CAMPBELL UNIVERSITY
NORTH CAROLINA, U.S.A.
ACADEMIC YEAR 2016/2017
SEPTEMBER EXAMINATION
INFORMATION TECHNOLOGY BAIT2183(B)
SOFTWARE SECURITY
TUESDAY, 13 SEPTEMBER 2016    TIME: 2.00 PM - 3.00 PM (1 HOUR)
BACHELOR OF SCIENCE DEGREE
Instructions to Candidates:
Answer ALL questions. All questions carry equal marks.
This question paper consists of 2 questions on 3 printed pages.
Q1. (a) (i) What is threat modelling and when should it be performed in a software
development project's lifecycle? (4 marks)
(ii) Evaluate THREE (3) benefits that threat modelling brings to an
organization's software security. (6 marks)
(b) The following attack tree depicts the different ways in which a system may be
attacked to achieve a specific goal. Each leaf node indicates whether special
equipment is required and the cost of the attack.
[Attack tree figure: the scan does not preserve the structure of the tree. Legible
leaf-node labels include SE/RM28,000, SE/RM12,000, NSE/RM90,000, NSE/RM70,000,
SE/RM20,000 and a second NSE/RM90,000; the remaining leaf costs are illegible.]
SE = Special equipment required
NSE = No special equipment required
(i) Identify all the paths which do not require any special equipment. (5 marks)
(ii) Which is the path with the cheapest attack requiring no special equipment?
Draw the attack tree for this scenario and show your calculation for the cost
of this attack. (10 marks)
[Total: 25 marks]
Q2. (a) "Security often conflicts with other non-functional requirements."
(i) Write justifications to support the above statement by discussing the conflict
between security and TWO (2) other non-functional requirements. (8 marks)
(ii) Propose FOUR (4) security techniques for the user authentication of an
online banking website. Elaborate on how your proposed design provides a
good trade-off between security and the two non-functional requirements
that you discussed in part (i). (8 marks)
Q2. (Continued)
(b)
A buffer overflow occurs when a program exceeds a buffer's boundary and
overwrites adjacent memory locations as it is writing data to the buffer. Discuss
THREE (3) counter-measures for handling this security vulnerability. Your answer
should also include a discussion of each counter-measure's effectiveness in
overcoming the problem. (9 marks)
[Total: 25 marks]
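As an added example (written for this page, not part of the examination paper), the C code below places the vulnerable pattern the question describes next to two source-level counter-measures, and notes a third that is applied at build and run time. The buffer size, function names and sample inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* The vulnerable pattern: strcpy copies until it finds a NUL in the source,
 * so an input of NAME_LEN bytes or more writes past the end of `name` into
 * whatever the stack holds next. Shown for contrast only. */
void store_name_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);
    printf("stored: %s\n", name);
}

/* Length of s up to the NUL, scanning at most `limit` bytes. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Counter-measure 1: explicit bounds checking. The caller passes the real
 * destination size and oversized input is rejected, not silently cut.
 * Returns 0 on success, -1 if the input does not fit. */
int store_name_bounded(const char *input, char *dst, size_t dst_size) {
    if (dst_size == 0) return -1;
    size_t len = bounded_len(input, dst_size);
    if (len >= dst_size) return -1;      /* no room for the terminator */
    memcpy(dst, input, len + 1);          /* copies the NUL as well */
    return 0;
}

/* Counter-measure 2: length-aware library functions. snprintf never writes
 * more than dst_size bytes and always NUL-terminates, but it truncates, so
 * the return value must be checked or data is lost without notice.
 * Returns 0 if fully stored, 1 if truncated, -1 on error. */
int store_name_truncate(const char *input, char *dst, size_t dst_size) {
    if (dst_size == 0) return -1;
    int n = snprintf(dst, dst_size, "%s", input);
    if (n < 0) return -1;
    return (size_t)n >= dst_size ? 1 : 0;
}

/* Counter-measure 3 is outside the source: compile with stack protection
 * (gcc -fstack-protector-strong) so a canary between `name` and the saved
 * return address aborts the process when overwritten, and run on a platform
 * with a non-executable stack and ASLR. These contain the damage from
 * store_name_unsafe but do not remove the bug; the bounds checks above do. */

int main(void) {
    char buf[NAME_LEN];
    const char *ok  = "alice";                      /* constructed inputs */
    const char *big = "a-name-that-is-far-too-long";
    printf("bounded(ok)   -> %d (%s)\n", store_name_bounded(ok, buf, sizeof buf), buf);
    printf("bounded(big)  -> %d\n", store_name_bounded(big, buf, sizeof buf));
    printf("truncate(big) -> %d (%s)\n", store_name_truncate(big, buf, sizeof buf), buf);
    return 0;
}
```

The rejecting variant is the stronger of the two source-level fixes: truncation keeps the program memory-safe but can turn one value into another, which matters for identifiers and paths, so the caller must at least act on the truncation flag.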