ESSS Question Bank

The document is a question bank for the Engineering Secure Software Systems course at Jaya Sakthi Engineering College for the academic year 2025-2026. It includes questions categorized by units covering topics such as software security, secure software design, security risk management, security testing, and secure project management. Each unit contains Part-A, Part-B, and Part-C questions with varying levels of difficulty and learning outcomes.

JAYA SAKTHI ENGINEERING COLLEGE
[Approved By AICTE, New Delhi & Affiliated to ANNA UNIVERSITY, Chennai]
Thiruninravur – 602 024, Thiruvallur Dt., Tamil Nadu.

QUESTION BANK (AY: 2025-2026) ODD SEMESTER

Department: CSE
Subject Code: CB3591
Year/Sem: III/V
Subject: Engineering Secure Software Systems
Regulation: 2021
Staff In charge: N.Bamakumari

UNIT I NEED OF SOFTWARE SECURITY AND LOW-LEVEL ATTACKS

Software Assurance and Software Security – Threats to software security – Sources of software insecurity – Benefits of Detecting Software Security – Properties of Secure Software – Memory-Based Attacks: Low-Level Attacks against Heap and Stack – Defense Against Memory-Based Attacks

CO1 Identify various vulnerabilities related to memory attacks.

PART-A Questions (2 marks)

Q.No | Question | K level | CO Mapping
1 | Compare software assurance and software security. | K1 | CO1
2 | What are software vulnerabilities, and how are they identified? | K1 | CO1
3 | List out the primary sources of software insecurity. | K1 | CO1
4 | Discuss memory-based attacks. What are their types? | K1 | CO1
5 | Compare and contrast vulnerability, threat and exploitation. | K1 | CO1
6 | Explain Software Assurance. | K1 | CO1
7 | Define Software Security. | K1 | CO1
8 | List out the threats to software security. | K1 | CO1
9 | Illustrate the sources of software insecurity. | K1 | CO1
10 | Define the key properties of secure software. | K1 | CO1
11 | Define Memory-Based Attacks. | K1 | CO1
12 | Differentiate between Heap and Stack. | K1 | CO1
13 | Define Buffer Overflow Attack. | K1 | CO1
14 | List any two low-level attacks against memory. | K1 | CO1
15 | How does Stack Overflow occur? | K1 | CO1
16 | Mention one defense mechanism against memory-based attacks. | K1 | CO1
17 | Define Address Space Layout Randomization (ASLR). | K1 | CO1

PART-B Questions (13 marks)

Q.No | Question | K level | CO Mapping
1 | Explain Memory-Based Attacks and Low-Level Attacks against the heap. | K1 | CO1
2 | How will you defend against memory-based attacks? Explain in detail. | K1 | CO1
3 | Explain the benefits of detecting software security. | K1 | CO1
4 | Examine the threats to software security. | K1 | CO1
5 | Describe the properties of Secure Software in detail. | K1 | CO1
6 | Explain Software Assurance and its role in ensuring software security. | K1 | CO1
7 | Describe the sources of software insecurity and how they impact software security. | K1 | CO1
8 | Explain how buffer overflow attacks work. How do they compromise system security? | K1 | CO1
9 | Compare and contrast defense mechanisms against memory-based attacks. | K1 | CO1
10 | What are heap-based and stack-based vulnerabilities? How can they be exploited? | K1 | CO1

PART-C Questions (15 marks)

Q.No | Question | K level | CO Mapping
1 | Explain Address Space Layout Randomization (ASLR) and other techniques to protect software from memory-based attacks. | K1 | CO1
2 | Discuss the role of secure coding practices in preventing software security threats. | K1 | CO1
3 | Explain the importance of software security testing and various techniques used for testing security vulnerabilities. | K1 | CO1
4 | Analyze the impact of software security threats on organizations and suggest measures to mitigate these threats. | K1 | CO1
5 | Explain in detail the properties of Secure Software. | K1 | CO1

UNIT II SECURE SOFTWARE DESIGN

Requirements Engineering for secure software – SQUARE process Model – Requirements elicitation and prioritization – Isolating The Effects of Untrusted Executable Content – Stack Inspection – Policy Specification Languages – Vulnerability Trends – Buffer Overflow – Code Injection – Session Hijacking. Secure Design – Threat Modeling and Security Design Principles

CO2 Apply security principles in software development.

