Saturday, 20 February 2021

Advanced Programming & Implementing Object Orientated Design

 


Learning Outcomes tested in this assessment (from the Module Descriptor):  

 

Knowledge & Understanding:  

  1. Demonstrate in-depth knowledge and understanding of current best practice in the design and development of Object Orientated systems 

 

Intellectual / Professional skills & abilities: 

  1. Design a system using advanced object orientated principles and methods, such as Behavioural, Creational and Structural design patterns, ensuring a high level of quality and data security. 

  1. Implement and test Object Orientated programmes using advanced techniques ensuring a high level of quality and data security.  

  1. Critically evaluate the effectiveness of implemented Object Orientated applications 

 

Personal Values Attributes (Global / Cultural awareness, Ethics, Curiosity) (PVA): 

  1. Demonstrate a professional understanding of the importance of software quality in the development of applications.  

 

Assessment Criteria/Mark Scheme: 

See Appendix for assessment criteria. Note that this work is worth 100% of the module and that the marks total 100 marks. 

 

Nature of the submission required:     

Individual work:  The individual report should be a single document, and it must be in  PDF format. You are required to upload this using Turn-it-in (ELP) as an originality report is required. Your work must be uploaded no later than 2nd January 2021. You should name this file so that it is clearly your individual work and should contain your student ID as part of the document name. 
 

Group work: A ZIP file should be created that contains your entire Visual Studio project, including the test project. Justifications of choices made, such as patterns used and the data access layer, need to be in a PDF document called justifications. The document should be in the root of the folder. You also need to supply a file called “group.txt” which contains a list of all names and student IDs of the group members.
Each C# software component should have the names of the group members within the comments at the top of the code. The ZIP file should also contain files for your Design (Task 2) and Testing (Task 4); these should be in PDF format and need to be legible (easy to read). It is your responsibility to check the PDF files are legible.

 

Please note that the compression format has to be zip; you must not use ‘rar’, ‘7z’ or other compression formats.

   

Late work carries a penalty. Even if you are one minute late, the penalty has to be applied. Please make sure you give yourselves plenty of time to upload the work. Multiple submissions are possible.  

 

It is your responsibility to check that you have uploaded the file correctly to the ELP. After uploading the file to the ELP, download the file and check that the contents are what you expect.  

 

Referencing Style: 

Where you have used words from someone else (quotations), they should be correctly quoted and referenced in accordance with the Northumbria Harvard System. You will be required to submit the report for the work via Turn-it-in.

 

Cite them Right can be found here 

 

 

Group work 

The size of a group can be between two and six students; no group may be larger than six but may be smaller. You are expected to form your own groups by the end of teaching week 4. One member of each group must email the module tutor giving the names of the group members. Anyone without a group at the beginning of week 6 will be assigned to a random group. In the rare event that a group is not working well together, it may be disbanded. The module tutor will have the final say when this occurs. It will only happen if there is sufficient documented proof that one member is not contributing to the work. In such eventualities, it will be expected that each member does the remaining work on an individual basis. Alternatively, students may be able to join another group that is willing to accept them, provided there is still enough time to make a sufficient contribution to the new group. In such cases the module tutor must be notified.

 

 

Expected size of the submission:  

Expected size of written work is stated on the individual sections. 

 

Academic Misconduct: 

You must adhere to the university regulations on academic misconduct. Formal inquiry proceedings will be instigated if there is any suspicion of misconduct or plagiarism in your work. Refer to the University’s regulations on assessment if you are unclear as to the meaning of these terms. The latest copy is available on the university website. Quote or paraphrase other work with caution. Please discuss with the module tutor if you are unsure what is expected.  

 

Handbook of Student Regulation can be found here 

 

Fair use of code from the internet: 

You are not permitted to use templates from the internet; any group which uses a template to create the architectural foundation of their work will be formally investigated for academic misconduct. All the work must be your own.

 

Small amounts of code can be taken and modified from the internet; however, all occurrences must be clearly indicated in the comments section at the top of each class. You must include in the comments section a reference to the original source. Methods and properties should also be marked as “copied from: URL” or “based on: URL” if they have originated from an external source.

 
Monitoring of assessment progress: 

You are required to use GitHub as a repository for your assessment. Your progress on the assessment will be monitored, so it is important that the group work is started early; groups which have not made sufficient progress can expect emails. You will be required to give the module tutor access to the GitHub project at the commencement of the technical part of the assessment.

