Tuesday, July 3, 2012

AIVScan

I'm currently working as part of a team on a new Web-based security scanning tool. We're in the second part of the two-part Senior Project course series at Drexel University, loosely following the Software Development Life Cycle (SDLC). By the beginning of the Fall Semester, we should have a working prototype. 



The Web app that we're writing, called AIVScan (AIV stands for "Am I Vulnerable?"), is intended to take the user's Internet-facing IP address and scan it for common vulnerabilities (open ports, running services, outdated software, etc.). AIVScan will then send the user a concise report detailing the vulnerabilities, if any, and provide suggestions on how to improve their security posture.

Those are the basics. 

How will AIVScan actually work? At the heart of AIVScan will be the open source Network Mapper (Nmap) security scanner. We plan to use Nmap in conjunction with our database to take the user-submitted IP address and subject it to some predefined arguments. The details of what type of Nmap arguments we will be using are still up in the air, but we have the basic process down as follows:

  1. The user navigates to the AIVScan website
  2. The user creates a profile (required) that consists of username (email address) and password prior to conducting first scan
  3. A link is generated and sent to the user-provided email address for verification (to avoid having AIVScan abused for DDoS attacks)
  4. User follows link, verifies profile/account creation, and is then given the opportunity to conduct their first scan
  5. User initiates scan
  6. User IP address is obtained automatically (denying the option to manually provide IP addresses is intended to further reduce AIVScan's potential for abuse by hackers).
  7. User IP address is passed to Nmap on the server with predefined arguments.
  8. IP address is scanned
  9. Output is generated and sent to an XML report detailing user vulnerabilities and suggested course of action
  10. Report is sent as email to user
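
Steps 4 through 9 above, sketched as an added Python example (not AIVScan's own code): the scan target comes only from the connection's peer address, Nmap gets a fixed argument list with no shell involved, and the XML output is reduced to the open services a report would list. The function names, the Nmap argument set and the sample XML are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed argument set (the post leaves the real one undecided); "-oX -" writes XML to stdout.
NMAP_FIXED_ARGS = ["nmap", "-Pn", "-sV", "--top-ports", "100", "-oX", "-"]

def scan_target(peer_addr, verified):
    """Steps 4-6: return the one address this session may scan, else raise ValueError.

    peer_addr must be the TCP peer address the server itself observed, never a
    form field or a client-settable header such as X-Forwarded-For.
    """
    if not verified:
        raise ValueError("e-mail address not verified")
    ip = ipaddress.ip_address(peer_addr)  # ValueError for anything that is not an IP literal
    if not ip.is_global:  # loopback, RFC 1918, link-local, CGNAT, documentation ranges
        raise ValueError("not an Internet-facing address")
    return str(ip)

def nmap_argv(target):
    """Step 7: argv for subprocess.run(argv, shell=False, timeout=...); options stay fixed."""
    return NMAP_FIXED_ARGS + [str(ipaddress.ip_address(target))]

def open_services(nmap_xml):
    """Step 9: (port, protocol, service, version) for each open port in Nmap's XML output."""
    rows = []
    for port in ET.fromstring(nmap_xml).iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        name = svc.get("name", "unknown") if svc is not None else "unknown"
        version = "" if svc is None else " ".join(
            v for v in (svc.get("product"), svc.get("version")) if v)
        rows.append((int(port.get("portid")), port.get("protocol"), name, version))
    return rows

# Constructed sample of Nmap XML output (203.0.113.7 is a documentation address).
SAMPLE_XML = """<nmaprun><host><address addr="203.0.113.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="5.3"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    for row in open_services(SAMPLE_XML):
        print(row)
```

Because the target is parsed as an IP literal before it reaches the argument list, a string carrying extra Nmap options or shell metacharacters is rejected rather than passed through.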


That's the basic gist of what AIVScan is supposed to do. Obviously there are a lot of variables to attend to. At this point, we are hoping to have a functional Version 1.0 by the Fall. Most of the work remains to be done at this point. To date, my largest contribution has been designing the website (using Twitter Bootstrap on GitHub as a template). I am going to be responsible for the remainder of the front-end and user interface. My lack of programming experience is foremost on my mind right now, but I think that I can make a worthy contribution to the team if I make sure to devote enough time to the project. To that end, I've been reasserting myself toward learning Java.

The other members of the team preferred to avoid Java--they are doing a lot of the back-end work in Python. But for me, sticking with Java has a secondary purpose besides AIVScan, and that's Android OS. All Android is done in Java. I got derailed in my earlier attempts to break into Android development, but I've gotten Eclipse IDE back up and running and partnered with a friend to begin hacking out some basic applications. That's for another post, though. 

In the meantime, I guess I'm going to try and work on not sucking at Java. 