PART-A Questions (2 marks)

Q.No | Question | K level | CO Mapping
1 | Define Requirements Engineering. | K1 | CO2
2 | Define secure software requirements. | K1 | CO2
3 | What is the SQUARE process model? | K1 | CO2
4 | List the main steps involved in the SQUARE process model. | K1 | CO2
5 | Explain requirements elicitation. | K2 | CO2
6 | What is requirements prioritization? | K1 | CO2
7 | How does untrusted executable content affect software security? Justify your answer. | K1 | CO2
8 | What is Stack Inspection in software security? | K1 | CO2
9 | Define Policy Specification Languages. | K1 | CO2
10 | Explain vulnerability trends. | K1 | CO2
11 | Illustrate what a buffer overflow is. | K1 | CO2
12 | Define code injection. | K1 | CO2
13 | What is session hijacking? | K1 | CO2
14 | Define threat modeling in secure design. | K1 | CO2
15 | List any two security design principles. | K1 | CO2

PART-B Questions (13 marks)

Q.No | Question | K level | CO Mapping
1 | Explain the importance of Requirements Engineering in developing secure software. | K2 | CO2
2 | Describe the SQUARE process model in detail with its key steps. | K1 | CO2
3 | Discuss different requirements elicitation techniques and their role in secure software development. | K1 | CO2
4 | How is requirements prioritization performed for security-related software requirements? | K1 | CO2
5 | Evaluate the impact of untrusted executable content on system security and methods to isolate its effects. | K1 | CO2
6 | Describe Stack Inspection and its role in enforcing security policies. | K1 | CO2
7 | What are Policy Specification Languages? Explain their importance in security policy enforcement. | K1 | CO2
8 | Analyze the latest vulnerability trends in software security and how they impact modern applications. | K1 | CO2
9 | Explain Buffer Overflow attacks with an example. How can they be prevented? | K1 | CO2
10 | Describe Code Injection attacks and discuss different techniques used to exploit vulnerabilities. | K1 | CO2

PART-C Questions (15 marks)

Q.No | Question | K level | CO Mapping
11 | Explain Session Hijacking and discuss different techniques used to prevent it. | K1 | CO2
12 | What is Threat Modeling? Discuss its significance in secure software design. | K1 | CO2
13 | Explain various Security Design Principles and their role in building secure software systems. | K1 | CO2
14 | Describe vulnerability trends and also explain their usage in software security. | K1 | CO2
15 | Explain Stack Inspection and its application in software security. | K1 | CO2

UNIT III SECURITY RISK MANAGEMENT

Risk Management Life Cycle – Risk Profiling – Risk Exposure Factors – Risk Evaluation and Mitigation – Risk Assessment Techniques – Threat and Vulnerability Management

CO3 Evaluate the extent of risks.

PART-A Questions (2 marks)

Q.No | Question | K level | CO Mapping
1 | Define Risk Management in software security. | K1 | CO3
2 | List the phases of the Risk Management Life Cycle. | K1 | CO3
3 | Define Risk Profiling. | K1 | CO3
4 | Explain Risk Exposure Factors. | K2 | CO3
5 | What is Risk Evaluation? | K1 | CO3
6 | Define Risk Mitigation. | K1 | CO3
7 | Mention any two Risk Assessment Techniques. | K1 | CO3
8 | What is Threat Management? | K1 | CO3
9 | Define Vulnerability Management. | K1 | CO3
10 | Compare threats and vulnerabilities. | K1 | CO3
11 | Compare and contrast qualitative and quantitative risk assessment. | K1 | CO3
12 | Mention any two methods for Risk Mitigation. | K1 | CO3
13 | What are the key steps in Risk Assessment? | K1 | CO3
14 | Define Residual Risk. | K1 | CO3

