
Question Bank template for Admitted Batches - 2019-20, 2020-21 & 2021-22

GITAM
GITAM Institute of Technology
Programme : B.Tech Branch: Computer Science & Engineering
Sub Code : 19ECS448
Sub Name : Secure Software Engineering
Semester : VIII
Admitted Batch : 2019-2020

SECTION – A
(Short Answer Questions for 2 marks)
Unit – 1 :
Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | What properties should be followed throughout the SDLC to assure security? | 3 | 1 | 1 | 2
2 | What is requirements engineering? | 1 | 1 | 1 | 2
3 | List the core properties of secure software. | 4 | 1 | 1 | 2
4 | Why is security a software issue? | 1 | 1 | 2 | 2
5 | What are the sources of software insecurity? | 2 | 1 | 1 | 2
Category – 2: Moderate Questions
1 | List the processes and practices that affect software security. | 2 | 1,2 | 1 | 2
2 | Bring out the difference between cyclomatic complexity and NPath. | 1 | 1 | 2 | 2
3 | How can threats during software operation affect its security? Explain. | 1 | 1,3 | 2 | 2
4 | Compare functional and non-functional requirements. | 5 | 1 | 2 | 2
5 | How can threats during software development affect its security? Explain. | 1 | 1,3 | 4 | 2

Unit – 2 :
Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | Draw a misuse case diagram for ATM security. | 1 | 1,3 | 3 | 2
2 | Brief the importance of requirements engineering. | 5 | 1 | 1 | 2
3 | Draw a misuse case diagram for car security. | 1 | 1,3 | 3 | 2
4 | What are the problems encountered in requirements engineering? | 5 | 1,2 | 1 | 2
5 | Compare any 2 requirements elicitation methods. | 3 | 1 | 3 | 2
Category – 2: Moderate Questions
1 | Draw a misuse case diagram for money theft from one’s bank account using OTP. | 1 | 1,3 | 3 | 2
2 | What are quality requirements in software engineering? | 4 | 1 | 1 | 2
3 | Draw a misuse case diagram for a malicious request from client to server. | 1 | 1,3 | 3 | 2
4 | Define the SQUARE process model. | 2 | 1 | 1 | 2
5 | How are misuse cases designed for a software system? | 1 | 1 | 1 | 2

Unit – 3 :
Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | Bring out the differences between structured and unstructured external threats. | 2 | 1 | 2 | 2
2 | List the CAPEC attack classes. | 4 | 1 | 1 | 2
3 | How do the three aspects of risk impact determination help in quantifying the risk? | 5 | 1 | 2 | 2
4 | Why is mapping threats to vulnerabilities important in risk classification? | 2 | 1 | 3 | 2
5 | Bring out the differences between external and internal threat actors. | 2 | 1 | 2 | 2
Category – 2: Moderate Questions
1 | What factors are considered in risk likelihood estimation? Why? | 5 | 1,4 | 2 | 2
2 | How can all the areas in the software that operate at an elevated privilege level be found? | 1 | 1,3,4 | 3 | 2
3 | List the activities of the risk analysis methodology. | 2 | 1 | 1 | 2
4 | Analyse the advantage of conducting vulnerability assessment at the architectural level. | 5 | 1,4 | 3 | 2
5 | How does software characterization help in risk analysis? Identify. | 5 | 1,2 | 3 | 2

Unit – 4 :
Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | What are the three main categories of race conditions? Enumerate. | 2 | 1 | 4 | 2
2 | What is a race condition bug? How can it be avoided? | 2,4 | 1,2,3 | 4 | 2
3 | What is a buffer overflow bug? How can it be avoided? | 2,4 | 1,2,3 | 4 | 2
4 | Categorize the problems detected by static code analysers, with at least 5 problems. | 3,5 | 1 | 4 | 2
5 | Distinguish the two classes of quantitative software metrics. | 3,5 | 1 | 4 | 2
Category – 2: Moderate Questions
1 | What is an exception validation bug? How can it be avoided? | 2 | 1,2,3 | 4 | 2
2 | Compare and contrast software testing and software security testing. | 3,5 | 1 | 4 | 2
3 | What is an input validation bug? How can it be avoided? | 2 | 1,2,3 | 4 | 2
4 | The side effects of overrunning a buffer depend on what issues? List them. | 2,4 | 1 | 4 | 2
5 | What is a SQL injection bug? How can it be avoided? | 2 | 1,2,3 | 4 | 2

