
ITICT302A – Secure Programming – Assignment 1
==================================================
Due date: Sunday 29th September 2019
Value: 15% of final subject mark
Task: Based on the coursework to date and your own research, answer the questions below. Answers should
be between 300 and 400 words. Include references where appropriate; references should be in the Harvard
style. Marks will be awarded for analysis of the problem or issue, correctness of the information provided and
evidence of independent research.
Question 1
As part of a secure code review of an ASP.Net web application you have discovered the following
code:
var username = Request.Form["username"];
var password = Request.Form["password"];
var sqlString = "SELECT * FROM Users WHERE username ='" + username + "' " +
                "AND password = HASHBYTES('SHA2_512', '" + password + "'+ salt)";
var connString = WebConfigurationManager.ConnectionStrings
    ["NorthwindConnectionString"].ConnectionString;
using (var conn = new SqlConnection(connString)) {
    var command = new SqlCommand(sqlString, conn);
    var dataReader = command.ExecuteReader(CommandBehavior.SingleResult);
    if (dataReader.HasRows) {
        loggedIn = true;
    }
    dataReader.Close();
}
Identify the vulnerability and remediate the code using appropriate countermeasures. Document
your findings and the remediation implemented. (10 Marks)
Question 2
In your role as an analyst for TMP Co you have been asked to review the following authentication
routine for a customer's Python web application. The application is expected to handle large
numbers of users at peak times. Identify any issues with the code and evaluate potential fixes and
the trade-offs they may require. Once you have decided on a fix, implement the code and justify your
choices. (10 Marks)
import hashlib

def authenticate_user(username, password):
    # retrieve user details from database
    user = usermodel.details(username)
    password_hash = user.password
    if hashlib.md5(password) == password_hash:
        return 'True'
    else:
        return 'False'
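As an added example (not part of the assignment and not TMP Co's code), one hardened form of the routine above: a random per-user salt, PBKDF2-HMAC-SHA256 with an iteration count that can be tuned against peak-time CPU load, constant-time comparison, and a real boolean result. The in-memory `_USERS` store and the `register_user` and `needs_rehash` helpers are assumptions standing in for the `usermodel` database layer.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. This is the main trade-off: every login
# costs this many HMAC rounds of CPU, so raise it for brute-force resistance
# and lower it if peak-time login throughput suffers.
ITERATIONS = 100_000
SALT_LEN = 16

# Constructed in-memory store standing in for usermodel.details() (assumption).
_USERS = {}

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # unique per user: defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iterations, compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was made with a lower work factor than current policy."""
    return int(stored.split("$")[1]) < iterations

def register_user(username, password):
    _USERS[username] = hash_password(password)

def authenticate_user(username, password):
    stored = _USERS.get(username)
    if stored is None:
        # Spend the same work for unknown accounts so response time does not
        # reveal whether a username exists.
        hash_password(password, salt=b"\x00" * SALT_LEN)
        return False
    ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        _USERS[username] = hash_password(password)  # transparent upgrade on login
    return ok
```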