EXAM CODES:
TITLE OF PAPER:
EXAM DURATION:
READING TIME:
Semester One 2019 Examination Period
Faculty of Information Technology
FIT5003
SOFTWARE SECURITY 2 hours writing time 10 minutes
THIS PAPER IS FOR STUDENTS STUDYING AT: (tick where applicable)
oCaulfield oClayton oParkville oPeninsula o Monash Extension o Off Campus Learning o Malaysia o Sth Africa oOther (specify)
AUTHORISED MATERIALS
OPEN BOOK
CALCULATORS
SPECIFICALLY PERMITTED ITEMS if yes, items permitted are:
oYES o YES oYES
¨NO ¨ NO ¨NO
Office Use Only
During an exam, you must not have in your possession any item/material that has not been authorised for your exam. This includes books, notes, paper, electronic device/s, mobile phone, smart watch/device, calculator, pencil case, or writing on any part of your body. Any authorised items are listed
below. Items/materials on your desk, chair, in your clothing or otherwise on your person will be deemed to be in your possession.
No examination materials are to be removed from the room. This includes retaining, copying, memorising or noting down content of exam material for personal use or to share with any other person by any means following your exam.
Failure to comply with the above instructions, or attempting to cheat or cheating in an exam is a discipline offence under Part 7 of the Monash University (Council) Regulations.
Candidates must complete this section if required to write answers within this paper
STUDENT ID: __ __ __ __ __ __ __ __ DESK NUMBER: __ __ __ __ __
Page 1 of 2
Exam paper contents: 9 questions, 50 marks total. Attempt all questions.
Write ALL your answers in the answer booklet provided.
Q1) What you mean by software security? Why or why not the principles of information security can be applied for software security?
Sample answer:
Software security implies: SAFTEY, DEPENDABILITY, RELIABILITY (3 marks)
Security features are applicable to information objects that are stored in computer systems. Hence availability, confidentiality, integrity and repudiation need to be satisfied. They are different from that of the software security properties. Hence, Security features ¡ Secure features (of software). (3 marks)
Q2) Consider the following data flow diagram for a personal cloud file storage system such as `Google Drive¡¯. Select one of the five labelled elements in this diagram, and for each element consider one threat to the user¡¯s security. For each threat, write: (1) The threat target, (2) The threat category in terms of the STRIDE categories, (3) A brief description of the threat and the assumed identity/capability of the attacker, and (4) Proposed mitigation techniques for the threat.
(3 + 3 = 6 marks)
(4 x 2 = 8 marks)
2
User (Client) Machine
1
Upload
2
Cloud File Server
3
file
Sample solution:
User client Threat: Spoofing the client
(1) Target: Client machine (1) (2 marks)
(2) STRIDE category: S (2 marks)
(3) Attacker user Bob impersonates honest user Alice to the cloud file server to access Alice¡¯s files. Attacker can observe data transferred from Alice¡¯s client to cloud server, and manipulate authentication data sent to the server. (2 marks)
(4) Mitigation: Use strong authentication protocols like TLS/SSL and encrypt the communication between client and server. As long as attacker does not have access to client¡¯s private keys and Alice¡¯s password, he/she cannot impersonate Alice. (2 marks)
Note: This is just a sample paper showing the structure of the final exam. The final exam will have different questions. Besides, there will be nine questions in total in the final exam. The students are expected to answer all of them.
— End of the Examination Paper —
4
Write file
4
File Storage System
5
Read file
Download file
Page 2 of 2
����