 

Reflective writing: 

Tasks 5 and 6 are reflective writings. Although many of you are aware of what reflective writing is, past evidence indicates that some students do not understand what is required. It is not about ‘book work’ where your answer is based on external sources, although you should use some academic papers to support your arguments. These questions are about what you and your group have done and what you have learned from the process. You are required to identify positives and weaknesses in the group work. Use the theory covered in the module to effectively aid you in this reflective evaluation of your work. The reflective commentary should be critical; you should identify what went wrong and demonstrate you have learned from the process.

 

Extensions and Illness: 

Please make sure that all group items are held in a central repository so that it does not rely on a single individual. If someone in your group is ill then you must all discuss the possibility for extensions with Ask4Help. Module tutors and Course leaders cannot grant extensions; you must go to Ask4Help.

 

 

 

 

Individual and Group components  

Each task clearly states if the task is individual or group work. Submission of individual work will be at the same time as group work; however, these will be separate submissions.

 

Peer Assessment and Group Diary 

In order to complete the group work you will need to work with other students. It is important that you evenly distribute the work between yourselves and work effectively with each other. You are required to keep a diary so that you log and minute all communication and meetings. The diary will be required as part of the evidence in the portfolio. Given the current situation regarding COVID-19 you will be required to hold group meetings using software such as Zoom or Teams.

 

You must also supply one peer-assessment form for each group member. This will need to be agreed and signed by each group member. Social distancing will complicate the process. It is expected that with the individual work each member supplies a copy of all the peer assessments, and that everyone submits the same values on these documents. This will be sufficient to acknowledge you agree with the marks for each member including your own.

 

If the diary and/or individual peer assessment forms are missing then the group part of this assignment will be capped at 50%. Based on the peer assessment form you will be able to calculate a score of between 3 and 8 which measures your peers’ views of the quality of your team work in this task. We reserve the right to consult with you and potentially change the weightings (and in extreme cases marks) when this is felt necessary. We will not do this before the assignment is handed in. On the form each student’s performance in the team is graded by a number of criteria. Each criterion will be given a score of between 3 and 8. Once all the 9 criteria have been graded, the average score across the criteria for the student will be determined. This is called the Team Work Score, which will be between 3 and 8. Calculate this by adding up the score for each of the nine criteria and then dividing by nine. Once the peer assessment forms have been completed for all members of the group it is possible to determine the group average. This is calculated by adding up the Team Work Scores for all the group members and dividing the total by the number of group members. A weighting can then be calculated by dividing the student’s Team Work Score by the group average. The weighting applies only to the group component of the assessment. A student’s mark will be determined by multiplying the group mark by the weighting. This will be calculated to the nearest whole number.

See ELP document “Example_Peer_Assessment_Form”.

 
 


 
Assessment Scenario 

Case Study: Quick Fix Dental Practice 

Technology requirements 

Application must be built using Visual Studio 2019 or Visual Studio 2017, professional or enterprise. The community edition is not suitable for this work, as it will not work with Entity Framework.  

You must use the database built into Visual Studio as your data store; you should not use any other database.

The GUI must be built using Windows Forms (WinForms). ASP or other presentational technologies are not permitted.

Patterns must be present in the technical solution, for example the presentational layer should use MVP. You are also required to use Entity Framework and LINQ.  

 

Background 

Radiant Smile Dental practice requires you to build a Windows application to support the dental practice. The dental practice only deals with NHS patients; however, it does offer a number of treatments not covered by the standard NHS services, such as teeth whitening and dental implants.

Patients 

When a patient is registered their details such as date of birth, name, address, email are captured and stored by the system. A medical questionnaire is given during the registration process. The questionnaire captures information regarding any medical conditions which may affect the treatment and any allergies the patient may have such as to latex or antibiotics.  

 

When a patient visits the dental surgery a check is done to see when they last updated their medical history. If this was more than a year ago the system will prompt the reception staff to ask if there have been any changes to their medical history. If there have, they will be required to fill in a new medical questionnaire.

 

All patients must provide the name and address of their GP practice. It is likely that many of the patients in the dental practice will be registered with a small number of local GP practices.

 

NHS patients may be entitled to free treatment or they may pay a fixed fee given the dental work undertaken. More detailed information can be found at https://www.nhs.uk/using-the-nhs/nhs-services/dentists/understanding-nhs-dental-charges/

 

All treatments private / NHS should be easily maintained by the practice staff. This may be the change of pricing in line with changes to the NHS fees. It could also include new private services or accommodate a change in price due to a special offer.  

