CAMPBELL UNIVERSITY
NORTH CAROLINA, U.S.A.

ACADEMIC YEAR 2016/2017
SEPTEMBER EXAMINATION
INFORMATION TECHNOLOGY
BAIT2183(B) SOFTWARE SECURITY

TUESDAY, 13 SEPTEMBER 2016
TIME: 2.00 PM - 3.00 PM (1 HOUR)

BACHELOR OF SCIENCE DEGREE

Instructions to Candidates:
Answer ALL questions. All questions carry equal marks.
This question paper consists of 2 questions on 3 printed pages.

Q1. (a) (i) What is threat modelling and when should it be performed in a software development project's lifecycle? (4 marks)

        (ii) Evaluate THREE (3) benefits that threat modelling brings to an organization's software security. (6 marks)

    (b) The following attack tree depicts the different ways in which a system may be attacked to achieve a specific goal. An indication of whether special equipment is required and the cost to attack is indicated in each leaf node.

        [Figure: attack tree; each leaf node is labelled SE or NSE together with a cost in RM]

        SE - Special equipment required
        NSE - No special equipment required

        (i) Identify all the paths which do not require any special equipment. (5 marks)

        (ii) Which is the path with the cheapest attack requiring no special equipment? Draw the attack tree for this scenario and show your calculation for the cost of this attack. (10 marks)

[Total: 25 marks]

Q2. (a) (i) "Security often conflicts with other non-functional requirements." Write justifications to support the above statement by discussing the conflict between security and TWO (2) other non-functional requirements. (8 marks)

        (ii) Propose FOUR (4) security techniques for the user authentication of an online banking website. Elaborate on how your proposed design provides good trade-off between security and the two non-functional requirements that you discussed in part (i). (8 marks)

    (b) A buffer overflow occurs when a program exceeds a buffer's boundary and overwrites adjacent memory locations as it is writing data to the buffer. Discuss THREE (3) counter-measures for handling this security vulnerability. Your answer should also include a discussion of each counter-measure's effectiveness in overcoming the problem. (9 marks)

[Total: 25 marks]
