If one web application is deployed to web server than .ASPXAUTH is secure
cookie name. When Web Server runs multiple web applications, it become necessary to assign unique authentication cookie name
to every application. If names are not unique, then logged in user can gain access to all of them. Best way to confirm that all web
based applications on web server have their own of set of authorized users is to change the authentication cookie name to unique
cookie value. GUID is cookie value for application security.

5) Hardcoded Credentials in Configuration file

Vulnerable configuration Settings:

<configuration>
<system.web>
<authentication mode="Forms">
<forms>
<credentials>
...
</credentials>
</forms>
Secure configuration Setting:
<configuration>
<system.web>
<authentication mode="Forms">
<forms>
</forms>

Best practice is that creating software in the environment application should be deployed should not be same server in which it is
created.

Microsoft added a section to the Web.config file that you can use to quickly add test users to Web-based applications. For each test
user, the developer adds an element to the configuration file with the desired user ID and password as shown below:

<authentication mode="Forms">
<forms>
<credentials>
<user name="bob" password="bob"/>
<user name="jane" password="Elvis"/>
</credentials>
</forms>
</authentication>

Saving Login Credentials in Plain text in a configuration file is not secure, this should never use in production environment. Anyone
with read access to web.config file can take access the authenticated web application. It is possible to store encrypted password
value in Config file rather than storing password in plain text.In this case, User name is still not encrypted.Potential attacker perform
brute force attack against application.

2.3 Statistic of different attacks

The list below is based on a chart from the 2016 McAfee Labs Threat Report:
Seven Types of most common attacks:
1) Browser attack 36%
2) Brute force attack 19%
3) Denial of service attack 16%
4) SSL Attack 11%
5) Scan 3%
6) DNS Attack 3%
7) Back door attack 3%

Labs, McAfee. (2016). McAfee Labs Threats reports.

Available at:
https://www.mcafee.com/sg/resources/reports/rp-quarterly-threats-dec-2016.pdf

Security vulnerability by different types of attacks:

Microsoft. (2015). Microsoft Blogs.
Available at:
https://technet.microsoft.com/en-us/library/cc959354.aspx#mainSection
Eavesdropping
Computer network communication occurred in “clear text” and unsecured format, Attacker can easily gain access to interpret the
traffic or listen. When attacker starts eavesdropping on network communications, it is referred to as sniffing or snooping. Monitoring
the network called eavesdropper and it is biggest security problem that enterprise can suffer a lot even after stolen data from
network attacker can sell to its competitor that can cause end of any company. Without using encryption policy, company’s data can
be read by hackers as it traverses the network.
Data Modification
Data modification or alteration is the next step of harming your data after gaining access to server or computer. Hacker can modify
the data or sending/receiving packets without the knowledge of sender and receiver. Data from Database can be alter if attacker is
in Data Server or attacker can alter chat between two parties or send unreasonable email from your outlook if he gained access to
any computer.
IP Address Spoofing
In most of the networks and OS IP Address consider as unique entity or valid entity and person or computer can be recognized by
IP Address, falsely assumed IP Address is possible – identity spoofing. Sometime Attacker can construct valid IP Packets that
shows it originated from valid Network or may be from the same Corporate IP Network.
After gaining access to the network with valid IP Address, the attacker can alter the data.
Password-Based Attacks
Most operating security plans is password based and can be gained access by breaking the network which mean user name and
password of the system. Old fashioned network or older application can’t protect identity information. It might allow as eavesdropper
to gain access to network by predicting as a valid user.
When an attacker finds valid user account or administrative level rights, attacker can create accounts for desired access.
After gaining access to corporate network, an attacker can do any of following:
 Obtain list of valid users, computer name and network information.
 Change server and network configuration including access control.
 Alter or delete data.

Compromised Key attack

Key may be secret code to interpret secured information. Although getting key is really a challenge for attacker but it is possible.
Obtained key by this process is called Compromised key.
Attacker use this compromised key to gain access to secured communication without knowing sender and receiver about this
attack. Attacker can decrypt or alter data with the help of compromised key.
Sniffer Attack
Sniffer is device or application that can monitor, read network packets or capture network data exchanges. If packet is not
encrypted than attacker can view full vision of data without any difficulty even sometime encapsulated packets can be destroy, read
and open unless those packets are encrypted.
By using sniffer, an attacker can do following things:
 Analyse corporate network and gain necessary information and may be crash entire network
 Read all communication if it is not encrypted and modify packets in between.

Application Layer Attack

Application layer attack target application’s server by causing defect in application or a server’s operating system. Attacker takes
advantage of this situation, gaining control of application, network or system and can do following things:
 Delete, add, and modify data or operating system.
 Install Virus program to application or in system that keep copying to any one’s machine or server.
 Introduce sniffer program to scan network and gain access or information that eventually crash or corrupt your system and
network.
 Terminate your data applications or operating system
 Disable security control in network servers to ease future attacks.
Malware
Attackers love to use malware to gain computer access .Malware can be seen in email attachment and if it is clicked mistakenly
then you had a close call with malware.
Malware can be recognized by various forms of harmful software and once it sits in your computer it monitor all actions that is
performing in computer like keystroke and sending confidential data from computer or network to desired network location.
Malware can be install by various mean into computer but it need user’s action to do install rats or malware in user’s system. It can
include download files, clicking link mentioned in email, open an attachment that contain malware in that files.

SQL Injection Attack

It is a query language used to communicate with database. This type of attack usually targets database server, using malicious
code to get Database information. This is extremely harmful if Databases contain credit card information of customers. SQL
Injection attack also called SQL vulnerability that allow SQL server to run malicious code.
Cross Site Scripting (XSS)
Sql Injection attack is possible by badly written code that interact database and sometime vulnerable websites target application’s
database and steal important user informations such as user credentials and other sensitive data but if hackers directly hit website’s
online users, they opt for XSS attack.
It inject harmful or malicious code in website and effect can be seen by that particular user not all users can feel attack. While if
malicious code inject in website then every user who visit website can be infected.
One of the most common attack of XSS is that attacker put embedded link or video in Comment section of Blog. On clicking to that
link run malicious code.
Any sensitive information that user submit to website like user credentials or Credit card information or other private data can be
hacked by XSS.

Denial of Service Attack (DDOS attack)

Flooding of traffic in website more than it is capable to handle cause denial of service attack (DOS). In other word, overloading
website’s server by number of users to put load on server that is incapable to handle that much amount of user traffic and as a
result website shut it down for all users.
DOS attack can be performed by many computers and from different networks at a same time .For best result attackers sits on
different countries and perform attack from different network and entirely different IP . High speed internet is required to attack.
It is difficult to overcome the attack influences on the server because attacker appear from different region of the world and flood
different IP on server.

Session Hijacking and Man in the Middle Attacks

Using internet mean there are a lot of transactions going on back and forth from user’s network server to web server (Where
browsed website is deployed).for every request to web server , it generate unique token or Session for that particular user for that
period of time. You will be recognized by the session web server assigned to you .Keep in mind session can be assigned when you
register to website or login to that particular web site.
Session between user’s machines and remote web server is completely unique for that user and it must be private between two
parties but in Session Hijacking. An attacker can hijack the session id and gain access to unauthorized information on the web
server. There are too many ways to steal Session ID from network for example they can hijack by XSS attack also.

1.2 Related Study:

1) Static Code Analysis to Detect Software Security Vulnerabilities

Dejan, Baka and Kai Petersen. 2017) proposed method SAT. Static analysis tool (SAT) as a security threat, Coding fault represent
major security threats and SAT has capability to detect Security faults in application. Faults that should have been detected have
slipped through the static analysis process. However SAT is used to detect the slip and it is automated process.
Baka,Dejan.2009.Static Code Analysis to Detect Software Security Vulnerabilities.
Available at :
https://www.researchgate.net/profile/Kai_Petersen/publication/221548746_Static_Code_Analysis_to_Detect_Software_Security_Vu
lnerabilities_-_Does_Experience_Matter/links/555b31dc08ae6943a87946a8/Static-Code-Analysis-to-Detect-Software-Security-
Vulnerabilities-Does-Experience-Matter.pdf

Advantages of this Research Journal:

 SAT is fast and expensive.
 The tool Coverity Prevent has a 20% false positive rate. Case study proved that developers with the knowledge of SAT has
given good results as compare to non SAT developers. The combination of SAT(Tool) and security experience in developers
almost triple the number of correct security in software.
 Static analysis can be done at initial stage of software development while dynamic dynamic analysis can be done at later
stage when software is able to execute.