 

Checkups (15 minute appointment)  

Checkups can be booked in one of three ways 

  • When a patient comes to the end of a treatment plan or has had a check-up which requires no work, they are offered an opportunity to book a six month check-up.

  • When they first register with the practice. 

  • If they telephone in and ask for a check-up, a check is made to make sure they have not already had a check up within the last four months. 

In the case of a new patient or a patient coming to the end of the treatment plan, the system must prompt the reception staff to ask the patient to make an appointment.

 

The system should identify any patients who have not visited the dental practice in the past six months and have no future appointments booked. The system will produce a reminder letter which will be mailed out to the patient asking them to make an appointment. They will be contacted again in six months if they have not made an appointment and have not visited the dental practice.

 

Any patient who has not made contact with the dental practice for a two year period will be removed from the list of active patients. 

 

 

Emergency Appointments 

A practice holds 2 hours of non-advance appointments each day; these are for dental emergencies and are allocated on a first come, first served basis.

 

Recording a treatment plan 

A person will have 32 adult teeth, and when they are younger 20 baby teeth. During someone’s life the state of the teeth may change: all the way from a filling to an extraction. 

 

The system should record information only about a ‘treatment plan’: the work identified as needing to be carried out following an examination.

 

The dentist will fill out a visual representation on a pre-printed view of the teeth so that the patient is aware of what is going to be done. This visual representation is not recorded by the system; instead the dentist makes professional medical notes. These medical notes will be short multi-line text documents which are written in such a way that any trained dentist will understand.

 

Treatment plan consent and payments 

Many NHS patients will pay a fixed fee for the dental service, which is split into three bands. Some patients are entitled to free treatment, depending on their individual circumstances. In both cases the patient signs a standard NHS consent/treatment form; these are scanned and a copy is held on the system.

 

In the event of an emergency appointment this may be done immediately after the treatment is carried out.     

 

Appointment Reminders 

The practice has suffered from many missed appointments; patients forget about appointments which are often set weeks or months in advance. In order to try and solve this problem, an SMS text message is sent to the patient five working days before the appointment, and another is sent the day prior to the appointment.

 

It is also policy to phone patients who have long appointments. Some dental work may require 40 or more minutes to complete. Patients who have long appointments are contacted by phone by a member of the reception team to double check that they will be attending. This normally takes place two working days before the appointment.

 

A third party service is used to contact patients via SMS text messages. The system should provide the following text document which will be sent to the service. The text document contains a list of the reminders to be sent that day; it has the mobile phone number and the day/time of the appointment. This should be in the form of a comma delimited file.

 

The system will also produce the list of phone numbers, names and appointment details for all those who have a long appointment in three working days’ time. This will be processed by the reception staff during quiet periods. Reception staff should be able to mark those who have been successfully contacted; those who have not been contacted by the end of the day will appear on the following day’s list. No further attempts will be made if they are not contacted on the second consecutive day.

 

The practice operates a policy of deregistering anyone who has missed three appointments within a rolling five year period; this will only happen when their current treatment plan has ended. There are exceptions, such as any patient who has a memory problem or anyone who has missed an appointment due to illness or bereavement; even an event such as traffic is seen as an acceptable reason for missing an appointment. A clarification for any missed appointment will be sought on the next interaction with the reception staff. Your system must prompt the staff to ask and then record if it is allowable or not. In the event of a non-allowable reason the system must check if there have been two more within the past three years. If so, the patient’s record will be marked as one to deregister. If not, then a record is made of the missed appointment.

 

Staff  

Staff have the ability to request flexible working, so it is possible that some staff may work less than five days a week, or that they only work the hours between 10am and 2pm. The practice diary which contains all the staff and appointments is held six months in advance.

Staff can also request holiday. It is normal that there will be appointments which have already been made for the period of the holiday. In these cases reception staff will be able to identify and contact the patients so that they can rearrange the appointment.

 Staff sickness. Staff may become ill and be unable to work for a period of time. If a member of staff becomes ill then it may be possible to move some of the appointments for a day to other dentists and also use half of the allocation of emergency appointments.  

The system should be able to identify from the treatment plan and type of appointment which patients should be dealt with as soon as possible and which can be moved to a new appointment in the future. Patients undergoing root canal work or crowns are priorities and an attempt is made to fit them into the current week’s work; checkups are seen as least priority and are rescheduled last. Contact information is listed for all the affected patients. The receptionist calls each one in the list, which has been prioritised. They explain the situation and work with the patient to choose an alternative day and time.

