Software Security Slide Set #10 Textbook Chapter 11 Clicker Questions                     Peer Instruction Questions for Intro to Computer Security by William E. Johnson, Allison Luzader, Irfan Ahmed is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Which of the following distinguishes software quality/reliability from software security? Software security is concerned with accidental failure of a program as a result of some random input. Software quality is concern with how often a bug is triggered (not how many bugs there are). Software security seeks to improve software using structured design. Software quality uses testing to eliminate as many bugs as possible. Software security is unlikely to be identified by common testing approaches (triggered by inputs often dramatically different than expected). Software quality is concerned with how often bugs are triggered (not how many bugs). Software quality is unlikely to be identified by common testing approaches (triggered by inputs often dramatically different than expected). None/Other/More than one of the above Correct Answer = C Question Triggers: ”Identify a set" because of the option in choice E ”None of the above" because of the option in choice E “Compare and contrast” due to the question distinguishing between QA and security “Qualitative questions” as this question is primarily qualitative, focusing on features and concepts Total Count: 4 Count without none of the above: 3 Count without identify a set: 3 Count without none of the above or identify a set: 2 Complexity: Composite, requiring understanding of security vs. QA Presentation: Feature Identification

Aligns clearly with traditional programming practice. Which of the following is of paramount importance for defensive programming? Always validate user inputs. Always validate assumptions regarding input. Aligns clearly with traditional programming practice. Certain library calls can be assumed to function as intended/advertised. Aligns well with business needs and desire to keep development cycles as short as possible. None/Other/More than one of the above //Marked because must review book to determine complexity of defensive programming concept in the context of the book Correct Answer = A Question Triggers: ”Identify a set" because of the option in choice E as well as the framing of the question (”Which of the following…” ”None of the above" because of the option in choice E “Qualitative questions” as the question elicits recognition of concepts Total Count: 3 Count without none of the above: 2 Count without identify a set: 2 Count without none of the above or identify a set: 1 Complexity: Composite, as it requires understanding of a number of potential attacks Presentation: Example

Input is any value hardcoded by the programmer. Which of the following is true regarding program input and defensive programming? Input is any value hardcoded by the programmer. Input is any value unknown to the programmer at the time the code was written. Input should be validated on size only (to prevent buffer overflows). Input should be validated on size and type of values to prevent unanticipated outcomes. None/Other/More than one of the above Correct Answer = E (both B & D) Question Triggers: ”None of the above" because of the option in choice E ”Identify a set" because of the option in choice E as well as the question framing (“Which of the following…”) “Qualitative questions” because this is conceptual rather than quantitative Total Count: 3 Count without none of the above: 2 Count without identify a set: 2 Count without none of the above or identify a set: 1 Complexity: Composite as this combines understanding of program input and its relationship to defensive programming Presentation: Truth

What might occur as a result of an injection attack? Buffer overflow Program might reveal confidential data Flow of execution might be altered System utilities might be reused None/Other/More than one of the above Correct Answer = C (I think B could be a valid response as well—so E; for example with command injection in set{uid,gid} binaries) Question Triggers: ”Identify a set" because of the option in choice E ”None of the above" because of the option in choice E “Qualitative questions” as this question asks for understanding of the concept of injection attacks and their potential results Total Count: 3 Count without none of the above: 2 Count without identify a set: 2 Count without none of the above or identify a set: 1 Complexity: Simple Presentation: Example

None/Other/More than one of the above Consider the code show below. What type of attack could be used on this vulnerable code? Poison packet Snooping SQL injection Cross site scripting None/Other/More than one of the above Correct Answer = C Question Triggers: ”Identify a set" because of the option in choice E ”None of the above" because of the option in choice E “Analysis and reasoning” as this requires one to analyze the SQL query itself to find the injection point “Interpret representations” as this question requires students to understand the SQL code provided Total Count: 4 Count without none of the above: 3 Count without identify a set: 3 Count without none of the above or identify a set: 2 Complexity: Composite, as this builds upon generic injection attacks to apply to SQL queries Presentation: Example

How could a malicious user implement an SQL injection attack? Snoop on network traffic and obtain confidential packets sent to/from the database Obtain access to the database by bypassing an intrusion detection systems Block assignment of form field values to global variables Supply input that can be used to construct a SQL request None/Other/More than one of the above Correct Answer = D Question Triggers: ”Identify a set" because of the option in choice E ”None of the above" because of the option in choice E “Strategize only” as this asks the students how they might best approach SQL injection “Qualitative questions” as this question is asked in a conceptual way, asking students to understand and apply features and implementation of SQL injection Total Count: 4 Count without none of the above: 3 Count without identify a set: 3 Count without none of the above or identify a set: 2 Complexity: Composite; as this requires the understanding of basic injection as well as SQL injection Presentation: Example

How could a cross-site scripting attack be prevented? Avoid using cookies on a web application Validate the size of user input Examine user input and remove any dangerous code Allow all user input and block execution of malicious spyware None/Other/More than one of the above Correct Answer = C Question Triggers: ”Identify a set" because of the option in choice E ”None of the above" because of the option in choice E “Strategize only” as this asks students to determine the best approach to XSS prevention “Qualitative questions” as this asks students to understand and apply techniques for XSS prevention Total Count: 4 Count without none of the above: 3 Count without identify a set: 3 Count without none of the above or identify a set: 2 Complexity: Simple Presentation: Example

None/Other/More than one of the above Consider the following then determine which concept is being described. This is a software testing technique that uses randomly generated data as inputs to a program. This can be used to determine if a program functions correctly. Cross site scripting Input fuzzing Race conditions Host virtualization None/Other/More than one of the above Correct Answer = B Question Triggers: ”None of the above" because of the option in choice E ”Identify a set" because of the option in choice E “Analysis and reasoning” as this requires an understanding of the scenario to determine what it best describes “Interpret representations” as students must interpret the characteristics and features in the example to successfully identify it “Qualitative questions” as this question requires and understanding of the concept of fuzzing and its features Total Count: 5 Count without none of the above: 4 Count without identify a set: 4 Count without none of the above or identify a set: 3 Complexity: Simple Presentation: Feature Identification