Defensive Design Flashcards
What is defensive design?
It is the practice of anticipating every possible way that an end-user could misuse a system or device
How do you know that defensive design has not been good enough?
When the program crashes
When the program behaves in an unintended fashion
When data security has been compromised
What is a menu-driven user interface?
A menu-driven user interface limits the user to being able to pick from a displayed list of choices
How can a menu interface limit the misuse of a program?
A menu interface can help to limit unexpected or invalid entries
What is a ‘graphical widget’?
It is a small self-contained object on-screen that allows a data selection to be made
How does the calendar widget not allow the user to select an invalid value?
The date information can be encoded in any way convenient to the programmer, and the user cannot select an invalid value
What is the purpose of widgets?
It is to limit user choice to only valid values
What is the most flexible way of receiving inputs from a user?
Text input
What does defensive design help with for text input?
Making it as easy as possible for the user to get things right on the first try
How can a programmer design to reduce errors in inputting text?
Inform the user of what they need to enter
What is validation?
It ensures that the data entered is valid for further processing by the program handling it
What are the 4 validation techniques?
Checking and limiting the Length of the data
Checking the Range of the data
Checking the Type of the data
Checking the Format of the data
What is length validation?
Checking to see if the entered value is within the allowed number of characters
What 2 options are there for the programmer if the length validation is not right?
Inform the user of the problem and allow them to re-enter the data
Modify the input to fit the rules (truncation)
What is range validation?
Used when inputs have to fall between certain values (e.g. if the program asked for an age, the user would have to enter a positive number)
What is type validation?
Checking that the input conforms to the allowed data types (e.g. if the input can only be a numeric value then alphabetic or symbol characters are rejected)
What is format validation?
To check that the input is in the correct format
What is a white-list?
A list of data that the application will accept as valid
What is a black-list?
A list of data that the application will reject
How are white-list and black-list used?
Often used with firewall applications and email filtering applications
What is a firewall?
An application that helps protect a network from intrusion or to limit what network users can access online
What is one of the things that a firewall always checks?
The URL sent from a web browser within the network
What URLs are contained within each list?
The whitelist may contain a list of URLs that the firewall will let through
The blacklist may contain a list of banned URLs which will be blocked
Why is it easier to create a whitelist?
It is easier to define what is acceptable than to try and anticipate what is not acceptable.
What should defensive coding have?
Encryption
What is SQL injection?
Sending unauthorised SQL queries to a database by typing extra data into some input fields
What is a good defence against SQL injection?
Sanitising input
Give 2 examples of sanitising input
Stripping out all whitespace from username / password inputs
Rejecting any non-alphabetic symbols
What is authentication?
A way of confirming that the user is authorised to access the system
What is the most common way of authentication?
Username and Password
What is two-factor authentication?
After the user enters a valid user name and password, the system sends an SMS text ‘authentication code’ to their mobile phone. They then have to enter this as well
What is biometric authentication?
Checks some physical feature of the authorised person such as their fingerprint. The user puts their thumb on a fingerprint entry device, the data is sent off to a database and checked against their valid data