Printer Friendly

A Case Study of Adopting Security Guidelines in Undergraduate Software Engineering Education.

1. Introduction

Security is a term that you simply cannot get rid of. As computers become more and more prevalent in our daily lives it becomes even more important to safeguard these technologies. This is just as important as in the topic of software engineering. A vast majority of attacks make use of software vulnerabilities that are entirely preventable. It is stated by a pair of two leading experts, John Viega and Gary McGraw, "behind every computer security program and malicious attack lies a common enemy--bad software" [1]. Within the topic of software engineering, security is defined as the effort to create software in a secure computing platform. Software security prevents the following: leaks of confidential data, alternation of data without the knowledge of the system, and unauthorized access to the system [2].

Software must be designed as well as implemented so that the secured users can perform actions that are needed and have been allowed. Building secure software involves many requirements and polices which thus produce a set of laws, rules, and practices that users have to abide by. These policies would address the following: data security, information security, and content security [2]. Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computer, databases and websites [3]. Some examples of data security technologies include software/hardware disk encryption, backups, data masking and data erasure [3]. Information security is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions [4]. Content security or sometimes referred to as digital rights management is the use of software or other computer technology to manage the conditions under which copyrighted material in digital form can be accessed [5].

Almost all computers are connected to a local network or the Internet so every piece of the software deployed in a system is subject to potential adversaries. Several approaches in literatures have aimed atreducing potential software breaches [6]-[8] and the ones that integrate security aspects into Software Development Life Cycle (SDLC) are adopted most [6] [9]-[ll]. However, they may not be good resources for educating computer science students because complicated knowledge and procedures are involved in every phase of the SDLC.

This paper focuses on using existing products and selected security guidelines to explain and verify how to implement a secure application. We have selected 13 critical questions from several Java security guidelines to reflect most common security errors in students' codes. We then use these critical questions to assess every component in the selected capstone project. Each component will be scored using McCumber's Cube model which evaluates information security in terms of data confidentiality, integrity, and availability [12]. Possible solutions for each vulnerability are also suggested.

The remainder of this paper is organized as follows: Section 2 reviews related work. Section 3 brings up our motivation. Section 4 defines software security metrics adopted by this paper. Section 5 explains the approach of adopting security guidelines to identify software vulnerabilities. Section 6 presents background of the selected capstone project. Section 7 assesses every component in the capstone project and discusses our observations and suggestions. Section 8 lists our observations and suggestions. Section 9 concludes this paper and points out future work.

2. Related Work

Several literatures have studied and addressed strategies with regards to how to implement security within the software development process. For example Computer Emergency Response Team (CERT) began new research in 2009 in software security measures that build on CERT'S core competence in software and information security. The overall purpose of this research was to address the following questions which include: "how do I establish and specify the required/desired level of security for a specific software application, set of application software-reliant system, system of systems, supply chains, and other multi-systems environments" [13]. Also, "how do I measure, at each phase of the development or acquisition life cycle that the required and/or desired level of security has been achieved?" [13].

In addition, Jorge A. et al. have also researched this topic [14]. They both believe that most of the software developed in the world use classic methods which include: the classic Waterfall Model, Spiral Model, Capability Maturity Model Integration (CMMI), Team Software Process (TSP) and Personal Software Process (PSP) [6] [14]. All of these classic methods with regards to software development are mainly dedicated to the quality and consistency of the software development process and not security. They believe it is necessary to modify these classic evolutionary deployment models by adding computer science security. Their paper propose to add security through all the phases of the process. They have concluded that everything within the process of software development must be reviewed thoroughly [14].

The McCumber Cube methodology offers a structured approach to assessing while also managing security risk in IT systems [12] [15] [16]. This model relies on the implementer to identify information assets and then think of risk management in a deconstructed view across 3 different characteristics which include as follows: confidentiality, integrity and availability of critical information [12] [16]. The strength in this model is in the multidimensional view required to implement robust Information Assurance (IA) programs. Well-executed systems will include this IA model during all phases of the SDLC.

3. Motivation

We have observed several cases showing the consequences of software vulnerabilities [17] [18]. For instance, a report from Capers Jones reveals that there are a number of vulnerabilities in most commercial software with 10,000 function point size range and it will cost almost 50 cents out of every dollar to find and fix bugs [17].

Another report, released by B2B International and Kaspersky Lab in 2013, reveals that the average financial loss of IT security breaches suffered by large companies from a single serious incident was $649,000. For small and medium size companies, the average financial loss was $50,000. Meanwhile, they also indicated that vulnerabilities in the software ranked highest among all internal threats faced by companies during 2011-2013 and about 10% of these threats caused leaks of important business data [18].

These instances bring up our motivation of studying and engaging software security and quality knowledge into software engineering education. We make the assumption that with strong security knowledge gained during their undergraduate programming courses, our future software engineers will be able to eliminate most vulnerabilities within applications in the earlier stages of their SDLC process. As a result, many security breaches happened in today's software could be eliminated and financial loss associated with them could be saved and re-invested.

4. Software Security Metrics

Several literatures have proposed the metrics of measuring software quality or security [19] [20]. In this paper, we assume that a potential vulnerability exists if a defect in the code leads to the violation of data confidentiality, integrity, and availability. Where, defect is defined as any issue that causes incomplete executions of the software. Thus, this assumption could be rewritten as:

A defect z e {vulnerability} ifz leads to the violation of data confidentiality, integrity, and availability. We also define the vulnerability density ([V.sub.D]) as the number of vulnerabilities in one line of code (LOC). Therefore, we have

where, V is the number of vulnerability and S is the size of the software in the unit of one LOC. Vulnerability density could be used to measure the programming in terms of how secure the code is. If other conditions are the same, a program with a higher vulnerability density is likely to be compromised more often.

