DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

(CYBER SECURITY)
CB3591- ENGINEERING SECURE SOFTWARE SYSTEMS
QUESTION BANK

Prepared by
Mrs. M. Ambika, AP/CSE Page 1
 R-2021

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

(CYBER SECURITY)

III YEAR / V SEMESTER

REGULATION 2021
CB3591- ENGINEERING SECURE SOFTWARE SYSTEMS

Faculty in Charge Head of the Department

Mrs. M. Ambika, M.E., Dr. M. P. Revathi, M.E., Ph.D.,
Assistant Professor Professor
Department of CSE Department of CSE
(Cyber Security)

Prepared by
Mrs. M. Ambika, AP/CSE Page 2
 INSTITUTION VISION & MISION

VISION:
To become a globally recognized ‘Centre of Academic Excellence’ providing
Quality Education to all students.

MISION:
To provide Quality Education in the fields of Engineering, Management,
Information Technology and other Engineering areas.

DEPARTMENT VISION & MISION

VISION:

To develop eminent engineers, researchers and entrepreneurs in the areas of

Computer Science & Engineering and Cyber Security with exceptional technical
expertise, skills and ethical values, capable of providing innovative solutions to
national and global needs.

MISION:
M1 To create a study environment where all academicians, entrepreneurs,
researchers are brought together.
M2 To create perpetual learning environment for students and faculty
members establish research centre and conduct researches in emerging
areas.
M3 To create a platform for socially relevant technical and domain
Prepared byresearches through funded projects.
Mrs. M. Ambika, AP/CSE Page 3
PROGRAMME EDUCATIONAL OBJECTIVES (PEOs)
PEO1 Apply their technical competence in computer science to solve real world problems,
with technical and people leadership.
PEO2 Conduct cutting edge research and develop solutions on problems of social
relevance.
PEO3 Work in a business environment, exhibiting team skills, work ethics, adaptability
and lifelong learning.

PROGRAMME OUTCOMES (POs)

Engineering knowledge: Apply the knowledge of mathematics, science,
engineering fundamentals, and an engineering specialization to the solution of
PO1
complex engineering problems.
Problem analysis: Identify, formulate, review research literature, and analyze
complex engineering problems reaching substantiated conclusions using first
PO2 principles of mathematics, natural sciences, and engineering sciences.
Design/development of solutions: Design solutions for complex engineering
problems and design system components or processes that meet the specified needs
PO3
with appropriate consideration for the public health and safety, and the cultural,
societal, and environmental considerations.
Conduct investigations of complex problems: Use research-based knowledge and
PO4 research methods including design of experiments, analysis and interpretation of
data, and synthesis of the information to provide valid conclusions.
Modern tool usage: Create, select, and apply appropriate techniques, resources, and
PO5 modern engineering and IT tools including prediction and modeling to complex
engineering activities with an understanding of the limitations.
The engineer and society: Apply reasoning informed by the contextual knowledge
PO6 to assess societal, health, safety, legal and cultural issues and the consequent
responsibilities relevant to the professional engineering practice.
Environment and sustainability: Understand the impact of the professional
PO7 engineering solutions in societal and environmental contexts, and demonstrate the
knowledge of, and need for sustainable development.
Ethics: Apply ethical principles and commit to professional ethics and
PO8
responsibilities and norms of the engineering practice.
PO9 Individual and team work: Function effectively as an individual, and as a member

Prepared by
Mrs. M. Ambika, AP/CSE Page 4
 or leader in diverse teams, and in multidisciplinary settings.
Communication: Communicate effectively on complex engineering activities with
the engineering community and with society at large, such as, being able to
PO10
comprehend and write effective reports and design documentation, make effective
presentations, and give and receive clear instructions.
Project management and finance: Demonstrate knowledge and understanding of
the engineering and management principles and apply these to one’s own work, as a
PO11
member and leader in a team, to manage projects and in multidisciplinary
environments.
Life-long learning: Recognize the need for, and have the preparation and ability to
PO12 engage in independent and life-long learning in the broadest context of
technological change.

PROGRAMME SPECIFIC OUTCOMES (PSOs)

PSO1 Exhibit design and programming skills to build and automate business solutions
using cutting edge technologies.
PSO2 Strong theoretical foundation leading to excellence and excitement towards
research, to provide elegant solutions to complex problems.