Unit – 5 :
Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | Organizational resilience is achieved through the following outcome: “Reduced risk of a business interruption”. Justify. | 1 | 1,3 | 5 | 2
2 | Compile the five fundamental activity stages of the RMF. | 1 | 1,3 | 6 | 2
3 | Security is considered an integral part of normal strategic. Justify. | 2,3 | 1,3 | 5 | 2
4 | Discuss the don’ts for an organization in composing its ESSF. | 2,3 | 1,3 | 6 | 2
5 | Security is managed as an enterprise issue. Justify. | 2,3 | 1,3 | 5 | 2
Category – 2: Moderate Questions
1 | Security is addressed as part of any new project initiation. Justify. | 2,3 | 1,3 | 5 | 2
2 | Discuss the common pitfalls in adopting an ESSF. | 2 | 1,3 | 6 | 2
3 | Security is treated as a business requirement. Justify. | 2,3 | 1,3 | 5 | 2
4 | Discuss the list of goals achieved by an organization using risk measurement metrics. | 1 | 1,3 | 6 | 2
5 | Plan a list of activities for resisting attacks on a software system. | 4,5 | 1,3 | 6 | 2

SECTION – B
(Essay Questions for 8 Marks)
Unit – 1:
Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | Explain the core properties of secure software with a neat diagram. | 4 | 1 | 1 | 8
2 | Write a detailed note on the different types of requirements. | 5 | 1 | 1 | 8
3 | What is an attack pattern? Compare attack resistance, attack tolerance, and attack resilience. | 1 | 1,3 | 2 | 8
4 | What are the influential properties of secure software? Explain in detail. | 4 | 1 | 1 | 8
Category – 2: Moderate Questions
1 | Write a detailed note on functional and non-functional requirements and the differences between them. | 5 | 1 | 2 | 8
2 | Describe the problems of non-secure systems. | 1 | 1,2 | 2 | 8
3 | Illustrate the sources of software insecurity. | 2 | 1,2 | 2 | 8
Category – 3: Standard Questions
1 | What is a Software Assurance Case? Build a SAC model for ATM authentication and explain its claims. | 5 | 1,3 | 3 | 8
2 | Explain the integration of security architecture with the core properties of secure software, with a neat diagram. | 3 | 1 | 2 | 8
3 | Describe the attack pattern components. | 1 | 1 | 2 | 8

Unit – 2:

Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | How can Candidate Prioritization Methods be evaluated? Draw an example table and explain it with any 3 Candidate Prioritization Methods. | 2 | 1 | 3 | 8
2 | Draw a misuse case diagram for car security. Explain each actor and its use case. | 2 | 1 | 1 | 8
3 | Draw the matrix of Candidate Prioritization Methods vs. Candidate Prioritization Methods evaluation criteria and explain it. | 2 | 1 | 2 | 8
4 | Explain the importance of requirements engineering and quality requirements. | 2 | 1 | 1 | 8
Category – 2: Moderate Questions
1 | Write any 4 requirements elicitation methods. Illustrate the differences between them. | 3 | 1 | 2 | 8
2 | Explain the 9 steps in the SQUARE process model with a neat table. | 2 | 1 | 1 | 8
3 | Compare and contrast the requirements elicitation evaluation criteria with a neat table and explain. | 3 | 1 | 2 | 8
Category – 3: Standard Questions
1 | Why are candidate prioritization methods used? Explain Binary Search Tree, 100-point method and Theory-W. | 2 | 1 | 1 | 8
2 | Draw the matrix of requirements elicitation methods vs. requirements elicitation evaluation criteria and explain it. | 2 | 1 | 2 | 8
3 | Describe the SQUARE process model with a neat table. | 2 | 1 | 1 | 8