 

 

 

 

 

 

 

 

Task 1 Research Question (Individual Work) 30 marks

This task is an individual task and covers the following learning outcome. 

  1. Demonstrate in depth knowledge and understanding of current best practice in the design and development of Object Orientated systems 

 

Question for section one and two 

 

“Most systems require user authentication, identify the technical approach you would use for storing the password information so that a user was able to authenticate themselves at a later date. You should discuss a range of approaches and any weaknesses with the identified approaches.”

 

 

The research is split into three sections 

 

Section one 

In the initial part you will be limited in your usage to a single source of information, namely “stack overflow”. This initial investigation should take approximately 1 hour to complete and will be undertaken during the lab session. See Appendix B for information regarding how to capture the information. If you miss the lab you can still do the exercise and forward the information to the module tutor for analysis.

(5 marks) 

 

Section two  

This second part answers the same question; however, it should only be done after the lecture on security. You must document the work in the same way as you did for section one, using the layout from Appendix B. Part one documented finding information on Stack Overflow. In this section you also need to write a short summary identifying the technical measures you would take and give a reference to any code examples which you would use as a basis for implementing the solution.

(5 marks) 

Word Limit 300 

 

 

Section three   

Identify possible technical solutions for securely protecting information in the properties of a class prior to it being persisted to a database. Additionally, you should consider and outline any implications that any of the possible solutions may have on the wider functionality or performance of the application.

(20 marks) 

Word Limit 1500 

 

References from good-quality, relevant literature must be used in order to strengthen any points that you raise in your discussion. This only relates to sections two and three of this question.    

 

 

 

 

 

 

 

 

 

Task 2 UML Designs and OOP considerations (Group work) 10 marks

This task assesses the learning outcome. 

 

Design a system using advanced object orientated principles and methods, such as Behavioural, Creational and Structural design patterns, ensuring a high level of quality and data security. 

 

 

Produce an implementable class diagram for the system you are developing. This should show your final design of the software components and clearly show architectural patterns used in the development of the system. It should not be a post-implementation diagram created by Visual Studio. You are expected to use Design Patterns in the creation of your product, and you are also expected to show layering of the application. Patterns should be considered in each of the layers; for example, you are expected to use a presentational pattern in the interface layer. This work should only include the requirements which you are expecting to implement during the time-box.
   (5 marks) 

 

You must provide a justification for any of the patterns you have chosen to implement, outlining the reasons why the choices have been made. You should also include any patterns which you believe could be beneficial to the software architecture, but which you decided not to implement. A rationale for their exclusion should be given. (5 marks)

Word Limit 300 

 

 

 

Task 3 Implementing the technical Solution (Group work) 20 marks 

In this task the following learning outcome is assessed. 

 

 

Implement and test Object Orientated programmes using advanced techniques ensuring a high level of quality and data security.  

 

You are not expected to try and implement the entire system. Agile methods require a subset of requirements to be taken into a time-box for development. You can apply MoSCoW to the list of requirements; this will help you decide on what requirements you plan to implement. However, you are expected to pick requirements which work together so that you can demonstrate a working subsection of the entire system; you should use vertical development.

 

You are expected to develop the application using the standard three layer model and the domain and presentation layer should contain some of the patterns covered in the module.  

 

Entity Framework must be used to persist the objects. It is your choice on how you use the technology. It is recommended not to use Database first as this will have architectural consequences to your system.  

 

The system must be implemented using Visual Studio 2017 or 2019 and be written in C#. As stated earlier only windows forms may be used and the application must use the inbuilt database.  

 
You may include instructions for use, which would include any valid logon details or user details that you have created.
 
 

 The code is marked on the following aspects: 

 

 

Scope technical implementation  (5 marks) 

 

Quality of the solution, including architecture patterns used. (13 marks) 

 

 

 

Task 4 Testing (Group work) 10 marks 

In this task the following learning outcome is assessed.  

 

  1. Demonstrate a professional understanding of the importance of software quality in the development of applications.  

 

It is expected that there is a sufficient level of unit level testing within the layers of the application. It is important that each class and method has an associated testing component. You should also carry out some testing at system level, making sure that the system performs the needed system functionality. You should use both positive and negative testing.

Visual Studio provides an inbuilt testing framework; you are expected to automate as many of the tests as possible using the inbuilt unit testing framework. If you have used dependency injection/mock objects to isolate classes you should make this clear in your testing strategy.