Drawbacks of this Research Journal:

We have found that average developers do not correctly identify the security warnings of SAT and only developers with specific
experiences are better than chance in detecting the security vulnerabilities.

2) Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities
ay-Evan , J. Tevis, JohnA and Hamilton, Jr. proposed method Software Scanner.

Software security checker with proactive capabilities would go beyond the standard auditing steps. It would identify general coding
practices that are inherently insecure in the source code and recommend alternative approaches like design patterns or algorithm.
Evan, Tevis.2004. Methods for the Prevention, Detection and Removal of Software Security Vulnerabilities.

Available at: https://pdfs.semanticscholar.org/ecfc/ac8b7886425c9398e7cd593d94f40ad87bc1.pdf

Advantages of this Research Journal:

 Static code security checkers parse through and scan the source code, looking for potential security problems. The process
is similar to virus scanners.
 The checker software is aware of known potential problems and searches for them based on encoded rules and entries in a
database and it suggest possible remedies as well.
 After the code analysis is complete, it produces a list of potential flaws sorted by risk.

Drawbacks of this Research Journal:

There is some limitation in current checker software.
 First, an automated scan has not been developed yet that catches many of the problems detected during manual analysis.
 Second, the scanners don't know the particulars of functions contained in libraries supplied by various domain specific
applications.
Third, most checkers scan at most two languages.

3) An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics

Yonghee Shin and Laurie Williams proposed method Complexity metrics.
Mozilla Java Script Engine (JSE) open source for our case study because the source code, faults, and vulnerability information are
publicly available and the amount of faults and vulnerabilities reported are enough.

Shin, Yonghee. Williams, Laurie (2008). An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics.
Available at: https://collaboration.csc.ncsu.edu/laurie/Papers/p315-shin.pdf

Advantages of this Research Journal:

 The measures of complexity for the vulnerable functions and the faulty-but-non-vulnerable functions in the three older
versions of JSE (v1.0.2, v1.0.7, and v.1.5) were also significantly different in the nine complexity metrics.
 Nesting complexity was the best distinguishing factor among the nine complexity metrics in JSE.
 Complexity metrics can be used as a complementary way to find vulnerable locations in software artefacts that static
analysis tools cannot detect and to direct further inspection and testing.
Drawbacks of this Research Journal:
 This result indicates that nesting complexity can be a differentiating factor of vulnerable functions from faulty functions in
JSE. Therefore, giving more attention to highly nested functions than to other functions in security inspection could be an
efficient strategy.

4) Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs

Michael Gegick, Laurie Williams proposed method Pattern matching of every attack.

Researchers have constructed attack patterns that can illuminate security vulnerabilities in a software-intensive system design.
Attack patterns in a text-based format.

Gegick, Michael . Williams, Laurie. (2005). Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs.

Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.452.6799&rep=rep1&type=pdf

Advantages of this Research Journal:
 These attack patterns can be reused to identify vulnerabilities in software systems.
 Software engineers match attack patterns to system designs to identify potential vulnerabilities.
 Software Engineers were asked to match our attack patterns to a given system design
Drawbacks of this Research Journal:
 Fixing the vulnerabilities after the coding phase can be more costly than if the vulnerabilities were known in advance.
 The scope of this study was limited to common software application logic problems.
 Many of the attack patterns may match to a system design thus creating an overwhelming number of warnings to developers.

5) Mapping Software Faults with Web Security Vulnerabilities

José Fonseca, Marco Vieira proposed introduced method of security patches.

Security patches have been introduced from which six widely used for web applications. Open source application has been selected
for the study case.

Fonseca, José. (2008). Mapping Software Faults with Web Security Vulnerabilities.

Available at: http://bdigital.ipg.pt/dspace/bitstream/10314/3531/1/JFonsecaDSN2008.pdf

Advantages of this Research Journal:

 Software patches itself scanned for security vulnerabilities. Every patch is also inspected in depth to gather the precise
characteristics of the code.
 LAMP, this kind of setup is also responsible for a large number of reports of security flaws.
 We believe that the type of language/technologies involved will influence the distribution of faults over the ODC types when
we are analysing security faults
Drawbacks of this Research Journal:
 The five classes of ODC fault types are too broad and they do not have enough detail for the precision needed by the
present field study.
 We find that attacker could inject both vulnerabilities XSS and SQL Injection with one fault type that was not detected during
our study with any of patch.
 Fault happened due to wrong Logical Expression.

6) A Flexible Information Flow Architecture for Software Security

Michael Dalton, Hari Kannan and Christos Kozyrakis introduced method of FPGA prototype.

Researcher presented an FPGA prototype for Raksha that provides a full featured Linux workstation for security analysis.
Dalton, Michael. (2007). A Flexible Information Flow Architecture for Software Security.

Available at: http://www.sis.pitt.edu/jjoshi/courses/IS2620/Spring09/Dalton.pdf

Advantages of this Research Journal:

 It can detect Directory Traversal, Command Injection, Sql Injection, Cross Site Scripting, Low level Buffer overflow attack.
 Raksha provides a framework that combines the best of both hardware and software DIFT.
 Raksha facilitates the integration of hardware and software security techniques that protect real-world software from a wide
range of attacks.
 The third difference is that Raksha supports user-level handling of security exceptions
  Software can directly access the tags or the policy configuration registers only when trusted mode is enabled. Tag propagation
and checks are also disabled when in trusted mode.
 Raksha is well suited to detect such high-level vulnerabilities as they tend to be precisely defined.

Drawbacks of this Research Journal:

 We also showed and evaluated how low overhead security handlers can be used to address the shortcomings of
hardware security analysis in a performance-efficient manner.

7) Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess and Gary McGraw introduced method of Error detection and logging taxonomy.
Error detection and logging taxonomy has been introduced in this paper. In fact, all of the errors included in our taxonomy are
amenable to automatic identification using static source code analysis techniques.
Primary goal is to organize sets of security rules that can be used to help software developers understand the kinds of errors.
Researcher split the phyla into “seven-plus-one” high-level kingdoms that make sense to a majority of developers.
Seven kingdoms are following that has main structure
1. Input Validation and Representation
2. API Abuse
3. Security Features.
4. Time and State.
5. Errors
6. Code Quality
7. Encapsulation
Tsipenyuk, Katrina. (2005). Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors.
Available at: http://ieeexplore.ieee.org/abstract/document/1556543/

Advantages of this Research Journal:

1) When put to work in a tool, a set of security rules organized according to this taxonomy is a powerful teaching mechanism.
2) Our taxonomy includes coding errors that occur in a variety of programming languages.
3) Some of our phyla are framework-specific not language specific.
4) Taxonomy check following errors:
• Buffer Overflow
• Command Injection
• Cross-Site Scripting.
• Format String.
• HTTP Response Splitting.
• Illegal Pointer Value
• Integer Overflow
• Log Forging
• Path Manipulation
• Process Control
• Resource Injection
• Setting Manipulation
• SQL Injection
• String Termination Error
• Struts
• Struts
• Unsafe JNI

Drawbacks of this Research Journal:

 These are sort of table maintained for those common error that is already caught but languages and framework changes daily.
Daily new API emerge in market then this taxonomy methodology is not able to handle it.
 It will not realize the security hole as error.

8) Reducing Software Security Risk Through an Integrated Approach

David P. Gilliam, John C. Kelly and Matt Bishop introduced method of VMatrix.

The assessment instrument is a collection of tools and procedures to support development of secure software. The toolset also will
include a property-based testing tool to slice software code looking for specific vulnerabilities using signatures from the VMatrix.
Gilliam, David P. (2001). Reducing Software Security Risk Through an Integrated Approach.

