Modify an existing Java Web
application that violates several Payment Card Industry guidelines and recommendations.
Your task is to locate the issues, identify what is wrong and then fix the code.
You will discuss each issue in terms of why the issue may cause a security vulnerability, and how you specifically
fixed the issue.
The current code, uses Java JSP and
Servlets to allow a user to login to their account and view credit card data stored in the database.
The functionality is relatively simple but several PCI compliance rules have been violated that will
prevent the application from being approved by a PCI software auditor.
You should first load up the
application, populate the database and make sure the application is working in your environment as expected.
The application uses the Java Derby relational database. The script used to populate the application
is attached as well as the Java web project itself. You should be able to open the existing project using NetBeans.
However; you may need to load the Derby
drivers to the libraries for the project.
Once you have the database loaded,
you can try the application. (This assumes you have properly installed the Java EE when you installed NetBeans).
Email:firstname.lastname@example.org Password: mypassword
Review the code and perform analysis as needed.
You should experiment with
application as well as reviewing the code to identify possible areas of
security concerns. You don’t have to be an expert in JSP/Servlets,
html or css to be able to find some of the issues that you have read about in the PCI documentation.
However; it is recommended you experiment with the code so you have a baseline familiarity with the
model and know how the JSP and servlets communicate with each other.
Focus on the PCI compliance issues
found in sections 6 through 9 (see attached jpg file) as you look for issues.
There are multiple issues and you
should work to fix and document as many as possible.
Provide all of your modified Java
code, your modified database script and a word document describing how you
addressed each issue. You should clearly describe the code and what PCI compliance
issue were violated and how you fixed it. You should provide screen captures as needed to support your findings and improvements.