All tests must also be documented in a test plan; it is not enough to just have a test project, it must be documented in a plan.

 

 

 

Task 5 Evaluation of the development process (Individual Work)  
15 marks 

In this task the following learning outcome is assessed.  

 

  1. Critically evaluate the effectiveness of implemented Object Orientated applications 

  1. Demonstrate a professional understanding of the importance of software quality in the development of applications.  

 

Many iterative methodologies incorporate an evaluation step at the end of each development time-box. The purpose is to reflectively evaluate the development increment so that lessons can be learned, and to improve the development process in future increments. In this section you are required to critically evaluate the development process and the tools used.

 

  • Critically evaluate the approach your team used in selecting what requirements to implement in the development time box. You should consider the logical grouping of the functionality and if you chose too many or too few requirements to implement.

  • Teamwork: you need to critically evaluate how your team worked together in producing the technical solution and how you organised yourselves. If any problems occurred they should be listed, as well as any attempt to reach a resolution.

  • Tool evaluation: Critically Evaluate: the development environment, database chosen and the use of testing tools in the development of the system.  

Approximately 700 words 

 

Task 6 Evaluation of the technical solution (Individual Work) 
       15 marks 

 

 

In this task the following learning outcome is assessed.  

  1. Critically evaluate the effectiveness of implemented Object Orientated applications 

 

Critically evaluate the Design and Implementation in relation to the object orientated principles covered in the module. You must consider the patterns you have used and discuss if they were effective and also identify any patterns you have not implemented but believe to be relevant. 

 

Discuss the choice of Data Access implementation. Was Entity Framework directly used or did you impose your own unit of work and repository patterns? You need to justify and reflect on the choice you made.
 

Critically evaluate your application in terms of security. You do not need to discuss password security, which you covered in the research question. However, you should focus on the security needs of the application from the data perspective. You should use what you discovered from task one section three in order to give some specific recommendations related to this application.

Word limit: 1000.   

 

 

 


APPENDIX A 

 

Marking criteria 

 

 

Task 1 section one Research Question (Individual Work)   5 marks  

Grade: Criteria

5: Excellent filtering of the URL, may show a narrowing down quickly to the more suitable answer

4: Very good range of URLs.

3: A good range of material covered from Stack Overflow but it is limited in the number/range of URLs covered

2: Poor range of Stack Overflow URLs or ones which are not from Stack Overflow

Weak research showing little reading and selection.

0: Missing

 

Task 1 section two Research Question (Individual Work)   5 marks  

Grade: Criteria

5: An outstanding selection of the correct technology needed to protect passwords, with implementation example from an external source. External source should give a detailed description and be from a reputable known source.

4: Answer is correct; however, the implementation or source may either lack detail or be from a less reliable source.

3: Answer has a reasonable choice but may not be the most optimal.

2: Answer has made a poor choice, one which may exhibit security issues or may be missing an implementation.

Weak work: poor choice and missing elements.

0: Missing.

 

Task 1 section three Research Question (Individual Work)   20 marks  

The criteria used for marking will include: 

  • The quality and scope of the literature survey. 

  • The principal arguments and conclusions of the work undertaken.

Grade: Criteria

90-100 %: Demonstration of an exceptional answer to the question. Work contains sufficient high quality sources of information which are correctly referenced in the Harvard style. Work should contain no unsupported statements. Answer is near perfect with a detailed and balanced argument and an exceptional conclusion.

70-89 %: Demonstration of an outstanding answer to the question. Work contains no major flaws with only major issues with unsupported statements. High quality sources of information which are correctly referenced in the Harvard style. The answer should be detailed and concise; work should reflect a balanced and objective approach, with an outstanding conclusion.

60 -69 %: Demonstration of a very good answer to the question. The majority of the important statements should be supported with references to high quality academic sources. The answer should be detailed, concise and balanced; there may be some of the important points omitted due to lack of scope.

50 - 59: Satisfactory work exhibits a fair understanding of principles underpinning the questions but it is lacking in some depth, such as exhibiting poor referencing or a lack of reading. Work may show some omissions and may not fully address the questions.

40 – 49: Weak, unsatisfactory answer which is not balanced, lacking any true depth, and shows little in the way of reading. There may be some attempt to answer the question but it may contain flaws and significant omissions.

0 – 39: Work is incomplete and/or irrelevant. Work may show significant sections which are highly derived.