Prepared by
Mrs. M. Ambika, AP/CSE Page 5
 CB3591 ENGINEERING SECURE SOFTWARE SYSTEMS LTPC
2 0 2 3
COURSE OBJECTIVES:
 Know the importance and need for software security.
 Know about various attacks.
 Learn about secure software design.
 Understand risk management in secure software development.
 Know the working of tools related to software security.
UNIT I NEED OF SOFTWARE SECURITY AND LOW-LEVEL ATTACKS 6
Software Assurance and Software Security - Threats to software security - Sources of software
insecurity - Benefits of Detecting Software Security - Properties of Secure Software – Memory-
Based Attacks: Low-Level Attacks Against Heap and Stack - Defense Against Memory-Based
Attacks
UNIT II SECURE SOFTWARE DESIGN 7
Requirements Engineering for secure software - SQUARE process Model – Requirements
elicitation and prioritization- Isolating The Effects of Untrusted Executable Content – Stack
Inspection – Policy Specification Languages – Vulnerability Trends – Buffer Overflow – Code
Injection - Session Hijacking. Secure Design - Threat Modeling and Security Design Principles
UINT III SECURITY RISK MANAGEMENT 5
Risk Management Life Cycle – Risk Profiling – Risk Exposure Factors – Risk Evaluation and
Mitigation – Risk Assessment Techniques – Threat and Vulnerability Management
UNIT IV SECURITY TESTING 8
Traditional Software Testing – Comparison - Secure Software Development Life Cycle – Risk-
Based Security Testing – Prioritizing Security Testing With Threat Modeling – Penetration
Testing – Planning and Scoping - Enumeration – Remote Exploitation – Web Application
Exploitation - Exploits and Client Side Attacks – Post Exploitation – Bypassing Firewalls and
Avoiding Detection - Tools for Penetration Testing
UNIT V SECURE PROJECT MANAGEMENT 4
Governance and security - Adopting an enterprise software security framework - Security and
project management - Maturity of Practice
Prepared by
Mrs. M. Ambika, AP/CSE Page 6
 TOTAL: 30 PERIODS
COURSE OUTCOMES:

Upon completion of the course, the student will be able to

CO1 Identify various vulnerabilities related to memory attacks.
CO2 Apply security principles in software development.
CO3 Evaluate the extent of risks.
CO4 Involve selection of testing techniques related to software security in the testing
phase of software development.
CO5 Use tools for securing software.

CO’s-PO’s & PSO’s MAPPING

PO’s PSO’s
CO’s
PO1
PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 PSO1 PSO2
2
CO1 2 3 2 3 2 - - - 2 1 2 2 - 2

CO2 2 2 2 3 3 - - - 2 1 2 2 - 3

CO3 1 2 2 2 1 - - - 1 1 2 1 1 2

CO4 2 3 2 2 2 - - - 2 1 2 2 - 1

CO5 2 1 2 2 3 - - - 2 1 1 2 2 1

Avg 1.8 2.2 2 2.4 2.2 - - - 1.8 1 1.8 1.8 1.5 1.8

1 - Low, 2 - Medium, 3 - High, ‘-‘ - No correlation

TEXT BOOKS:
1. Julia H. Allen, “Software Security Engineering”, Pearson Education, 2008
2. Evan Wheeler, “Security Risk Management: Building an Information Security Risk
Management Program from the Ground Up”, First edition, Syngress Publishing, 2011

Prepared by
Mrs. M. Ambika, AP/CSE Page 7
 3. Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin, “The Art of Software
Security Testing: Identifying Software Security Flaws (Symantec Press)”, Addison-Wesley
Professional, 2006
REFERENCE BOOKS:
1. Robert C. Seacord, “Secure Coding in C and C++ (SEI Series in Software Engineering)”,
Addison-Wesley Professional, 2005.
2. Jon Erickson, “Hacking: The Art of Exploitation”, 2nd Edition, No Starch Press, 2008.
3. Mike Shema, “Hacking Web Apps: Detecting and Preventing Web Application Security
Problems”, First edition, Syngress Publishing, 2012
4. Bryan Sullivan and Vincent Liu, “Web Application Security, A Beginner's Guide”, Kindle
Edition, McGraw Hill, 2012
5. Lee Allen, “Advanced Penetration Testing for Highly-Secured Environments: The Ultimate
Security Guide (Open Source: Community Experience Distilled)”, Kindle Edition, Packt
Publishing,2012
6. Jason Grembi, “Developing Secure Software”

Prepared by
Mrs. M. Ambika, AP/CSE Page 8
 UNIT I
NEED OF SOFTWARE SECURITY AND LOW-LEVEL ATTACKS

