Artemis Financial is a financial consulting company that creates personalized financial plans for its customers. The company requested Global Rain to examine its current RESTful web application for security vulnerabilities. As a financial organization, Artemis Financial handles significant amounts of its customers’ personal and financial data. Theft or compromise of this data can cause serious harm, and its protection is subject to international, national, and state regulations. Therefore, it is crucial to ensure that any code operating with this information is designed and implemented in a safe and secure manner. By doing so, a company protects itself from legal issues while also building trust with its customers.
Reviewing Artemis Financial’s code and implementing additional security features, such as a checksum verification system, was a relatively simple process. Conversely, performing dependency checks is difficult because false positives and the correct fix for a detected vulnerability are not always obvious. Additional steps in improving the application’s security included ensuring that the application complies with modern security standards, such as using HTTPS, and performing multiple security tests. Testing was the central part of the security assessment strategy: it helped identify vulnerabilities, guided the choice of mitigation techniques, and verified that those techniques worked and that the application remained both functional and secure. OWASP’s Dependency-Check tool was particularly useful, as it provides a list of suspected vulnerabilities and links to appropriate mitigation techniques. This tool will serve as an important part of future security assessment assignments.
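To make the checksum verification step concrete, here is an added Java example; it is not code from this write-up or from Artemis Financial’s application, and the write-up does not say which hash the assessment used, so SHA-256 is an assumption. The class name ChecksumVerifier and the sample payload are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: compute a SHA-256 checksum and verify data against it.
// SHA-256 is assumed; MD5 and SHA-1 are not collision resistant and should
// not be used for integrity checks in new code.
public final class ChecksumVerifier {

    private static final String ALGORITHM = "SHA-256";

    // Returns the lowercase hex encoding of the SHA-256 digest of data.
    public static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            byte[] digest = md.digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // Every standard JDK ships SHA-256, so this indicates a broken runtime.
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    // Compares the computed checksum with the expected one in constant time,
    // so the comparison itself does not leak how many leading bytes matched.
    public static boolean verify(byte[] data, String expectedHex) {
        byte[] actual = sha256Hex(data).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expected);
    }

    public static void main(String[] args) {
        // Constructed sample payload; in the application this would be the
        // data whose integrity the client needs to confirm.
        byte[] payload = "Hello World Check Sum!".getBytes(StandardCharsets.UTF_8);
        String checksum = sha256Hex(payload);
        System.out.println("SHA-256: " + checksum);
        System.out.println("verify (same data):  " + verify(payload, checksum));

        // A single changed byte produces a completely different digest.
        byte[] tampered = "Hello World Check Sum?".getBytes(StandardCharsets.UTF_8);
        System.out.println("verify (tampered):   " + verify(tampered, checksum));
    }
}
```

The verification path matters as much as the hashing: publishing the checksum only proves something if the receiving side recomputes it and compares with `MessageDigest.isEqual`, and the checksum itself has to be delivered over a channel (such as HTTPS) that an attacker cannot rewrite along with the data.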
Overall, this assignment demonstrates my broad understanding of the key principles of secure coding and familiarity with relevant tools. It showcases my ability to work with a variety of tools, including OWASP’s Dependency-Check, cryptographic certificate generation and application, familiarity with the Java programming language, and testing, both manual and automated. Additionally, it shows my ability to explain these principles and key decision-making processes related to application and code security.