Prototype for The International Space Station (ISS) and NASA by The B Team (Group 2), as part of the Secure Software Development module.
The prototype is a demo application that allows admins on the ISS to generate and assign reports to admins at NASA. NASA admins are then able to read these reports.
Note: [Dev] indicates that it is relevant for development in relation to the source code. [Tip] is a reminder or helpful hint. If a few different Python versions are installed, the `python` commands may need to be `python3` or another equivalent instead. Similarly, if a few different pip versions exist, `pip3` may need to be used in place of `pip`.
Prerequisites: Python 3.11+
The initial setup includes creating a virtual environment, which in this case is called `.venv`, then activating the virtual environment, then, within the virtual environment, installing the required packages from the `requirements.txt` file. This is performed by running the following commands in a terminal:
PowerShell
```powershell
python -m venv ./.venv
./.venv/scripts/Activate.ps1
pip install -r requirements.txt
```
Bash
```bash
sudo apt update
sudo apt install python3.10-venv
python3 -m venv foo_env
source foo_env/bin/activate
pip3 install -r requirements.txt
```
[Tip] Always make sure to activate the virtual environment before running any other commands:
PowerShell
```powershell
./.venv/scripts/Activate.ps1
```
Bash
```bash
source foo_env/bin/activate
```
[Tip] If running Linux, make sure Django is installed in your virtual environment, together with django-cryptography and django-csp, before trying to migrate the server (Matthes, 2021; PyPi, 2022; Mozilla, 2016). Alternatively, the required packages can be installed individually like this:
PowerShell
```powershell
pip install django
pip install django-cryptography
pip install django-csp
```
Bash
```bash
pip3 install django
pip3 install django-cryptography
pip3 install django-csp
```
Run the initial migrations and start the server:
PowerShell
```powershell
cd ssd2023
python manage.py migrate
python manage.py runserver
```
Bash
```bash
cd ssd2023
python3 manage.py migrate
python3 manage.py runserver
```
Every time there are changes to the models that need to be propagated into the database, run the following commands:
PowerShell
```powershell
python manage.py makemigrations missions
python manage.py migrate
```
Bash
```bash
python3 manage.py makemigrations missions
python3 manage.py migrate
```
To log in to the back-end database, a superuser needs to be created:
PowerShell
```powershell
python manage.py createsuperuser
```
Bash
```bash
python3 manage.py createsuperuser
```
Back-end database (accessible via http://localhost:8000/admin)
Although it is more secure to share credentials via a password manager such as LastPass (2023), for the purpose of testing this prototype, two sample users' login credentials have been included in the table below. Their (and other users') details can be modified (e.g. resetting passwords) in the back-end database when logged in as the superuser created in an earlier step.
Username | Password | User (Employee) Type |
---|---|---|
justin.thyme | password | ISS Admin |
sam.widge | password | NASA Admin |
Navigate to http://localhost:8000/ in a browser (e.g. Edge, Chrome). Below are screenshots of the ISS and NASA prototype website user interface. The following is an example for the ISS Admin user Justin Thyme (username: justin.thyme).
Logging in with username justin.thyme
Home page view as an authenticated user (Justin Thyme)
Manage mission and optionally generate a report
The `pylint` linter is used to analyse the source code.
Output result of the `ssd2023` module via running the command `pylint ssd2023`:
```text
-------------------------------------------------------------------
Your code has been rated at 10.00/10 (previous run: 9.81/10, +0.19)
```
Output result of the `missions` module via running the command `pylint --load-plugins pylint_django missions`:
```text
************* Module missions
missions\__init__.py:1:0: E5110: Django was not configured. For more information run pylint --load-plugins=pylint_django --help-msg=django-not-configured (django-not-configured)
************* Module missions.admin
missions\admin.py:5:0: E5142: User model imported from django.contrib.auth.models (imported-auth-user)
************* Module missions.models
missions\models.py:4:0: E5142: User model imported from django.contrib.auth.models (imported-auth-user)
************* Module missions.tests
missions\tests.py:3:0: E5142: User model imported from django.contrib.auth.models (imported-auth-user)
************* Module missions.migrations.0001_initial
missions\migrations\0001_initial.py:52:0: C0301: Line too long (109/100) (line-too-long)
missions\migrations\0001_initial.py:58:0: C0301: Line too long (128/100) (line-too-long)
missions\migrations\0001_initial.py:1:0: C0114: Missing module docstring (missing-module-docstring)
missions\migrations\0001_initial.py:1:0: C0103: Module name "0001_initial" doesn't conform to snake_case naming style (invalid-name)
missions\migrations\0001_initial.py:9:0: C0115: Missing class docstring (missing-class-docstring)
------------------------------------------------------------------
Your code has been rated at 9.07/10 (previous run: 9.00/10, +0.07)
```
This application was designed with security features (django, 2023) in mind.
The following features have built-in Django support:
- Administration portal with user authentication and database models
- Salted password hashing (Django's default PBKDF2 hasher, built on SHA-256)
- User session management via cookies
- SQL injection protection through the ORM's parameterised queries
The following settings were added to `settings.py` to achieve input sanitisation measures, session management, and data encryption:
```python
# Content Security Policy
CSP_DEFAULT_SRC
CSP_STYLE_SRC
CSP_FONT_SRC
CSP_SCRIPT_SRC
CSP_IMG_SRC
CSP_FORM_ACTION
CSP_FRAME_ANCESTORS
# XSS protection
SECURE_BROWSER_XSS_FILTER
# X-Frame-Options
X_FRAME_OPTIONS
# X-Content-Type-Options
SECURE_CONTENT_TYPE_NOSNIFF
# SSL
SECURE_SSL_REDIRECT = False
# Cookie Security
CSRF_COOKIE_SECURE
CSRF_USE_SESSIONS
CSRF_COOKIE_HTTPONLY
LANGUAGE_COOKIE_HTTPONLY
SESSION_COOKIE_HTTPONLY
SESSION_COOKIE_SECURE
SESSION_COOKIE_SAMESITE
# HTTP Strict Transport Security
SECURE_HSTS_INCLUDE_SUBDOMAINS
SECURE_HSTS_SECONDS
# Logging
LOGGING
```
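As an added example (not code from the prototype), the following audit flags the development values among the settings listed above that should be changed before the application is deployed; the two settings profiles are constructed here, and the checks rely only on the documented meaning of each Django and django-csp setting.

```python
"""Audit the Django security settings named above before deployment.

Added example, not the prototype's settings.py; both sample profiles below
are constructed (the dev one keeps SECURE_SSL_REDIRECT = False as listed).
"""

ONE_YEAR = 31536000
MUST_BE_TRUE = {
    "SECURE_SSL_REDIRECT": "HTTP requests are not redirected to HTTPS",
    "SESSION_COOKIE_SECURE": "session cookie can be sent over plain HTTP",
    "CSRF_COOKIE_SECURE": "CSRF cookie can be sent over plain HTTP",
    "SESSION_COOKIE_HTTPONLY": "session cookie is readable from JavaScript",
    "SECURE_CONTENT_TYPE_NOSNIFF": "X-Content-Type-Options: nosniff is not sent",
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": "HSTS does not cover subdomains",
}
RISKY_CSP = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def audit(settings):
    """Return a list of findings for a settings dict; [] means all checks passed."""
    findings = [msg for key, msg in MUST_BE_TRUE.items() if settings.get(key) is not True]
    if settings.get("SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        findings.append("session cookie SameSite is not Lax or Strict")
    if settings.get("SECURE_HSTS_SECONDS", 0) < ONE_YEAR:
        findings.append("HSTS max-age is shorter than one year")
    if settings.get("X_FRAME_OPTIONS") != "DENY":
        findings.append("X-Frame-Options is not DENY (clickjacking)")
    for key in ("CSP_DEFAULT_SRC", "CSP_SCRIPT_SRC"):
        # django-csp accepts a tuple of sources; a missing key is treated as wide open.
        if RISKY_CSP & set(settings.get(key, ("*",))):
            findings.append(f"{key} allows inline, eval or wildcard sources")
    return findings


# Constructed development profile, matching the weak value shown on the page.
DEV_SETTINGS = {
    "SECURE_SSL_REDIRECT": False, "SESSION_COOKIE_SECURE": False, "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True, "SESSION_COOKIE_SAMESITE": "Lax",
    "SECURE_HSTS_SECONDS": 0, "SECURE_HSTS_INCLUDE_SUBDOMAINS": False,
    "SECURE_CONTENT_TYPE_NOSNIFF": True, "X_FRAME_OPTIONS": "SAMEORIGIN",
    "CSP_DEFAULT_SRC": ("'self'",), "CSP_SCRIPT_SRC": ("'self'", "'unsafe-inline'"),
}
# Constructed production profile: the same keys with hardened values.
PROD_SETTINGS = {
    **DEV_SETTINGS,
    "SECURE_SSL_REDIRECT": True, "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": ONE_YEAR, "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "X_FRAME_OPTIONS": "DENY", "CSP_SCRIPT_SRC": ("'self'",),
}
```

Running `audit(DEV_SETTINGS)` lists the seven weaknesses of the development profile, while `audit(PROD_SETTINGS)` returns an empty list.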
In addition, AES encryption of social security numbers was added with the django-cryptography package.
The above were added to the application based on attack reports generated by Zaproxy during automatic and manual scans.
It should be noted that the security vulnerabilities found in the final report can be addressed by configuring the production server. Please see the following documentation for assistance, if needed:
- CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP (Mozilla, 2023)
- X-Content-Type-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP (Webhint, n.d.)
- Server Leak: https://crashtest-security.com/server-version-fingerprinting/ (Kiprin, 2021)
Cross-domain resource URLs have been protected using the `integrity` and `crossorigin` attributes (subresource integrity), which can be seen in `base.html`.
Access controls were handled by the admin (superuser) on the admin back-end (see http://localhost:8000/admin). Admin (superuser) permissions include but are not limited to:
- add and delete users
- edit users' statuses
- edit existing users
- create user groups
- add users to groups
- add and remove user permissions
- reset passwords
Permissions to view and generate reports can be demonstrated using the instructions in the User Interface section.
Firstly, the use of Django in the prototype was not part of the original proposal. It was later added to provide the most realistic prototype possible, and to allow for more thorough vulnerability testing via Zaproxy, which requires a running host.
Django's built-in input validation was thus used in place of the boundary validation originally proposed; it can be reviewed in the Security Features section above.
Multi-factor Authentication (MFA) was included in the prospectus, but could not be included in the prototype due to time constraints. This will be added in the production version of the application.
There are also differences between the class diagram and the classes ultimately written in `models.py`. The class diagram has the following classes:
- Report
- Satellite
- Project
- Mission
- Division
- Employee
While the prototype `models.py` has:
- Employee
- Division
- Mission
- MissionReport
- SecurityClearance
This prototype is meant to demonstrate the ISS Admin's ability to generate and send reports to the NASA Admin. As a result, satellite engineer and NASA employee classes were out of scope for this prototype.
As satellite data must be input by the ISS engineer, access to this data will be configured on the production server in the production version of the application.
Likewise, NASA employee access to report content will be added as needed in the production version of the application.
To run the unit and integration tests:
PowerShell
```powershell
python manage.py test
```
Bash
```bash
python3 manage.py test
```
Output of the tests:
```text
Found 13 test(s).
Creating test database for alias 'default'...
System check identified no issues (0 silenced).
.............
----------------------------------------------------------------------
Ran 13 tests in 17.343s
OK
Destroying test database for alias 'default'...
```
- Django (2023a) Writing Your First Django App, Part 1. Available at: https://docs.djangoproject.com/en/4.2/intro/tutorial01/
- Django (2023b) Working with Forms. Available at: https://docs.djangoproject.com/en/4.1/topics/forms/
- Django (2023c) Security in Django. Available at: https://docs.djangoproject.com/en/4.2/topics/security/
- Kiprin, B. (2021) Web Server Information Leakage Security Assessment | CrashTest Security. Available at: https://crashtest-security.com/server-version-fingerprinting/
- LastPass (2023) Password Management from Anywhere. Available at: https://www.lastpass.com/
- Matthes, E. (2019) Python Crash Course: A Hands-On, Project-Based Introduction to Programming. San Francisco, USA: No Starch Press.
- Mozilla (2016) Installing django-csp. Available at: https://django-csp.readthedocs.io/en/latest/installation.html
- Mozilla (2023) Content Security Policy. Available at: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- Pypi (2023) pylint 2.17.2. Available at: https://pypi.org/project/pylint/
- Pypi (2022) django-cryptography 1.1. Available at: https://pypi.org/project/django-cryptography/
- Vincent, W. (2022) Django Login and Logout Tutorial | LearnDjango. Available at: https://learndjango.com/tutorials/django-login-and-logout-tutorial
- Webhint (n.d.) Use X-Content-Type-Options Header. Available at: https://webhint.io/docs/user-guide/hints/hint-x-content-type-options/
- ZAP (2023) Active Scan. Available at: https://www.zaproxy.org/docs/desktop/start/features/ascan/