PART –A
CO
Q.
Questions Mappin BT Level Complexity
No
g
Compare software assurance and software CO1 Evaluate High
1
security.
What are software vulnerabilities, and how are Understand Low
2 CO1
they identified?
List out the primary sources of software Remember Low
3 CO1
insecurity?
What are memory-based attacks, and what are Understand Low
4 CO1
their types?
Compare and contrast vulnerability, threat and
5 CO1 Evaluate High
exploitation.
6 What is Software Assurance? CO1 Understand Low
7 Define Software Security. CO1 Remember Low
8 List any two threats to software security. CO1 Remember Low
9 What are the sources of software insecurity? CO1 Understand Low
10 What are the key properties of secure software? CO1 Understand Low
11 Define Memory-Based Attacks. CO1 Remember Low
12 Differentiate between Heap and Stack. CO1 Understand Low
13 What is a Buffer Overflow Attack? CO1 Understand Low
14 List any two low-level attacks against memory. CO1 Remember Low
15 How does Stack Overflow occur? CO1 Understand Low
Mention one defense mechanism against
16 CO1 Remember Low
memory-based attacks.
17 What is Address Space Layout Randomization CO1 Understand Low
Prepared by
Mrs. M. Ambika, AP/CSE Page 9
 (ASLR)?

PART –B
CO
Q.
Questions Mappin BT Level Complexity
No
g
Explain Memory Based Attacks and Low-Level CO1 Understand Medium
1
Attacks against heap.
How will you defense against memory based Understand Medium
2 CO1
attacks explain in detail?
Explain the benefits of detecting software Understand Medium
3 CO1
security.
4 Examine the threats to software security. CO1 Analyze Medium
Describe the properties of Secure Software in Understand Medium
5 CO1
detail.
Explain Software Assurance and its role in Understand Medium
6 CO1
ensuring software security.
Describe the sources of software insecurity and CO1 Understand Medium
7
how they impact software security.
Explain how buffer overflow attacks work. How CO1 Understand Medium
8
do they compromise system security?
Compare and contrast defense mechanisms CO1 Evaluate High
9
against memory-based attacks.
What are heap-based and stack-based CO1 Understand Medium
10
vulnerabilities? How can they be exploited?
Explain Address Space Layout Randomization
11 (ASLR) and other techniques to protect software CO1 Understand Medium
from memory-based attacks.
Discuss the role of secure coding practices in CO1 Understand Medium
12
preventing software security threats.
Explain the importance of software security
13 testing and various techniques used for testing CO1 Understand Medium
security vulnerabilities.
Analyze the impact of software security threats
14 on organizations and suggest measures to CO1 Analyze Medium
mitigate these threats.

Prepared by
Mrs. M. Ambika, AP/CSE Page 10
 UNIT II
SECURE SOFTWARE DESIGN

PART –A
CO
Q.
Questions Mappin BT Level Complexity
No
g
1 What is Requirements Engineering? CO2 Understand Low
2 Define secure software requirements. CO2 Remember Low
3 What is the SQUARE process model? CO2 Understand Low
List the main steps involved in the SQUARE
4 CO2 Remember Low
process model.
5 What is requirements elicitation? CO2 Understand Low
6 What is requirements prioritization? CO2 Understand Low
How does untrusted executable content affect
7 CO2 Analyze Medium
software security? Justify your answer.
8 What is Stack Inspection in software security? CO2 Understand Low
9 Define Policy Specification Languages. CO2 Remember Low
10 What are vulnerability trends? CO2 Understand Low
11 What is a buffer overflow? CO2 Understand Low
12 Define code injection. CO2 Remember Low
13 What is session hijacking? CO2 Understand Low
14 What is threat modeling in secure design? CO2 Understand Low
15 List any two security design principles. CO2 Remember Low

PART –B
CO
Q.
Questions Mappin BT Level Complexity
No
g
Explain the importance of Requirements
1 CO2 Understand Medium
Engineering in developing secure software.
2 Describe the SQUARE process model in detail CO2 Understand Medium

