KOLEJ UNIVERSITI TUNKU ABDUL RAHMAN
FACULTY OF COMPUTING AND INFORMATION TECHNOLOGY
ACADEMIC YEAR 2018/2019
SEPTEMBER EXAMINATION

INFORMATION TECHNOLOGY
BAIT2183 SOFTWARE SECURITY
WEDNESDAY, 12 SEPTEMBER 2018
TIME: 9.00 AM - 10.00 AM (1 HOUR)

BACHELOR OF INFORMATION TECHNOLOGY (HONOURS) IN INFORMATION SECURITY

Instructions to Candidates:
Answer ALL questions. All questions carry equal marks.
This question paper consists of 2 questions on 2 printed pages.

Question 1

a) Security Development Lifecycle (SDL) is a software development process that helps developers to build more secure software and address security compliance requirements while reducing development cost. The first two steps are: identify system objectives and apply functional requirements.

   (i) Identify the other FIVE (5) steps of the SDL. (5 marks)

   (ii) Appraise the importance of each SDL step in ensuring that security is built into the application. (7 marks)

b) (i) Explain the term Threat Modelling. (2 marks)

   (ii) Give THREE (3) purposes for carrying out Threat Modelling as an activity in a company's software security plan. (3 marks)

   (iii) Describe the FOUR (4) tools used for Threat Modelling. (8 marks)

(Total: 25 marks)

Question 2

a) E-commerce has become very popular for people who are always busy and desire a convenient way to shop. The most popular example of e-commerce is online shopping. However, e-commerce can also entail other types of activities, such as online auctions, payment gateways, online ticketing and internet banking. Given that Login User, Place Order and Make Payment are three use cases in an e-commerce system.

   (i) Illustrate with a diagram to show the THREE (3) above-mentioned use cases and TWO (2) corresponding abuse cases for each use case. (10 marks)

   (ii) Select ONE (1) of the abuse cases from Question 2 a) (i) and do the following:
       - Describe how the threat may be carried out. (2 marks)
       - Suggest and justify a mitigation strategy for the threat. (2 marks)

b) Identify ONE (1) type of attack that usually occurs in an e-commerce system. Propose ONE (1) prevention strategy to counter this attack and provide justification to support the proposed strategy. (7 marks)

c) Differentiate between White Box Testing and Black Box Testing. (4 marks)

(Total: 25 marks)
