InFS6830 Secure Programming Questions
Essay Test Research and Resources
At a minimum, please consult the following resources to prepare your answers for the essay section of the midterm:
· .NET Security and Cryptography - Chapters 1 thru 6
· Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management - Chapters 1 thru 5
· Class Assignments 1 and 2
· Presentations, Links and other information in Blackboard Weeks 1 thru 4
· Course Document - Introduction to Application Programming
· Course Document – Introduction to Procedural Application Development
· Course Document – Introduction to Object Oriented Program and Application Development.
Since you are a graduate student, you are highly encouraged to supplement the previously listed research with your own personal research.
Essay Testing Procedure
This midterm essay will be worth 10% of your final grade. Use of laptops or other electronic devices is not permitted. Use of notes is not permitted. You are encouraged to write neatly. This is NOT a take-home test.
You will be given ALL essay questions in advance of the test. By providing these essay questions in advance the instructor expects that you will prepare a quality answer using the guidelines listed below.
While there is no time limit for the essay portion of the midterm, the instructor reserves the right to end the test if a student lingers after the majority of the students have completed the test and appears to be in a meditative state seeking inspiration from a higher being.
While it is recognized that students may have legitimate reasons to miss the midterm test date, it is the student's responsibility to coordinate with the instructor and fit his schedule. In addition, a retake of the midterm essay test may be possible if a student wants to improve their score; again, it is the student's responsibility to coordinate with the instructor's schedule for any and all retakes.
Essay Grading Procedure
Each essay answer will be graded using the following criteria:
· 80% - Content - Coverage of the assigned topics with a continuous emphasis on security
· 15% - Clear and understandable writing style that integrates and applies the assigned concepts in a practical manner
· 10% - Organization of answers, e.g., appropriate use of sub-headers or outline style, rough drawings where applicable, underlining of key points, etc.
Other guidelines include:
· Minor spelling and grammar errors will be ignored. A well-written and organized outline style will be permitted.
· Minor omissions of essay topics will be ignored if the overall quality of the answer merits the treatment. There is no intention to nit-pick.
· If I can't read your handwriting, the answer is not there.
· You may cite personal experience to provide context for your answer, but your grade will be based only on your demonstrated knowledge and application of the topics, not on your experience.
· You are encouraged, whenever appropriate, to share research and answers with other students to improve the quality of your answers. But your essay grade will be based on what you write on your essay.
Essay 1 - Application Security Flaws and Exploits (20%)
Overview of Application Security
1. Describe each of the following Application Security Concepts.
A selection of the following concepts will be on the Essay Test.
· Application Security Risks
· Application Security Threats to Data
· Application Security Threats to Service Availability
· Application Security and Convenience Trade-Offs
· Separation of Application Developer Duties
· Code Hardening
· Code Signing
· Principle of Least Privilege
· App Sandboxing
· Software Privilege Separation
Application Security Flaws and Exploits
2. Describe and provide an example of each of the following critical Application Security Flaws and Exploits.
A selection of the following concepts will be on the Essay Test.
· Buffer Input Validation Errors
· Output Sanitization (output encoding)
· SQL injection
· Cross-site scripting
· Session theft
· Coding problems
· Insecure Infrastructure configurations, e.g., web server
· Deployment problems
Essay 2 – Application Security and Object-Oriented Programming (20%)
1. Describe each of the following object-oriented programming concepts both in terms of: a) functionality, and b) relationship to security and data integrity.
A selection of the following concepts will be on the Essay Test.
Answer in a three-column table: Object-Oriented Security Concept; Description and Functionality; Security and Data Integrity. Concepts:
· Packages
· APIs
· Advantages and Disadvantages of Frameworks or Platforms
· Loosely versus strongly-typed
· Automatic garbage collection
· Accessibility of Classes, Data and Methods
· Scope (Visibility) of Data and Methods
2. Describe each of the following object-oriented programming concepts both in terms of: a) functionality, and b) relationship to security and data integrity.
A selection of the following concepts will be on the Essay Test.
Answer in a three-column table: Object-Oriented Security Concept; Description and Functionality; Security and Data Integrity. Concepts:
· Encapsulation
· Importing namespaces
· Instantiation of a package API (NEW)
· Inheritance or sub classing a parent class (EXTENDS)
· Method Overriding
· Inheritance of an Abstract Class
· Public Interfaces (IMPLEMENTS)
· Method Overriding and FINAL
· Exception Handling
Essay 3 – Program Vulnerabilities and Cryptography (20%)
C-Programming Language Memory Vulnerabilities
1. Describe each of the following C-Programming Language Memory Vulnerabilities, Attacks or Mitigation Techniques.
· Dangling Pointers
· Double Frees
· Memory Leaks
· Stack-based buffer overflow attacks
· Heap-based buffer overflow attacks
· Preventing buffer overflow attacks
Digital Signatures, Digital Certificates and SSL/TLS
1. What are the differences between encryption, data integrity, and authentication?
2. What are the differences between a digital signature and a digital certificate?
3. Describe the limitations and security flaws of digital certificates.
4. Draw an overview diagram and describe the DETAILS of the security design and process of a Public Key Infrastructure (PKI), SSL/TLS, web browser client, application server and database server in a modern transaction system.
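As an added illustration for question 1 (not part of the course document), the following Python puts encryption, data integrity and authentication side by side so the differences are observable: encryption hides the message but lets an attacker flip plaintext bits through the ciphertext; a plain hash detects that flip but can be recomputed by the same attacker; an HMAC under a secret key cannot be. The stream cipher is a toy built from HMAC-SHA256 in counter mode, chosen only so the block runs on the standard library; it stands in for AES-CTR and shares the malleability property being demonstrated. The keys, nonce and message are constructed for the demonstration.

```python
"""Added example (not from the course document): encryption, data
integrity and authentication side by side, standard library only.
The stream cipher is a toy (HMAC-SHA256 in counter mode) that stands
in for AES-CTR; do not use it for real data."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR is its own inverse


def checksum(data: bytes) -> bytes:
    """Integrity against accidental corruption: anyone can recompute it."""
    return hashlib.sha256(data).digest()


def verify_checksum(data: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(checksum(data), digest)


def mac(key: bytes, data: bytes) -> bytes:
    """Authentication and integrity: only a holder of key can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def flip(data: bytes, pos: int, mask: int) -> bytes:
    """Attacker tool: flip bits of one byte without knowing any key."""
    out = bytearray(data)
    out[pos] ^= mask
    return bytes(out)


def demo() -> dict:
    """Constructed scenario: a payment message sent over a hostile channel."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    msg = b"PAY 0100 TO BOB"
    ct = encrypt(enc_key, nonce, msg)

    # 1. Encryption alone hides the amount but is malleable: flipping bits
    #    of ciphertext byte 4 turns plaintext '0' (0x30) into '9' (0x39)
    #    on decryption. The attacker never touches enc_key.
    tampered = flip(ct, 4, 0x09)

    # 2. A plain hash sent beside the ciphertext catches the flip, but an
    #    attacker who can alter the message can also recompute the hash.
    sent_sum = checksum(ct)

    # 3. Encrypt-then-MAC: a tag over nonce || ciphertext that the attacker
    #    cannot regenerate because mac_key is secret, so tampering is rejected.
    tag = mac(mac_key, nonce + ct)

    return {
        "roundtrip": decrypt(enc_key, nonce, ct),
        "forged_plain": decrypt(enc_key, nonce, tampered),
        "checksum_detects_flip": not verify_checksum(tampered, sent_sum),
        "checksum_accepts_forgery": verify_checksum(tampered, checksum(tampered)),
        "mac_accepts_original": verify_mac(mac_key, nonce + ct, tag),
        "mac_accepts_tampered": verify_mac(mac_key, nonce + tampered, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A digital signature is the asymmetric counterpart of the MAC step: the same "only a key holder could have produced this" property, but verifiable by anyone holding the public key rather than only by the party sharing the secret.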
Essay 4 - .NET Application Development and Assembly Deployment
The Instructor will randomly select either Essay 4 or Essay 5 during the test. Only one will be required.
1. Draw a clearly marked graphical overview of the .NET Application Development Process. Describe this process from the starting point of using an IDE to code source statements until the application assembly is deployed and executed.
2. Describe each of the following .NET framework application development concepts or security concepts.
· Common Language Infrastructure (CLI)
· Common Intermediate Language (CIL)
· Assemblies
· Managed code and type safety
· Common Language Runtime (CLR)
· De-compilation (Reverse Engineering Attacks) and Obfuscation
Essay 5 - Java Application Development and JAR Deployment
The Instructor will randomly select either Essay 4 or Essay 5 during the test. Only one will be required.
1. Draw a graphical overview of the Java Application Development Process. Describe this process from the starting point of using an IDE to code source statements until the application JAR is deployed and executed.
2. Describe each of the following Java framework application development concepts or security concepts.
· Java SDK
· Package
· Byte code
· .java and .class files
· JAR files
· Java Virtual Machine
· Java Container
· Bytecode verifier
· Class loader
Essay 6 - Android Application Development and Security (20%)
1. Describe the function and provide an example of each of the following Android Components, Messages or Filters.
· Android Activity
· Android Service
· Android Content Providers
· Android Intent and Intent Filters
· Android Broadcast Receivers
2. Describe the function of the following Android application development and security concepts.
· APK
· Classes.dex
· Native Code
· Dalvik VM
· ADB
· Android Manifest
· Android Application Signing
· Linux Identity
3. Describe the following pre-defined Android Application Permissions.
· Normal
· Dangerous
· Signature
· URI
4. Where are Android Permissions stored in an Android App, e.g., APK file?
5. What is the difference between an Android Application Permission and an Android File Permission?
6. Compare the major security differences between Android application security and iOS application security.