Prepared by
Mrs. M. Ambika, AP/CSE Page 11
 with its key steps.
Discuss different requirements elicitation
3 techniques and their role in secure software CO2 Understand Medium
development.
How is requirements prioritization performed
4 CO2 Understand Medium
for security-related software requirements?
Evaluate the impact of untrusted executable
5 content on system security and methods to CO2 Evaluate Medium
isolate its effects.
Describe Stack Inspection and its role in
6 CO2 Understand Medium
enforcing security policies.
What are Policy Specification Languages?
7 Explain their importance in security policy CO2 Understand Medium
enforcement.
Analyze the latest vulnerability trends in
8 software security and how they impact modern CO2 Analyze Medium
applications.
Explain Buffer Overflow attacks with an
9 CO2 Understand Medium
example. How can they be prevented?
Describe Code Injection attacks and discuss
10 different techniques used to exploit CO2 Understand Medium
vulnerabilities.
Explain Session Hijacking and discuss different
11 CO2 Understand Medium
techniques used to prevent it.
What is Threat Modeling? Discuss its
12 CO2 Understand Medium
significance in secure software design.
Explain various Security Design Principles and
13 CO2 Understand Medium
their role in building secure software systems.

Prepared by
Mrs. M. Ambika, AP/CSE Page 12
 UNIT III
SECURITY RISK MANAGEMENT

PART –A
CO
Q.
Questions Mappin BT Level Complexity
No
g
1 What is Risk Management in software security? CO3 Understand Low
List the phases of the Risk Management Life
2 CO3 Remember Low
Cycle.
3 Define Risk Profiling. CO3 Remember Low
4 What are Risk Exposure Factors? CO3 Understand Low
5 What is Risk Evaluation? CO3 Understand Low
6 Define Risk Mitigation. CO3 Remember Low
7 Mention any two Risk Assessment Techniques. CO3 Remember Low
8 What is Threat Management? CO3 Understand Low
9 Define Vulnerability Management. CO3 Remember Low
10 Compare threats and vulnerabilities? CO3 Evaluate High
Compare and contrast qualitative and
11 CO3 Evaluate High
quantitative risk assessment.
12 Mention any two methods for Risk Mitigation. CO3 Remember Low
13 What are the key steps in Risk Assessment? CO3 Understand Low
14 Define Residual Risk. CO3 Remember Low

PART –B
CO
Q.
Questions Mappin BT Level Complexity
No
g
Explain the Risk Management Life Cycle in CO3 Understand Medium
1
detail with its phases.

Prepared by
Mrs. M. Ambika, AP/CSE Page 13
 Describe Risk Profiling and its importance in CO3 Understand Medium
2
security management.
What are Risk Exposure Factors? Explain their CO3 Understand Medium
3
role in risk assessment.
Discuss Risk Evaluation and Mitigation Understand Medium
4 CO3
techniques with examples.
Compare and contrast Risk Assessment Evaluate High
5 CO3
Techniques used in cybersecurity.
Describe the concept of Threat Management and Understand Medium
6 CO3
how organizations handle emerging threats.
Explain Vulnerability Management and its Understand Medium
7 CO3
importance in maintaining software security.
Compare key differences between Threats,
8 Vulnerabilities, and Risks with real-world CO3 Evaluate High
examples.
What are the different strategies for risk
9 mitigation in software security? Explain with CO3 Understand Medium
examples.
Explain the importance of risk assessment in
10 secure software development and discuss CO3 Understand Medium
different risk assessment models.
Compare and contrast quantitative vs. qualitative Evaluate High
11 CO3
risk assessment with examples.
What are the common security threats and
vulnerabilities faced by modern software Understand Medium
12 CO3
applications? How can they be managed
effectively?
Analyze the impact of effective risk management Analyze Medium
13 CO3
on an organization’s security posture.

Prepared by
Mrs. M. Ambika, AP/CSE Page 14
 UNIT IV
SECURITY TESTING

PART –A
CO
Q.
Questions Mappin BT Level Complexity
No
g
1 What is Traditional Software Testing? CO4 Understand Low
Mention any two differences between Traditional CO4 Remember Low
2
Testing and Security Testing.
What is the Secure Software Development Life Understand Low
3 CO4
Cycle (SDLC)?
4 Define Risk-Based Security Testing. CO4 Remember Low
What is the purpose of Threat Modeling in Understand Low
5 CO4
security testing?
6 Define Penetration Testing. CO4 Remember Low
7 What are the key phases in Penetration Testing? CO4 Understand Low
What is the importance of Planning and Scoping Understand Low
8 CO4
in penetration testing?
9 What is Enumeration in cybersecurity? CO4 Understand Low
10 Define Remote Exploitation. CO4 Remember Low
11 What is Web Application Exploitation? CO4 Understand Low
12 Mention any two common Client-Side Attacks. CO4 Remember Low
13 What is Post Exploitation in penetration testing? CO4 Understand Low
14 How do attackers bypass firewalls? CO4 Understand Low
15 List any two tools used in Penetration Testing. CO4 Remember Low

