Security Exam
To obtain your "Crossmarx Security Certificate" and become a "Certified Crossmarx Security Developer", you will need to pass the following test to show that you know how to develop an application with the Crossmarx Application Platform in a secure way.
You will receive access to an application from Crossmarx which contains vulnerabilities. The application is called "Academy Security". It will be your task to look through the application and identify the vulnerabilities as well as give an appropriate mitigation.
Some context about the application: it is a forum for logged-in members. Visitors who are not logged in are not allowed to do anything. There are 3 user groups and a couple of accounts. The login information for each account is:
- Super user group: Administrator
  Email: admin@test.nl
  Password: IAmAdmin
- User group: Moderator
  Email: moderator@test.nl
  Password: 1@mModerator
- User group: Regular
  Email: jane@test.nl
  Password: 1@mJanineDoe
- User group: Regular
  Email: johnny@test.nl
  Password: 1@mJohnnyDoe
There are 30 vulnerabilities in the application. See https://studio.crossmarx.nl/page/1271/security-certification for Crossmarx references. Think of the OWASP top 10 for web development. There are NO vulnerabilities in JavaScript/CSS files. Files written with Apache Velocity may contain vulnerabilities.
To record your progress, please keep track of each vulnerability you find and write down the following:
- Where did you find the vulnerability?
- What is wrong?
- What would be right?
Some vulnerabilities we consider more important, and finding them is mandatory. These are the ones most closely related to the OWASP top 10 for secure web development and concern data security. If you have found all mandatory vulnerabilities and a certain number of the less crucial ones, you will receive our "Crossmarx Security Certificate" and become a "Certified Crossmarx Security Developer". In other words, you do not have to find all 30 vulnerabilities.
You may fail this test. If that is the case, we will discuss why we considered that necessary, as well as any possible solutions.
Thank you for participating in this test. Good luck!