Skip to main content

Practical example: building a social sharing platform

Documenting your project upfront requires time and research, but gives enormous amount of insights and knowledge for the whole team to advance with.

In this article we're continuing where we left off my previous article "Documentation of a project" by providing examples for the documentation focus areas I explained and we're also making sure that we're not tumbling down a rabbit hole where specs are written in stone and we're building this project in a waterfall way.

The Hotbrewd project

For this particular example I've chosen a project that has a couple of interesting challenges. It's a social media platform (lots of users) where people can check in their beverage at a specific location or establishment (geolocation), upload photos or videos of their drink (moderation) and share with friends (personal information, profiling). To make it a little entertaining, the more people share and tag, the more stickers they can unlock. Also brands and establishments can offer discounts for specials (marketing, monetisation).

The project feature requirements

Together with the business we define feature requirements. This is a list of requirements made from a business perspective. We need this list to ensure that we can build something the business wants and should contain verifiable criteria. In the case of Hotbrewd, the feature requirements are written out in a specification document. This can be a Word file, a Google document or as we like to use at In2it a wiki entry.

A wiki entry providing feature requirements

Defining technical requirements

Now that we know what the business wants, we can start defining the technical requirements. This sounds easier than it is because at this stage we only have a vague idea what kind of application we're going to build and how the technical infrastructure would look like. But we have no clue how many users will be on this platform, where constraints could be in the network or services or what kind of data is collected that needs protection.

To answer these questions, we are going to interview the developers, system administrators and business owners to note down their views, experiences and expectations. We are focussing closely on how they envision the application. Sketching out their visions helps to find commonalities amongst all stakeholders and to draft up a technical architecture schema.
Quickly after interviewing all stakeholders you can form an idea how the application architecture would look like

Security considerations

Now is a good time to define some security considerations! The business wants to build an application for the masses, but doesn't want to be in the news because sensitive data got stolen or the application got abused. With the help from security experts we can define areas of concern that everyone should be aware of. These areas are:

  • Network security
  • Systems security
  • Application security
  • Application abuse
Network security is required to ensure that only the application can access the underlying systems and only has a single entry point (the reverse proxy).

Systems security is oriented towards the operating system (OS) and its libraries or tools that are installed on the platform.

Application security focusses on ensuring that all components of the application are protected agains malicious attacks. Primary area of concern is the OWASP Top 10, a list of 10 most common attack vectors seen in web applications. But just as important are measures taken to ensure the application components can communicate safely and securely.

Application abuse is a risk based analysis of how the application could and would be abused, beyond the scope of the vision of the business. A potential abuse element is the fact people can upload photos and videos. The business would like users to upload shots of their coffees, but nothing prevents them to upload violent or provocative material. Another point of abuse could be stalking, because the application collects information where a beverage is consummated. And when you look at the whole application you come up with a very, scary list of all things that could be abused using the application as designed.

Working towards a POC

With all knowledge gathered, it's a good idea that you work to a first proof of concept (POC). This doesn't require a complete architecture or full infrastructure, but gives everyone a good idea how all things communicate together. And the business has something they can already start playing with the idea and work out how to improve the user experience.

Don't forget to keep meeting notes and add it to the documentation stack!

A first POC, doesn't have to be fancy but should contain the basic requirements

Your project backlog can now be filled with development tasks, security tasks, design tasks, testing tasks and so on. A simple Kanban board can really help out as it makes work visible in the organisation.
A simple Kanban board to make work visible
Now that we have work in the pipeline, an idea on paper and an application to protect, I'm going to take some time to write out all the security related issues I come across and I will put them in writing in my next article. Please keep sending your feedback, suggestions and comments as it helps me get better insights in web application security. See you all next time.


Popular posts from this blog

Speeding up database calls with PDO and iterators

When you review lots of code, you often wonder why things were written the way they were. Especially when making expensive calls to a database, I still see things that could and should be improved.
No framework development When working with a framework, mostly these database calls are optimized for the developer and abstract the complex logic to improve and optimize the retrieval and usage of data. But then developers need to build something without a framework and end up using the basics of PHP in a sub-optimal way.

$pdo = new \PDO( $config['db']['dsn'], $config['db']['username'], $config['db']['password'] ); $sql = 'SELECT * FROM `gen_contact` ORDER BY `contact_modified` DESC'; $stmt = $pdo->prepare($sql); $stmt->execute(); $data = $stmt->fetchAll(\PDO::FETCH_OBJ); echo 'Getting the contacts that changed the last 3 months' . PHP_EOL; foreach ($data as $row) { $dt = new \DateTime('2015-04-…

PHP Arrays - Associative Arrays or Hash Maps

Associative array or hash maps are listings of key and value pairs with a posibility to nest additional keys and values. An associative array is a very powerful construct within PHP.

In our previous article we discussed simple arrays, which in their turn are indexed associative arrays under the hood. Take the following example:

$array = [

Is in fact an indexed associative array under the hood:

$array = [
0 => 'apple',
1 => 'banana',
2 => 'chocolate',

But associative arrays can be so much more than just an indexed array, and you will find many database operations returning arrays where the fields of a table are the keys in the array while their values are also the values within the array.

$productRowData = [
'product_id' => 1234,
'brand_id' => 321,
'product_name' => 'Our awesome product',
'prodcut_description' => 'This is our most awesome product.&#…

Deploy Docker containers fast to Microsoft Azure

DEPLOY DOCKER CONTAINERS FAST TO MICROSOFT AZURE It’s hard to ignore the fact thatDockeris a way to move forward for rapid application development, distributed architectures and microservices. For developersDockeroffers great advantages as they can build their containers specifically for the task they work on. They grab a base image of a container, modify it for their purpose and prepare the functionality inside the container. Quality, testing and security teams now have a single instance to look at and ensure all functional and regulatory requirements are met. System engineers now don’t have to worry about providing a system with the required specs as the container is already provisioned for that purpose. But where do you deploy yourDockercontainers? You can set up your existing bare metal infrastructure to allow them to run containers, but this also means you need to learn about securing your container infrastructure, which is not an easy task. Luckily “the cloud” offers container …