Unit – 3:
Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | Explain the 6 activities of risk analysis methods. | 3 | 1,2 | 2 | 8
2 | Explain any 5 principles of software security. How does one compensate for the other? | 3 | 1 | 2 | 8
3 | What are the issues and challenges faced by a software architect during the design phase? Explain the concerns and their associated process. | 3 | 1,2 | 2 | 8
4 | What is threat analysis? How is the NIST framework used in this context? Describe. | 3 | 1,2 | 2 | 8
Category – 2: Moderate Questions
1 | What is risk likelihood estimation and what are its factors? Describe the model for calculating likelihood from those factors. | 3 | 1,2 | 3 | 8
2 | Bring out the differences between the 5 threat sources in the NIST framework for threat identification and characterization with a neat table. Compare each source against its motivation and threat actions. | 3 | 1,2 | 2 | 8
3 | What is risk impact determination? Explain its methods. How can a risk exposure statement be generated? Draw a neat table to illustrate it. | 3 | 1,2 | 2 | 8
Category – 3: Standard Questions
1 | How is risk analysis carried out? Explain it with a one-page system software architecture diagram which shows major components, their interactions, trust zones, potential attackers and attack vectors. | 3 | 1,2 | 3 | 8
2 | List the 2 largest concurrency-related vulnerabilities and explain them. Construct a set of rules that can be applied to avoid those 2 vulnerabilities. | 3 | 1,2 | 3 | 8
3 | Compare the following: Attack Resistance Analysis, Ambiguity Analysis, Dependency Analysis. | 3 | 1,2 | 2 | 8

Unit – 4:

Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | Classify the different functional testing techniques with a neat table. | 4 | 1 | 4 | 8
2 | What is risk-based testing? How is testing conducted for negative requirements? | 4 | 1,2 | 4 | 8
3 | Classify the different functional testing techniques with a neat table. | 4 | 1 | 4 | 8
4 | How is static code reviewed based on static code analysis and metric analysis? Explain. | 4 | 1,2 | 4 | 8
Category – 2: Moderate Questions
1 | How will you analyse security in the following levels of system testing? Explain. a) Stress testing b) Penetration testing c) Blackbox testing | 4 | 1 | 4 | 8
2 | What is risk-based testing? How is testing conducted for negative requirements? | 4 | 1,2 | 4 | 8
3 | Classify the common software code vulnerabilities with known solution approaches. | 4 | 1,2 | 4 | 8
Category – 3: Standard Questions
1 | How will you analyse security in the following levels? Explain. a) Unit testing, where individual classes, methods and functions are tested b) Testing libraries and executable files c) Integration testing, where the goal is to test whether software components work together as they should | 4 | 1 | 4 | 8
2 | | | | |
3 | How will you analyse security in the following levels of system testing? Explain. c) Stress testing d) Penetration testing e) Blackbox testing | 4 | 1,2 | 4 | 8

Unit – 5:

Q.No. | Question | CO | PO | BL | Marks
Category – 1: Easy Questions
1 | Explain the common pitfalls in adopting the ESSF for an organization. | 2,3 | 1,2 | 5 | 8
2 | Explain the “Who, What, When” structure in framing a solution for ESSF. | 2,3 | 1 | 5 | 8
3 | Explain Competencies for Effective Enterprise Software Security. | 2,3 | 1 | 5 | 8
4 | Explain the Risk Management Framework in detail. | 1 | 1 | 5 | 8
Category – 2: Moderate Questions
1 | Discuss the software development life cycle with defined security touchpoints, with a neat diagram. | 4 | 1 | 6 | 8
2 | Discuss the following maturity of practice. a) Protecting Information b) Audit’s Role c) Operational Resilience and Convergence | 5 | 1 | 6 | 8
3 | Discuss the following maturity of practice. c) Legal view d) Software engineering view e) Exemplars | 5 | 1 | 6 | 8
Category – 3: Standard Questions
1 | Discuss the process and product measures of secure development in detail. | 4 | 1 | 6 | 8
2 | How does security influence project scope and resources? Explain. | 2,3 | 1 | 5 | 8
3 | Discuss the multilevel-loop nature of the RMF with a neat diagram. | 1 | 1,2 | 6 | 8