PART-B Questions (13 marks)

Q.No | Question | K level | CO Mapping
1 | Explain the Risk Management Life Cycle in detail with its phases. | K1 | CO3
2 | Describe Risk Profiling and its importance in security management. | K1 | CO3
3 | What are Risk Exposure Factors? Explain their role in risk assessment. | K1 | CO3
4 | Discuss Risk Evaluation and Mitigation techniques with examples. | K1 | CO3
5 | Compare and contrast Risk Assessment Techniques used in cyber security. | K1 | CO3
6 | Describe the concept of Threat Management and how organizations handle emerging threats. | K1 | CO3
7 | Explain Vulnerability Management and its importance in maintaining software security. | K1 | CO3
8 | Compare key differences between Threats, Vulnerabilities, and Risks with real-world examples. | K1 | CO3
9 | What are the different strategies for risk mitigation in software security? Explain with examples. | K1 | CO3
10 | Explain the importance of risk assessment in secure software development and discuss different risk assessment models. | K1 | CO3

PART-C Questions (15 marks)

Q.No | Question | K level | CO Mapping
11 | Compare and contrast quantitative vs. qualitative risk assessment with examples. | K3 | CO3
12 | What are the common security threats and vulnerabilities faced by modern software applications? How can they be managed effectively? | K1 | CO3
13 | Analyze the impact of effective risk management on an organization's security posture. | K1 | CO3
14 | Discuss the Risk Management Life Cycle in detail with its applications in secured software. | K1 | CO3
15 | Explain Risk Evaluation and Mitigation techniques with examples. | K1 | CO3

Unit IV: Security Testing

Traditional Software Testing – Comparison – Secure Software Development Life Cycle – Risk Based Security Testing – Prioritizing Security Testing With Threat Modeling – Penetration Testing – Planning and Scoping – Enumeration – Remote Exploitation – Web Application Exploitation Exploits and Client Side Attacks – Post Exploitation – Bypassing Firewalls and Avoiding Detection – Tools for Penetration Testing

CO4 Involve selection of testing techniques related to software security in the testing phase of software development.

PART-A Questions (2 marks)

Q.No | Question | K level | CO Mapping
1 | Explain Traditional Software Testing. | K1 | CO4
2 | Mention any two differences between Traditional Testing and Security Testing. | K1 | CO4
3 | What is the Secure Software Development Life Cycle (SDLC)? | K3 | CO4
4 | Define Risk-Based Security Testing. | K1 | CO4
5 | What is the purpose of Threat Modeling in security testing? | K1 | CO4
6 | Define Penetration Testing. | K1 | CO4
7 | Define the key phases in Penetration Testing. | K1 | CO4
8 | What is the importance of Planning and Scoping in penetration testing? | K1 | CO4
9 | Explain Enumeration in cyber security. | K2 | CO4
10 | Define Remote Exploitation. | K1 | CO4
11 | What is Web Application Exploitation? | K1 | CO4
12 | Mention any two common Client-Side Attacks. | K1 | CO4
13 | What is Post Exploitation in penetration testing? | K1 | CO4
14 | How do attackers bypass firewalls? | K1 | CO4
15 | List any two tools used in Penetration Testing. | K1 | CO4

PART-B Questions (13 marks)

Q.No | Question | K level | CO Mapping
1 | Explain Traditional Software Testing and compare it with Security Testing. | K1 | CO4
2 | Describe the Secure Software Development Life Cycle (SDLC) and its significance. | K1 | CO4
3 | What is Risk-Based Security Testing? Explain its importance and approach. | K4 | CO4
4 | Discuss how Threat Modeling helps in prioritizing security testing. | K1 | CO4
5 | Explain the Penetration Testing Process in detail with key phases. | K1 | CO4
6 | Describe the Planning and Scoping phase in penetration testing and its importance. | K4 | CO4
7 | What is Enumeration? Discuss its role in security assessments with examples. | K1 | CO4
8 | Analyze Remote Exploitation techniques and how attackers take advantage of vulnerabilities. | K1 | CO4
9 | Discuss different methods used in Web Application Exploitation. | K1 | CO4
10 | Explain Client-Side Attacks and different techniques used by attackers. | K1 | CO4

