On completion of this unit the student should be able to respond to a teacher-provided case study to analyse an organisation’s software development practices, identify and evaluate current security controls and threats to software development practices, and make recommendations to improve practices.
-- VCE Computing Study Design 2024-2028
Informal assessment: Notes, Quizzes, Practice SAC
Formal assessment: a SAC where students answer structured questions in response to a teacher provided case study.
Goals are broad statements that help set an organisations culture and priorities
Objectives are specific and measurable in service to the larger org goals
Sub-organisations / Departments should also have Goals and Objectives that follow and support the larger goals
Legislation 🛝, Frameworks (incomplete) 🛝
Privacy Act 1988 (Privacy Amendment Act 2012) (Federal)
Applies to all levels of Government, Contractors
Organisations with >$3M turnover, medical info, or sell/distribute personal information
Consequences of breaking this law are fines (and loss of reputation, etc)
Privacy and Data Protection Act 2014 (Vic)
Applies to Vic Governments and Contractors
Copyright Act 1968 (Federal)
TODO 🛝
ETHICAL != LEGAL
Ineffective security practices
Use of artificial intelligence during development
intellectual property
Copyright issues
Details
Social Impact - displaces/changes jobs & can produce unhealthy work environments
Inequitable access and training - could exaggerate social inequities (financial, racial, social, accessibility, etc...)
Creates a reliance on technology - adds risk and requires ongoing maintenance and updates.
Creates large amounts of data that can be exploited, lost, etc...
Environmental impact - energy use and e-waste
SofDev Environment Vulnerabilities & Security Controls 🛝 (incomplete)
Vulnerabilities
Use of application programming interfaces (APIs)
Malware
Unpatched software
Poor identity and access management practices
Man-in-the-middle attacks (Computerphile video)
Insider threats
Cyber security incidents
Risks present from software acquired by third parties
Ineffective code review practices
Use of combined development, testing and production environments
Version Control
Identity and access management
Encryption: Symmetric and Asymmetric; In transit and at rest
Code Review
Software Updates and Patches
Separated Dev, Test and Prod environments
Anti-Malware
Physical Security Controls (no longer in study design)
Barriers, Locks, Biometrics, Access Logs, Cameras, Guards/Receptionists
Security Appliances (Firewalls, VPNs, IPS)
Backups, Uninterruptable Power Supplies
TODO 🛝
Defining security requirements
Identifying and mitigating threats
Confirming threats have been mitigated
Criteria for evaluating the security of software development practices within an organisation
How the internet works (from Wires to Secure HTTP) - code.org videos
Online Data Security (CSP on Khan Academy)
TODO :)
See the strong privacy policy at code.org as they mainly deal with student data which is inherently more sensitive
Analyse the privacy policy at repl.it to see how well it might meet the APPs
See BitWarden for clearly written terms & privacy policy
Explore Win10 updates - what types of security issues are fixed and how often are updates released?
PayID data breach - 13 Australian banks 2019, 98000 details lost
PTV SQLi vulnerability - teen white-hat hacker investigated [1, 2]
Not in the Dot Points but are still in the Glossary:
Spam Act 2003 (Summary from ACMA)
Charter of Human Rights and Responsibilities Act 2006 (Vic)
Health Records Act 2001 (Vic)
every organisation in Victoria that deals with medical information is bound by the Act.
Provides for right to privacy and access to your info, framework for complaints. AND mandatory reporting rules
11 Health Privacy Principles (similar to the APPs)
Web App risks - old study design
SQL Injections (SQLi)
Cross-site scripting (XSS = JS Injection)
The fix for both injections is to sanitize ALL user input, but that's not always so easy :)
SQL and XSS challenges [dead link] -
Denial of Service attacks, botnets, etc... (not in study design)
Physical Security @ Google Cloud (video) (Data Center Locations)
Morris Worm - the first Internet worm
Pegasus spyware - NSO Group software used by governments and others. Guardian Jul 2021
European Privacy Law: GDPR [Summary: oaic.gov.au, csoonline]
Have I been Pwned - check your own email
Equifax data breach - a MASSIVE and damaging breach
Ashley Madison data breach - embarrassing for those involved
In the EU there is the General Data Protection Regulation (GDPR. 2016) - which is a very strong set of privacy rules, although similar in spirit to the APPs. Because all websites are basically international, they need to comply to the strongest rules out there, which is why you now get Cookie notices everywhere.
The GDPR is a lot stronger than the US law - which lead to things like EU-US Privacy Shield - a framework for sharing data between the two countries. This recently (2020) was decided to be insufficient as it (and similar SCCs) "do not necessarily protect data in countries where the law is fundamentally incompatible with the Charter of Fundamental Rights of the EU and the GDPR, like the US." [Wiki]