Available at: https://trs.jpl.nasa.gov/bitstream/handle/2014/14276/00-0691.pdf?sequence=1

Advantages of this Research Journal:

 Property-based testing can take advantage of the specifications of vulnerabilities in VMatrix to detect problems. The key is to
represent the vulnerability in the low-level specification language.
 If non security properties (such as safety) are of interest, the testers will have access to TANG to perform similar testing for their
own set of properties. But the focus of this study is on security-related properties.
 Model checkers provide error traces.

Drawbacks of this Research Journal:

 The matrix contains the problems of greatest concern to NASA at the moment because its NASA research fund to find vulnerability in
software applications.

9) Prioritizing Software Security Fortification through Code-Level Metrics

Michael Gegick, Laurie Williams, Jason Osborne and Mladen Vouk introduced method of predictive models.

Researcher created predictive models to identify which components are likely to have the most security risk. Data has been mined and
analysed data from a large commercial telecommunications software system containing over one million lines of code that had been deployed
to the field for two years.

Gegick, Michael. (2008). Prioritizing Software Security Fortification through Code-Level Metrics.

Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.458.5904&rep=rep1&type=pdf

Advantages of this Research Journal:

 Research has been conducted a case study on a large commercial2 telecommunications software system comprised of over 1.2 million
source lines of code (SLOC).
 Researchers created a software tool, Vulture that mines a bug database for data that predict which components will likely be vulnerable.
They performed an analysis with Vulture on Bug zilla, the bug database for the Mozilla browser, using imports and function calls as
predictors. They were able to identify 50% of all of the vulnerable components in Mozilla.

Drawbacks of this Research Journal:

 The failures were identified during late-cycle system testing and post-delivery.
 Weak or absent logging for important components was considered a security vulnerability to prevent non-repudiation.
 Analysis included only 3.7% of the organization’s faults making statistical analyses difficult and reducing the confidence in our models.
 The models that fit our system may not fit all software systems due to differences such as architecture, programming language, and
developers.
 Additionally, system and feature-level testing may not be adequate for detecting all vulnerabilities while using other techniques.

10) Finding Security Vulnerabilities in Java Applications with Static Analysis

V. Benjamin Livshits , Monica S. Lam introduced method of static analysis approach.
Researcher proposed a static analysis approach based on a scalable and precise points-to analysis. Their approach is to finds all
vulnerabilities matching a specification in the statically analyzed code.
About 75% of all attacks against Web servers target Web-based applications.
Livshits, V. Benjamin. (2005). Finding Security Vulnerabilities in Java Applications with Static Analysis.
Available at: https://www.usenix.org/event/sec05/tech/full_papers/livshits/livshits_html/

Advantages of this Research Journal:

 Static analysis found 29 security vulnerabilities in nine large, popular open-source applications, with two of the vulnerabilities
residing in widely-used Java libraries.
 Many attacks described in the previous section can be detected with code auditing.
 Making the potential vulnerabilities easy to examine and fix as part of the development process.
  The advantage of static analysis is that it can find all potential security violations without executing the application.
 This tool is distinctive in that it is based on a precise context-sensitive pointer analysis that has been shown to scale to large
applications.
 This paper proposes a tool based on a static analysis for finding vulnerabilities caused by unchecked input.

Drawbacks of this Research Journal:

 Without a precise analysis, these tools would find too many potential errors, so they only report a subset of errors that are
likely to be real problems. As a result, they can miss important vulnerabilities in programs.

Study of Existing System:

Take three existing scanner (application) and give review about it
Tool 1: Java Static Analysis Tool
It Integrate with Eclipse and following Screenshot available of the Tool.
Summary of Test Result:

Analysis of Tool:

 It’s worth noting we can run PMD at the project level or at individual class level.
 Eclipse will display a brief description of the issue and possible remediation how to solve it.
 This mature and quite well-established tool analyses source code for possible bugs, suboptimal codes and
other bad practices
Weaknesses in System:
 It’s impossible to prioritize the issues.
 User need to run it manually.

 Developers can’t track it over time and centralize the results of your different tools

Tool 2: Fortify
Analysis of Tool:
 Reduce the risk of a data breach.
  Meet Compliance requirements of customer.
 Increase the speed of Security Software Delivery.
 Software is cost effective and secure.
Weaknesses in System:
 It is time consuming if conducted manually.
 Automated tools produce false positives and false negatives.
 There are not enough trained personnel to thoroughly conduct static code analysis.
 Automated tools can provide a false sense of security that everything is being addressed.
 It does not find vulnerabilities introduced in the runtime environment.

Tool 3: Acunetix
Analysis of Tool:

 Allows you to locate and fix the vulnerability faster because of the ability to provide more information about the vulnerability, such as source
code line number, stack trace, affected SQL query.
 We can significantly reduce false positives when scanning a website because we can internally understand the behavior of the web application
better.
 Can alert you of web application configuration problems which could result in a vulnerable application or expose internal application details.
E.g. If ‘custom errors’ are enabled in .NET, this could expose sensitive application details to a malicious user.
 Detect many more SQL injection vulnerabilities. Previously SQL injection vulnerabilities could only be found if database errors were reported or
via other common techniques.

Weaknesses in System:
 An automated vulnerability scanner will identify input parameters and will try to inject specific patterns to identify vulnerabilities on the target
website. This is done through the scanner’s vulnerability checks.
 SQL Injection and Cross-Site Scripting, there may be chance of injecting garbage data in the website’s database.
 If the target website being scanned by the automated vulnerability scanner is vulnerable to email flooding or mass mailing attacks, it is highly
likely that a number of emails will be produced as a result of the automated scanning of the pages and forms

Chapter Three
Research Methodology
Introduction
Every learned knowledge is a product of either a conscious or unconscious search. The conscious search is
usually continuous and directed towards a particular direction for a particular insight on a subject matter.
The conscious search in this context may be referred to as Research. Therefore, Research entails following some
methodology to look into a subject matter 16r the purpose of gaining new or modified knowledge.

Methodology describes the procedures to be followed for a successful research. In the scientific world,
therefore, Research Methodology is a standard defining the systematic processes required for a
particular investigation with the purpose of discovering knowledge or establish principles envisaged by
experience, theorization or observation (Argawal, 2015). This chapter of the report shall discuss the chosen
Software and Research Methodologies as well as provide the analysis of data acquired from opinion
samples of the research.
3.1 Software Development Methodology
In the today's world, where life and computing are almost becoming inseparable due to the ubiquitous nature
of computing devices and software that run on them, the Software industry has thus assumed a new status
where it is considered one of the most important industry driving the economy of nations of the world.
Computing has found its place in diverse areas such as Agriculture, Health, Security, Manufacturing,
Education, etc. This has increased the competition among the software industries seeking to monopolize
the market. Some of the factors that determine the chance of succeeding this

Competition include:
 The user needs the software product meet.
 How early is the software product brought to market?
 The marketing strategies
 The quality and usefulness of the software product.
 The development model used.
 And how adaptive such a model is to the changing requirements of users.

Software Development Methodologies also called Software Development Life Cycle (SDLC) may classified
as either traditional or modern. For example, the Waterfall, Iterative, Spiral, Big Bang, V -Model, etc. are
traditional SDLC methodologies; while Agile, Rapid Application Development (RAD), R ational Unified
Process, Prototyping model, etc. are considered modern SDLC methodologies. All these methodologies,
specify a unique series or activities to be followed to ensure success in the process of system development.
The models, either traditional or modern, are suitable and for particular Categories of systems. That is, one
may not adequately serve or achieve the whole goals for all kinds of stems to be developed. Therefore, in
addition to the aforementioned factors, the choice of which Methodology to use is also influenced by the
industry, development team, system to be developed, or clients for which the system is being developed
(Waters, 2007). All of these methodologies have a number of standard phases. The phases may be
summarily grouped into Planning, Analysis. Design and Implementation invalid source specified. As shown in
Figure 3.1; or broadly grouped into Initiation. System Concept Development, Planning, Requirements Analysis,
Design, Development, Integration and Testing, Implementation, Operation and Maintenance, and
Disposition.