PART-C Questions (15 marks)

Q.No | Question | K level | CO Mapping
11 | Apply Post Exploitation techniques and discuss their significance in penetration testing. | K1 | CO4
12 | Describe various methods used for Bypassing Firewalls and Avoiding Detection. | K1 | CO4
13 | Evaluate different tools used in Penetration Testing, including their applications. | K1 | CO4
14 | Discuss the Penetration Testing Process in detail and explain its usage. | K3 | CO4
15 | Explain the Secure Software Development Life Cycle (SDLC) in detail and its significance. | K1 | CO4

Unit V: Secure Project Management

Governance and security – Adopting an enterprise software security framework – Security and project management – Maturity of Practice

CO5 Use tools for securing software.

PART-A Questions (2 marks)

Q.No | Question | K level | CO Mapping
1 | Explain Governance in Security. | K2 | CO5
2 | Define Enterprise Software Security Framework. | K1 | CO5
3 | What is the role of Governance in Software Security? | K1 | CO5
4 | List any two benefits of adopting an Enterprise Software Security Framework. | K1 | CO5
5 | What is the relationship between Security and Project Management? | K1 | CO5
6 | Define Security Governance in an organization. | K1 | CO5
7 | What are the key elements of an Enterprise Security Framework? | K1 | CO5
8 | Mention any two challenges in integrating security with project management. | K1 | CO5
9 | What is Security Maturity in an organization? | K1 | CO5
10 | Define Maturity of Practice in software security. | K1 | CO5
11 | Apply Risk Governance in security management. | K1 | CO5
12 | How does Project Management influence software security? | K1 | CO5
13 | Mention any two industry-standard Security Frameworks. | K1 | CO5
14 | What is ISO 27001, and how does it relate to security governance? | K1 | CO5
15 | Compare security governance and security management. | K1 | CO5

PART-B Questions (13 marks)

Q.No | Question | K level | CO Mapping
1 | Explain Governance in Security and its role in enterprise security management. | K1 | CO5
2 | Discuss the importance of adopting an Enterprise Software Security Framework and its benefits. | K1 | CO5
3 | Describe various Enterprise Security Frameworks used in organizations. | K1 | CO5
4 | Explain the relationship between Security and Project Management and how security is integrated into project planning. | K1 | CO5
5 | Discuss Security Governance Models and their impact on software security. | K1 | CO5
6 | How can organizations enhance Software Security Maturity? Discuss different security maturity models. | K1 | CO5
7 | Explain the Maturity of Practice in security and its evolution over time. | | CO5
8 | What are the challenges in adopting a Software Security Framework, and how can they be overcome? | K1 | CO5
9 | Discuss the role of Security Policies, Standards, and Compliance in security governance. | K3 | CO5
10 | How does Risk Governance influence enterprise security decisions? Explain with examples. | K1 | CO5

PART-C Questions (15 marks)

Q.No | Question | K level | CO Mapping
11 | Describe the impact of Security Governance on the Software Development Life Cycle (SDLC). | K4 | CO5
12 | Explain the steps involved in implementing a Mature Security Practice in an organization. | K1 | CO5
13 | Compare different Security Frameworks such as NIST, ISO 27001, and CIS Controls and discuss their relevance. | K1 | CO5
14 | Explain how to adopt an Enterprise Software Security Framework and its benefits. | K2 | CO5
15 | Explain the relationship between Security and Project Management and how security is integrated into project planning. | K1 | CO5

COURSE OUTCOMES:

Upon completion of the course, the student will be able to

CO1 Identify various vulnerabilities related to memory attacks.
CO2 Apply security principles in software development.
CO3 Evaluate the extent of risks.
CO4 Involve selection of testing techniques related to software security in the testing phase of software development.
CO5 Use tools for securing software.
