Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 548 Secure Software Development Final Exam – Review.

Published byToby Cannon Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCE 548 Secure Software Development Final Exam – Review."— Presentation transcript:

1 CSCE 548 Secure Software Development Final Exam – Review

2 Project – Final Report Project Final Report – Electronic submission: April 25, 5:00 pm – Hard copy: April 25, 2010 5:30 pm CSCE 548 - Farkas2

3 Final Project Format Title Author Abstract What you did in this paper 1. Introduction 2. Related work 3. Background information 4. Current research/development 5. Conclusions and Future Work 6. Group members’ contributions References CSCE 548 - Farkas3

4 FINAL EXAM CSCE 548 - Farkas4

5 5 Reading McGraw: Software Security: Chapters 1 – 9, 12 19 Deadly Sins: 1. Chapter 1: Buffer overruns 2. Chapter 2: Format string problems 3. Chapter 3: Integer overflows 4. Chapter 4: SQL injection 5. Chapter 6: Failure to handle errors 6. Chapter 7: Cross-site scripting 7. Chapter 13: Information leakage 8. Chapter 14: Improper file access

6 Non-Textbook Reading NEW: – Secure Design Patterns, Software Engineering Institute, Carnegie Mellon, www.cert.org/archive/pdf/09tr010.pdf www.cert.org/archive/pdf/09tr010.pdf OLD: – Lodderstedt et. al, SecureUML: A UML-Based Modeling Language for Model-Driven Security, http://kisogawa.inf.ethz.ch/WebBIB/publications- softech/papers/2002/0_secuml_uml2002.pdfhttp://kisogawa.inf.ethz.ch/WebBIB/publications- softech/papers/2002/0_secuml_uml2002.pdf – B. Littlewood, P. Popov, L. Strigini, "Modelling software design diversity - a review", ACM Computing Surveys, Vol. 33, No. 2, June 2001, pp. 177-208, http://portal.acm.org/citation.cfm?doid=384192.384195 http://portal.acm.org/citation.cfm?doid=384192.384195 – I. Alexander, Misuse Cases: Use Cases with Hostile Intent, IEEE Software, vol. 20, no. 1, pp. 58-66, Jan./Feb. 2003. http://www.computer.org/portal/web/csdl/doi/10.1109/MS.2003.1159030http://www.computer.org/portal/web/csdl/doi/10.1109/MS.2003.1159030 – B. Schneier on Security, http://schneier.com/blog/archives/2007/05/is_penetration.htmlhttp://schneier.com/blog/archives/2007/05/is_penetration.html – P. Meunier, Classes of Vulnerabilities and Attacks, Wiley Handbook of Science and Technology for Homeland Security, http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf CSCE 548 - Farkas6

7 7 Final Exam April 25, 2012, 5:30 pm – 7:30 pm Room: 2A 15 Closed book – 1 page cheat sheet

8 19 deadly Sins Overview of the sin Affected languages Overview of the sin -- at the level of presentations, focusing on the text book How to detect? Best practices CSCE 548 - Farkas8

9 Sample Questions – 19 deadly sins Explain why casting operations may lead to integer overflows. Why is it dangerous to use “gets” to read input in C/C++ code? Recommend an alternate. What is the difference between attack patterns and taxonomy of programming errors? Indirect information flow may be created by inferences. Give an example of an unauthorized inference that cannot be controlled using traditional access control. Show an example code for SQL Injection. Explain the security problem. Why does a failed Windows impersonation create a security problem if not handled properly? Show the binary representations of the decimal numbers +70 and +80. Show their addition using an 8 bits register. CSCE 548 - Farkas9

10 Sample Questions Explain a way how buffer overruns occur. Which languages are the most vulnerable? Define covert and overt communication channels. Explain the 2 stages of the buffer overrun attack. Why do we have binary arithmetic operations that yield results different on paper than by a computer. Give an example. What type of access control Windows support? Give a common access control mistake in Windows environment. Should stored data be protected by the operating system security or by database management system security? CSCE 548 - Farkas10

Download ppt "CSCE 548 Secure Software Development Final Exam – Review."

Similar presentations

CSE594 Fall 2009 Jennifer Wong Oct. 14, 2009

CSE594 Fall 2009 Jennifer Wong Oct. 14, 2009
Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology

Software Assurance Metrics and Tool Evaluation (SAMATE) Michael Kass National Institute of Standards and Technology
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
GUIDELINES FOR REPORT/ DISSERTATION/THESIS WRITING Dr. W. Z. Gandhare.

GUIDELINES FOR REPORT/ DISSERTATION/THESIS WRITING Dr. W. Z. Gandhare.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,

A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Microsoft Excel 2007 Bug Mikko Heinonen 7.2.2008.

Microsoft Excel 2007 Bug Mikko Heinonen
©TheMcGraw-Hill Companies, Inc. Permission required for reproduction or display. COMPSCI 125 Introduction to Computer Science I.

©TheMcGraw-Hill Companies, Inc. Permission required for reproduction or display. COMPSCI 125 Introduction to Computer Science I.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
TERM PROJECT The Project usually consists of the following: Title

TERM PROJECT The Project usually consists of the following: Title
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
CSCE 548 Secure Software Development Risk-Based Security Testing.

CSCE 548 Secure Software Development Risk-Based Security Testing.
© 2007 Carnegie Mellon University Secure Coding Initiative Jason A. Rafail Monday, May 14 th, 2007.

© 2007 Carnegie Mellon University Secure Coding Initiative Jason A. Rafail Monday, May 14 th, 2007.
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications
CSCE 548 Secure Software Development Test 1 Review.

CSCE 548 Secure Software Development Test 1 Review.

Similar presentations

Ads by Google