Personal Project – Security Engineering Home Lab
This is a personal project focused on building a functional, security-conscious application for managing employee records. It demonstrates practical implementation of security engineering concepts such as authentication, access control, logging, and detection of abnormal behavior in internal systems.
The project is designed for internal use (HR department scenario) and is not exposed to the Internet. It aims to provide a hands-on understanding of security engineering practices in a controlled environment.
- Application Layer: Handles business logic and user interactions.
- Data Storage Layer: Stores employee records; only accessible through the application layer.
- Clients: Interact with the application layer; have authenticated access with role-based permissions (standard or admin).
Key Characteristics:
- Create, read, update, and delete employee records.
- Separation of application logic and data storage.
- Authenticated and authorized access for different user roles.
- Internal network deployment only.
- Logging and detection logic for tampering, DoS, and repudiation events.
- Dockerized deployment for easy setup and experimentation.
Threats were identified using the STRIDE framework. Focus was placed on high-impact/high-likelihood threats. Key observations:
- Spoofing: Mitigated via authentication. Medium likelihood for data layer; high impact if bypassed.
- Tampering: Requests validated against whitelists; logs detect deviations from expected patterns. Integrity of data in transit preserved using TLS.
- Repudiation: Logging implemented for user and system actions to ensure traceability.
- Information Disclosure: Mitigated via TLS for data in transit.
- Denial of Service: Application-level rate limiting implemented. System resource monitoring in place. Requests validated against whitelists.
- Elevation of Privilege: Role-based access enforced; potential bypass mitigated conceptually.
Note: This is a personal lab project done by an undergraduate. The threat model is conceptual and aimed at learning rather than production-grade security.
| Threat | Control Type | Implementation Highlights |
|---|---|---|
| Tampering | Logical/Preventive | Input validation with whitelist, configure to use TLS |
| Tampering | Logical/Detective | Compare requests against valid patterns to detect anomalies |
| Tampering | Logical/Corrective | Block, restrict or rate-limit sources showing tampering behavior, configure to use TLS |
| Tampering | Logical/Recovery | Periodic backups to restore integrity |
| Repudiation | Logical/Preventive | Activity logs for application and data storage interactions |
| Information Disclosure | Logical/Preventive | TLS for data in transit |
| DoS | Logical/Preventive | Application-level rate limiting, input validation with whitelist |
| DoS | Logical/Detective | Monitor request patterns and system resource usage to detect anomalies |
| DoS | Logical/Corrective | Block, restrict or rate-limit suspicious sources |
| DoS | Logical/Recovery | Restart or reboot if needed |
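The two detective rows above (compare requests against valid patterns; monitor request rates per source) can be exercised on plain log lines, which matches the project's log-only detection approach. The following is an added example written for this page, not code from the project: the route whitelist and the loguru-style line format are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Whitelist of valid request shapes for the employee-records API. The routes
# are an assumption for this example, not the project's real endpoints.
VALID_PATTERNS = [re.compile(p) for p in (
    r"^GET /employees(?:/\d+)?$", r"^POST /employees$",
    r"^PUT /employees/\d+$", r"^DELETE /employees/\d+$")]
# Assumed loguru-style line: "<date> <time> | <LEVEL> | <client> <METHOD> <path>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| \w+\s*\| "
                     r"(?P<client>\S+) (?P<req>[A-Z]+ \S+)$")

def parse_line(line):
    """Return (timestamp, client, request) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    return m and (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["client"], m["req"])

def is_whitelisted(req):
    # Tampering/preventive check: the request must match one valid pattern.
    return any(p.match(req) for p in VALID_PATTERNS)

def detect(lines, max_per_window=5, window=timedelta(seconds=10)):
    """Returns (tampering, dos): (client, request) pairs outside the whitelist,
    and clients exceeding max_per_window requests in any sliding window."""
    tampering, dos, per_client = [], set(), defaultdict(list)
    for ts, client, req in filter(None, map(parse_line, lines)):
        if not is_whitelisted(req):
            tampering.append((client, req))
        per_client[client].append(ts)
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0  # two-pointer sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_per_window:
                dos.add(client)
                break
    return tampering, dos

# Constructed sample log lines (not real output of the project).
SAMPLE_LOG = """\
2024-05-01 10:00:00 | INFO     | 10.0.0.5 GET /employees
2024-05-01 10:00:02 | INFO     | 10.0.0.9 GET /admin/config
2024-05-01 10:00:03 | INFO     | 10.0.0.9 DELETE /employees/abc
2024-05-01 10:00:04 | INFO     | 10.0.0.9 GET /employees
2024-05-01 10:00:05 | INFO     | 10.0.0.9 GET /employees
2024-05-01 10:00:06 | INFO     | 10.0.0.9 GET /employees
2024-05-01 10:00:07 | INFO     | 10.0.0.9 GET /employees
""".splitlines()
```

Running `detect(SAMPLE_LOG)` flags the two non-whitelisted requests from 10.0.0.9 as tampering and the same client as a DoS source, since it sent six requests inside a ten-second window.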
- Languages & Scripting: Python, Bash
- APIs & Libraries: FastAPI, Textual, loguru
- Security Tools: OpenSSL, TLS
- Database: SQLite
- Containerization: Docker, Docker Compose
- Task Automation: Cron
- Web Server: Uvicorn
Deployment Method: Docker Compose
- Detection is performed from logs only; no external SIEM integration.
- Rate limiting implemented at the application layer instead of firewall.
- TLS integrity verification not implemented (low-level, outside app scope).
- Focused only on the most critical security threats identified in the first threat modeling iteration.
- Install the required libraries:

```shell
pip install -r ./requirements.txt
```

- Create a `.env` file and add the JWT secret key:

```shell
# Create the file
touch ./.env
# Add the JWT secret (generate a strong random key with `openssl rand -hex 32`)
JWT_SECRET=<your_secret_key_generated_with_openssl_rand_-hex_32>
```

- Build and start the environment:

```shell
docker compose up -d --build
```

- Add the following entry to the `hosts` file:

```
127.0.0.1 app-server.internal
```

- Run the client interface:

```shell
python ./src/client.py
```

Default Credentials:
- Standard user: username: `john`, password: `1234`
- Admin user: username: `mark`, password: `5678`
- Implement alerting and automated response for detected anomalies.
- Integrate TLS verification for internal communication flows.
- Extend detection logic for additional threat scenarios.
- Introduce further non-repudiation mechanisms for auditability.
- Consider external SIEM integration for centralized monitoring.
This project serves as a personal learning exercise for applied security engineering. While functional and demonstrating core security principles, it is intended for educational purposes and should not be considered production-ready.
