Briefly define/describe what is meant by “defensive programming.” Which of the following is NOT a valid category of software errors? Porous Defenses / Malware activation / Insecure interaction between...

1. Briefly define/describe what is meant by “defensive programming.”

2. Which of the following is NOT a valid category of software errors?
   a) Porous Defenses
   b) Malware activation
   c) Insecure interaction between components
   d) Risky resource management

3. Identify a form of injection attack, AND briefly describe what is involved in this type of attack.

Document Preview:

1. Briefly define/describe what is meant by “defensive programming.”
2. Which of the following is NOT a valid category of software errors? Porous Defenses; Malware activation; Insecure interaction between components; Risky resource management
3. Identify a form of injection attack, AND briefly describe what is involved in this type of attack.
4. Which of the following is NOT a valid characteristic of cross site scripting? An attack where input from one user is later output to another user; Commonly seen in scripted web apps; Can be created with JavaScript and Active X; Social networking websites are immune to cross site scripting
5. Identify AND briefly describe an approach for validating the input to a program.
6. Match the following with the words that best describe them (4 points): Memory leak; Race condition; Fuzzing; Least Privilege; Privilege escalation; Canonicalization; Safe code; XSS reflection.
   - A powerful testing method using a large range of randomly generated inputs ____________________
   - Where multiple processes or threads compete to gain access to resources possibly resulting in corrupted data and/or lost changes ____________________
   - Attackers exploit flaws in programs to give the attacker great authority or power ____________________
   - Where a program fails to correctly manage use and release of memory causing a steady reduction in available memory to the point where it is completely exhausted ____________________
7. Briefly define/describe the “white listing” security approach.
8. Which of the following is the best definition/description of the chroot jail Linux/Unix security control? Prevents a user from switching to su/root level privilege; Shuts down discretionary access control mechanisms; Restricts a system/user view of the file system to a specified portion; Encrypts the password file
9. Briefly define/describe the function/purpose of a virtual machine hypervisor OR describe one of the...



Answered Same Day, Dec 31, 2021

David answered on Dec 31 2021
105 Votes
TSM615 SP13 FE

1. Briefly define/describe what is meant by “defensive programming.”
Answer. Defensive programming is defined as an approach to improve the software and
source code. It is an approach to reduce the software bugs in the source code, make
the source code understandable and readable, and ensure that the software
behaves in a predictable manner on unexpected inputs.
2. Which of the following is NOT a valid category of software errors? (b)
a) Porous Defenses
b) Malware activation
c) Insecure interaction between components
d) Risky resource management
Answer. (b)
3. Identify a form of injection attack, AND briefly describe what is involved in this type
of attack.
Answer. There are different forms of injection, like SQL, LDAP, OS injection, etc. The
most common and dangerous injections are SQL injections. This type of attack involves
data-driven applications. SQL injection manipulates the SQL query targeted at the
database, so attackers execute unintended operations and obtain unauthorized data.


4. Which of the following is NOT a valid characteristic of cross site scripting? (a)
a) An attack where input from one user is later output to another user
b) Commonly seen in scripted web apps
c) Can be created with JavaScript and Active X
d) Social networking websites are immune to cross site scripting
Answer. (a)
5. Identify AND briefly describe an approach for validating the input to a program.
Answer. Validating the input to a program is the process of checking whether the
input data given by the user satisfies the requirements or not. Programs usually accept
any input data; if bad input is entered, it will crash the system. Therefore validating
input data is important. There are different approaches to validating. The important
approach is to stop the program. Whenever the user enters bad input, the program stops
instead of crashing.


6. Match the following with the words that best describe them (4 points)
Memory leak; Race condition; Fuzzing; Least Privilege;
Privilege escalation; Canonicalization; Safe code; XSS reflection;
a) A powerful testing method using a large range of randomly generated inputs
_____________Fuzzing_______
b) Where multiple processes or threads compete to gain access to resources
possibly resulting in corrupted data and/or lost changes _____Race condition___
c) Attackers exploit flaws in programs to give the attacker great authority or power
_______ Privilege escalation ______
d) Where a program fails to correctly manage use and release of memory causing a
steady reduction in available memory to the point where it is completely exhausted
_____ Memory leak___________
7. Briefly define/describe the “white listing” security approach.
Answer. A whitelist is defined as a list of entities that are provided a particular service,
access, mobility, privilege or recognition. Only the entities in this list are approved,
accepted or recognized. This security approach is the converse of the blacklisting approach.
It accepts only the entities which are recognized and denies the remaining
entities.
8. Which of the following is the best definition/description of the chroot jail Linux/Unix
security control? (a)
a) Prevents a user from switching to su/root level privilege
b) Shuts down discretionary access control mechanisms
c) Restricts a system/user view of the file system to a specified portion
d) Encrypts the password file...
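As an added example, not part of the question or of David's answer, covering the SQL injection of question 3 together with the input validation of question 5 and the whitelisting approach of question 7: a constructed in-memory SQLite user table is queried first by string concatenation, then with a parameterised query, and then behind a whitelist validator. The table, column and function names are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for a data-driven application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable form: the input is concatenated into the SQL text, so a value
    # containing quotes and operators changes the meaning of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return sorted(conn.execute(sql).fetchall())


def lookup_safe(conn, name):
    # Hardened form: a parameterised query. The driver passes the value
    # separately from the SQL text, so it is always treated as data, never as SQL.
    rows = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return sorted(rows.fetchall())


# Whitelist: the only shape of username the program recognises (assumed policy).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,15}")


def validate_username(name):
    # Whitelist validation: accept input matching the known-good pattern,
    # reject everything else instead of trying to enumerate bad inputs.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username: " + repr(name))
    return name


def lookup_validated(conn, name):
    # Defence in depth: validate the input, then still use the parameterised query.
    return lookup_safe(conn, validate_username(name))
```

Running the three lookups with the same quote-bearing input shows the concatenated query returning every row, the parameterised query returning none, and the validator rejecting the input before any query is built.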