CS361C Assignment 2

Due: Wednesday, February 19, 2014 at classtime

Please submit a hard copy of this assignment in class. If you can't be in class that day, send an electronic copy to the TA.

Note you can work with one other student on this project. Be sure to identify both members of the team and include a short paragraph explaining the contributions of each. There is no specific page limit; take as much space as you need to convey the information. You will be graded on the quality of your thought, not on your grammar or spelling. Nevertheless, you are expected to take care with those aspects.

The Assignment: Imagine that your proposal from Assignment 1 was accepted and you have been hired by MegaWazoo Corp. (though the nature of the organization doesn't really matter much) as an information assurance consultant. The company buys a variety of COTS software applications from numerous sources. Some vendors are questionable and some may even be controlled or influenced by parties hostile to your mission. One of your tasks is to put in place a "networthiness" program for applications. That is, before any particular application is deployed on the agency network, it is your task to certify that it is adequately secure. Is it even possible to know if it is absolutely secure?

It is infeasible to imagine thoroughly examining the code of all such applications; for many you may not even have the source code. So you need some automated tools to help with the task. There are a large number of tools available. Visit SecTools.org for one list of the top 125 security tools. This is an excellent source for information about available tools.

Your specific task for this assignment is to suggest a toolkit of 5 tools that your company should acquire from among the many possible tools in this marketplace. You should write a report to the agency's IT manager to justify your selection. You should assume that your reader will be technically literate but not an expert in security or in these tools. Your report should have the following sections:

  1. Introduction: short description of the problem and what this report is intended to accomplish.

  2. Environment: describe (invent) the computing environment of your agency. You can say, for example, that all of the computers are PCs running Windows or all use Linux or all are Macs, or some combination. The environment you choose will definitely affect which tools are appropriate. I suggest postulating the type of environment that you personally are most familiar with. You clearly should not choose PC-specific tools if you say that the agency is a Linux shop.

  3. Explain your selection criteria: What factors do you consider important in making your tool selections. Notice that the sectools.org website lists tools in various categories. It wouldn't make much sense to choose five vulnerability scanners, or five packet sniffers, etc. But there are more than five categories, so you'll have to select among them. Explain which categories you considered vital and why. Also explain what you're looking for in specific tools.

  4. Tools chosen: Describe the five tools you have selected. Briefly give the characteristics of each and the reason for your selecton of that tool. List factors that would be important to the IT manager receiving your report: is the tool difficult to obtain? is it actively maintained? is there an associated cost? etc. For each tool you select, I suggest you doublecheck the information on the sectools.org website from other sources to ensure it's current.

  5. Conclusion: List any observations about this exercise and whether you believe that the five tools you've chosen provide an adequately complete solution to the overall certification problem.
Note: you are not evaluating the security of the 5 tools; you're evaluating their usefulness. They will become part of your toolkit for your networthiness assessments.