Since the rapid changes in environment influences changes in the requirements of a software product, it
becomes very important that the chosen software development methodology be adaptive so as to keep to the
competition. Therefore, for the purpose of this research, Agile Software Development Life Cycle Methodology
is chosen. This choice is influenced principally be the fact the security systems are often under attacks,
making requirements to constantly change; the user on the order hand requires security of transactions
irrespective of what attacks the system is experiencing. The agile methodology would fit this kind of system
properly.
 Figure 3.1: Simplified SDLC (Dennis, Wixom, & Roth, 2012)

Objectives of Research:
The main purpose of research is to discover answers of many questions by the mean of
scientific procedures. Main aim and objective of research is to find out the truth which is
hidden from human eye and knowledge and has not been discovered yet.
Each research study has its own purpose and fulfilments, some of the research
objectives fall into following groups:
 1) To gain knowledge and familiarities into particular topic. Researcher cannot start
research without knowing its background and usually it is practise that researcher
chose topics in which they are already familiar and they have many experiences
on it.
2) Researcher knows very well that how can he/she portrait characteristics of
particular individual or situation or event.
3) Analysed the frequency of occurrence of some events or problems.

Motivation in Research:
What make people to motivate on research or to start investigation on any area?
This is the fundamental question of research. There are possibly many motives to do
research. Motives can be one or it can be many.
1) Desire to get Research Degree like PHD along with its consequential benefits.
2) Some may be like to tag their name along with Doctor Like Doctor abc.
3) Some may be want to teach degree classes as a professor in any well-known
university.
4) Desire to face previously unsolvable challenge. For example real practical
problem to initiate research.
5) Desire to get intellectual feeling of joy after doing some creative work.
6) Desire to serve whole humanity.
7) Desire to get respect from society.
It is not necessary that researcher has covered all aspect of motivation to do research.
Some are may be missing in the list. Many more factors such as employment
conditions, directives of government, curiosity about anything to find the fact, social
awakening and thinking.

1) Observations
2) Research techniques
 Personal Interview with IT Security staff from any domain company.
 Statistical Analysis (Charts)
 Questionnaires
3) Methodology will involve design, development and analysis of security layers in
Airline system.
4) Implementation of Airline ticketing and online booking system where online
payment will be made. Basically Level of security will be measure at login page
and Payment page. It will be web based application.
5) Following Tool and Technology will be use.
 ASP.NET MVC
 HTML
 CSS3
  Jquery
 Visual Studio 2015
 Sql Server 2012
Research can also be define as a systematic and scientific search for relevant
information in particular topic. It can be say that research is art of scientific investigation.
Meaning of research is “Careful investigation or inquiry or search for new facts in any
branch of knowledge”.
Redman and Mory define that research is an “effort to gain veil knowledge”. Some
people says that research is a movement, a movement from unawareness to be awared
one. It is actually voyage of discovery. Curiosity is the mother of all knowledge and the
methods, which human being obtain the knowledge of specified topic that is unknown to
whole world, it can be term as research. Research is an academic activity and it can be
technical and non-technical knowledge.
Clifford Woody says about research that it consist of redefining problems, hypothesis or
suggesting solutions, Organising data, Collection and evaluation of data, finding
research conclusions and at the end careful testing to determine whether it fit the
formulating hypothesis.
M.Stephenson and Slesinger defined research as “the manipulation of things, symbols
or concepts for the purpose of extend, verify or correct knowledge.
Researchers always contribute to exceed the knowledge ahead or get the knowledge
that is unknown to the world yet. It is the participation in existing research to add more
knowledge or start a new research in new dimension to let the world know about it.
Finding the truth with the help of study, experiments, and comparisons. In short, Search
of knowledge through systematic method of finding solution of problem is called
“Research”.

3.1.1 Rationale of the Chosen Methodology

Agile Development methodology was chosen for this research
work following approaches and principles of development which are
usually satisfying to both the customer and other stakeholders. In this
section, some of the benefits of this methodology arc presented and
then a proper introduction to the overall concept of Agile Development
is later discussed in the next section.
  Transparency:

Agile methodology gives an exceptional opportunity to

customers to be incorporated all through the project, from
sorting out segments to cycle organizing and audit Sessions to
progressive software assembles containing new prospects. This
in regard, obliges customers' to understand that the work is in
progress in return for this included point of
Preference of transparency.

 Early and Predictable Delivery:

The use of Gantt chart, in calculating the estimated and precise completion
date fall here, new components are taken as quick as possible, with an
unusual state of reliability. This in return buys more time and chance to
ensure a better implementation and testing of the product sooner than
arranged if it meets adequate business value.

 Focuses on Business Value:

Allowing the Client or Customer to choose their required elements,

enable the team to comprehend the most important and critical
elements or components that the Customer’s business needs and
can he able to deliver the components that provide more
business value.

3.1 Software Development Methodologies

1) Waterfall Model

In software development
industry somehow,
 developer and development team have to bump into the waterfall model.
Waterfall model is beneficial or not, risky or less risky, old or new technology,
sometime development team has to adopt waterfall methodology.
It is consider as traditional method of adopting software development process in
software engineering. Waterfall work as linear flow having specified sequence to
perform software development. It is usually perform module by module
development and next level of module remains depend on previous model till
the end of project.
Moreover, in this methodology, changes may occur after the testing phase or
after release of product. Client realize that they need some other features also
and some time that change is not possible at the end of entire project. It may
cause defects in other modules also that was working fine till release.

Pros:
 Easy to understand and fully functional
 Detailed documentation helps to understand and develop(Even to new
developer in the team)
 Save time
 Allow easy and detailed testing and data analysis.

Cons:
  It is not applicable for project under maintenance, it is helpful for products
that is going to develop from scratch.
 It won’t allow addition of new feature (either small or big) in the middle of
development phase.
 Team cannot determine outcome of project.
 Always create fuss for long projects like ERP and so on

2) Prototype Methodology
It is a specialized software development process in which developers initiate
sample to validate its functional essence to the customers and do essential
changes before creating the final solution.
In fact, best part of this methodology is that it tend to resolve different type of
issues occurring with the waterfall method.

Pros:
1) Give clear idea about the function of project from the initiating process of the
software.
2) It reduce the risk of failure in a software functionality.
3) It focus on detailed requirement gathering and overall analysis.
Cons:
1) There is a change in increase in management cost.
2) Too many meetings and involvement of clients can affect software development
processing.
3) Too many changes in the middle of software development can affect the
workflow of software.

4) Agile Software development Methodology

The agile software development methodology is used for clear and well-
organized project management that allow iteration of changes.
Such type of a methodology is highlighted for managing many software
engineering projects. Another good thing is that it minimizes danger of software
failure in short time boxes that is known as iterations, which last from six to eight
weeks.

Pros:
1) Adaptive approach of software development that respond to changes easily.
2) It allows direct communication between team and business users or product
managers and in this way it maintain transparency.
3) It help in develop quality product by giving the product to testing and find and
resolve bugs prior to finalization of project.

Cons:
1) There is a less documentation of product functionality and all focuses are on
development of software.
2) Outcome or deadline is not clear in the scenes that there is a chance of getting
off-track
 4) Rapid Application Development
It aimed to provide quick results, rapid application development give marvellous
development processes with the essence of other development approaches. This
methodology is introduced to take the maximum advantage from the
development of software. There is no doubt that it is designed to add the
workability of the whole software development procedure for the participation of
active users.

Pros:
1) Make the development process effortless.
2) It allows Business users to take quick review.
3) It encourage feedback from end users for improvement.

Cons:
1) Completely dependent on team for good performance.
2) It work on the system module by module to confine on this methodology.
3) It require skilled and experienced persons to handle complexities.
4) Not suitable for small application or small budget applications.
 5) Dynamic system Development Model Methodology

This methodology is derived from the rapid application development

methodology, it works on iterative and incremental approach that focus on the
involvement of business or end users at each stage of development cycle.
Main purpose of this methodology is to provide software development within
specified time and allocated budget.

Pros:
1) Strong grip on the software development process to users and software
development team.
2) Functionality of each deliverable is quick.
3) It offer easy access to end users for developers.

