Online appointment booking systems are commonly treated as simple workflow applications, although they process credentials, personal information, appointment metadata, administrative decisions, and payment-adjacent data. When security is introduced after implementation, repeated weaknesses can remain in the architecture, including weak authentication controls, unvalidated input, broken access control, insecure design assumptions, fragile session handling, and incomplete auditability. This paper presents the Secure Appointment Booking System (SABS) as an academic secure software engineering case study. The study develops a traceable security argument by connecting functional requirements, misuse cases, mitigating use cases, architectural controls, implementation evidence, and black-box validation. The work maps the selected controls to NIST SSDF, OWASP Top 10, CISA Secure-by-Design principles, Saudi National Cybersecurity Authority (NCA) control expectations including ECC 2-2024 and national cybersecurity control (NCC) alignment, and Saudi Personal Data Protection Law (PDPL) considerations. The implemented prototype uses a React single-page application, an ASP.NET Core API, and a SQL Server persistence layer. Security controls include password hashing, JWT-based session handling with revocation records, role-based access control, server-side input validation and sanitization, server-side sandbox payment validation, and append-only audit logging. Validation used 32 scenario-based black-box tests across authentication, booking, administration, audit, payment, and workflow modules; all tests passed within the academic prototype scope. The paper does not claim production certification or formal compliance. Instead, it demonstrates how a small software project can make security claims more scientific, bounded, and defensible by linking threats, controls, evidence, and residual risk.
Alshahrani et al. (Sun,) studied this question.