CCS4352-Application Security - End Exam Paper

Application Security

Uploaded by rasika D.R.

Sri Lanka Technology Campus (SLTC)

BACHELOR OF SCIENCE HONOURS IN

CLOUD COMPUTING / CYBER SECURITY / DATA SCIENCE /
SOFTWARE ENGINEERING

YEAR 4 SEMESTER I Examination

August / September 2024

CCS4352-Application Security

3 Hours

Answer All Questions

Instructions to Candidates
- This paper contains four questions on 13 pages.
- Answer all questions on the paper itself.
- This paper accounts for 60% of the module assessment.
- This is a closed book examination.
- All questions carry equal marks.
- Maximum mark attainable is 100. Marks assigned for each question are indicated within brackets.
- If you have any doubt as to the interpretation of the wording of a question, make your own decision, but clearly state it on the script.
- If a page or a part of this question paper is not printed, please inform the Supervisor immediately.
- Candidate's registration number should be written clearly and legibly on all answer sheets.
- Electronic devices capable of storing and retrieving text, including electronic dictionaries, wrist watches, and mobile phones are not allowed.
- Candidates must not seek, give or receive assistance of any kind during the exam. Any cheating, any attempt to cheat, assisting others to cheat, or participating therein, or engaging in such improper conduct is a serious violation and will generally result in disqualification of the candidate's paper, and any other disciplinary action as may be deemed appropriate.

Question 01 (25 marks)

1. It was decided to set up a Smart IoT Library to facilitate hands-on experimentation with
IoT devices. The purpose of establishing the library is to provide users with practical
experience in managing, configuring, and utilizing a variety of IoT technologies. The lab
supports technical skill development, innovation, and research by offering flexible
experimentation options and gathering user feedback to drive ongoing improvements. The
Smart IoT Library enables users to interact with IoT devices in a controlled and secure
environment.

There is an opportunity to take selected devices home for extended experimentation. Devices
can be borrowed for up to two weeks, with a maximum of ten devices per member. Any
damage incurs a replacement cost plus an additional fee. Some students use these devices to
demonstrate their skills at very competitive local and international competitions.

A team has been assigned to set up a web-based system for managing IoT devices for
both on-premises and home-based use. This system will facilitate users in viewing,
reserving, and managing a range of available devices.

a) Briefly discuss the concept of the information security triad. (3 Marks)

(1 *3 = 3 marks)
The CIA Triad is a foundational model in information security that encompasses three key
principles:
1. Confidentiality: This principle ensures that sensitive information is only accessible to
those who have the appropriate authorization.

2. Integrity: This principle ensures that information remains accurate and unaltered
during storage, transmission, or processing. It involves protecting data from
unauthorized modification or tampering.

3. Availability: This principle ensures that information and resources are accessible to
authorized users when needed. It involves maintaining system uptime and preventing
disruptions to data access.

b) Describe the STRIDE threat modeling framework by Microsoft, used to identify
possible attacks and list the types of threats it addresses. (6 Marks)
(1*6)
The STRIDE threat modeling framework by Microsoft identifies potential security
threats in software systems. STRIDE stands for:

Spoofing: Pretending to be someone else to gain unauthorized access.
Tampering: Unauthorized alteration of data or system components.
Repudiation: Denying actions or activities, leading to a lack of accountability.
Information Disclosure: Unauthorized access to sensitive information.
Denial of Service (DoS): Disrupting the availability of a service.
Elevation of Privilege: Gaining unauthorized higher access rights.

c) You are required to build a threat model for the Smart IoT Library using the
STRIDE framework and propose one countermeasure for each element in the
STRIDE framework. (12 Marks)
(2*6 = 12)

Threat: Spoofing
Example: An attacker could impersonate a legitimate user to gain unauthorized access to borrow devices or manage reservations.
Countermeasure: Implement Multi-Factor Authentication (MFA) for user accounts to ensure that only authorized users can access.

Threat: Tampering
Example: An attacker could modify data such as the records of borrowings, so that he does not have to return them.
Countermeasure: Keep backups, encrypt the data.

Threat: Repudiation
Example: A user could deny borrowing devices or returning them late.
Countermeasure: Maintain comprehensive logging of all transactions and provide verifiable audit trails.

Threat: Information Disclosure
Example: Disclosing information about the devices and other resources obtained by students who participate in competitions.
Countermeasure: Strict access control system.

Threat: Denial of Service
Example: An attacker could overload the web-based system or network infrastructure, causing disruptions.
Countermeasure: Use rate limiting and deploy DDoS protection services.

Threat: Elevation of Privilege
Example: An attacker gains higher-level access to administrative functions or sensitive system controls.
Countermeasure: Apply the principle of least privilege by ensuring that users have only the access rights necessary for their roles, and regularly review and update user permissions to prevent unauthorized privilege escalation.

2. Formulate an abuse case for the web-based information system of the Smart IoT Library
project. (4 Marks)

An abuse case is a way of using a feature that was not expected by the implementer, allowing an
attacker to influence the feature, or the outcome of using the feature, through the attacker's own
action or input. (2 marks for description)
2 or 4 marks for any idea; possible answer:

An attacker borrows an item, but the borrowed item is recorded against the name of another person.

Question 02 (25 marks)

A. Briefly describe the following policy and its purpose. (6 Marks)

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "accounts.google.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "accounts.google.com:aud": "<app-id>"
      }
    }
  }]
}

Version: Specifies the version of the policy language. In this case, it is "2012-10-17".

Statement: Each statement defines permissions or conditions for the action.

Effect: "Allow" specifies that the policy allows the specified actions.

Principal: Defines the entity allowed to assume the role. Here, it is a federated identity
from "accounts.google.com".

Action: "sts:AssumeRoleWithWebIdentity" allows the federated users to assume an
IAM role using a web identity token, such as one from Google.

Condition: The StringEquals condition ensures that the audience (aud) claim in the
web identity token matches the specified <app-id>. This helps verify that the token is
valid and intended for your application.

In summary: This policy allows users authenticated by Google to assume an AWS
IAM role if the token's audience matches <app-id>. This setup is typically used for
integrating external identity providers with
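As an added example (not part of the exam paper or its model answer), the following Python models the check that the Condition block enforces, and shows what is lost when the block is dropped. The policy is the one quoted in the question; the evaluator, the token claims and the second provider name are constructed for illustration and deliberately simplify what AWS STS actually does.

```python
import json

# Trust policy quoted from the question. Example code added here, not from the
# paper: the role may only be assumed by a Google-federated identity whose
# token carries an "aud" claim equal to the expected application id.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"accounts.google.com:aud": "<app-id>"}
    }
  }]
}
""")


def condition_matches(condition, token_claims, provider):
    """Evaluate the StringEquals operator used by the policy.
    Condition keys look like '<provider>:aud'; the value is compared with the
    same-named claim in the token. A claim the token does not carry fails."""
    for key, expected in condition.get("StringEquals", {}).items():
        prov, _, claim = key.partition(":")
        if prov != provider or token_claims.get(claim) != expected:
            return False
    return True


def can_assume_role(policy, provider, token_claims,
                    action="sts:AssumeRoleWithWebIdentity"):
    """Simplified model of the trust-policy check (assumption: not STS's
    real evaluator). An Allow statement must match the federated provider,
    the action and every condition; no matching statement means deny."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), token_claims, provider):
            return True
    return False


# Constructed token claims (not real tokens): the same Google-issued identity,
# one token minted for this application and one minted for some other app.
TOKEN_FOR_THIS_APP = {"iss": "accounts.google.com", "sub": "1234567890",
                      "aud": "<app-id>"}
TOKEN_FOR_OTHER_APP = {"iss": "accounts.google.com", "sub": "1234567890",
                       "aud": "<other-app-id>"}


def policy_without_condition(policy):
    """The same policy with the Condition block removed: any Google-issued
    token, for any application, would then satisfy the trust policy."""
    weakened = json.loads(json.dumps(policy))
    for stmt in weakened["Statement"]:
        stmt.pop("Condition", None)
    return weakened


if __name__ == "__main__":
    google = "accounts.google.com"
    print(can_assume_role(TRUST_POLICY, google, TOKEN_FOR_THIS_APP))    # True
    print(can_assume_role(TRUST_POLICY, google, TOKEN_FOR_OTHER_APP))   # False
    weak = policy_without_condition(TRUST_POLICY)
    print(can_assume_role(weak, google, TOKEN_FOR_OTHER_APP))           # True
```

The last call is the point of the Condition: without the audience check, a token that Google issued to a completely different application still satisfies the trust policy.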

B. Briefly discuss cross-site scripting (XSS) attacks in a cloud environment using an
appropriate diagram. (6 Marks)

Definition. Cross-site scripting (XSS) is an attack in which an attacker injects malicious
executable scripts into the code of a trusted application or website. Attackers often initiate an
XSS attack by sending a malicious link to a user and enticing the user to click it. Either one
of the following.
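An added example, not from the paper, showing in Python the difference between reflecting a stored comment into a page without output encoding and with it, plus a Content-Security-Policy header as a second layer. The comment string, the CSP value and the function names are constructed for the demo.

```python
import html

# Constructed user-supplied comment (sample input, not taken from the paper):
# the kind of string an attacker stores in a profile field of a shared
# cloud-hosted application so that every other tenant's browser renders it.
UNTRUSTED_COMMENT = '<script>alert("xss")</script> great device!'


def render_comment_unsafe(comment):
    """Vulnerable: untrusted text is concatenated straight into the HTML, so
    any markup it contains becomes part of the page and executes in the
    browser of every viewer."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Hardened: output encoding turns <, >, &, and quotes into entities, so
    the text is displayed literally and never parsed as markup."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def contains_script_tag(rendered_html):
    """Detection check used by the demo: does the rendered page still contain
    a live <script> element?"""
    return "<script" in rendered_html.lower()


def csp_header():
    """Defence in depth: a Content-Security-Policy forbidding inline scripts,
    so even a missed escape cannot execute. The value is an illustrative
    policy chosen for this example, not one taken from the paper."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
    print(csp_header())
```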

C. Examine the importance of understanding shared responsibility in a cloud environment.
(6 Marks)

Security is broken into two components: security "of" the cloud and security "in" the cloud.
Not only the AWS model; any cloud provider's shared responsibility model could be discussed.

D. Describe the Access and Identity Management (AIM) system in a cloud environment. (7 Marks)

Access and Identity Management (AIM) in the cloud involves managing user identities and access
to resources. It includes user account creation, role-based access control (RBAC), multi-factor
authentication (MFA), and detailed permissions management. AIM ensures secure and compliant
access through authentication, authorization, and activity monitoring.

Question 03 (25 marks)

A. Briefly explain how to protect confidentiality and integrity using cryptography. (6 Marks)

Confidentiality: Use public key encryption to encrypt data. The sender encrypts the
data with the recipient's public key, making it unreadable to anyone except the
recipient, who uses their private key to decrypt it. This ensures that only the intended
recipient can access the data.

Integrity: Use digital signatures. The sender generates a hash of the data and signs it
with their private key. The recipient can use the sender's public key to verify the
signature and confirm that the data has not been altered and is indeed from the sender.
This process ensures the data's integrity and authenticity.

B. Briefly discuss the importance of information security design principles for
information system developers. (4 Marks)

Information Security Design Principles are fundamental guidelines used to ensure that
information systems are secure from threats and vulnerabilities. These principles guide
developers in creating systems that protect data and resources effectively.

C. Briefly describe three information security design principles and provide an
appropriate example for each. (6 Marks)

Students can discuss any three. Model answer:

Least Privilege: Grant users and systems only the access necessary to perform their tasks,
minimizing potential damage from misuse or breaches.
Defense in Depth: Implement multiple layers of security controls so that if one layer fails,
others still provide protection.
Fail-Safe Defaults: Configure systems with secure default settings and require explicit
permissions to access or change settings.

D. What is meant by end-to-end encryption? Does Gmail support end-to-end encryption?
(5 Marks)

End-to-End Encryption (E2EE) is a method of data transmission where only the
communicating users can read the messages. In E2EE, data is encrypted on the sender's side
and only decrypted on the recipient's side, ensuring that intermediaries, including service
providers, cannot access the content. (3 marks)

As of now, Gmail does not support end-to-end encryption for emails by default. The protection
Gmail applies by default does not ensure that emails are encrypted end-to-end, as they can still
be accessed by Google while they are stored on Gmail's servers. (2 marks)

E. Compare the GET and POST methods in HTTP requests and explain the typical
scenarios in which each method is used. (4 Marks)

The GET and POST methods are fundamental to HTTP requests with distinct uses. GET is
used to retrieve data from a server and includes parameters in the URL, making it suitable for
fetching resources like web pages and performing search queries. It is idempotent and
supports caching, but is limited in the amount of data it can send. In contrast, POST sends
data to the server to create or update resources, with parameters included in the request body.
It is non-idempotent and can handle larger data volumes, making it ideal for form
submissions, file uploads, and actions that modify server state.

Question 04 (25 marks)

A. Discuss four distinct roles of a cybersecurity professional in a newly established
international organization. (8 Marks)

a. Promote the growth of the business by making information secure (3 or 4 marks)
b. Assess the risk and take risk mitigation measures (2 marks)
c. Develop policy and implementation (2)
d. Training and awareness (2)

B. Critique the statement "Security Is A Process, Not A Product." Using a suitable
example, argue for the importance of improving security processes. (6 Marks)

The phrase "Security is a process, not a product" emphasizes that achieving and maintaining
security requires ongoing efforts, practices, and continuous improvement rather than relying
solely on individual products or tools.

Products Alone Are Insufficient: While security tools (like firewalls, antivirus software, and
encryption) are essential, they alone cannot guarantee security. Effective security requires
integrating these tools into a comprehensive strategy that includes processes and practices.

If the process is right, you get the right product. A product cannot always be tested; for
example, you cannot test every live bullet. What you can do is build a process such that every
bullet is good.

C. Examine the importance of understanding regular expressions for information security
professionals. (4 Marks)

Understanding regular expressions (regex) is vital for information security professionals as it
aids in validating and sanitizing user inputs to prevent injection attacks, crafting patterns for
detecting suspicious activities in logs and network traffic, and automating the extraction and
filtering of sensitive information. Regex enables precise pattern matching, which is crucial
for identifying vulnerabilities, enforcing security policies, and efficiently managing security
tasks, ultimately enhancing the overall security posture and response capabilities of an
organization.
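An added example (not from the paper) of the second use the answer lists: a Python script that parses constructed web-server log lines with one regular expression, applies simple signature patterns to the URL-decoded request path, and counts failed logins per source. The log lines, IP addresses, rule names and thresholds are all constructed for the demo, and the signatures are deliberately minimal compared with a maintained rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in the common web-server format (sample data).
LOG_LINES = [
    '10.0.0.5 - - [01/Sep/2024:10:01:02 +0000] "GET /devices?id=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2024:10:01:05 +0000] "GET /devices?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '10.0.0.9 - - [01/Sep/2024:10:01:07 +0000] "POST /login HTTP/1.1" 401 87',
    '10.0.0.9 - - [01/Sep/2024:10:01:08 +0000] "POST /login HTTP/1.1" 401 87',
    '10.0.0.9 - - [01/Sep/2024:10:01:09 +0000] "POST /login HTTP/1.1" 401 87',
    '10.0.0.7 - - [01/Sep/2024:10:02:00 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
]

# One anchored pattern with named groups extracts the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# Signatures applied to the URL-decoded path. Constructed for the demo; real
# detection relies on a maintained rule set rather than two hand-written rules.
SUSPICIOUS = {
    "sqli_tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "path_traversal": re.compile(r"(?:\.\./){2,}"),
}


def parse_line(line):
    """Return the named fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return (ip, rule, decoded_path) for every request matching a signature.
    Decoding first matters: the payload arrives percent-encoded."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        decoded = unquote(rec["path"])
        for name, pattern in SUSPICIOUS.items():
            if pattern.search(decoded):
                hits.append((rec["ip"], name, decoded))
    return hits


def brute_force_sources(lines, threshold=3):
    """IPs with at least `threshold` failed logins (HTTP 401 on /login)."""
    fails = Counter(
        rec["ip"] for rec in map(parse_line, lines)
        if rec and rec["path"] == "/login" and rec["status"] == "401"
    )
    return [ip for ip, count in fails.items() if count >= threshold]


if __name__ == "__main__":
    for hit in find_suspicious(LOG_LINES):
        print("suspicious:", hit)
    print("brute force from:", brute_force_sources(LOG_LINES))
```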

D. Briefly describe what an SQL Injection attack is with an example. (3 Marks)

An SQL Injection attack is a security vulnerability where an attacker inserts or "injects"
malicious SQL code into a query through user input fields or URLs. This manipulation can
trick the database into executing unintended commands, such as retrieving, modifying, or
deleting data. By exploiting this flaw, attackers can gain unauthorized access to sensitive
information, compromise database integrity, or potentially take control of the underlying
server, making SQL Injection a serious threat to data security and system integrity.

SELECT * FROM users WHERE username = 'admin' OR '1'='1' AND password = 'password';

E. List two techniques to counter SQL Injection attacks. (4 Marks)

Parameterized Queries (Prepared Statements):
Input Validation and Sanitization:
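To make the SQL Injection example in part D and the two countermeasures in part E concrete, an added Python/SQLite example that is not the paper's own code. The table, the accounts, the username pattern and the function names are constructed for the demo; the injected username is the one from the query in part D.

```python
import re
import sqlite3


def build_db():
    """In-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is concatenated into the SQL text, so a quote in
    the input changes the structure of the query rather than its data."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Countermeasure 1: parameterized query. The SQL text is fixed and the
    input is bound as data, so it can never be parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Allow-list for usernames (constructed rule for this demo).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_validated(conn, username, password):
    """Countermeasure 2: input validation as an extra layer. The username must
    match the allow-list before the (still parameterized) query runs."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return login_parameterized(conn, username, password)


# The input from the question's example: with password "x" the vulnerable
# query becomes
#   SELECT username FROM users WHERE username = 'admin' OR '1'='1' AND password = 'x'
# and AND binds tighter than OR, so the admin row matches without the password.
INJECTED_USERNAME = "admin' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, INJECTED_USERNAME, "x"))     # ['admin']
    print("parameterized:", login_parameterized(db, INJECTED_USERNAME, "x"))  # []
    try:
        login_validated(db, INJECTED_USERNAME, "x")
    except ValueError as err:
        print("validated:", err)
```

Running it shows the vulnerable function logging in as admin with a wrong password, while the parameterized version simply finds no user literally named `admin' OR '1'='1` and the validated version rejects the input before any query runs.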