5. Adopting Security Guidelines to Identify Software Vulnerabilities

To identify potential vulnerabilities in the application, this paper adopts security guidelines from several resources which emphasize on Java security design and implementation. As shown in Table 1, we create a 3-column table to address the criteria for identifying software vulnerabilities. A list of 13 critical questions derived from several existing Java security guidelines [2] [7] [8] [21] [22] is presented in the first column. These 13 questions are used to assess every component in the application to see whether there exist vulnerabilities in such a component. Explanations of every critical question are presented in the second column. Last, potential vulnerabilities of every component against the three security characteristics (i.e. confidentiality, integrity, and availability) addressed in the McCumber Cube model are listed in the third column. We examine most components including variables, methods, and classes in the application thoroughly to see whether any of them violates these security characteristics and to count the number of vulnerabilities as well as the vulnerability density of the application.

6. Capstone Project Background

Since focusing on software engineering education, we choose a computer science capstone project as the sample to examine common security vulnerabilities appearing in students' projects. The application is selected from last year's senior computer science capstone course. The goal of this project was to create an application for computerized stock trading. The student team developed their own algorithms to implement their trading strategy with how they buy or sell stocks. The algorithms are based on the trading strategies including high-frequency trading, day-trading, and investment. High-frequency trading strategy is where stocks are only held for a fraction of second or a few seconds. Day trading is a strategy where stocks may be purchased and sold several times in the same day. Finally investment strategy; where the holding period may be a few days, weeks, or even a holding period for a long-term capital gain.

The capstone project consists of 5 Java classes: M3_Main, Wallet, Stock, Transactions, and TradeDecision. M3_Main class is the main class that interacts with other classes in the product. Wallet class handles all transactions that happen within the wallet whenever the application buys or sells stock based on their own algorithm. Stock class handles all information regarding the stocks depending on the application buying or selling based on the algorithm. Transactions class is used for transactions made between the automated buying and selling of stocks while also allocating enough money within the wallet when the application buys a stock. TradeDecision class is used for the trade decision between how stocks are bought and sold within the application. The project has totally about 2036 lines of code.

7. Vulnerability Assessment for the Capstone Project

Below these 3-columntables (Tables 2-11) provide in depth critiques of this capstone project which includes its classes, variables, and methods. In these tables, column 1 displays the details of variables or methods in each class; column 2 explains the meanings of variables or methods in the 1st column; and column 3 indicates the critical questions that compromise variables or methods in the 1st column.

8. Observations and Suggestions

In this research, we observe that there are several common security vulnerabilities appearing in the capstone project. We have analyzed them and addressed our suggestions below:

* Accessibility of class, method, and variable should be addressed properly to protect data confidentiality, integrity, and availability.

* Resources must be closed properly after released to protect data confidentiality, integrity and availability.

* Resources must be monitored with special syntax and identifier to protect data confidentiality, integrity and availability.

* Inner classes should be avoided to protect data confidentiality, integrity and availability.

* Static variables should be avoided to protect data integrity.

* Sensitive information should not be included in any part of codes and should be encrypted to protect data confidentiality.

At the end, 123 potential vulnerabilities (51 variables and 72 methods) are identified and classified in the capstone project with total of about 2036 lines of code. Therefore, the vulnerability density of this project can be estimated as:

[V.sub.D] = [123]/[2036] [approximately equal to] 6%

This 6% vulnerability density is relatively high while comparing with most commercial applications [19]. However, we have to take into account that this represents students from last year's computer science capstone course, who lack in software security awareness and quality knowledge. After the software security and quality knowledge have been introduced to a new group of students in this year's senior computer science capstone course. Students in the new group are capable of identifying and rewriting these 51 variables and 72 methods. The revised project has eliminated most vulnerabilities listed on the Table 12 and has the vulnerability density close to 0%. That is [V.sub.D] [approximately equal to] 0%.

9. Conclusions

After the study conducted on this capstone project we can now see and understand the underlying vulnerabilities that lie within this Java code. It is evident that the variables and methods within each of these classes are feasible to exploit within the application. It is also evident that the developers of the capstone project, while implementing, they were not aware of the threats they posed on themselves while developing. The very focus of this paper is to conduct a vulnerability assessment of this Java code to reveal its vulnerabilities. As you can see by using the guidelines above it is apparent that this application can pose many threats which include the following: integrity, confidentiality and even the availability of the entire application.

For example the use of public variables being created can pose threats of the following just listed. This was exemplified throughout the application time and time again. Another constant vulnerability that was found throughout the Java code included using static field variables. Since static variables can be modified by other classes in the same scope, data integrity can be violated throughout the application. This vulnerability was exemplified in almost every class throughout the application, which can have serious impact to the core of the program. Constantly understanding and being aware of the threats that may occur throughout developing is very important in all applications and languages no matter what you're programming in.

Having awareness throughout implementation of an application by using the guidelines and taking the time to cautiously implement will have great benefits, while also providing a more secure application. Again, the vulnerability assessment results confirm that the capstone project can be exploited to be able to carry out intellectual and also component penetrations. And this result also confirms the importance of our approach for adopting security guidelines into undergraduate software engineering education.

