Question

Complete the following exercises using C programming language. Take screenshots of the code and its output where specified and paste them into in a well-labeled Word document for submission.

Scenario

Assume you are the CIO of an organization with three different IT department locations with separate costs. You want a program to perform simple IT expenditure calculations. Your IT expenditure target is $35,000 per site.

Site expenditures:
Site 1 – $35,000.
Site 2 – $37,500.
Site 3 – $42,500.

Exercise 4 – Evaluating a Program’s Security

Examine the programs that you wrote and identify code that might have security-related implications. Explain a how that portion of code either enhances code security or introduces a security vulnerability.

Submit your well-labeled Word document that includes all elements specified in the exercises.

Answer 1

This is the brute-force method of security implementation:

Here is the code>>>

#include <stdio.h>
void checkExpenditure(int value){
int target=35000;
if(value>target) printf("The expenditure is exceed.\n");
else printf("The expenditure is not exceed.\n");
}
int main()
{
int site1=35000;
int site2=37500;
int site3=42500;
checkExpenditure(site1);
checkExpenditure(site2);
checkExpenditure(site3);

return 0;
}

Here is the live output of the program>>>

Security Implications>>>

• This ensures that if the expenditure is exceeded then the administrator gets notified as a message with proper information.
• As this solves the basic problem of informing the administrators. But there are some problems still in the problem.
  • Firstly if the expenditure can't be zero or minus, but there is no check about this in the program. Let us solve the problem.

Here is a more secure implementation>>>

#include <stdio.h>
void checkExpenditure(int value){
if(value>0){
int target=35000;
if(value>target) printf("The expenditure is exceed.\n");
else printf("The expenditure is not exceed.\n");
}else printf("Invalid expenditure entered.\n");
}
int main()
{
int site1=35000;
int site2=37500;
int site3=42500;
int site4=-1;
int site5=0;
checkExpenditure(site1);
checkExpenditure(site2);
checkExpenditure(site3);
checkExpenditure(site4);
checkExpenditure(site5);

return 0;
}

Here are the live output and code snippet>>>

Security Implications:

• In the above implementation, another problem is solved which was to tackle the zero or invalid condition.
• But there is another issue at hand. If the user enters any float number which is not a full number the program can't handle the situation. Let's handle the situation.

Here is the updated code>>>

#include <stdio.h>
void checkExpenditure(float value){
if(value>0){
float target=35000.00f;
if(value>target) printf("The expenditure is exceed.\n");
else printf("The expenditure is not exceed.\n");
}else printf("Invalid expenditure entered.\n");
}
int main()
{
float site1=35000.4f;
int site2=37500;
float site3=42500.5f;
int site4=-1;
int site5=0;
checkExpenditure(site1);
checkExpenditure(site2);
checkExpenditure(site3);
checkExpenditure(site4);
checkExpenditure(site5);

return 0;
}

Here is the code output>>

Security Implications:

• After these three updates, the code has solved three problems.
  • Firstly the code is more rigid by handling the zero or minus condition.
  • Secondly, the code sends feedback to the administrator.
  • Thirdly the program handles the float values as well.