CS375: Software Engineering - Software Security Knowledge Check (10 Points)

Assignment Goals

The goals of this assignment are:
  1. To recall the CIA triad and classify what a given attack violates
  2. To match common vulnerabilities to their OWASP Top 10 category and their defense
  3. To distinguish authentication from authorization, hashing from encryption, and encoding from encryption

The Assignment

This is a short, low-stakes knowledge check on the Secure Software Engineering activity, graded on a participation basis. Answer in a few sentences each; the goal is to confirm the shared vocabulary, not to trick you. You may use your notes and the linked references.

Software Security Knowledge Check

  1. The CIA triad. Name the three properties of the CIA triad. For each, give one concrete example of an attack that violates it.

  2. Injection. A colleague writes "SELECT * FROM Users WHERE name = '" + input + "'". What vulnerability class is this, which OWASP Top 10 category and CWE does it fall under, and what is the single most effective fix? Why is “reject any input containing an apostrophe” a weaker defense than that fix?

  3. Authentication vs. authorization. A logged-in user sends a request to delete a note that belongs to a different user. Which of the two – authentication or authorization – should stop this, and why is it not enough that the user is logged in?

  4. JWT payloads. A JWT payload is only Base64-encoded, so anyone holding the token can read it. (a) Why, then, can a user not simply edit the payload to impersonate someone else? (b) Why must you never place a password or secret inside a JWT payload?

  5. Hashing vs. encryption. You must store user passwords and you must store a session value you will later need to read back. Which one calls for hashing and which for encryption, and why? Why is a bare hash(password) without a salt still weak?

  6. Secrets and supply chain. (a) What is the risk of committing a JWT_SECRET or API key to a git repository, and what should you use instead? (b) In one sentence, what is a supply-chain vulnerability, and how does automated dependency scanning in CI help? (This course’s own site fixed one – the compromised polyfill.io dependency.)

  7. Threat modeling. STRIDE stands for six threat categories. Pick any two letters, name the threat, and give an example of that threat against the note-taking service from the MVC activity.

Submission

Submit your answers as directed for participation activities (in the class notebook or as instructed). Full credit is awarded for a good-faith, complete attempt.

Submission

In your submission, please include answers to any questions asked on the assignment page, as well as the questions listed below, in your README file. If you wrote code as part of this assignment, please describe your design, approach, and implementation in a separate document prepared using a word processor or typesetting program such as LaTeX. This document should include specific instructions on how to build and run your code, and a description of each code module or function that you created suitable for re-use by a colleague. In your README, please include answers to the following questions:
  • Describe what you did, how you did it, what challenges you encountered, and how you solved them.
  • Please answer any questions found throughout the narrative of this assignment.
  • If collaboration with a buddy was permitted, did you work with a buddy on this assignment? If so, who? If not, do you certify that this submission represents your own original work?
  • Please identify any and all portions of your submission that were not originally written by you (for example, code originally written by your buddy, or anything taken or adapted from a non-classroom resource). It is always OK to use your textbook and instructor notes; however, you are certifying that any portions not designated as coming from an outside person or source are your own original work.
  • Approximately how many hours it took you to finish this assignment (I will not judge you for this at all...I am simply using it to gauge if the assignments are too easy or hard)?
  • Your overall impression of the assignment. Did you love it, hate it, or were you neutral? One word answers are fine, but if you have any suggestions for the future let me know.
  • Using the grading specifications on this page, discuss briefly the grade you would give yourself and why. Discuss each item in the grading specification.
  • Any other concerns that you have. For instance, if you have a bug that you were unable to solve but you made progress, write that here. The more you articulate the problem the more partial credit you will receive (it is fine to leave this blank).

Please refer to the Style Guide for code quality examples and guidelines.