Acknowledgements

Dr. Yen-Hung Hu is an Associate Professor in the Department of Computer Science at Norfolk State University. Prior to joining the NSU, he was the Director of the Information Assurance Center at Hampton University and PI of the NSF CyberCorps: SFS HU GETS-IA program. Charles Scott is a graduate student in the Department of Computer Science at Hampton University and a scholarship recipient of the NSF CyberCrops: SFS: HU GETS-IA program.

References

[1] Raman, J. (2006) Regulating Secure Software Development. University of Lapland Printing Centre, Rovaniemi.

[2] Sinn, R. (2008) Software Security Technologies: A Programmatic Approach. Thomson Course Technology, Boston.

[3] Janssen, C. (2010) Data Security. Techopedia. http://www.techopedia.com/defrnition/26464/data-security

[4] Janssen, C. "Information Security (IS)". Techopedia. http://www.techopedia.com/defmition/10282/information-securitv-is

[5] "Digital Rights Management". The Free Dictionary. http://www.thefreedictionarv.com/Content+security

[6] Grembi, J.C. (2008) Secure Software Development: A Security Programmer's Guide. Thomson Course Technology, Boston.

[7] Oracle, "Java SE Security Documentation". http://www.oracle.com/technetwork/iava/index-139231.html

[8] Long, F., Mohindra, D., Seacord, R.C., Sutherland, D.F. and Svoboda, D. (2011) The CERT Oracle Secure Coding Standard for Java, Addison-Wesley Professional.

[9] What Are the Software Development Life Cycle Phases? http://istqbexamcertification.com/what-are-the-software-development-life-CYcle-sdlc-phases/

[10] Howard, M. and Lipner, S. (2004) The Trustworthy Computing Security Development Lifecycle. IEEE 2004 Annual Computer Security Applications Conference, Tucson.

[11] Davis, N. (2006) Secure Software Development Life Cycle Process. Carnegie Mellon University, Pittsburgh. https://buildsecuritvin.us-cert.gov/articles/knowledge/sdlc-process/secure-software-development-life-cvcle-processes.

[12] Maconachy, W.V., Schou, C.D., Ragsda, D. and Welch, D. (2001) A Model for Information Assurance: Integrated Approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Mlitary Academy, West Point, New York, 5-6 June 2001.

[13] Allen, J. (2010) Measuring Software Security. Carnegie Mellon University, Pittsburgh.

[14] Ruiz-Vanoye, J.A., Diaz-Parra, O., Arias, M.D.I.A.B. and Saenz, A.C. (2013) A Model for Evolutionary Software Development with Security (MESS) Applied to an Electrical Research Institute. Mexican Journal of Scientific Research, 2, 2-22.

[15] Whitman, ME. and Mattord, H.J. (2012) Principle of Information Security. 4th Edition, Thomson Course Technology, Boston.

[16] "Review: McCumber Cube Methodology," Protect Your Bits, 5 October 2009. http://protectvourbits.wordpress.com/2009/10/05/review-mccumber-cube-methodology/

[17] Jone, C. (2012) Software Quality Metrics: Three Harmful Metrics and Two Helpful Metrics.

[18] Lab, K. (2013) Global Corporate IT Security Risks: 2013.

[19] Alhazmi, OH., Malyiya, Y.K. and Ray, I. (2006) Measuring, Analyzing and Predicting Security Vulnerabilities in Software Systems. Computer & Security, 26, 219-228.

[20] Mohagheghi, P., Conradi, R., Killi, OM. and Schwarz, H. (2006) An Empirical Study of Software Reuse vs. Defect-Density and Stability. Proceedings of the 26th International Conference on Software Engineering, Edinburgh, 23-28 May 2006, 282-292.

[21] CWE, CWE-844: Weaknesses Addressed by the CERT Java Secure Coding Standard. Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/844.html

[22] Oracle, Secure Coding Guidelines for the Java Programming Language, Version 4.0. http://www.oracle.com/technetwork/java/seccodeguide-139067.html

Yen-Hung Hu (1), Charles Scott (2)

(1) Department of Computer Science, Norfolk State University, Norfolk, Virginia, USA

(2) Department of Computer Science, Hampton University, Hampton, Virginia, USA

Email: yhu@nsu.edu, chazzscott15@gmail.com

Received 20 September 2014; revised 22 October 2014; accepted 18 November 2014

http://dx.doi.org/10.4236/icc.2014.214003
Table 1. Critical questions, explanations, and potential software
vulnerabilities.