Cons:
1) This methodology is costly and dedicated for big budget projects.
2) It is not suitable for small organizations.
 6) Spiral Models

Highly sophisticated design of spiral model is meant to reduce early risk in the
project. As the development process start, developers initiate on a smaller level
and can explore risk in the beginning.

Further on, developers intended toward a plan for iterating of the spiral.
Accomplishment of any spiral life cycle model based on observant, consistent
and familiar management of the project.

Pros:
1) Risk factor considerably reduced by adopting this methodology.
2) It is excellent for large scale project.
3) It allows to add new function later.
4) Suitable for highly risky projects with varies in business need.

Cons:
1) This model is costly for software development.
2) Failure in risk analysis and it may damage the whole project.
 3) It is not appropriate for low risk project. In other word, no need to use that
methodology, if there is no risk involve in the development process.
4) There is a chance to continue this project and never finish.

7) Extreme Programming Methodology

Extreme programming methodology is currently known as XP methodology. It is
basically used in very unbalanced atmosphere. It enable tractability within this
modelling procedure.
Basic aim of this XP model is to reduce the cost of software. Price of changing
the requirements on the future stage of project is whooping.

Pros:
1) It focuses on customer involvement.
2) Establish clear plans and schedules.
3) Developers are specially committed to that particular project.
4) Equipped with modern methods of quality software development.

Cons:
 1) Effectiveness depends on how many no of people involved in particular project.
2) It require frequent meeting between end users and development team.
3) It is necessary for excessive development changes.
4) Exact possibilities of future outcome are really unknown.

8) Feature Driven Development

It is an iterative methodology of software development and aimed at serving large

number of team working on object oriented based project.
This model is effective for the companies that are on phase based on iterative
approach.
It is called as FDD methodology and it deal with variation of complexities and it is
highly function able.

Pros:
1) It is useful for bigger and complex project with continuous success.
2) 5 easy procedures bring outcome in a better manner.
3) It is programmed for easy development and built for pre-set standard of
software development.
Cons:
1) It is not suitable for small size project and for single developer of application.
2) It is totally dependable on the leading developers.
3) No Proper document is provided to software owner about software usability.

9) Joint Application Development Methodology

Joint application development methodology is a requirement specification and UI

expansion approach that is needed to the end users, clients and developers
attend off-site conference to emphasis and confirm software system.
This is effortlessly proficient through a sequence of planned workshops called
JAD sessions. It seems that emphasis on the business difficulty.

Pros:
1) Allows for simultaneous groups and bunch of excessive information.
2) Generate huge amount of valuable information in short span of time.
3) It support immediate resolving of differences with reasonable assistance.

Cons:
1) It require excessive amount of time for scheduling and planning.
2) It require significant amount of effort and time.
3) It need highly skilled and trained experts, which is tough to find.

10) Lean Development Methodology

Lean development model emphasis on the development of effortlessly

manageable software. Extra ordinary designed development technique is more
intentionally dedicated than any other form of agile methodology.
Objective of this approach is to improve software within one-third of the time, with
very limited budget and fewer amount of essential workflow.
Pros:
1) Low budget and time require to complete software development.
2) Allow earlier product delivery.

Cons:
1) Effort of team determine success of software development process.
2) Unskilled business analyst can be severely problematic.
3) Too much flexibility leads developer to lose focus on work and it may leads to
track off from deadline.

11) Rational Unified Process Methodology

Rational Unified Process Methodology (RAP) is a current evolution of software
process. This methodology expand the process into four different stages that
include scrutiny and design, business modelling, enactment, testing and finally
deployment. The model assist software developer for stating guidelines, specs
for all features and stages of software development.

Pros:
1) Give priority on documentation writing.
2) It removes the project risks after engaging customer at every meeting.
3) It has less requirement for integration.

Cons:
1) Need highly skilled software developers.
2) Development process of this methodology is complicated.
3) Integration too many modules may lead to confusion.
4) It is complicated to understand.

12) Scrum Development Methodology

Bright side of this methodology is that it is applicable to all kind of project like
small projects to large scale projects. Excellent development by using this
methodology is suitable for those projects who is in alteration process
continuously.
The scrum software development model initiate with short span planning,
meeting and completes with conclusion review. This methodology prompt
 development of software that consist of series of iterations to develop required
software. It is a perfect approach because of its effortlessness bring on track the
progress of project.
This methodology deal with variety of complexities and need expert hands.

Pros:
1) Decision making are in the hand of the team.
2) Too many lengthy business requirement document is not considered during
adoption of this methodology.
3) Light control method emphasis with constant updating.

Cons:
1) It is not suitable for large scale projects.
2) Require highly skilled and expert team and there is no space for low skilled
person in the team.
3.1.2 Agile Development Life Cycle

There are several branches of agile software development methodologies.

 Agile modelling
 Adaptive software development
 Disciplined Agile Delivery
 Extreme programming
 Scrum
 Kanban
 Feature driven development
 Dynamic systems Development
 Lean Software Development

Basic goal of agile methodology is to adapt change and deliver workable software
in every sprints during specified time. However, all software development
methodologies have some variations in the way it defines the phase of software
development. Even though the goal is same, each team’s process description flow
may vary on project to project.

A Complete Agile methodology includes concept/Idea, development, testing/UAT,

release, Live to production and retirement phases.

The Agile Process Flow

 Concept > Projects are visualize and prioritized.
 Inception > Team member of that project identified and initial environment and
requirement usually collected from product managers and it get discussed
among team members.
 Iteration Development > Software development team work together to deliver
workable software based on iteration requirement.
 Release > Quality assurance / Testing, documentation of technical development
related stuff, internal and external training and final release of iteration into
production.
 Production Environment > Software deploys to Live environment and ongoing
support of that software.
 Retirement > End of life activities, including notification to end users and
migration.

This view shows full Agile life cycle model within any organization. In any
organization there may be different projects operating simultaneously, different
 sprints logged into different product lines and team member need to deal with
variety of customers (Internal or external) with different range of business needs.

3.1.3 Extreme Programming

What is Extreme Programming?

XP is efficient, light weight, flexible, low risk, predictable, scientific and fun to develop a software.
Extreme programming or XP was developed or invented and adopted to resolve specific needs of
software development of small teams in the change requirements or Agile Environment. Extreme
programming is Agile Software development methodologies. It provide certain methodologies and
rules to guide the team. Team is expected to self-organize. Extreme programming provide some
basic practises that are:
 All adopted practise is simple and easy to understand or easy to adopt and complete in
nature.
 Combination of these practises or methodology produce more complex behaviour.

Embrace Changes
A key point of Extreme Programming is the cost of change the program and it can be
constant over time.
It can achieve by following:
 Emphasis on taking continuous feedback from end users.
 Design and redesign with short iterations.
 Coding and Quality assurance frequently.
 Remove bugs in earliest that reducing cost.
 Keep the customer intact throughout the development
 Deliver workable product to the customer.
Extreme Programming in a Nutshell
Extreme programming involves following:
 Write unit test before starting development and keep running all of the tests
running during development of that module. Unit testing usually performed by
development team to eliminate most obvious bugs and later Automation testing
performed to make sure application is free from all front end and logical bugs and
it help to reduce cost.
 Development starts with simplest design and code the specified features and
redesigning if required.
 Pair Programming with two programmers in same screen by taking control to
computer one by one. One who looks the screen and coding of developer give
continuous feedback and inputs to improve the code and remove bugs that may
be avoided by the developer who is coding at screen.
 Integration of all code from source control and testing the whole system
repeatedly to check if error occur at nay instance.
 Introduce minimal working system into the production and upgrade it when
required.
 Intact customer all the time during sprints and receive feedback constantly.
Iteration facilitates the changes as the software develop with change requirements.

Why is it called “Extreme”?

Extreme programming practises to extreme levels and take the effective principles.
 Code review is effective and it reviewed at all the time.
 Continuous regression testing is going on till the end of project.
 Development team needs to do refactoring daily.
 Integration testing is important as Integrate the code and test daily several times
a day.
 Short iterations are effective as the team plan for release and iteration planning.

