Agora Tutoring - Cybersecurity: Vulnerability Remediation
Project scope
Categories
Cloud technologies Website development Security (cybersecurity and IT security) Software development DatabasesSkills
cryptography code review nosql multi-factor authentication server-side role-based access control (rbac) authorization (computing) algorithms encryption mongodbProject Overview
This project is designed to help Agora Tutoring improve its cybersecurity posture by addressing key vulnerabilities identified in a recent security assessment. Students will work to evaluate, recommend, and implement specific repairs in alignment with the OWASP Top 10 vulnerabilities, enhancing Agora's ability to protect sensitive data and prevent unauthorized access.
Project Goal
The main objective of this project is to guide students through real-world cybersecurity repair processes, focusing on areas like access control, cryptography, injection prevention, and logging. By the end of this project, students will have contributed to a safer and more robust platform for Agora Tutoring.
Project Tasks and Activities
1. Broken Access Control
- Issues: Insufficient role-based access controls allow unauthorized access to sensitive data.
- Repairs: Implement stricter role-based access controls (RBAC), enforce mandatory access verification, and audit access logs for unauthorized attempts.
2. Cryptographic Failures
- Issues: Weak encryption practices, such as insecure algorithms or poor key management, could lead to data breaches.
- Repairs: Upgrade to secure encryption standards, ensure encryption for data in transit and at rest, and implement strong key management practices.
3. Injection Attacks
- Issues: Susceptibility to SQL, NoSQL, and other injection attacks through unsecured data inputs.
- Repairs: Use parameterized queries, sanitize inputs, and conduct regular code reviews to prevent injection vulnerabilities.
4. Security Misconfiguration
- Issues: Misconfigured servers, default passwords, and exposed configurations increase risk.
- Repairs: Securely configure all servers, update default settings, restrict unnecessary features, and automate security patching.
5. Vulnerable and Outdated Components
- Issues: Use of outdated or unsupported third-party libraries and dependencies.
- Repairs: Regularly update libraries, use dependency-checking tools, and establish an upgrade policy for critical dependencies.
6. Identification and Authentication Failures
- Issues: Weak authentication mechanisms, including lack of multi-factor authentication (MFA).
- Repairs: Implement MFA, enforce password complexity requirements, enable session timeouts, and set account lockouts after failed login attempts.
7. Software and Data Integrity Failures
- Issues: No integrity checks for software updates, increasing risk of tampered code.
- Repairs: Use hashing for data integrity, verify software updates, and apply secure CI/CD processes.
8. Security Logging and Monitoring Failures
- Issues: Insufficient logging of security events, leading to delayed incident detection.
- Repairs: Enhance logging for custom events, automate alerting, and establish regular log reviews to detect suspicious activities.
9. Insecure Design
- Issues: Lack of secure design practices, such as threat modeling, leading to overlooked security weaknesses.
- Repairs: Adopt a secure SDLC with built-in threat modeling and regular security assessments in the design phase.
10. Cross-Domain JavaScript Source File Inclusion
- Issues: Inclusion of third-party JavaScript files from external sources, which may introduce malicious code.
- Repairs: Apply Subresource Integrity (SRI) checks, download critical scripts to local servers, and minimize third-party dependencies.
11. Console Logging of Sensitive Information
- Issues: Console logs reveal sensitive information that can aid attackers.
- Repairs: Remove sensitive information from logs, avoid
console.log()
in production, and enforce logging policies to protect data.
12. Insufficient Logging for Custom Events
- Issues: Missing detailed logs for custom events like changes in user roles, authentication settings, and critical system activities.
- Repairs: Expand logging for key events and monitor authentication and authorization activities to track unusual patterns.
13. Server-Side Request Forgery (SSRF)
- Issues: SSRF vulnerabilities could allow attackers to manipulate server requests to gain unauthorized internal access.
- Repairs: Validate and restrict URLs or server requests, employ network segmentation, and use firewalls to prevent unauthorized internal access.
14. Backup and Data Recovery
- Issues: Insufficient backup strategy for critical databases (e.g., MongoDB), risking data loss.
- Repairs: Implement regular, automated backups with verification checks, store backups securely, and routinely test recovery processes.
Providing specialized, in-depth knowledge and general industry insights for a comprehensive understanding.
Providing access to necessary tools, software, and resources required for project completion.
Scheduled check-ins to discuss progress, address challenges, and provide feedback.
Supported causes
Quality educationAbout the company
Executive Summary:
Agora Tutoring is an online marketplace akin to Kijiji, equipped with a map function similar to Uber, specializing in connecting students with local tutors for in-person educational sessions.
Company Overview:
Agora Tutoring is an online dedicated platform that connects students with local tutors for in-person educational sessions. By focusing exclusively on face-to-face interactions, Agora Tutoring aims to foster a more personalized and effective learning experience. The platform serves as a bridge between students seeking tailored educational support and independent tutors looking for meaningful teaching opportunities in their local areas.
Services:
Agora Tutoring provides a user-friendly web platform where students can search for and connect with tutors across a variety of subjects and educational levels. The service is designed to facilitate in-person tutoring engagements, enabling direct interaction and hands-on learning that virtual platforms cannot replicate.
Business Model:
Agora operates on a subscription-based model where users pay a monthly fee to access the platform and connect with tutors. Tutors, as independent contractors, set their own rates and schedules by connecting through Agora Tutoring. This model ensures a steady revenue stream for the platform while also providing tutors with a consistent flow of potential students.
Target Market:
The platform primarily targets students at all academic levels who prefer or require in-person tutoring to achieve their educational goals. This includes K-12 students, college students, and adult learners seeking professional development or personal enrichment in specific subjects. Parents looking for reliable and accessible tutors for their children are also a key demographic.
Strategic Goals:
Agora Tutoring aims to become the leading provider of in-person tutoring services within local communities. Strategic objectives include expanding its user base, increasing the number of tutors on the platform, and enhancing the overall user experience with features that make scheduling and session management more efficient for both students and tutors.
Competitive Advantage:
Agora Tutoringโs commitment to exclusively in-person tutoring sessions sets it apart in an era where virtual platforms are prevalent. This focus on local, face-to-face interactions not only improves learning outcomes but also builds a sense of community and trust among users. Additionally, the subscription model offers users unlimited access to potential tutoring, providing flexibility and value that single-session fees cannot match.