Critical Question                  Explanation

Q. 1. Limit the accessibility of   Use an access modifier to limit their
classes, interfaces, methods, and  accessibility. The four access
fields                             levels are:
                                   * Default: visible to the package. No
                                   modifiers are needed.
                                   * Private: visible to the class only
                                   * Public: visible to the world
                                   * Protected: visible to the package
                                   and all subclasses.
Q.2. Use a try-with-resources      The try-with-resources statement
statement to safely handle         ensures that each resource is closed
closeable resources.               at the end of the statement.
Q.3. Avoid using try-catch-        Ordinary try-catch-finally block can
finally block.                     raise some issues: such as failing to
                                   close a resource because an exception
                                   is thrown as a result of closing
                                   another resource, or masking an
                                   important exception when a resource
                                   is closed.
Q.4. Use the same type for the     Use different types in a conditional
second and third operands in       expression may cause unintended type
conditional expressions.           conversions.
Q.5. Avoid using static field      Static variables are class variables,
variables.                         not instance variables Science any
                                   other class in the same scope can
                                   access the static variables, it is
                                   very difficult to secure them.
Q.6. If possible make public       Otherwise, attacker may change the
static fields final                value.
Q.7. If possible, use              Contents of the mutable object can be
immutable objects.                 changed.
Q.8. Avoid storing user-given      Contents of the mutable objects can
mutable objects directly.          be changed. Clone the objects before
                                   processing them internally.
Q.9. Avoid using inner classes.    After compilation, any class in the
                                   package can access the inner class.
                                   Meanwhile, private filed of the inner
                                   class will be converted into
                                   non-private to permit access by the
                                   inner class.
Q.10. Avoid using the clone()      Inappropriate use of the clone()
method to copy untrusted method    method can allow an attacker to
parameters                         exploit vulnerabilities by providing
                                   argument that appear normal but
                                   subsequently return unexpected
                                   values. Such objects may consequently
                                   bypass validatior and security
                                   checks [22].
Q. 11. Make secure classes         Otherwise, malicious developers can
un-cloneable.                      instantiate a class without running
                                   its constructors [2].
Q.12. Avoid embedding sensitive    Malicious developers can obtain such
information                        a sensitive information
Q. 13. Prevent constructors        Constructors that call override
from calling methods that          methods give attackers a reference
can be overridden                  to the object being constructed
                                   before the object has even been
                                   fully initialized

Critical Question                   Potential Vulnerabilities against
                                    Security Characteristics in the
                                    McCumber Cube Model:
                                    Confidentiality, Integrity,
                                    Availability

Q. 1. Limit the accessibility of    If wrongly declared, data
classes, interfaces, methods, and   confidentiality, integrity, and
fields                              availability may be violated.
Q.2. Use a try-with-resources       When resources are not closed
statement to safely handle          properly, data confidentiality,
closeable resources.                integrity, and availability may
                                    be violated.
Q.3. Avoid using try-catch-finally  When resources are not closed
block.                              properly, data confidentiality,
                                    integrity, and availability may
                                    be violated.
Q.4. Use the same type for the      When types are not the same, data
second and third operands in        integrity may be violated.
conditional expressions.
Q.5. Avoid using static field       Since static variables can be
variables.                          modified by other classes in the
                                    same scope, data integrity may be
                                    violated.
Q.6. If possible make public        If value changed, data integrity
static fields final                 may be violated.
Q.7. If possible, use immutable     If contents changed, data integrity
objects.                            may be violated.
Q.8. Avoid storing user-given       If contents changed, data integrity
mutable objects directly.           may be violated.
Q.9. Avoid using inner classes.     If other classes in the package can
                                    access the inner class, data
                                    confidentiality and integrity may be
                                    violated. If private filed of the
                                    inner class changed, data integrity
                                    may be violated.
Q.10. Avoid using the clone()       Data confidentiality and integrity
method to copy untrusted method     may be violated.
parameters
Q. 11. Make secure classes          This may violate data
un-cloneable.                       confidentiality and integrity.
Q.12. Avoid embedding sensitive     This may violate data
information                         confidentiality.
Q. 13. Prevent constructors from    This may violate data integrity
calling methods that can be
overridden

Table 2. Vulnerability assessment for variables in the M3_Main class.

Variable                     Description

public static String         Setting static string variable to the word
accountPassword = "hello";   string "hello"
public static String         Public static String variable setting
secQuestion1Answer = "";     itself to empty quotes
public static String         Public static String variable setting
secQuestion2Answer = "";     itself to empty quotes
public static boolean        Public static Boolean variable names
accountInitialized = false;  "accountlnitialized" which is then set
                             to false
public static boolean        Public static Boolean variable names
policyChecked = false;       "policyChecked" which is then set to false
public static Wallet         Sets static object Wallet for the wallet
myWallet = new               within the application. Set
Wallet(1000000);             value of 1 million.
Timer timer = new timer();   Creating object called timer
Calendar now;                Using calendar class for market times
int hour;                    of operation integer variable named
                             "hour" used for time for market hours of
                             operation
int minute;                  Integer variable named "minute" used for
                             time for market hours of operation
int day;                     Integer variable named "day" used for
                             time for market hours of operation
Stock stock;                 A stock object
public static boolean        Boolean variable that sets "MarketlsOpen"
marketlsOpen = false;        to false
public boolean               Boolean variable that sets "stockisOwned"
stocklsOwned = false;        to false
public int x = 0;            Public integer variable "x" set to 0
public static int            Public static integer variable
rowCount = 0;                "rowCount" to 0

Variable                                           Critical Questions
                                                   Associated With This
                                                   Variable

public static String accountPassword = "hello";    Q.1, Q.5, Q.6, Q.12
public static String secQuestion1Answer = "";      Q.1, Q.5, Q.6
public static String secQuestion2Answer = "";      Q.1, Q.5, Q.6
public static boolean accountInitialized = false;  Q.1, Q.5, Q.6
public static boolean policyChecked = false;       Q.1, Q.5, Q.6
public static Wallet myWallet = new                Q.1, Q.5
Wallet(1000000);
Timer timer = new timer();
Calendar now;
int hour;                                          Q.1
int minute;                                        Q.1
int day;                                           Q.1
Stock stock;
public static boolean marketlsOpen = false;        Q.1, Q.5, Q.6
public boolean stocklsOwned = false;               Q.1, Q.5
public int x = 0;                                  Q.1
public static int rowCount = 0;                    Q.1, Q.5, Q.6

Table 3. Vulnerability assessment for methods in the M3_Main class.