Extreme Programming Advantages

Extreme programming helpful to solve many problems that often faced by software
development projects.
 Cancelled Projects > Focus on continuous business users involvement and it
ensure transparency about the difficulty and Timeline of project and provide
immediate resolution of any issues.
 Slipped Schedules > Achieve development cycles that make sure timely
deliveries.
 Costs involved in changes > Broad and ongoing testing to make sure particular
changes are not breaking the existing functionality. Live projects always take
sufficient time to accommodate changes so that current system should not affect.
It need careful and nonstop testing.
  Production Defects > Unit testing perform to detect and fix the bugs soon as
possible.
 Missed the required functionality of business domain > Behaving business
users as a part of the team ensure continuous communication and clarifications.
 Staff turnover > Team collaboration ensures energetics and good intentions.
Team spirit is required in all methodology to develop correct software
development within time.
 Business Changes > Changes are consider a fact that cannot denied by any
development team and accommodate changes at any time.

3.1.4 Research Design

Highlight the process that how an investigation will take place and how data
will be collected, what tool will be used to analyze the collected data.
3.2.1 Qualitative Research technique
Data Collection approaches for Qualitative research include following:
1) Direct interaction and communication with individual person on one to
one basis.
2) Direct interaction and communication in a group setting.
Data Collection by Qualitative research is not easy methods and it is time
consuming therefore data is usually collected from smaller samples.
Therefore qualitative research is more expensive.
Benefit of Qualitative approach is that the gathered information is high
quality and give deep insight for research.
Methods for collecting Qualitative data are following:
1) Focus groups
2) Interviews with individual person
3) Observations
4) Research action
3.2.2 Difference between Qualitative and Quantitative
Research technique

Table 3.1 Difference between Qualitative and Quantitative Research Technique

3.3.1 Research Questionnaire

Questionnaires are one of the most potent tools for collection of data
regarding a topic of interest. Its use for definite questions with the
definite or open answers allows opinions to be gathered in a structured
form that supports and makes analysis easier. Therefore, this research
work employed its use. 'The research sought opinions from far and
wide on the subject matter by using google form so as to allow most
internet users who often are the victims of identity theft. Eavesdropping,
and phishing.
The following section presents the questionnaires and the objective of
the asked. It then presents the analysis of the responses using
percentages and pie-chart as the pictorial view of the results. The
sample of the questionnaire is provided in Appendix A, the sample
google form questionnaire in Appendix B. Sample received a
response in Appendix C and sample google form response summary
in Appendix D.

3.3.1 Result and Analysis of Questionnaire Response

The questionnaire was developed using google forms and the
link was posted on social media such as WhatsApp groups,
Facebook, LinkedIn.
Questions:
1) Do you have any idea about Security Vulnerabilities in Written
Code especially in .NET?

Options Responses Percentages

No 28 30.77%
Partially 24 26.37%
Yes 39 42.86%
Total 91 100%

Question one sought to find out the familiarity about Security

vulnerabilities in Developer’s written Code and how and where
they have used the concept. Result showed in above table
shows that most respondent have definite idea of concepts,
more have some idea, and no idea at all. The implication of this
could be the most of the respondents might have experienced
and read about these facts.

2) Do you have any idea Buffer overflow and XSS attack in web
application?

Options Responses Percentages

No 12 13.19 %
Partially 17 18.68 %
Yes 62 68.13 %
Total 91 100%

Question two sought to find the respondents knowledge of the

concept of Different types of security attack in web application
like XSS Attack and buffer overflow attack.
3) Have you experienced Buffer overflow attack in your hosted
web application?

Options Responses Percentages

No 23 23.19 %
Partially 20 28.58 %
Yes 48 48.23 %
Total 91 100%

Question three sought to find the experience of Vulnerability

attack in their own hosted applications. Some were not sure
that some kind of attack has been performed on web
application or hosted server. (It include in Partial List)

4) Do you know which attack will be dangerous for Web

application (Buffer overflow, XSS attack or Session Hijacking)?

Options Responses Percentages

No 32 33.29 %
Partially 30 38.38 %
Yes 27 28.33 %
Total 91 100%

Question four sought to find the basic knowledge about

harmfulness or danger of attack. Most of IT Guys don’t know
about these attacks or some know it from its name only. They
were unaware of which attack is harmful for web application or
Hosted server.

5) Do all attacks actually require a botnet in order to succeed?

 Options Responses Percentages

No 32 22.18 %
Partially 30 51.38 %
Yes 27 26.44 %
Total 91 100%

Question five sought the knowledge of IT users that is it

necessary to require Botnet in all kind of attack. Most of the IT
person was correct, Botnet is not required in all kind of attack
but however 26 percentage persons replied wrongly as it shows
little knowledge about Security vulnerability.
3.3 Summary
After reading above Research techniques and software development
methodologies, Researcher can conclude that there are various technique
and methodology available to proceed with his/her Research that obviously
can be proof by any software. Researcher is participating in research alone
(not in group) so almost all Software development methodologies failed to
adopt. However, Researcher chose Scrum methodology in order to
complete every sprint on time.
As far as Interviews are concerned, this is very sensitive topic and
disclosure of vulnerability by Internet service Provider Admin or any
organization is not possible. In other word, not any single organization is
able to tell the truth about attacks on their servers or attack in any particular
application.

Chapter Four
Collection of Vulnerable Data
Statistical analysis of vulnerabilities or accuracy of VDMS relies upon that
how accurate is the vulnerability data. Reliability engineering assumes that
SRMS have been applied before or during testing and in settings where the
collection of failure data is the integral part of testing environment.
Unfortunately, most of vulnerabilities were not found during testing (Pre-
release) of software development. Even if they are found, it consider as
system fault during testing. That is the reason, vulnerabilities may be often
detected after the product release, when the collection of important data is
much more difficult.
Vulnerability research is made frequently base on public vulnerability
database. NVD (National Vulnerability database) is used for almost all of
the research made on VDMs. However, the NVD is not designed to
vulnerability discovering model, it has four important short comings that are
incomplete inclusion, chronological inconsistency, lack of documentation
and multiple entries for a single detection.
4.1 Other Public vulnerable Data Base
As a Researcher, we know that NVD is used for remainder of VDM
literature but it is not only public database. In addition to the NVD, some
other databases are most prominent that include “Bugtraq” that run by
same organization as the Bugtraq mailing list and another is Open Source
Vulnerability database (OSVDB).
4.2 Upcoming/Future Vulnerability Data Base
Before assessing or measuring software security, Researcher need an
accurate source of data. We need Next Gen Vulnerability Data Base. At
this point Researcher wants to propose some requirement of such
database. Next Gen Database store all sort of event or black movement
and it must be log in that database. It may include release, injection,
detection of vulnerability, disclosure to vendor, available to public, applying
patch and scripting dates. Every field should contain precision of the date.
For example approximate within three weeks because most of the
information is found on internet, each precision date will contain evidentiary
URLs and the date of evidence entry.
One of the challenge of these Next Generation database will be to log
separately to distinguish easily between vulnerabilities and vulnerability
detection events. It should log both information. It should log to URL in
Database that distinguish same vulnerability from same application in
different Vulnerability Database. It will help to distinguish different yet
similar vulnerabilities and detection events.
All Public Vulnerabilities database must be maintained for many years
because it was useful for VDMs These Database is more likely to evolve
over time. All public database should also document, each data field should
be maintain that how it is obtain and accurate it is. Date of last version
since then software is no longer tested, need to check if it contain ay
vulnerability. These information will help research community to gain better
understanding of vulnerability holes like how it prevalence changes over
time and how they are found.
4.3 Conclusion
Existing VDM literature is relies upon inaccurate and inconsistent data from
Public Vulnerable Database, which were never used for any purpose. This
data does not necessarily represent vulnerability detection events. The
VDM used in Database literature is not appropriate for modelling
vulnerabilities. Researcher cannot model vulnerability discovery until we
have a database design usage in mind. Security providing organizations
should design and implement next generation Vulnerability database to get
high quality vulnerable database that can be used by many other vendors
to evaluate their software by looking into that security holes.