 

 

 

Task 2 UML Designs and OOP considerations (Group work) 10 marks 

 

 

Implementable Class Diagram showing patterns and layers  5 marks 

Justification of the patterns used or their absence 5 marks 

 

Grade: Criteria

80-100 %: Outstanding or exceptional diagram which clearly shows the system layers and the patterns used in the system. Narrative clearly explains the use of patterns and the reasons for the adoption or omission from the work.

60-79%: Work is of good or very good quality. Diagram is clear; however, it lacks depth in the range of patterns chosen and/or considered. The rationale for inclusion or omission has some minor weaknesses.

50-59%: Diagrams contain flaws which would affect the implementation. Patterns may not be well considered and the narrative explaining the rationale lacks depth. The application layers are not clearly defined.

0-49 %: Diagrams are incomplete or non-implementable and/or the consideration of patterns is either missing or is poor.

 

 

 

Task 3 Implementing the technical Solution (Group work) 20 marks 

The criteria used for marking will include: 

  • Scope and quality of technical implementation 15/20

  • Justification and implementation of  data access layer 5/20 

Grade 

Criteria 

80-100 %  

A reasonable set of requirements are implemented given the time frame.  Importantly the scope of requirements should not be at the cost to the quality 

The system demonstrates excellent or outstanding engineering principles such as the use of patterns in the all three layers of the application. Presentation layer should use a pattern to separate responsibilities or presentation and control.  

 

70-79 % 

Work is good or very good; the scope of the requirements may be limited but the engineering is excellent. Or the scope may be high with a reduction in the level of the engineering principles applied. However, the work overall is still very competent and has few problems, such as a lack of patterns.

50-69% 

Quality of the application and/or the engineering has problems, such as failure to consider patterns in the presentation layer. Code may suffer from problems with the way the engineering principles have been applied.

0-49 % 

Scope of the application is poor, with significant issues in the engineering principles being applied. There is little consideration of the implementation of patterns.

 

 

 

Task 4 Testing (Group work)  10 marks 

The criteria used for marking will include: 

  • Test plan based on user requirements, with both negative and positive testing

  • Tool-based unit testing, also with a test plan.

  

Grade 

Criteria 

80-100 %  

Outstanding or excellent testing. Use of dependency injection and mocks where needed, with tests both positive and negative in nature. Tests must be at unit and system level and be fully documented, and the unit-level tests should be fully implemented in Visual Studio's built-in test suite.

60-79% 

Very good testing, covering a good range of unit tests; however, it may lack some testing or may lack some negative testing.

50-59% 

Scope of the testing is incomplete; this may be due to poor choices of presentation pattern or a lack of scope in the tests chosen. Documentation regarding the tests is poor.

0-49 % 

Testing is incomplete or missing.

 

 

 

Task 6 Evaluation of the development process (Individual Work)         15 marks 

 

Required items to evaluate 

  • Critically evaluate selecting requirement.   

  • Teamwork  

  • Tool evaluation 

Grade 

Criteria 

80-100 %  

Outstanding or exceptional evaluation. Well-balanced critical evaluation covering all three aspects. Work should identify problems and, where applicable, this may require quotes from the literature to back up the student's statements. Clear evidence that the student has understood weaknesses and has learnt from them.

60-79% 

Good or very good evaluation; however, it may lack some degree of balance or critical evaluation in some areas, or may not be as strong in one of the three aspects required.

50-59 % 

Critical evaluation is lacking in depth. May contain some degree of inaccuracy or misconception.

0 – 49 % 

Missing key elements. Irrelevant material or poor, non-critical reflection on the work.

 

 

Task 7 Evaluation of the technical solution (Individual Work)         15 marks 

 

Required items to evaluate 

 

Design and Implementation in relation to OO (patterns and principles).
 

 

Grade 

Criteria 

80-100 %  

Overall an excellent evaluation of the technical solution, with identification of and reflection on the weaknesses as well as the achievements. This must include the OO considerations, such as where patterns were used to good effect, were missing or were incorrectly used. Security must be discussed, including what needs to be protected via encryption; this must not be book work but directly related to the implementation.

70-79% 

Good or very good. Weaknesses should be identified; however, there may be some degree of limited scope in the identification of what patterns could have been applied, or some lack of depth relating to the problems of applying cryptography to the system.

50-19 

Satisfactory evaluation which lacks some important items or lacks depth, especially in offering alternatives or identifying weaknesses. Security evaluation has weaknesses in scope, or the type of security being recommended shows limited understanding of the effect it will have on the application.

0-49 % 

Evaluation missing key elements and/or alternatives. The work lacks depth and/or lacks critical evaluation.  