Method                    Description

public void start(Stage   Method that requests the PolicyPrompt FMXL
stage) throws Exception   which is shown to the user before the
                          application is started. SetTitle object for
                          the title application which is presented at
                          the beginning of the application.
public static void        Public method to make sector table within
makeSectorTable()         database. Pulls this information from a
                          webpage named YahooFinanaceScript. This
                          information is pulled and updates in 15
                          minute intervals.
public static void        Public static method that starts the PHP
startPhp()                which is a scripting language used for
                          website development. The connection is opened
                          and then the stock information is pulled line
                          by line and then printed out.
public static void        This method restarts the database which is
restartDatabase()         pulled from the Yahoo Finance Script which
class startTask extends   now has been named Finesse.php.
TimerTask{                This startTask class extends the TimerTask
@Override                 of the program and it called every certain
public void run() {       amount of minutes to basically check if the
}                         market is open or not and then runs on
}                         another thread. A run method determines if
                          the market is open or close based on the
                          times of 9:30 am-4:00 pm M-F.
public static Stock       This public static method purpose is to
connectToDatabas (String  connect to the database within the
query, int t)             application. vMethod pulls necessary
                          information: Symbol, Name, Percent Change,
                          Price, Price2, Price3, Days High, and the
                          Days Low.
public void strategy()    This is the strategy method that runs the
                          trading strategy of the application. The
                          stock is updated from the sandp500 and if the
                          stock is in portfolio (the stock that we own)
                          and if the stock is in the watchlist (the
                          stocks we are watching, not owned) each
                          strategy is performed.
public static void        The main method within this application
main(String[] args)       because this application is deployed by
                          JavaFX. The main serves only as fallback in
                          case the application cannot be launches
                          through deployment artifacts.
public void               This method simply updates the account.
updateAccount()           The method updates watch list tab, portfolio
                          tab, and also update past tab method

Method                                  Critical Questions
                                        Associated with This
                                        Method

public void start(Stage stage) throws   Q.1,Q.2, Q.3
Exception
public static void makeSectorTable()    Q.1,Q.2, Q.3
public static void startPhp()           Q.1,Q.2, Q.3
public static void restartDatabase()    Q.1,Q.2, Q.3
class startTask extends TimerTask
{                                       Q.9
@Override
public void run() {
}
}
public static Stock connectToDatabas    Q.1,Q.2, Q.3
(String query, int t)
public void strategy()                  Q1, Q.2
public static void main(String[] args)  Q1
public void updateAccount()             Q1

Table 4. Vulnerability assessment for variables in the wallet class.

Variable                 Description

double cash              Double variable for cash within application
double startValue        Double variable for the started value within
                         the wallet of application
double annualReturn = 0  Double variable for annual return value which
                         is initialized to 0
double AccountValue = 0  Double variable for the account value which
                         is initialized to 0
double marketValue = 0   Double variable for market value which is
                         initialized to 0
double spMoney           Double variable for amount of money allocated
                         to spend per day
double avMoney           Double variable for amount of money available
                         to spend per stock

Variable                 Critical Questions Associated
                         with This Variable

double cash                   Q1
double startValue             Q1
double annualReturn = 0       Q1
double AccountValue = 0       Q1
double marketValue = 0        Q1
double spMoney                Q1
double avMoney                Q1

Table 5. Vulnerability assessment for methods in the wallet class.

Method                           Description

                                 This method starts the value of the
public Wallet(double start)      wallet while also setting the start
                                 value to the double value "Cash". The
                                 amount of money allocated to spend per
                                 day (spMoney) and the amount of money
                                 avaible to spend per stack (avMoney) is
                                 run through a series of calculations.
public void setStartDayValue()   Public method that sets the start day
                                 value of the wallet.
public double getStartDayValue(  Public double method to get the start
                                 day value of the wallet.
public double getCurrentValue()  Public double method to get current
                                 value of the wallet. The current value
                                 is then returned.
public String getDailyReturn()   This String method returns the daily
                                 return within the wallet which is how
                                 much money you have successfully made
                                 in the same day. The daily return is
                                 current value subtracted by the start
                                 day value.
public double getCash()          Public double method to return the
                                 amount of cash within the wallet.
public void setCash(double c)    Public void method which sets the
                                 amounts of cash.
public double getStartValue()    Public double method that returns
                                 the start value within the wallet
                                 Public double method that will return
public double getAnnualReturn()  the annual value which is calculated
                                 by account value divided by start value
                                 raised to the (365/1), thus the number
                                 of days in a year divided by the
                                 number of days since account started.
public double getAccountValue()  Public double method that returns the
                                 account value which is calculated by
                                 adding the cash to the market value of
                                 the stock.
public void setMarketValue       Public void method that sets the
(double mv)                      market value. This market value is
                                 expecting a double.
public double getMarketValue()   Public double method that returns the
                                 market value.
public double getSP()            Public double method to return
                                 spending money per day
public void setSP(double s)      Public void method to set spending
                                 money per day.
public double getAV()            Public double method that returns
                                 the amount of money to spend per
                                 transaction when buying
public void setAV(double d)      Public void method to set the amount
                                 of money to spend per buy transaction,

                                       Critical Questions
Method                                 Associated with
                                       This Method

public Wallet(double start)               Q.1
public void setStartDayValue()            Q.1
public double getStartDayValue()          Q.1
public double getCurrentValue()           Q.1
public String getDailyReturn()            Q.1

public double getCash()                   Q.1
public void setCash(double c)             Q.1
public double getStartValue()             Q.1

public double getAnnualReturn()           Q.1

public double getAccountValue()           Q.1

public void setMarketValue(double mv)     Q.1

public double getMarketValue()            Q.1
public double getSP()                     Q.1
public void setSP(double s)               Q.1
public double getAV()                     Q.1

public void setAV(double d)               Q.1

Table 6. Vulnerability assessment for variables in the stock class.