Chapter Five
SOFTWARE SPECIFICATION AND REQUIREMENTS
5.1 Introduction

Software requirement provides the specification of what software product

must accomplish to be successful. It provide dimensions to develop
software as it provide the description of software product. It help to set the
basis on which risks, schedules and cost can be determined to access the
feasibility of software development .every software requirement at its
basics must include functional and non-functional requirements. Other
requirements such as security, reliability, availability, performance,
dependability, supportability, usability, hardware and development platform
requirement may include. Therefore, this chapter discussed and present
the software requirements of the proposed system for this research work.

5.2 Functional Requirements

Functional requirements specify what a system must accomplish and
probably the steps of how to accomplish its task. Some of the functional
requirements of this system shall but not limited to following.
 Improving security of Login Module and process.
 Developing API for login and registration module that is suitable for
system security.
 Develop necessary algorithm that is necessary to secure the system.
 Implement Graphical user interface that accept data from user,
process and validate it and save in Database.
 The security aspect of the system shall employ the use of
cryptography.
 Software Security Scanner will scan developed login module to check
the vulnerability in writing code by developers.
 Login Module will be corrected after every scan and finding issue in
written Code.
5.3 Non-Functional Requirements

Non Functional requirements specify those attributes that may not be

necessary for the success of the system but it is required to enhance user’s
experience. This usually specify how some of the function of the system
are accomplished. It include such requirements as usability, acceptability,
manageability, recoverability, scalability, performance and more. Non
Functional requirements of the system would not limited to following:
 System should be robust and be able to recover from error.
 The system should be responsive with high throughput and less
latency.
 The system should be flexible and available all the time.
  The Graphical user interface should be designed such that they
remain conventional and what the user are used to. It should be
highly usable.
5.4 Hardware Requirements
The successful implementations of any software has necessary that
hardware requirement should meet. The system develop during this
research work are no exception. Therefore, following provide some of the
requirements necessary for the developed systems.
5.5.1 Server Hosting Hardware requirements
 8 core opteron
 16-32 GB Ram
 4 x 1 TB Drives (some kind of RAID)
 Gigabit LAN Rackform nServ A161
 Opteron 6128 2.0 GHZ , 8-Core
 Integrated IPMI 2.0 with Dedicated LAN.
 LSI 9260-4i 6GB/s SAS/SATA RAID.
 4 x 1 ITB Seagate Constellation ES Optical Drive. Low Profile DVD +
- RW Drive Power.
 350 watt power supply.
5.5.2 Development Platform Requirements
A Standard software system also has development platform requirements.
The system developed during this research work is no exception.
Therefore, the following development platform were the requirements that
had to be met.
5.5.3 Software Security Scanner Requirements
Research has been done to find vulnerability in .NET Code. Software
scanner will be able to scan security vulnerability in every type of .NET
project or Code.
 ASP.NET MVC 5
 64 bit operating system
 Internet Information Service
 Web API
5.5.4 Other Requirements
In addition to the aforementioned requirements, the system shall also
require the following to function to enhance availability.
 Constant Power Supply
 Reliability and updated Anti-Virus.
 Physical security of the data/computer where system is hosted.

Chapter Six
SYSTEM ANALYSIS AND DESIGN
Introduction

System analysis and design is concerned with the activities of developing

high quality systems. It involves studying the module of existing systems
with the view of improving it and it also define architecture, components,
modules, interfaces and data of the system to satisfy the specified
requirements. (Gary & Harry, 2012).The success of any system depends
on how well the analysis and design is done. When this is properly done, it
ensure satisfaction of end users through high quality experience of users.
Therefore, it is a major requirements for this research work as it develop
system that shows list of Scanning of Vulnerabilities in .NET Code.
This chapter shall discuss the processes of the current state-of-the-
art system in the direction the researcher wishes to take and then
present the design of the proposed system which is hopeful to
improve the security of .NET Application.

6.1 Analysis of the Existing System

The State-of-the-art system in the direction the researcher wishes to

improve security of .NET Code, especially when it comes to Payment
module or online financial modules. (More, pooja, Leena, & Kumar,
2015).However, currently, scanning of security vulnerability have not
fully implemented proposed in the research.
6.1.1 .NET Code Scanner for security vulnerabilities

.NET Code scanner will be developed to scan any .NET Project

or .NET code to check for security vulnerabilities.
Scanner software will check Syntax of .NET application. Sometime
small mistake that was ignorable for developer can cause buffer
overflow.
Researcher will scan one of the .NET MVC Project .Project will
contain only Login and Registration Module.
With the help of penetration testing, Security vulnerability will be
checked then researcher will analysis defect in writing code.
Major area of research is to find and collect all vulnerabilities in .NET
Code. Collection of vulnerabilities will be possible by penetration
testing and include collection of those drawbacks in .NET Security
Code Scanner.
However, there is a chance to miss any vulnerable code criteria to
include in .NET Code scanner.
Several version of that software will make it stable to check maximum
code level vulnerabilities.

6.1.2 State-of-the-Art System

To solve the problem of web application hacking, application must be

free from all bad practises of code that cause buffer overflow.
Researcher is not including vulnerabilities in third party DLLS or
APIS. Security scanning will be perform only in .net written Code.
 Figure 6.1 Existing Code Scanner

When User press Scan Button, it scan entire .NET Project class by
class and method to method.
6.2 Design of the Proposed Systems
The design of the proposed systems is the next here, the design of our
proposed system is presented in previous chapter. Phase of the analysis of
an existing software are not the target of this research. Therefore, our
system modifies the preceding framework after observing. The proposed
framework does not use emails to ensure real-time processing.
Our proposed design of system require scan the .NET Project in a way that
maximum vulnerabilities in software code can be caught by the Scanner.
Researcher will write Code in a traditional way and pen testers will test the
system. Experimented system will be test repeatedly and it will be checked
that it become victim or not. Every time system will be tested by various
ways and researcher will clean the code in a standard way to avoid it to
become vulnerable.
On the web Applications, C# code and more usually ASP.NET is commonly
vulnerable internet world.
Some vulnerable code samples are following:
https://stackoverflow.com/questions/3940576/exploitable-c-sharp-functions
In Line Queries:

This type of code also make the system vulnerable.

OS Command Injection:
This type of code is vulnerable to command injection because second
parameter Process.Start() is taking extra command passed from it using
“&” character to batch multiple command.

Below pasted code are some sample of vulnerable code that .NET Code
scanner will identify wrongly written code? Every time .NET project will be
test by pen testing methods to check if it is vulnerable of buffer overflow is
affected or not.
Not Vulnerable:
Vulnerable:

6.2.1 Design of Deployed Application Server

.NET project for Login system is deployed in Separate dedicated server,

where security is already maintained for all kind of vulnerabilities. Database
schema designed using SQL SERVER 2014.Registeretd user can login to
the system where vulnerability will be checked by our pen testers.
6.2.2 Design of simplified Database schema
 Chapter Seven
System Testing
Introduction

System testing involves the activities carried out on the system

(either a software or hardware system) under consideration towards
ensuring that it is in Compliance with its specified requirements.
That is, it is an investigation conducted through the execution of
system components, and evaluating the attributes to provide
stakeholders with information ensuring that the system is of the
desired quality (cem, 2006). System testing shows to what extend
the system meets its requirements, how the system react to any
given inputs, how it is able to accomplish its tasks within a given
time frame, its usability, the possibility, and ease of installing the
system on its intended platform, and if it achieves general aim as

Desired by the stakeholders.

Therefore, system testing is a necessary requirement for any system

and the systems developed during this thesis work underwent testing
to ensure that the aim of the thesis has been achieved. It should also
be stated here that the systems developed were all software
products. Thus, the testing done was software testing.
 7.1 Software Testing Life Cycle
Software testing is also seen as an engineering process that should
have a defined process that should be followed for the effectiveness of
the process to ensure the accuracy of the results obtained. The defined
process is called Software Testing Life Cycle (STLC).

Software Testing Life Cycle is a series of activities defined as

phases that are carried out methodologically towards certifying
that a software product meets it to design and development
requirements. Though this defines a standard, it defers from
organization to organization due to the difference in development
methodologies and management approaches. However, a
generally recommended phase include requirement analysis, Test
planning, Test case development, Environment setup, Test
Execution and test cycle closure.