PART –B
Q. Questions CO BT Level Complexity
Prepared by
Mrs. M. Ambika, AP/CSE Page 15
 Mappin
No
g
Explain Traditional Software Testing and Understand Medium
1 CO4
compare it with Security Testing.
Describe the Secure Software Development Life Understand Medium
2 CO4
Cycle (SDLC) and its significance.
What is Risk-Based Security Testing? Explain its Understand Medium
3 CO4
importance and approach.
Discuss how Threat Modeling helps in Understand Medium
4 CO4
prioritizing security testing.
Explain the Penetration Testing Process in detail Understand Medium
5 CO4
with key phases.
Describe the Planning and Scoping phase in Understand Medium
6 CO4
penetration testing and its importance.
What is Enumeration? Discuss its role in security Understand Medium
7 CO4
assessments with examples.
Analyze Remote Exploitation techniques and how Analyze Medium
8 CO4
attackers take advantage of vulnerabilities.
Discuss different methods used in Web Understand Medium
9 CO4
Application Exploitation.
Explain Client-Side Attacks and different Understand Medium
10 CO4
techniques used by attackers.
Apply Post Exploitation technique and discuss Apply Medium
11 CO4
its significance in penetration testing.
Describe various methods used for Bypassing Understand Medium
12 CO4
Firewalls and Avoiding Detection.
Evaluate different tools used in Penetration Evaluate High
13 CO4
Testing, including their applications.

Prepared by
Mrs. M. Ambika, AP/CSE Page 16
 UNIT V
SECURE PROJECT MANAGEMENT

PART –A
CO
Q.
Questions Mappin BT Level Complexity
No
g
1 What is Governance in Security? CO5 Understand Low
2 Define Enterprise Software Security Framework. CO5 Remember Low
What is the role of Governance in Software CO5 Understand Low
3
Security?
List any two benefits of adopting an Enterprise CO5 Remember Low
4
Software Security Framework.
What is the relationship between Security and CO5 Understand Low
5
Project Management?
6 Define Security Governance in an organization. CO5 Remember Low
What are the key elements of an Enterprise CO5 Understand Low
7
Security Framework?
Mention any two challenges in integrating
8 CO5 Remember Low
security with project management.
9 What is Security Maturity in an organization? CO5 Understand Low
10 Define Maturity of Practice in software security. CO5 Remember Low
Apply Risk Governance in security
11 CO5 Apply Medium
management?
How does Project Management influence CO5 Understand Low
12
software security?
Mention any two industry-standard Security
13 CO5 Remember Low
Frameworks.
What is ISO 27001, and how does it relate to CO5 Understand Low
14
security governance?
15 Compare security governance and security CO5 Evaluate High
Prepared by
Mrs. M. Ambika, AP/CSE Page 17
 management.

PART –B
CO
Q.
Questions Mappin BT Level Complexity
No
g
Explain Governance in Security and its role in CO5 Understand Medium
1
enterprise security management.
Discuss the importance of adopting an Enterprise CO5 Understand Medium
2
Software Security Framework and its benefits.
Describe various Enterprise Security CO5 Understand Medium
3
Frameworks used in organizations.
Explain the relationship between Security and
4 Project Management and how security is CO5 Understand Medium
integrated into project planning.
Discuss Security Governance Models and their CO5 Understand Medium
5
impact on software security.
How can organizations enhance Software
6 Security Maturity? Discuss different security CO5 Understand Medium
maturity models.
Explain the Maturity of Practice in security and CO5 Understand Medium
7
its evolution over time.
What are the challenges in adopting a Software
8 Security Framework, and how can they be CO5 Understand Medium
overcome?
Discuss the role of Security Policies, Standards, CO5 Understand Medium
9
and Compliance in security governance.
How does Risk Governance influence enterprise CO5 Understand Medium
10
security decisions? Explain with examples.
Describe the impact of Security Governance on CO5 Understand Medium
11
Software Development Life Cycle (SDLC).
Explain the steps involved in implementing a CO5 Understand Medium
12
Mature Security Practice in an organization.
13 Compare different Security Frameworks such as CO5 Evaluate High

Prepared by
Mrs. M. Ambika, AP/CSE Page 18
 NIST, ISO 27001, and CIS Controls and discuss
their relevance.

THANK YOU

ALL THE BEST

Prepared by
Mrs. M. Ambika, AP/CSE Page 19