Looking for CMP5358 Software Security A S1 2025/6 test answers and solutions? Browse our comprehensive collection of verified answers for CMP5358 Software Security A S1 2025/6 at moodle.bcu.ac.uk.
A hospital board requests a risk analysis before approving cybersecurity upgrades for its infusion pump network. The board wants a clear assessment that supports financial and operational decision-making.
Based on the scenario, select the most appropriate risk assessment approach and justify your choice.
A large e-commerce platform discovers that several of its web servers run a vulnerable version of OpenSSL affected by the Heartbleed bug. The company uses TLS for customer logins and payment processing. Which two statements correctly describe the security risk and exploitation mechanism of the Heartbleed attack? Select two correct answers.
Which Android permissions pose high privacy risks if misused? Select 2 correct answers.
Justify your answers to Question 5. For each option you selected, explain how it aligns with best-practice coordinated vulnerability disclosure and why the other options do not provide the same level of protection for vendors and critical infrastructure.
A researcher discovers a remote code execution vulnerability in an IoT chipset used by 45 device vendors. Some vendors respond quickly, others do not respond, and several affected products support critical infrastructure services. The researcher must decide how to handle disclosure. Which actions follow best-practice coordinated vulnerability disclosure in this scenario? Select 2 correct answers.
Justify your answers to Question 3. Explain how each selected permission creates a realistic security risk or attack surface for a malicious actor.
A smart fitness tracking application requests several permissions during installation. The app claims these permissions improve personalisation and social engagement features. Which requested permissions introduce realistic security attack surfaces? Select two correct options.
An Android app requests READ_EXTERNAL_STORAGE, MANAGE_EXTERNAL_STORAGE, READ_CLIPBOARD, INTERNET, ACCESS_FINE_LOCATION, READ_CONTACTS, REQUEST_INSTALL_PACKAGES, SYSTEM_ALERT_WINDOW, FOREGROUND_SERVICE, READ_PHONE_NUMBERS. Which permission combinations enable cross-app data leakage? Select all that apply. (4 correct answers)
A web application processes user login requests through a backend service written in a low-level language. The backend stores the submitted username and role information in fixed-size memory buffers during authentication. Due to missing length checks on the username field, the system accepts overly long input without error. Security testing shows that when this occurs, some sessions are assigned administrator privileges even though correct credentials were not provided.
Explain how this vulnerability could be exploited in the web application.
Have you read and understood the assessment specification (at least the first two cases) for the coursework?