 

 


APPENDIX B 

 

Capturing use of  

 

Research into the use of Stack Overflow for security

 

Purpose 

This task forms part of your assessment; the data which you capture will also be used to write a research paper. The use of the data for research purposes is purely voluntary. You will be asked to complete a consent form and will have until the start of semester 2 to withdraw your consent. You may also withdraw or not permit the use of the data you capture in the research; you will not have to give any reason, and doing so will not have any consequences for yourself.

 

This exercise should not take more than an hour to complete and it will be undertaken in the lab during or before week 11. There are four tasks in total; they need to be done in sequence and, once completed, they should not be amended based on the subsequent tasks. It is also vital that tasks 1 to 3 take place before the week 11 lecture, and that task 4 be completed after the week 11 lecture. Details on how to submit the work will be given later; however, it will be collected in prior to the end of semester. You should also submit the work as part of the assessment.

 

You will be asked to conduct some research on Stack Overflow (not other websites); the nature of the research is specifically related to the way passwords are stored for authentication purposes. This is a very well-known area of security and most developers will have had some exposure to creating a secure logon. The research should not encompass the following: TLS/SSL or password strength criteria. It should only be concerned with the way the password will be processed prior to being stored on a database for the purposes of user authentication. This is often described as a ‘cryptographic transformation’, i.e. transforming it from an insecure string into a secure binary format.

The current best practice will be discussed in week 11; therefore it is vitally important that the first part of the investigation is done prior to this lecture, otherwise it will contaminate the results of this study and render them useless. Equally, it is important that the last task is done after the security lecture of week 11.

The main purpose of this research is to evaluate the effectiveness of Stack Overflow in providing a solution to a common security problem, and how prior knowledge affects the effectiveness of searching and finding an appropriate solution. It is therefore important that you capture your usage of Stack Overflow during the investigation.

 

Your job is to find the most appropriate technical solution for the problem of password storage. I will ask you to record the pages you look at on Stack Overflow (URL) along with information about the usage of the page: percentage read, whether you fully read the page or skim read the page, and whether you found the page useful and relevant.

 

 

 


 

The Problem. 

Single factor authentication relies heavily on the use of passwords to authenticate users. Although other authentication techniques do exist, single factor password authentication is the mainstay of the e-commerce and commercial arena. As previously stated, you are not asked to look at the security of the connection between the client and the server (TLS/SSL) and you are not being asked to look at policy such as frequency of password change or criteria for password strength. You are, however, being asked to identify the technical solution for the transformation from a clear plain text string into the binary format which will be stored on the database. There are various ‘cryptographic’ transformations that can be used: some are keyed, some are non-keyed, and some are reversible while others are not. The purpose is for you to choose the most appropriate cryptographic transformation.

 

The following is a list of tasks you have been asked to complete. Please note that some information about your prior experience will be used; however, no information regarding your name or student ID will be stored. The information is relatively generic and is therefore anonymous in nature.

  • Task A) Captures information about your background as a developer, including any industrial experience you have gained.

  • Task B) Captures any prior knowledge and/or preconceptions you may have regarding password security.

  • Task C) Before the lecture on security. Investigate the problem, capturing information about the pages you look at and your proposed solution based on the investigation.

  • Task D) After the lecture on security. If you believe you have already chosen an optimal solution you need to write in the section (OPTIMAL SOLUTION ALREADY FOUND); otherwise use Stack Overflow again and repeat the activity undertaken in Task C.


 

Part A) Your Background 

 

  1. Where did you study for your undergraduate Computer Science degree?

     a. Obtained in UK.

     b. Obtained outside of the UK.

     c. Obtained at Northumbria University.

Delete those which are not appropriate.

  2. Industrial Experience

Did you do a placement year as part of your degree? 

YES    NO   (delete the one which is not appropriate)  

How many years industrial experience do you have (including a placement year)? 

Full time years : Enter 0 if none. 

Part time years : Enter 0 if none. 

Please use real numbers not integers. 


 

Part B) 

 

Pre-existing knowledge of password security may improve your ability to search for and sort solutions on Stack Overflow. Therefore, it is important that you state any prior knowledge/preconceptions you have regarding the transformation a string password should go through prior to being saved on a database.

For example: "I believe that the password should go through a ……….….. prior to being saved in the database." OR "I really have no idea what should be done."

