KOLEJ UNIVERSITI TUNKU ABDUL RAHMAN
FACULTY OF COMPUTING AND INFORMATION TECHNOLOGY
ACADEMIC YEAR 2021/2022
APRIL/MAY EXAMINATION
INFORMATION TECHNOLOGY BAIT2183
SOFTWARE SECURITY
WEDNESDAY, 18 MAY 2022 TIME: 9.00 AM — 11.00 AM (2 HOURS)
BACHELOR OF INFORMATION TECHNOLOGY (HONOURS) IN INFORMATION SECURITY.
Instructions to Candidates:
Answer ALL questions.
This question paper consists of 4 questions on 3 printed pages.

Question 1
a) Stack smashing is the term referring to the exploitation of a stack buffer overrun vulnerability.
Referring to the C++ code below, choose ONE (1) option and explain whether there
are stack smashing vulnerabilities. (7 marks)
Option 1: Yes, there are vulnerabilities.
Option 2: No issue with vulnerabilities.
#include <iostream>
using std::cin;

void callee(char * text)
{
    cin >> text;   // reads one whitespace-delimited token into text
}
void caller()
{
    callee("some text");
}
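The following is an added example, not part of the exam paper, showing the bounded counterpart of the callee() above. operator>> on a bare char* has no idea how large the destination is, so a token longer than the buffer is written past its end; passing the array size through std::setw, or reading into a std::string, removes that condition. The names callee_bounded, callee_string and the demo_* drivers, and the constructed 40-byte input, are chosen here for illustration.

```cpp
// Added example (not part of the exam paper). The callee() in Question 1(a)
// hands operator>> a bare char* with no size, so a whitespace-free token
// longer than the destination overruns it. The variants below make the size
// part of the contract.
#include <cstddef>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Hardened variant: the array size N is known at compile time and passed to
// std::setw, so operator>> stores at most N-1 characters and always writes
// the terminating NUL. Name chosen for this example.
template <std::size_t N>
std::string callee_bounded(std::istream& in, char (&buf)[N]) {
    in >> std::setw(static_cast<int>(N)) >> buf;
    return std::string(buf);
}

// Alternative that avoids a fixed-size buffer altogether: std::string grows
// to fit the token, so there is no buffer to overrun.
std::string callee_string(std::istream& in) {
    std::string s;
    in >> s;
    return s;
}

// Constructed input: a 40-byte token fed into an 8-byte buffer. Returns how
// many bytes were actually stored (N-1 characters plus the terminator).
std::size_t demo_truncation() {
    std::istringstream in(std::string(40, 'A'));
    char buf[8];
    callee_bounded(in, buf);
    return std::strlen(buf);
}

// Truncation does not discard the rest of the token: it stays in the stream,
// so a caller that wants "reject, don't silently shorten" can detect it by
// checking what is left. Returns the number of leftover bytes.
std::size_t demo_leftover() {
    std::istringstream in(std::string(40, 'A'));
    char buf[8];
    callee_bounded(in, buf);
    std::string rest;
    in >> rest;
    return rest.size();
}

// Same 40-byte token through the std::string variant: nothing is lost.
std::size_t demo_string() {
    std::istringstream in(std::string(40, 'A'));
    return callee_string(in).size();
}

int main() {
    std::cout << "bounded read stored " << demo_truncation() << " bytes, "
              << demo_leftover() << " left in stream; std::string read got "
              << demo_string() << " bytes\n";
    return 0;
}
```

Note that the bounded read only prevents the overrun; deciding what to do with the leftover input (reject the request, or consume and discard it) is still the caller's job, otherwise the remainder is parsed as the next field.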
b) The S.T.R.I.D.E methodology was developed in 1999 at Microsoft Corp. to enable software
engineers to more accurately and systematically identify threats in the systems they are evaluating.
Describe the SIX (6) components of S.T.R.I.D.E and illustrate ONE (1) example in your answer
for each component. (18 marks)
[Total: 25 marks]
Question 2
a) The goal of the Security Development Lifecycle (SDL) is to produce superior systems that
meet and exceed all users' expectations and demands. Identify SEVEN (7) steps of the Security
Development Lifecycle (SDL) in building a secure system. (21 marks)
b) Security objectives are goals and constraints that affect the confidentiality, integrity, and availability
of your data and system. Describe TWO (2) security objectives in the Software Development
Lifecycle and include an explanation in your answers. (4 marks)
[Total: 25 marks]
Question 3
a) Defensive programming is the practice of coding with the mindset that errors are inevitable
and that something will go wrong and lead to unexpected conditions within the program.
Based on your own understanding, provide THREE (3) criteria of good defensive
programming. (6 marks)
b) Dereferencing a null pointer or entering an infinite loop can create the conditions for an
attacker to take advantage of poor error handling code. Describe poor code quality that leads
to unpredictable behavior from a user's and an attacker's perspective. (4 marks)
c) The most common security activity of a software engineer is to write code that is free of
vulnerabilities. How would you apply security features in code to minimize
vulnerabilities? Illustrate ONE (1) example in your answer. (6 marks)
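The following is an added example, not part of the exam paper, showing what the criteria asked about in parts (a) to (c) look like in practice: a small C++ parser that checks its pointer and length arguments before using them, bounds its loop with a caller-supplied length so a missing terminator cannot spin forever or read out of range, checks arithmetic before it overflows, and reports failure through a status code rather than crashing (a crash on a null dereference is an outage for the user and a controllable fault for an attacker). The names parse_uint64, ParseStatus and the demo drivers, and the constructed inputs, are chosen here for illustration.

```cpp
// Added example (not part of the exam paper): a defensively written parser for
// Question 3 (a)-(c). Each assumption about the input is checked before it is
// used, the scan is bounded by a caller-supplied length so a missing terminator
// cannot cause an endless loop, and arithmetic is checked before it overflows.
// Failures are reported to the caller instead of crashing or returning garbage.
// All names here are chosen for this example.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>

enum class ParseStatus { Ok = 0, NullInput = 1, Empty = 2, BadChar = 3, Overflow = 4 };

// Parses an unsigned decimal integer from at most len bytes of s, stopping
// early at a NUL. out is written only on success, so a caller can never act
// on a partially parsed value.
ParseStatus parse_uint64(const char* s, std::size_t len, std::uint64_t& out) {
    if (s == nullptr) return ParseStatus::NullInput;          // check, don't dereference
    if (len == 0 || s[0] == '\0') return ParseStatus::Empty;

    constexpr std::uint64_t kMax = std::numeric_limits<std::uint64_t>::max();
    std::uint64_t value = 0;
    // Bounded loop: terminates after len iterations even if no NUL is present,
    // and never reads s[len].
    for (std::size_t i = 0; i < len && s[i] != '\0'; ++i) {
        const char c = s[i];
        if (c < '0' || c > '9') return ParseStatus::BadChar;   // reject, do not skip
        const std::uint64_t digit = static_cast<std::uint64_t>(c - '0');
        // value * 10 + digit <= kMax  <=>  value <= (kMax - digit) / 10
        if (value > (kMax - digit) / 10) return ParseStatus::Overflow;
        value = value * 10 + digit;
    }
    out = value;
    return ParseStatus::Ok;
}

// Small drivers so the behaviour can be checked on constructed inputs.
int status_of(const char* s, std::size_t len) {
    std::uint64_t v = 0;
    return static_cast<int>(parse_uint64(s, len, v));
}

std::uint64_t value_of(const char* s, std::size_t len) {
    std::uint64_t v = 0;
    parse_uint64(s, len, v);   // v stays 0 unless parsing succeeded
    return v;
}

// A buffer with no terminating NUL: the length bound is what keeps the loop
// finite and the read in range.
std::uint64_t demo_unterminated() {
    const char raw[4] = {'9', '9', '9', '9'};   // constructed, not NUL-terminated
    return value_of(raw, sizeof raw);
}

int main() {
    std::cout << "\"42\" -> status " << status_of("42", 2) << ", value " << value_of("42", 2) << "\n"
              << "nullptr -> status " << status_of(nullptr, 0) << "\n"
              << "\"12a\" -> status " << status_of("12a", 3) << "\n"
              << "unterminated 9999 -> " << demo_unterminated() << "\n";
    return 0;
}
```

The same shape applies to any input handler: validate, bound, check, and fail closed with a result the caller must inspect, rather than trusting the input and hoping the error path is never reached.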
d) Code review is the process of looking through all the code for defects. Explain THREE (3)
benefits of code review for identifying vulnerabilities during software development.
(9 marks)
[Total: 25 marks]
Question 4
a) Computer security hinges on the strength of the password. How would you practise FOUR
(4) different security techniques to prevent password theft? Include examples for each
technique. (16 marks)
b) Web applications are a critical aspect of business and everyday life. By using web
applications, both businesses and individuals can simplify their work and get more things done with
fewer resources. Briefly describe the method for each aspect below in order to develop secure
designs for web applications.
(i) Authentication (marks)
(ii) Configuration Management (marks)
(iii) Exception Management (marks)
[Total: 25 marks]