KOLEJ UNIVERSITI TUNKU ABDUL RAHMAN
FACULTY OF COMPUTING AND INFORMATION TECHNOLOGY
ACADEMIC YEAR 2021/2022
APRIL/MAY EXAMINATION

BAIT2183 SOFTWARE SECURITY

WEDNESDAY, 18 MAY 2022
TIME: 9.00 AM - 11.00 AM (2 HOURS)

BACHELOR OF INFORMATION TECHNOLOGY (HONOURS) IN INFORMATION SECURITY

Instructions to Candidates: Answer ALL questions.
This question paper consists of 4 questions on 3 printed pages.

Question 1

a) Stack Smashing is the term referring to the exploitation of a stack buffer overrun vulnerability. Referring to the C++ code below, choose ONE (1) option and provide an explanation of whether there are stack smashing vulnerabilities. (7 marks)

Option 1: Yes. There are vulnerabilities.
Option 2: No issue with vulnerabilities.

    #include <iostream>
    using namespace std;

    void callee(char * text) {
        cin >> text;            // reads whitespace-delimited input into the memory text points to
    }

    void caller() {
        callee("some text");    // passes a string literal as the destination buffer
    }

b) The S.T.R.I.D.E methodology was developed in 2002 by Microsoft Corp. to enable software engineers to more accurately and systematically identify defects in the code they are evaluating. Describe SIX (6) components of S.T.R.I.D.E and illustrate ONE (1) example in your answer for each component. (18 marks)

[Total: 25 marks]

Question 2

a) The goal of the Security Development Lifecycle (SDL) is to produce superior systems that meet and exceed all users' expectations and demands. Identify SEVEN (7) steps of the Security Development Lifecycle (SDL) in building a secured system. (21 marks)

b) Security objectives are goal constraints that affect the confidentiality, integrity, and availability of your data and system. Describe TWO (2) security objectives in the Software Development Lifecycle and include an explanation in your answers. (4 marks)

[Total: 25 marks]

Question 3

a) Defensive Programming is the practice of coding with the mindset that errors are inevitable and that something will go wrong and lead to unexpected conditions within the program. Based on your own understanding, provide THREE (3) criteria of good defensive programming. (6 marks)

b) Dereferencing a null pointer or entering an infinite loop can create the conditions for an attacker to take advantage of poor error handling code. Describe poor code quality that leads to unpredictable behaviour from a user's and an attacker's perspective. (4 marks)

c) The most common security activity of a software engineer is to write code that is free of vulnerabilities. How would you apply security features in code to minimize vulnerabilities? Illustrate ONE (1) example in your answer. (6 marks)

d) Code Review is the process of looking through all the code for defects. Explain THREE (3) benefits of code review in identifying vulnerabilities during software development. (9 marks)

[Total: 25 marks]

Question 4

a) Computer security hinges on the strength of the password. How would you practise FOUR (4) different security techniques to prevent password theft? Include examples for each technique. (16 marks)

b) Web applications are a critical aspect of business and everyday life. By using web applications, both businesses and individuals can simplify tasks and get more done with fewer resources. Briefly describe the method for each aspect below in order to develop secure designs for web applications.
(i) Authentication (marks)
(ii) Configuration Management (marks)
(iii) Exception Management (marks)

[Total: 25 marks]
