Learning Objectives
In this assignment you will demonstrate:
- Familiarity with security weaknesses in C, C++, and Java
- Familiarity with secure coding issues in C, C++, and Java
- Familiarity with the SEI CERT documentation on C, C++, and Java
- Research and writing skills through the exploration and exposition of certain topics in software security
- The ability to get through a few more Tom Scott videos on YouTube
Read and Watch
Do the following:
For Submission
Submit, via BrightSpace, a PDF document with answers to the following. Please note that several of these questions require research, since they cover material not specifically addressed during lectures (though they may build on the big ideas introduced during class meetings).
- Give the titles and URLs of the three Tom Scott security-related videos you watched (to completion), together with a sentence or two on the purpose or lesson of each video.
- Research the concept of Security Through Obscurity. Write up a couple of paragraphs describing what this phrase refers to, give some examples, and describe why it is (generally) a bad thing.
- Give (software) examples of (a) a failure of confidentiality, (b) a failure of integrity, and (c) a failure of availability.
- What is the difference between authentication and authorization? Give an example.
- Select 3 guidelines each from the SEI CERT guidelines in this assignment’s reading list (for C, C++, and Java). For each, give its name, its number in the CERT numbering scheme, a description of the guideline in your own words, and an example of your own code that is compliant with the selected guideline. (You may optionally include a non-compliant piece of code too, but please mark it as non-compliant.) Yes, your answer will be very much based on the code in the standard itself, but the effort you put into answering this question well, and testing the code, will help you reach the learning objectives and increase your familiarity with these useful documents. (Be careful to select 9 guidelines that are markedly different from each other.)
Grading
- For each video: 1 point for giving the URL, 3 points for capturing the essence of the video. (4 points × 3 = 12 points)
- For the STO question: 3 points for writing well, 3 points for an accurate description, 4 points for good examples (at least 2), 5 points for saying why it is bad. (15 points)
- For the CIA question: 3 points each (9 points)
- For the authentication/authorization question: 5 points for accuracy, 7 points for the example(s). (12 points)
- For each of the 9 CERT guidelines: 0.5 point for the name, 1.5 points for the description, 3 points for your example(s). Then, 5 points for spreading out concerns (i.e., having a good selection) and 2 points for good writing. (5 points × 9 + 7 points = 52 points)