 

 

 

 

 

 

 

 

 

 

 


 

Part C) Task  

 

The problem: passwords are a necessary part of user authentication; although other mechanisms do exist, they are typically not viable for most computer systems and web applications. There are a number of different technical solutions to storing password information for the purposes of user authentication. Your task will be to find which one you believe to be an optimal technical solution; you do not need to code this but you do need to indicate which techniques would be used to store the password securely. The resource you need to use for this task is the popular developer site Stack Overflow. For each page you look at, you need to record the URL and the following information. I expect that there will be a number of pages you will look at before you decide on a solution. Please place them in chronological order of when you viewed them: starting with the first page at the beginning, add them in chronological order with the final URL at the end. In case of a missing URL or out-of-sequence documentation of the process, please open your browser history and cut-and-paste the section related to Stack Overflow at the end of this section.

 

Search Term Used followed by the URLs read under that search term 

Way page was read 

  A. Skim read the page and did not read anything in detail

  B. Skim read the page and read some sections in detail

  C. Read more than half of the page in detail

  D. Read the entire page in detail

Usefulness of page (at the time of reading)

  A. Page was very useful

  B. Page was moderately useful

  C. Page was only partly useful

  D. Page was not useful.

Subjective conclusions of the page

  A. Trusted the content and opinions on the page

  B. Trusted some of the content and opinions on the page

  C. Trusted few of the content and opinions on the page

  D. Trusted none of the content and opinions on the page.

Please give a few words to explain your subjective judgment of the page.   

The following is an example. 

Page URL 

https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords 

The way page was read 

 

A 

Usefulness of page 

D 

Subjective conclusions of the page 

 

B 

Comments on the subjective score 

The page was only of passing interest and not really relevant to the question.  

 

Please copy the following template for each page you look at.  

Page URL 

 

The way page was read 

 

 

Usefulness of page 

 

Subjective conclusions of the page 

 

 

Comments on the subjective score 

 

Task C outcome 

From your research above, please detail the cryptographic transformation you believe is needed prior to storing the password in the database. You should pick the one you would use if developing this functionality for a real client. If the transformation requires parameters, state the parameters required. You do not have to give a code example, only information about the cryptographic transformation you would choose and a short sentence or two on why you think this is the best choice.

 

 

 

 

 

 

 

 

 

 

 

Which of the URLs was most useful in finding this solution?

 

 

Task D

 

This task should be completed after the week 11 lecture on cryptography and security.

Having had the lecture, have you already found the optimal solution from Task C?

Please delete as appropriate:    YES     NO 

 

If you have answered NO then please conduct the same activity as in Task C and find the solution you would use on Stack Overflow.  

 

Search Term Used followed by the URLs read under that search term

 

Way page was read 

  A. Skim read the page and did not read anything in detail

  B. Skim read the page and read some sections in detail

  C. Read more than half of the page in detail

  D. Read the entire page in detail

Usefulness of page (at the time of reading)

  A. Page was very useful

  B. Page was moderately useful

  C. Page was only partly useful

  D. Page was not useful.

Subjective conclusions of the page

  A. Trusted the content and opinions on the page

  B. Trusted some of the content and opinions on the page

  C. Trusted few of the content and opinions on the page

  D. Trusted none of the content and opinions on the page.

Please copy the following template for each page you look at.  

Page URL 

 

The way page was read 

 

 

Usefulness of page 

 

Subjective conclusions of the page 

 

 

Comments on the subjective score 

 

 

Task D outcome 

Please detail the cryptographic transformation you would pick for the development of a real commercial based system. You need to outline the  

 

 

 

 

 

 

 

 

 

Which of the URLs was most useful in finding this solution?

 

 

 

 

 


Consent form 

 

Agreement to participate 

I,    (print name) 

agree to take part in this research project. 

  1. I have had the purposes of the research project explained to me.

  2. I have been informed that I may refuse to participate or withdraw my consent simply by saying so, without giving a reason and without prejudice.

  3. I have been informed that I have until 1st of February 2020 to withdraw my consent, as this is the date the data will be consolidated and anonymised.

  4. Participation is voluntary and participation or non-participation will have no effect on the module outcomes.

  5. I have been assured that my confidentiality will be protected as only anonymous data is being captured and presented in the final work.

  6. I agree that the information that I provide can be used for educational or research purposes, including publication.

  7. I understand that if I have any concerns or difficulties I can contact Mark Hurrell at Northumbria University (Mark.Hurrell@Northumbria.ac.uk).

  8. I assign the copyright for my contribution to the researcher for use in education, research and publication.