Variable                              Description

SimpleStringProperty rec;             Simple String rec variable that
                                      gets the buy time stamp of the
                                      stock
SimpleStringProperty rec2;            Simple String rec2 variable that
                                      gets the sold time stamp of the
                                      stock
SimpleStringProperty type;            Simple String type variable that
                                      is used for the type of stock
SimpleStringProperty name;            Simple String name variable that
                                      is used for the name of stock
SimpleStringProperty symbol;          Simple String symbol variable that
                                      is used for the symbol of the
                                      stock
SimpleStringProperty sector;          Simple String sector variable that
                                      is used for sector of the stock
SimpleDoubleProperty                  Simple Double percentChange
percentChange;                        variable used to find percent
                                      change for each stock
SimpleDoubleProperty curPrice;        Simple Double curPrice variable
                                      used for the current price of
                                      each stock
SimpleDoubleProperty prevPrice1;      Simple Double prevPrice1 variable
                                      used for getting the price of the
                                      stock each time the application
                                      refreshes
SimpleDoubleProperty averagePrice;    Simple Double averagePrice
                                      variableused for the average price
                                      of the stock throughout the day
SimpleIntegerProperty count;          Simple Double count variable used
                                      for counting of all the stock
                                      price updates
SimpleDoubleProperty sumPrice;        Simple Double sumPrice used to
                                      get the average which is
                                      sumPrice/count = averagePrice
SimpleDoubleProperty prevPrice2;      Simple Double prevPrice2 variable
                                      used for getting another price of
                                      stock after refreshing
SimpleDoubleProperty                  Simple Double purchasePrice
purchasePrice;                        variable used for the purchase
                                      price of the stock
SimpleDoubleProperty accVal;          Simple Double accVal variable used
                                      for the account value
SimplelntegerProperty quantity;       Simple Integer quantity variable
                                      used for the quantity of the
                                      stocks
SimplelntegerProperty quantity2;      Simple Integer quanity2 variable
                                      used for the quantity of the
                                      stocks
SimpleBooleanProperty owned;          Simple Boolean owned variable used
                                      for the owned stocks that the
                                      application has bought
SimpleDoubleProperty total Value;     Simple Double totalValue variable
                                      used for total value of the stock
SimpleDoubleProperty net, daysHigh,   Simple Double net, daysHigh, and
daysLow                               daysLow variables used for the net
                                      of the stock, also used to get the
                                      day's high and day's low of the
                                      stocks
SimpleDoubleProperty purchase Value,  Simple Double purchase Value,
sellPrice, profit, total Cost         sellPrice, profit, and totalCost.
                                      Variables used for the purchased
                                      price of the stock, the sell price
                                      of the stock, the profit of the
                                      stock, and the total cost of each
                                      stock

                                      Critical Questions
Variable                              Associated with
                                      This Variable

SimpleStringProperty rec;               Q.1
SimpleStringProperty rec2;              Q.1
SimpleStringProperty type;              Q.1
SimpleStringProperty name;              Q.1
SimpleStringProperty symbol;            Q.1
SimpleStringProperty sector;            Q.1
SimpleDoubleProperty percentChange;     Q.1

SimpleDoubleProperty curPrice;          Q.1
SimpleDoubleProperty prevPrice1;        Q.1

SimpleDoubleProperty averagePrice;      Q.1

SimpleIntegerProperty count;            Q.1
SimpleDoubleProperty sumPrice;          Q.1

SimpleDoubleProperty prevPrice2;        Q.1

SimpleDoubleProperty purchasePrice;     Q.1
SimpleDoubleProperty accVal;            Q.1
SimplelntegerProperty quantity;         Q.1
SimplelntegerProperty quantity2;        Q.1
SimpleBooleanProperty owned;            Q.1

SimpleDoubleProperty total Value;       Q.1
SimpleDoubleProperty net, daysHigh,     Q.1
daysLow
SimpleDoubleProperty purchase Value,    Q.1
sellPrice, profit, total Cost

Table 7. Vulnerability assessment for methods in the stock class.

