CB3591 - ESSS-SET A - Answer Key

Uploaded by

deebak selvaraj

CB3591 – Engineering Secure Software Systems

SET -A - Answer Key

1. Why is Software Security Important?


It protects sensitive data and systems from unauthorized access, breaches, and attacks

2. Write down a few sources of software security.


Secure coding practices, regular software updates, comprehensive testing and validation,
threat modeling
3. What is SQL injection?
SQL injection is a code injection attack where an attacker inserts or manipulates SQL queries
through input fields, allowing unauthorized access to or manipulation of a database.
4. What is the difference between Authentication and Authorization?

• Authentication is the process of verifying the identity of a user or system, ensuring that
they are who they claim to be (e.g., through usernames and passwords).
• Authorization, on the other hand, determines what an authenticated user or system is
allowed to do, defining their permissions and access rights within the system.

5. Write down the benefits of the SQUARE Process Model.


Early identification of security requirements, stakeholder involvement, prioritization of needs,
improved communication, enhanced compliance and increased software quality.
6. What is Stack Inspection?
Stack Inspection is a security mechanism that controls access to resources based on the call
stack of executing code.
7. What is Requirements elicitation?
It is the process of gathering, discovering, and defining the needs and expectations of
stakeholders for a system or project.
8. Define Buffer Overflow.
A **buffer overflow** occurs when a program writes more data to a buffer than it can hold,
causing adjacent memory locations to be overwritten.
9. What is Risk Profiling?
**Risk profiling** is the process of identifying and analyzing potential risks associated with an
organization, project, or system.
10. What are Risk Exposure Factors?
Elements that contribute to the level of risk an organization or project faces. These factors
include asset value, threat landscape, vulnerabilities, impact
PART B
11 a) Explain in detail the threats to software security.

• Malware and Viruses
• Injection Attacks
• SQL Injection
• Command Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Denial of Service (DoS) Attacks
• Insider Threats
• Weak Authentication and Authorization
• Insecure APIs
• Software Vulnerabilities

b) Explain in detail the properties of secure software.

• Confidentiality
• Integrity
• Availability
• Authentication
• Authorization
• Non-repudiation
• Accountability
• Resilience
• Compliance

12) a) What are the sources of software insecurity?

• Poor Coding Practices
• Inadequate Testing and Validation
• Third-Party Components and Libraries
• Misconfiguration Issues
• Insufficient User Input Validation
• Weak Authentication Mechanisms
• Lack of Security Awareness and Training
• Environmental Factors
• Design Flaws
• Human Factors and Insider Threats

b) i) Low-Level Attacks Against Heap

• Heap Overflow
• Use After Free
• Double Free
• Heap Spraying

ii) Low-Level Attacks Against Stack

• Stack Overflow
• Buffer Overflow
• Return-to-libc Attacks
• Stack Smashing
13) a) What is SQUARE Model? Explain the Process involved in it.
• Step 1: Identify Stakeholders
• Step 2: Gather Security Requirements
• Step 3: Categorize Requirements
• Step 4: Prioritize Requirements
• Step 5: Specify Requirements
• Step 6: Validate Requirements

b) Explain in detail Requirements Engineering for secure software.

• Requirements Elicitation
• Requirements Analysis
• Requirements Specification
• Requirements Validation

14) a) Write brief notes on

i) Code Injection
**Code injection** is a security vulnerability that occurs when an attacker is able to insert
malicious code into a program or application, which is then executed by the system. This can
lead to unauthorized access, data manipulation, and execution of arbitrary commands. Common
types of code injection include SQL injection, command injection, and script injection (such as
cross-site scripting). Preventing code injection requires proper input validation, sanitization, and
the use of secure coding practices.
ii) Session Hijacking
**Session hijacking** is a type of security attack where an attacker takes control of a user's
active session, typically by stealing session tokens or cookies. This allows the attacker to
impersonate the legitimate user, gaining unauthorized access to sensitive information and
functions without needing to authenticate. Common methods include packet sniffing, cross-site
scripting (XSS), and session fixation. To prevent session hijacking, it's essential to use secure
connections (HTTPS), implement session timeouts, and utilize secure cookie attributes like
HttpOnly and SameSite.
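As an added example (not part of the original answer key), the injection described in Q3 and 14(a)(i) beside its fix: a login query built by string concatenation versus a parameterized query, using Python's standard sqlite3 module over a constructed in-memory users table.

```python
import sqlite3

# Constructed sample data for the demonstration only (plaintext passwords
# are used here purely to keep the example short).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds SQL by concatenation: quote characters in the input become SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values, so input stays data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run the same tautology input through both versions and return the results."""
    conn = make_db()
    # Textbook tautology: spliced into the concatenated query it turns the WHERE
    # clause into (... AND password = '') OR '1'='1', which is true for every row.
    payload = "' OR '1'='1"
    vuln = login_vulnerable(conn, "nobody", payload)   # ['alice', 'bob']
    safe = login_safe(conn, "nobody", payload)         # []
    return vuln, safe


if __name__ == "__main__":
    v, s = demo()
    print("concatenated query returned:", v)
    print("parameterized query returned:", s)
```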
b) Explain Threat Modeling in detail.

Threat Modeling Methodologies:

• STRIDE
• DREAD
• PASTA

Steps in the Threat Modeling Process:

• Asset Identification
• Threat Identification
• Vulnerability Assessment
• Risk Assessment
• Mitigation Strategies
15) a) Explain the Risk Management Life Cycle with a neat diagram.
• Step 1: Risk Identification
• Step 2: Risk Assessment
• Step 3: Risk Response Planning
• Step 4: Risk Monitoring and Control
• Step 5: Risk Communication
• Step 6: Review and Improvement

b) Explain a few Risk Exposure Factors with examples.

• Asset Value
• Threat Landscape
• Vulnerabilities
• Impact Severity
• Likelihood of Occurrence
• Regulatory Compliance
• Organizational Culture
