You've been commissioned to create a prototype of a note sharing app. The app should allow users to save notes they've written. They should also be able to share notes with specific users.
The stakeholders would like the prototype to be deployed online using a hosting service such as Heroku. The company they represent has been involved in a major security scandal recently involving broken access control; as such, they are extremely concerned about security and have asked that, alongside the software, you create a short report explaining how you've ensured your application is protected against the OWASP Top 10 security vulnerabilities.
It's likely you will offload some of the work to a library or framework. For example, you might not deal with SQL directly but instead use an ORM such as Sequelize or Entity-Framework. In this case, you should research how these components protect against the relevant security threats (e.g. SQL injection for an ORM, XSS for a front-end framework etc.) and include this in your report.
| ID | Priority | Description |
|---|---|---|
| F1 | Must | Users must be able to create an account with a username and password |
| F2 | Must | Users must be able to create, read and delete private notes |
| F3 | Should | Users should be able to give read-access to existing notes to other users by specifying their username |
| ID | Priority | Description |
|---|---|---|
| NF1 | Must | The application must be secure against the OWASP Top 10 vulnerabilities |
| NF2 | Must | The steps taken to protect against the OWASP Top 10 must be included in a separate document |
| NF3 | Must | The application must be accessible online (i.e. be deployed) |
| NF4 | Must | The application must meet modern accessability standards |
| NF5 | Must | The application's UI must be constructed using a component-based approach |
| NF6 | Should | The application should include a set of unit and integration tests (including testing for security) |
| NF7 | Should | The application should be responsive (e.g. to different screen sizes) |
The company shareholders have insisted that the prototype you create is penetration tested. An expert pen-tester (peer in your cohort) will review the documentation you've created and your src code, then attempt to hack into your application.