Some possible final exam questions

DISCLAIMER: models only
These questions are models only. Some of these questions may or may not appear in the final. Questions in the final may or may not be in this presentation. This presentation is strictly intended as a model guide, not a study guide.

Some questions for chapter 1
Why is static analysis necessary? What is the difference between security features and secure features? Why is testing not enough to determine whether a program is secure? What is a secure program? What are the seven pernicious kingdoms and their importance?

Questions for chapter 2
Is it possible to produce a perfect static analysis tool? Why or why not? What are false positives? False negatives? What is their effect on a static analysis tool? What is the difference between a static analysis tool and a bug finder?

Questions for Chapter 3
Is the "number of possible vulnerabilities per line of code" a useful metric? Somebody believes that doing a security analysis is a waste of time. What arguments would you use to convince that person that it is not?

Questions for chapter 4
How can data-flow analysis impact static analysis? What is the importance of parsing in static analysis? What is local analysis? Global analysis? How do they interact? What is taint analysis? Why is it important?

Questions for Chapter 5
What data should be validated? Why is blacklisting not a good idea? How would you validate an input which is supposed to be a person's full name? How about a filename? Does it make a difference where the file is required to reside? How should data be input? Which functions can be used and which should not be used? What should be done with bad data? What should be done if your input is too long?

Questions for chapter 6
Why are buffer overflows dangerous? How can we avoid buffer overflows? How can we detect buffer overflows? What is meant by null-termination? What headaches can be caused by wide and extra-wide character sets?

Questions for chapter 7
How can integer overflows lead to vulnerabilities? What problems are there with integer arithmetic that can cause vulnerabilities?

Questions on Chapter 8
What kinds of error handling can a programmer use? How can an exception vanish? What problems can be introduced with error handling? What are some good practices for error logging? What are Easter Eggs? Are there exceptions that should not happen? What is the problem with error handling and resource leaks? How can it be avoided?

Questions on Chapter 9
What is wrong with GET vs. POST? What is XSS and why is it bad? How can it be stopped? What other problems are there with web sites? What is phishing? What is an open redirect? What is a session identifier and how is it used?

Questions for Chapter 10
What is XML? What is its use? Should XML input be validated? If yes, how? If no, why?

Questions for Chapter 11
What kinds of data should be kept confidential? How can secrets be protected? How can private data be protected in transit? What software needs to be used? Why is random() not a good function to use in security? What are your chances of finding useful information that a program left behind a week earlier on a Windows machine? What about a Linux machine? How would you store a password for use in an application?

Questions on Chapter 12
Does the admin user on Macs have absolute privileges? Why or why not? What is the difference between the effective UID and the real UID? How can chroot() be used? Why is it dangerous? What are race conditions? What is a safe directory?

Questions on Secure Design Principles
How many design principles are not being fulfilled in Windows? Which are they? How would you change Windows so the principles are fulfilled? What is a covert channel? Pretty much any question on any principle is fair game.