Method                                Description

public Stock (String sym, String n,   Constructor for normal stocks.
double perCha, double cPrice, double  This method takes in the symbol,
pPricel, double pPrice2, double dH,   the percent change, current
double dL)                            price, pricel, price2, day's low
                                      and also day's high.
public Stock (String sym, String n,   Constructor for Portfolio
double perCha, double cPrice, int q,  transactions. Takes in information
double pPrice, String time)           about stocks which includes: the
                                      symbol, percent change, current
                                      price, quantity, price, and the
                                      time when it was bought.
public Stock (String s, String t1,    Constructor for History of all
int q, double buy, double tc,         stocks when transactions are
String t2, int noSell, double         made. Method takes in symbol,
sell, double prof, double n)          quantity, net, purchase price,
                                      totalCost, quantity, sold price,
                                      and profit of stock.
public SimpleBooleanProperty          Method within Watch-list to
watchlist PropertyO                   return the stocks owned
public double getDaysHigh()           Double method to return the
                                      day's high of the stock
public double getDaysLow()            Double method to return the
                                      day's low of the stock
public String getRec()                String method to return the
                                      time of which the stock was
                                      bought.
public void setRec(String d)          Void method to set the sell time
                                      of which a stock was sold at.
public void setRec2(String d)         Void method (setRec2) to set the
                                      sell time of which a stock was
                                      sold at.
public String getRec2()               String method (getRec2) to return
                                      the time of which the stock was
                                      bought at.
public String getType()               String method to return trade
                                      type of stock
public void setTotalValue()           Void method that sets the total
                                      value of the stock. User quantity
                                      return method multiplied by
                                      current price return method.
public double getTotalValue()         Double return method to return the
                                      total value of stock
public int getQuantity()              Int return method to return the
                                      quantity of each stock
public SimpleIntegerProperty          Return SimplelntegerProperty
quantityProperty()                    method to return the quantity
                                      value
public void setQuantity(int q)        Setter method to set the quantity
                                      of the stocks using the Simple
                                      InetegerProperty
public String getSymbol()             Return method to get the symbol
                                      of stock
public SimpleStringProperty           Method using SimpleStringProperty
symbolProperty()                      to return the symbol of stock
public String getName()               String method to return the name
                                      of the stock
public SimpleStringProperty           Method using SimpleStringProperty
nameProperty()                        to return the name of the stock
public String getSector()             String method to return the sector
                                      of the stock
public SimpleStringProperty           Method using SimpleStringProperty
sectorProperty()                      to return the symbol of the stock
public double getPercentChange()      Double method to return the value
                                      of the percent change over time
                                      with stock
public SimpleDoubleProperty           Method using SimpleStringProperty
percent ChangeProperty()              to return the percent change of
                                      the stock
public double getCurPrice()           Double method to return the
                                      current price
public SimpleDoubleProperty           Method using SimpleStringProperty
curPriceProperty()                    to return the current price of the
                                      stock
public double getPrevPricel()         Double method to return the
                                      previous price of a stock
public SimpleDoubleProperty           Method using SimpleStringProperty
prevPricel()                          to return the previous price of
                                      the stock
public double getPrevPrice2()         Double method to return the 2nd
                                      previous price of a stock
public SimpleDoubleProperty           Method using SimpleStringProperty
prevPrice2()                          to return the 2nd previous price
                                      of a stock
public void setPurchasePrice()        Method to set the purchase price
                                      of the stock
public double getPurchasePrice()      Double method to return the
                                      purchase price of the stock
public SimpleDoubleProperty           Method using SimpleDoubleProperty
purchase PricePropertyO               to return the purchase price of
                                      the stock
public double getSellPrice()          Double method to return the sell
                                      price of the stock
public SimpleDoubleProperty           Method using SimpleDoubleProperty
purchase SellPropertyO                to return the sold price of the
                                      stock
public SimpleDoubleProperty           Method using SimpleDoubleProperty
accountValue()                        to return the account value
public void setPurchaseValue()        Method using the getQuantity and
                                      getPurchasePrice methods to set
                                      the purchase value of the stock.
public void setNet(double n)          Method to set the Net value of
                                      the stock
public double getNet()                Double method to return the net
                                      of the stock
public double getTotalCost()          Double method to return the
                                      total cost of a stock
public double getProfit()             Double method to return the profit

                                                     Critical Questions
Method                                               Associated with
                                                     This Method

public Stock (String sym, String n, double
perCha, double cPrice, double pPricel, double           Q.1
pPrice2, double dH, double dL)
public Stock (String sym, String n, double
perCha, double cPrice, int q, double pPrice,            Q.1
String time)
public Stock (String s, String t1, int q, double
buy, double tc, String t2, int noSell, double sell,     Q.1
double prof, double n)
public SimpleBooleanProperty watchlist                  Q.1
PropertyO
public double getDaysHigh()                             Q.1
public double getDaysLow()                              Q.1
public String getRec()                                  Q.1
public void setRec(String d)                            Q.1
public void setRec2(String d)                           Q.1

public String getRec2()                                 Q.1

public String getType()                                 Q.1
public void setTotalValue()                             Q.1

public double getTotalValue()                           Q.1
public int getQuantity()                                Q.1
public SimpleIntegerProperty quantityProperty()         Q.1
public void setQuantity(int q)                          Q.1

public String getSymbol()                               Q.1
public SimpleStringProperty symbolProperty()            Q.1
public String getName()                                 Q.1
public SimpleStringProperty nameProperty()              Q.1
public String getSector()                               Q.1
public SimpleStringProperty sectorProperty()            Q.1
public double getPercentChange()                        Q.1

public SimpleDoubleProperty percent                     Q.1
ChangeProperty()                                        Q.1
public double getCurPrice()                             Q.1
public SimpleDoubleProperty curPriceProperty()          Q.1

public double getPrevPricel()                           Q.1
public SimpleDoubleProperty prevPricel()                Q.1

public double getPrevPrice2()                           Q.1
public SimpleDoubleProperty prevPrice2()                Q.1

public void setPurchasePrice()                          Q.1
public double getPurchasePrice()                        Q.1
public SimpleDoubleProperty purchase                    Q.1
PricePropertyO                                          Q.1
public double getSellPrice()                            Q.1
public SimpleDoubleProperty purchase                    Q.1
SellPropertyO
public SimpleDoubleProperty accountValue()              Q.1
public void setPurchaseValue()                          Q.1

public void setNet(double n)                            Q.1
public double getNet()                                  Q.1
public double getTotalCost()                            Q.1
public double getProfit()

Table 8. Vulnerability assessment for variables in the transactions
class.

