Time Allowed: Three Hours
30 June, 2017, 13.30-16.30 p.m.

INSTRUCTIONS TO CANDIDATES
ADDITIONAL MATERIALS
None
1.
1.1. Describe the SQL injection attack and the related threats to web applications. (10 marks)
1.2. Write one of the SQL injection prevention mechanisms using a suitable programming language or pseudocode. (10 marks)
1.3. Discuss the importance of frontend and backend input validation in web applications. (05 marks)
2. You are an IT security officer in XYZ Company. One day your boss asks for your recommendation on enabling a feature in a web application that allows unregistered users to share articles with other users / friends using an email service running on the same web server.
2.1. What are the risks associated with this implementation? (05 marks)
2.2. If you are going to implement this, what are the boundary conditions that you can identify? (05 marks)
2.3. Web developers in your organization are asking whether the network perimeter security (firewalls, intrusion detection systems, antivirus software, anti-spam gateways, etc.) is adequate for the organization. Why do we need to think about application security attack vectors?
Elaborate your response. You may use a suitable diagram if required. (10 marks)
2.4. What is the objective of enhancing security through obscurity techniques? (02 marks)
2.5. Is it really effective? (03 marks)
3. “Don’t trust anyone until they can prove to you that they can be trusted”. This is one of the popular phrases in the information security and business worlds.
3.1. How is this statement relevant to secure application development? Provide a brief technical description of the risk factors. (05 marks)
3.2. Write a program or pseudocode to validate an address field using a regular expression. The address field can contain alphanumeric characters, spaces, dots (.), minus signs (-), underscores (_) and slashes (/). The length must be a minimum of 3 characters and a maximum of 50 characters. (15 marks)
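An added worked example for question 3.2 (not part of the paper or a model answer): a Python validator for the address rule stated above, alongside the common anchoring mistake it avoids. The character class is deliberately ASCII-only, and the sample inputs are constructed for illustration.

```python
import re

# Address field rule from question 3.2: alphanumerics, spaces, '.', '-', '_' and '/',
# with a total length of 3..50 characters.
# [A-Za-z0-9] is used instead of \w because Python's \w is Unicode-aware and
# would silently admit letters from any script, widening what "alphanumeric" means.
# The '-' is placed last in the class so it is a literal, not a range.
ADDRESS_RE = re.compile(r"[A-Za-z0-9 ._/-]{3,50}")


def is_valid_address(value: str) -> bool:
    """Return True only if the entire string satisfies the address rule."""
    if not isinstance(value, str):
        return False
    # fullmatch() requires the pattern to consume the whole input, so a
    # trailing newline (not in the class) is rejected as it should be.
    return ADDRESS_RE.fullmatch(value) is not None


def naive_is_valid_address(value: str) -> bool:
    """The common mistake: '^...$' with re.match().

    In Python (and many other engines) '$' also matches just before a final
    '\\n', so 'abc\\n' passes even though the newline is not an allowed character.
    """
    return re.match(r"^[A-Za-z0-9 ._/-]{3,50}$", value) is not None


# Constructed sample inputs and the verdict the rule requires for each.
SAMPLES = {
    "12/3 Main St.": True,
    "Flat_4-B": True,
    "ab": False,                   # too short (2 characters)
    "a" * 51: False,               # too long (51 characters)
    "221b; DROP TABLE": False,     # ';' is not an allowed character
    "12/3 Main St.\n": False,      # trailing newline must be rejected
}


def check_samples() -> bool:
    """Return True if the strict validator agrees with every sample verdict."""
    return all(is_valid_address(s) == expected for s, expected in SAMPLES.items())


if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        print(repr(sample), "strict:", is_valid_address(sample),
              "naive:", naive_is_valid_address(sample), "expected:", expected)
```

Running the script shows the naive version accepting "12/3 Main St.\n" while the strict version rejects it, which is the difference between the two anchoring styles.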
3.3. What is the difference between lazy and greedy modifiers in regular expressions? (05 marks)
4. Answer the following questions.
4.1. What is a symmetric-key cryptosystem? (02 marks)
4.2. What is an asymmetric-key cryptosystem? (02 marks)
4.3. What are a cipher and a key? (02 marks)
4.4. What is the major difference between the MD5 algorithm and the 3DES algorithm? (04 marks)
4.5. What is meant by a dictionary attack? (02 marks)
4.6. How are hash algorithms used in your applications to validate a username and password? Suitable diagrams may be useful. (06 marks)
4.7. Write down three categories of authentication mechanisms with relevant examples. (06 marks)
4.8. What is the use of a CAPTCHA code in web applications? (01 mark)