CDL - Section 13 - Testing and Securing Applications Flashcards

1
Q

What is Test Driven Development (TDD)?

A

A software development practice that focuses on creating unit test cases before developing the actual code.

It’s a style of programming where coding, testing, and design are tightly interwoven.

2
Q

What are the 4 layers of the TDD Testing Pyramid?

A
  1. Unit Testing
  2. Integration Testing
  3. System Testing
  4. Acceptance Testing
3
Q

What is Unit testing (UUT)?

A

Conducted at the beginning of the development process; unit tests are done in isolation. They should not test interaction between multiple system components.

Automated tests that individually focus on a small portion of the application code that you want to test.

The tests should be: reliable, fast, isolated and readable.

4
Q

What is Integration Testing (CUT)?

A

After the unit testing (UUT) is finished, you need to validate that the component can interact properly with actual system components.

Combining and testing multiple components and their interaction is called integration testing.

CUT = Component Under Test

5
Q

What is System Testing?

A

The purpose of this testing layer is validating that the system or product works as a whole.

Examples are: functionality, security, usability, storage, and regression testing.

6
Q

What is Acceptance Testing?

A

Once developers are finished with developing and testing the product, it is ready for delivery.

This final testing layer serves the purpose of validating that the delivered product matches the requirements of the client.

7
Q

What is the difference between Alpha and Beta testing?

A

Alpha = testing done by developers in a Dev environment.

Beta = a selected group of users get access to the product before its release to provide feedback on quality.

8
Q

Is a Unit Test clearly defined? Is the size defined?

A

No.

The size of a unit under test is not strictly defined, and neither is the definition of what a unit is.

A unit test in practice is a piece of code, typically a method or function, that invokes any part of the application code that you want to test.

9
Q

What are the only two verdicts of a Unit Test?

A

PASS or FAIL

10
Q

What are the Happy Path/Sunny Day and Error Path/Rainy Day scenarios?

A

The happy path scenario is a default use case where a test uses known input and executes successfully without any exceptions. AKA the test is always a PASS

The error path scenario is one where the input is not in the expected form; it can help you identify code smells and bugs early in the development of your application. AKA the test should FAIL.

11
Q

REVIEW: Containers

→ Containers run isolated processes on an operating system, providing reliable and consistent deployments regardless of the environment.

→ They provide a standard way of packaging your application code and all the dependencies into a single object

→ It makes containers very convenient for running tests, as well as making sure you are deploying the same code that was used for testing

→ Containerization technology makes it possible for developers to replicate the production environment on the local computer; containers can be managed via the Terminal

A

→ Process of creating a container:

  1. Write the Dockerfile
  2. Add files to the Build’s context
    * the Build’s Context = the directory where the Dockerfile is located
  3. Build the image using the “docker build” cmd
  4. Start the container with the new image
12
Q

What is a Dockerfile?

A

The file which holds the set of instructions that define a Docker image.

Containers are then spun up from a Docker Image.

13
Q

REVIEW: Common Docker Commands

○ Convention dictates the instructions to be all in upper-case

○ Starts with the instruction FROM

  • “FROM” specifies the parent (base) image to be used for the following instructions in the Dockerfile.
  • EX) FROM ubuntu:latest = creating an image based on the latest release of Ubuntu. You would then use “docker run ubuntu:latest” to create a new Docker container.

○ Lines starting with “#” are comments

A

○ COPY - Used to copy files or directories from the build’s context into the container

○ ENV - Creates a new environment variable or sets a value of an existing variable inside the container

○ RUN - Used to run a single or multiple commands in a shell in the container to prepare the image

○ VOLUME - Creates a mounting point for persisting data that is consumed by the Docker containers

○ EXPOSE - Exposes a TCP or UDP port on which the application running in the container is accessible

○ CMD - Unlike the RUN command, the CMD command does not execute while building the image. Instead, it just specifies what command to execute when a new container is started from this image

14
Q

What is a Docker Repository?

What is a collection of Docker Repo’s called?

A

A Docker Repo is where a collection of Docker Images are stored.

A collection of Repo’s is called a Registry

15
Q

What is a Network Driver (when working with Containers)?

A

Drivers are used to connect containers to other containers, or to a machine on the host network, or outside the network.

16
Q

What is more vulnerable to attacks - data @ rest or data in transit?

What is the main method used for protection in both?

A

Data @ Rest

Encryption

17
Q

REVIEW: Types of Attacks

–> Cross-Site Scripting (XSS) - occurs when an attacker executes/injects malicious scripts/code in the web browser of a victim; it exploits known vulnerabilities in web applications, web application servers, and their plug-in systems

–> SQL Injection - consists of the insertion of a SQL query through the input data sent from an attacker to the web application; the attacker can then read/modify sensitive data in the DB

A

–> Cross-Site Request Forgery (CSRF) - occurs when an attacker forces a victim to issue undesirable actions on the victim-authenticated web application. CSRF is done through social engineering where a victim clicks a link (such as inside an email) and unknowingly submits a forged request - such as transferring money.

–> Server Side Request Forgery (SSRF) - allows the attacker to make a web server send a forged request on behalf of the attacker

18
Q

What instruction must be used for a Dockerfile to start?

A

FROM

19
Q

A “same-origin policy” relies on which parts or components of a URL request to be the same?

A

URI scheme

Hostname

Port Number

20
Q

REVIEW:

→ Good app design allows you to scale up to 2-3 times the average amount of Ingress traffic with the same level of performance that is delivered at the average amount of traffic

→ Traffic security (1) and Scaling (2) are often done after it’s too late; SSL Offloading and Load Balancers help with this

A

SSL:

1) SSL Bridging - gets encrypted data, and then sends the data re-encrypted through to the backend servers, i.e. traffic is encrypted all the way through.
- more secure
- requires more overhead
- backend server has to decrypt + re-encrypt

2) SSL Termination - when a LB or Proxy decrypts traffic from the user and sends it to the backend web server unencrypted. The LB/Proxy then re-encrypts the data on the way back out to the user.
- helps with scaling web app traffic because it removes the need for the backend server to handle the decrypt + re-encrypt.

21
Q

What are the 4 methods LB’s use for distributing traffic?

A
  1. Round Robin is the default algorithm, which selects servers in turns.
  2. Least Connections selects the server with the least number of connections.
  3. The Source algorithm establishes a hash of the user’s IP address, making sure that the user connects to the same server.
  4. Sticky sessions ensure that the same user connects to the same web server when web applications demand so; the downside is that the server can get more easily overloaded
    - If the server goes down, all sticky sessions are lost, making the performance inconsistent