7.1.1 Requirement Analysis

During requirement analysis in the software testing life cycle,

the various stakeholders are usually contacted for the number of
question and answer session; and then the system requirements are also
studied carefully for better understanding for the purpose of identifying type
of test to be performed on the developed system, definition of testing
priorities and focus, preparation of Requirement Traceability Matrix (RTM),
identification of suitable test environment and detail, as well as feasibility .
Analysis. During this thesis work, the requirements of the systems were
used for the purpose of requirement analysis for software testing purpose.
7.1.2 Test Planning

The test planning phase of STLC involves defining the strategy to be

used during testing, the test schedules, and the test estimates required.
This is usually necessary and requires farsightedness. That is, it involves
the preparation of test strategy document for the different testing types to
be used, selection of the appropriate tool for the testing, the
approximation of test effort required, determination of roles and
responsibilities of the various testers and stakeholders, resource planning
and training.

For this thesis work, resource requirements included the internet, android
devices, computers, volunteer testers, and their time. The researcher relied
more on the internet subscription provided by the institution and also that the
tester would have computer and android devices since most of the volunteer
tester were hopeful to be students of institute.

7.1.3 Test Case Development

Test case development involves identification and development of various test

cases and scripts as well as test data. The test case usually have attributes
such as Test suite identification (TSID), Test case identification(TCID), Test
case summary (TCS), Related Requirements, Prerequisites , Test Procedures ,
Test Data, Expected Result , Actual Result , Status, Remarks , Created By ,
Created Data, Executed By, Date of Execution , Test Environment.

The following Test cases in table 7.1, in their simplified from where developed
for the systems implemented during the thesis work.
TCID TCS Prerequisite Expected Test
Result Environme
nt
BM001 User Creation User Name, After Browser
or Signup will Email, fulfilling
register user Password Validation,
as User will
authenticated allow to
user. enter in the
system.
MM001 Entering in the User unique User Login Browser
system after username account
entering such as Email created
correct user and Password.
login and
Password.
MM002 User Login on User Error Browser
Registration Name/Passwo Message or
system. rd as provided Validation
during account for wrong
creation. user name
or
password.
SEC00 Monitor data Traffic Tester is Browser
1 sent across monitoring of able to
wire a network via monitor
 sniffing could entire data
reveal an move
abundance of across
important network.
data.
SEC00 Looks for Programmer System will Browser
2 “Secret” typically be hack by
keyword stored getting
sensitive data sensitive
in a secret file data.
which could
be reverse
engineered by
hackers.
SEC00 Examine Sometimes Data Base Browser
3 credentials in username, or system
Plan-Text password, IP will hack
while address and easily by
communicatio key are stored plain text
n and information.
transmitted in
clear text
form.
SEC00 Exercise Error page or Inspect and
4 Error Pages condition verify those
and could reveal exposed
conditions much information
 information during error
which aid pruning
hackers in an page.
attack.
SEC00 Examine the If hackers Decrypt Browser
5 areas where recognize the Password
data is sensitive can easily
obfuscated obfuscated allow tester
parts which to enter in
contain the system.
crucial
information
such as
passwords,
they could be
decrypted
even if they
are
obfuscated.
SEC00 Examine URL During the Exposed Browser
6 for Sensitive absence of variable of
data SSL, the URL URL can
is readable in make the
clear text system
form. hackable.
SEC00 Look for Internal Server Windows /
7 internal servers name will Mac SERVER
 server names contain help directly
sensitive to enter not
information only in web
and their application
name could but in entire
aid an Server
attacker in (Hosting
attacking the environmen
internal t)
network.
SEC00 Looks for Sometimes Exposed Browser /
8 more an application Information Windows/MA
information returns too help C
returned than much hackers to
is needed information enter in the
unnecessarily system or
. even in
Hosting
environmen
t.
SEC00 Examine Binary file System will Browser
9 contents of could contain be hack
binary file sensitive after getting
information sensitive
information.
http://resources.infosecinstitute.com/net-penetration-testing-test-case-cheat-
sheet/#gref
7.1.4 Test Environment Setup

Test environment setup phase of STLC involves deciding the hardware and
software conditions required to perform testing of the software product. It
includes setting up a client-server network. If required and other necessary
things such as test data. For the purpose of this testing, a normal secure server
has been used to hose Registration system that is Demonstration project to
apply secure code and apply penetration testing.

7.1.5 Test Execution

During the test execution phase, the test team tests the software product based
on the test plan and test case developed. Identified bugs are corrected and
retested over again. Therefore, requirements traceability matrix is completed
with status of test for each requirements.

In this research, the test case were tested and user was also allowed to use
their function in the developed applications. Identified errors were corrected and
tested again.

7.1.6 Test Cycle Closure

At this phase, the test team identifies the test bottleneck for elimination during
the next testing exercise. Therefore, the test metrics is prepared, learned lesson
documents, qualitative and quantitative report on the testing process, analysis of
the test of the result, and preparation of closure report.

7.1.6 Testing methodologies

The quality of software product is ensured through testing. Though
recommended phase of testing exist, they do not define strict type of testing
approach. Therefore, different testing methodologies also called type of testing
exist.

STLC define phase, Software testing Methodology (STM) define the particular
strategies used in testing a software product. STM may be functional or non-
functional testing approach; all of which aim at ensuring that the software
product meets its specification and that no undesirable output are produced by
the system when tested again worst case scenarios. That is all testing
methodologies and also aim at ensuring that the code has no or too few bugs.

Both functional and non-functional testing methodology have different type

of testing. Software testing methodologies are best implemented
using a Spiral approach which manages requirements, test cases,
bugs, and other issues; providing traceability throughout the testing life
cycle. That is, it supports ease of defect tracking during testing and that
testing can start very in the design or Development phases of the SDLC.

7.2.1 Function Testing

Functional testing is divided into four major categories. They are unit
testing, integration testing, system testing, and acceptance testing.
These are described in brief and how they were applied in this research
work.
7.2.1.1 Unit Testing
Unit testing is concerned with the various modules or components that
collectively make up an application. It is usually developed by
developers during development to ensure that the
Various modules of the different systems making up the overall system were
thoroughly tested. This in part was because unit testing is most suitable for
Agile Development methodology and Object-oriented nature of the
applications every module ranging from payment request from merchant.
Closing of transaction by customer through developed.

7.2.1.2 Integration Testing

Integration testing is performed on modules that have been successfully
tested as units and integrated together' That is, after every integration of the
module or components is again tested to ensure that it performs as
expected.

During the integration of the different modules developed during this research
work, every or those was For example, when integrating the
Captcha module, S t e g a n o g r a p h y m o d u l e ,
encryption/Decryption module and security parameter
module, entry function was called with the requ ired parameters and the
output thereof was examined. Again the same entry function was called but
with wrong parameters either in number or data types.
7.2.1.3 System Testing
System testing involves testing the whole system after integration for errors and
bugs. This is also called black-box testing since the internal workings of the system
is not the major concern but input supplied to the system and the output generated
by the system.

Having integrated the various modules of the Registration System, and

OPAS; the whole system was tested by the researcher who is also the only
developer and then given the project to Final Penetration testing to find
vulnerabilities. The identified errors such as associated with Security issue
were corrected to enhance the usability of the various systems especially

7.2.1.4 Acceptance Testing

Acceptance testing is the last stage of functional testing where the software
product is tested by the expected users to ensure that it performs as specified
in the requirements and that the users are able to use the product comfortably,
the usability of the product.

In this Research work, Pen testers who tested the

systems were assumed to be the final major end users and they were given
google form to write their observation during testing.

7.2.1.5 Usability Testing

Usability testing aims at identifying the challenges users would have while
using the software Product. It is usually directed towards the User Interface
testing.

The implemented system, were assessed against usability, identified challenges

such as the ambiguous use of language were corrected.

7.2.1.6 Conclusion
The testing procedure passed from Penetration testing. External Pen testers
were hired for this purpose who tested the Registration system from their
Remote Location and prepared a list of Bugs and reason of raising bugs in
their Documents.