
CAMPBELL UNIVERSITY

NORTH CAROLINA, U. S. A.

ACADEMIC YEAR 2020/2021

SEPTEMBER/OCTOBER EXAMINATION

INFORMATION TECHNOLOGY BAIT2183(B)


SOFTWARE SECURITY

SATURDAY, 3 OCTOBER 2020 TIME: 2.00 PM – 5.00 PM (3 HOURS)

BACHELOR OF SCIENCE DEGREE

Instructions to Candidates:

Answer ALL questions in the requested format or template provided.

● This is an open book final online assessment. You MUST answer the assessment questions on
your own without any assistance from other persons.
● You must submit your answers within the following time frame allowed for this online
assessment:
o The deadline for the submission of your answers is half an hour from the end time of this
online assessment.
● Penalty as below WILL BE IMPOSED on students who submit their answers late as follows:
o The final marks of this online assessment will be reduced by 10 marks for answer scripts
that are submitted within 30 minutes after the deadline for the submission of answers for
this online assessment.
o The final marks of this online assessment will be downgraded to zero (0) mark for any
answer scripts that are submitted after one hour from the end time of this online assessment.
● Extenuation Mitigating Circumstance (EMC) encountered, if any, must be submitted to the
Faculty/Branch/Centre within 48 hours after the date of this online assessment. All EMC
applications must be supported with valid reasons and evidence. The UC EMC Guidelines apply.

FOCS Additional Instructions to Candidates:


• Include your FULL NAME, STUDENT ID and PROGRAMME OF STUDY in your
submission of answers.
• Read all the questions carefully and understand what you are being asked to answer.
• Marks are awarded for your own (original) analysis. Therefore, use the time and information to
build well-constructed answers.

This question paper consists of 4 questions on 4 printed pages.


2
BAIT2183(B) SOFTWARE SECURITY

STUDENT’S DECLARATION OF ORIGINALITY


By submitting this online assessment, I declare that this submitted work is free from all forms of
plagiarism and for all intents and purposes is my own properly derived work. I understand that I have
to bear the consequences if I fail to do so.

Final Online Assessment Submission


Course Code:
Course Title:
Signature:
Name of Student:
Student ID:
Date:


Question 1

a) The security development lifecycle (SDL) is a process that standardizes security best practices across
a range of products and applications. It consists of 7 important phases that guide software
development.

Draw a diagram and discuss the significance of each SDL phase in ensuring that security is built
into the application. (17 marks)

b) Compare and contrast white hat and black hat hackers. (8 marks)
[Total: 25 marks]

Question 2

a) In the fault model for web applications, a transaction between a web user and a web server has
three main components: the web server, the web client and the network. Some main issues to be
considered are as follows:

(i) A malicious user can tamper with all data that is stored on the web client.

(ii) All network traffic from the web client must be validated and treated as untrustworthy.

(iii) The user has access to all client-side source code.

(iv) The client can discover details about server-side implementation.

Evaluate the security problems caused by the above-mentioned issues and propose approaches
for solving the problems. (16 marks)

b) Describe the THREE (3) main security goals for a security development lifecycle (SDL).
(9 marks)
[Total: 25 marks]

Question 3

a) The DeliveryToU.com website has the following rules for its customers:

• Password should be at least 8 characters in length.


• Password should contain at least one character from each of the following groups:
o Lowercase letters
o Uppercase letters
o Special characters
o Numbers

One main problem with the given password rules is that such passwords are not usable at all as
they are difficult for users to remember.


(i) Suggest TWO (2) methods, together with ONE (1) example, by which
DeliveryToU.com can make authentication both usable and secure at the same time.
(4 marks)

(ii) Write justification for each proposed method in Question 3 a) (i). (4 marks)

b) The attack tree is useful for evaluating a system’s security based on various threats. Consider the
attack tree shown below. The cost to attack is indicated in the leaf nodes. Identify the cheapest
path and the most expensive path. Show how you derive your answer.
Attack tree (the diagram's layout did not survive extraction; the nodes and leaf costs are listed row by row as they appear, with the root A at the top):

Row 1: A
Row 2: B, C, D
Row 3: E (RM1,000), F (RM8,000), J (RM7,000), K (RM4,000)
Row 4: G (RM2,000), H (RM3,000), I (RM6,000)
(17 marks)
[Total: 25 marks]

Question 4

a) A buffer overflow occurs when a program exceeds a buffer’s boundary and overwrites adjacent
memory locations as it is writing data to the buffer.

(i) Identify TWO (2) potential security impacts of a buffer overflow vulnerability.
(4 marks)

(ii) Discuss THREE (3) counter-measures that can be put in place to prevent this
vulnerability. (9 marks)
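As an added illustration (not part of the exam paper), the C code below places an unchecked copy into a fixed-size buffer next to a hardened version that checks the length first and fails closed; the `struct session`, `NAME_LEN` and function names are constructed for this example.

```c
/* Added example, not from the exam paper: a fixed-size buffer written without
 * a bound check, beside a hardened copy that rejects oversized input instead of
 * writing past the end of the buffer. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed size: room for 15 characters plus the NUL */

struct session {
    char name[NAME_LEN];
    int  is_admin;    /* adjacent field that an overflow of name[] would clobber */
};

/* Vulnerable form: strcpy trusts the source length, so a name longer than
 * NAME_LEN-1 runs off the end of name[] into is_admin. Shown for contrast only;
 * the example never calls it. */
void set_name_unchecked(struct session *s, const char *name)
{
    strcpy(s->name, name);
}

/* Hardened form: measure the input against the buffer size before writing.
 * Returns 0 on success and -1 when the input does not fit; on rejection the
 * buffer is left unchanged rather than truncated silently. */
int set_name_checked(struct session *s, const char *name)
{
    size_t n = 0;
    while (n < NAME_LEN && name[n] != '\0')   /* bounded scan: never read past NAME_LEN */
        n++;
    if (n >= NAME_LEN)
        return -1;                            /* no room for the NUL terminator: reject */
    memcpy(s->name, name, n + 1);             /* copy exactly n bytes plus the NUL */
    return 0;
}

int main(void)
{
    struct session s = { "", 0 };
    printf("short name:     %s\n", set_name_checked(&s, "alice") == 0 ? "stored" : "rejected");
    printf("oversized name: %s\n", set_name_checked(&s, "a-very-long-username-here") == 0 ? "stored" : "rejected");
    printf("is_admin still %d, name still \"%s\"\n", s.is_admin, s.name);
    return 0;
}
```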

b) Software security testing is essential to identify defects and vulnerabilities during the
development phases.

Propose TWO (2) types of security testing and elaborate how your suggested security testing
can help to reveal flaws in the security mechanism of a software program. (6 marks)

c) “Program testing can be used to show the presence of bugs, but never to show their absence!”

Write justifications to support the above statement by discussing the importance of software
security testing. (6 marks)
[Total: 25 marks]