Variable                        Description

static Stock tStock             Static tStock variable used throughout
                                the Transaction class
Double totalCost                Double totalCost variable used for total
                                cost of stocks
Double acctValue                Double acctValue variable used for
                                account value of transactions
Int rowCount = 0                Int rowCount variable set to 0
boolean flag = false;           boolean flag variable set to false
protected double cost = 0;      protected double variable named cost
                                set to 0
static boolean bought = false;  static boolean variable named bought
                                set to false
static boolean held = false;    static boolean variable named held set
                                to false
int maxNumshares;               integer variable named maxNumshares
                                for the maximum number of share for
                                each stock

                                Critical Questions
Variable                        Associated with This
                                Variable

static Stock tStock               Q.1
Double totalCost                  Q.1
Double acctValue                  Q.1
Int rowCount = 0                  Q.1
boolean flag = false;             Q.1
protected double cost = 0;        Q.1
static boolean bought = false;    Q.1, Q.5
static boolean held = false;      Q.1, Q.5
int maxNumshares;                 Q.1

Table 9. Vulnerability assessment of methods in the transactions class.

Method                          Description

public Transaction(Stock s)     Transaction constructor which sets s to
                                the variable made tStock
                                This protected method is for purchasing
                                stocks. When stock is bought it is ran
protected void buy(double c)    through a number of if statements that
                                allocates and set the available money
                                to spend per buy transactions. The
                                number of shares is set and if there is
                                not enough money available in the wallet
                                the user is presented with an
                                "insufficient funds".
protected void sell(double c,   This method is for selling stocks. It
int q, double purch, String t)  retrieves the stock name and calculates
                                total cost of the stock. The cash is
                                then updated within the wallet based
                                on transaction.
protected void hold()           When the decision is made hold a stock
                                the name of the stock is returned and
                                the variable held is set to true this
                                holding the stock.
                                This method records all data within
protected void log(String       transactions. It records the time, date,
t, String sym, double p,        and year and also the name of the stock.
int qty, double total)          This includes: symbol of the stock,
                                current price, percent change, and the
                                quantity of each stock which is all
                                added to the portfolio.
private static void             Private method that is used for
p(String s)                     printing the variable s which is made
                                within the constructor above in the
                                class
public void updateTable         This method updates table which is
(String query)                  connected to the database and is made
                                to return the necessary data. If
                                statements check connection.

                                             Critical Questions
Method                                       Associated with This
                                             Method

public Transaction(Stock s)                  Q.1
protected void buy(double c)                 Q.2
protected void sell(double c, int q, double
purch, String t)
protected void hold()
protected void log(String t, String sym,
double p, int qty, double total)             Q.2
private static void p(String s)
public void updateTable(String query)        Q.1, Q.2, Q.3

Table 10. Vulnerability assessment for variables in the Trade_Decision
class.

Variables                 Description

public static int d = 0;  public static integer d variable set to 0

Variables                 Critical Questions Associated with
                          This Variable

public static int d = 0;  Q.1, Q.5, Q.6

Table 11. Vulnerability assessment for methods in the Trade_Decision
class.

Methods                Description

                       This method is run through for stocks within the
                       watch list. Here we use three different prices
public static int w    that are refreshed constantly which are then ran
Strategy(Stock stock)  through a number of if statements to determine
                       if the stock should be bought, or left alone.
                       This method is run through when stocks are in
public static int p    the portfolio. Again they have used three
Strategy(Stock stock)  different prices that are ran through a number
                       of if statements; each refreshed 3 different
                       times to determine if the stock should be sold
                       or held within the portfolio.

                                           Critical Questions
Methods                                    Associated with This
                                           Method

public static int w Strategy(Stock stock)  Q.1
public static int p Strategy(Stock stock)  Q1

Table 12. Suggestions for eliminating common software security
vulnerabilities.

Critical Question  Reasons Causing Vulnerabilities

Q.1                Classes are public
Q.1                Methods are public
Q.1                Variables are public
Q.2                Resource is not proper closed
Q.2                More than one resource operations in
                   the try-catch-finally block
Q.5                Static variables
Q.9                Inner class
Q.12               Sensitive information

Critical Question  Suggested Solutions

                   The product should make all classes package-private,
Q.1                since they are in the same package (M3 Application)
                   and not served as an API or interface for external
                   classes.
                   This implementation is not appropriate. Methods in
Q.1                the product should obtain at least default access
                   modifier privilege. Most of them should be in
                   private access modifier privilege, since they are
                   used internally.
Q.1                Variables should limit the accessibility. In this
                   product, most variable should be in private access
                   modifier privilege.
Q.2                This product should use try-with-resources
                   statement to ensure each resource is closed at the
                   end of the statement.
Q.2                Since several exceptions may be thrown, some
                   exceptions will be masked.
                   Since other classes in the same scope may be able
Q.5                to access and modify a static variable, this variable
                   should better be claimed as final static.
Q.9                Since there are some security issues related to
                   inner class. It is better to move inner classes to
                   outer classes.
Q.12               Use Java security APIs to handle sensitive
                   information.
COPYRIGHT 2014 Modern Science Publishers
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Hu, Yen-Hung; Scott, Charles
Publication:Journal of Communications and Computer Engineering
Article Type:Case study
Date:Dec 1, 2014
Words:7300
Previous Article:A Scheme for Mining State Association Rules of Process Object Based on Big Data.
Next Article:Re-Evaluating Media Richness Theory in Software Development Settings.
Topics:

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters