Exam (elaborations): questions & answers, 27 pages, 2024/2025, December 27, 2024
Module: Software Engineering Exam 3
Software Engineering Exam 3 Questions Answered Correctly Latest Version (2024-2025) Already Passed

Software Security - Answers • Should always be a high priority for product developers and their users.

• If you don't prioritize it, you and your customers will inevitably suffer losses from malicious attacks.

• In the worst case, these attacks could put product providers out of business.

• If their product is unavailable or if customer data is compromised, customers are liable to cancel their subscriptions.

• Even if they can recover from the attacks, this will take time and effort that would have been better spent working on their software.

Availability Threats - Answers An attacker attempts to deny access to the system for legitimate users

Integrity Threats - Answers Attacker attempts to damage system or data

Confidentiality Threats - Answers Attacker tries to gain access to private information held by the system

Authentication and Authorization - Answers You should have standards and procedures that ensure that all users have strong authentication and that they have appropriate access permissions. This minimizes the risk of unauthorized users accessing system resources.

System Infrastructure Management - Answers Software should be properly configured and security updates that patch vulnerabilities should be applied as soon as they become available.

Attack Monitoring - Answers The system should be regularly checked for possible unauthorized access. If attacks are detected, it may be possible to put resistance strategies in place that minimize the effects of the attack.

Backup - Answers Policies should be implemented to ensure that you keep undamaged copies of program and data files. These can then be restored after an attack.

Operational Security - Answers Focuses on helping users to maintain security. User attacks try to trick users into disclosing their credentials or accessing a website that includes malware such as a key-logging system.

Operational security procedures and practices - Answers 1. Auto logout

2. User Command Logging

3. Multifactor authentication

Injection Attacks - Answers • Type of attack where a malicious user uses a valid input field to input malicious code or database commands.

• These malicious instructions are then executed, causing some damage to the system. Code can be injected that leaks system data to the attackers.

• Common types include buffer overflow attacks and SQL poisoning attacks.

SQL Poisoning Attacks - Answers • Attacks on software products that use an SQL database.

• They take advantage of a situation where a user input is used as part of an SQL command.

• A malicious user uses a form input field to input a fragment of SQL that allows access to the database.

• The form field is added to the SQL query, which is executed and returns the information to the attacker.

Cross-site Scripting Attacks - Answers • Another form of injection attack.

• An attacker adds malicious JavaScript code to the web page that is returned from a server to a client, and this script is executed when the page is displayed in the user's browser.

• The malicious script may steal customer information or direct them to another website.

• This may try to capture personal data or display advertisements.

• Cookies may be stolen, which makes a session hijacking attack possible.

• As with other types of injection attack, this may be avoided by input validation.

Session Hijacking Attacks - Answers Type of attack where an attacker gets hold of a session cookie and uses this to impersonate a legitimate user.

Traffic Encryption - Answers Always encrypt the network traffic between clients and your server. This means setting up sessions using https rather than http. If traffic is encrypted, it is harder to monitor to find session cookies.

Multifactor Authentication - Answers Always use multi-factor authentication and require confirmation of new actions that may be damaging. For example, before a new payee request is accepted, you could ask the user to confirm their identity by inputting a code sent to their phone. You could also ask for password characters to be input before every potentially damaging action, such as transferring funds.

Short Timeouts - Answers Use relatively short timeouts on sessions. If there has been no activity in a session for a few minutes, the session should be ended and future requests directed to an authentication page. This reduces the likelihood that an attacker can access an account if a legitimate user forgets to log off when they have finished their transactions.

Denial of Service Attacks - Answers Attacks on a software system that are intended to make that system unavailable for normal use.

Most common type of denial of service attack - Answers Distributed denial of service attacks (DDOS)

Distributed denial of service attacks (DDOS) - Answers These involve distributed computers that have usually been hijacked as part of a botnet, sending hundreds of thousands of requests for service to a web application. There are so many service requests that legitimate users are denied access.

Brute Force Attacks - Answers • Attacks on a web application where the attacker has some information, such as a valid login name, but does not have the password for the site.

• The attacker creates different passwords and tries to log in with each of these. If the login fails, they then try again with a different password.

• Attackers may use a string generator that generates every possible combination of letters and numbers and use these as passwords.

• To speed up the process of password discovery, attackers take advantage of the fact that many users choose easy-to-remember passwords. They start by trying passwords from the published lists of the most common passwords.

• They rely on users setting weak passwords, so you can circumvent them by insisting that users set long passwords that are not in a dictionary or common words.

Knowledge-based Authentication - Answers The user provides secret, personal information when they register with the system. Each time they log on, the system asks them for this information.

Possession-based Authentication - Answers This relies on the user having a physical device (such as a mobile phone) that can generate or display information that is known to the authenticating system. The user inputs this information to confirm that they possess the authenticating device.

Attribute-based Authentication - Answers Based on a unique biometric attribute of the user, such as a fingerprint, which is registered with the system.

Multi-factor Authentication - Answers Combines these approaches and requires users to use more than one authentication method.

Insecure Passwords - Answers Users choose passwords that are easy to remember. However, it is also easy for attackers to guess or generate these passwords, using either a dictionary or a brute force attack.

Phishing Attacks - Answers Users click on an email link that points to a fake site that tries to collect their login and password details.

Password Reuse - Answers Users use the same password for several sites. If there is a security breach at one of these sites, attackers then have passwords that they can try on other sites.

Seller: TutorJosh