Domain 8: Software Development Flashcards

1
Q

What is machine code?

A

Machine code, also called machine language, is software that is executed directly by the central processing unit (CPU).

2
Q

What is source code?

A

Source code is computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU.

3
Q

What is assembly language?

A

Assembly language is a low-level computer programming language. Assembly language instructions are short mnemonics, such as “ADD,” “SUB” (subtract), and “JMP” (jump), that match machine language instructions.

4
Q

What is an assembler?

A

An assembler converts assembly language into machine language. A disassembler attempts to convert machine language into assembly.

5
Q

What is a compiler?

A

Compilers take source code, such as C or Basic, and compile it into machine code.

6
Q

What is an interpreted language?

A

Interpreted languages are compiled on the fly each time the program is run.

7
Q

What is a bytecode?

A

Bytecode is interpreted code in an intermediary form: it has been converted from source code, but it still needs to be converted into machine code before it can run.

8
Q

What is CASE?

A

Computer-aided software engineering (CASE) uses programs to assist in the creation and maintenance of other computer programs.

9
Q

What are the three types of CASE software?

A

There are three types of CASE software:

  1. Tools: support only a specific task in the software-production process.
  2. Workbenches: support one or a few software process activities by integrating several tools in a single application.
  3. Environments: support all or at least part of the software-production process with a collection of Tools and Workbenches.
10
Q

What is the waterfall model?

A

The waterfall model is a linear application development model that uses rigid phases; when one phase ends, the next begins. Steps occur in sequence, and the unmodified waterfall model does not allow developers to go back to previous steps. Waterfall methodology is well suited for long, very clearly defined projects.

11
Q

What is the sashimi model?

A

The sashimi model has highly overlapping steps; it can be thought of as a real-world successor to the waterfall model and is sometimes called the sashimi waterfall model.

12
Q

What are the four values in the agile manifesto?

A

Agile manifesto: We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan

13
Q

What is scrum?

A

Scrum is a framework for managing software development. Scrum is designed for teams of approximately 10 individuals, and generally relies on two-week development cycles, called “sprints”, as well as short daily stand-up meetings.

14
Q

What are the three core roles in the scrum framework?

A

The three core roles in the Scrum framework are the product owner, the development team, and the scrum master.

15
Q

What are the 5 XP core practices?

A

XP core practices include:
• Planning: specifies the desired features, which are called the user stories. They are used to determine the iteration (timeline) and drive the detailed specifications.
• Paired programming: programmers work in teams.
• Forty-hour workweek: the forecasted iterations should be accurate enough to forecast how many hours will be required to complete the project. If programmers must put in additional overtime, the iteration must be flawed.
• Total customer involvement: the customer is always available and carefully monitors the project.
• Detailed test procedures: these are called unit tests.

16
Q

What is the purpose of rapid application development?

A

Rapid application development (RAD) rapidly develops software via the use of prototypes, “dummy” GUIs, back-end databases, and more. The goal of RAD is quickly meeting the business need of the system, while technical concerns are secondary. The customer is heavily involved in the process.

17
Q

What is an integrated product team?

A

An integrated product team (IPT) is a customer-focused group that focuses on the entire lifecycle of a project.

18
Q

What is software escrow?

A

Software escrow describes the process of having a third party store an archive of computer software. This is often negotiated as part of a contract with a proprietary software vendor.

19
Q

What are the 9 OWASP API controls?

A

The OWASP Enterprise Security API Toolkits project includes these critical API controls:

  • Authentication
  • Access control
  • Input validation
  • Output encoding/escaping
  • Cryptography
  • Error handling and logging
  • Communication security
  • HTTP security
  • Security configuration
20
Q

What does a relational database contain?

A

The most common modern database is the relational database, which contains two-dimensional tables, or relations, of related data. Tables have rows and columns; a row is a database record, called a tuple, and a column is called an attribute. A single cell (i.e., the intersection of a row and a column) in a database is called a value. Relational databases require a unique value called the primary key in each tuple in a table.

21
Q

What is a foreign key?

A

A foreign key is a key in a related database table that matches a primary key in a parent database table.

22
Q

What is referential integrity?

A

Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table; if this is not true, referential integrity has been broken.

23
Q

What is the purpose of database normalization?

A

Database normalization seeks to make the data in a database table logically concise, organized, and consistent. Normalization removes redundant data and improves the integrity and availability of the database.

24
Q

What is a database view? What is it used for?

A

Database tables may be queried; the results of a query are called a database view. Views may be used to provide a constrained user interface; for example, nonmanagement employees can be shown their individual records only via database views.

25
Q

What are the two subsets of database query commands? What are they used for?

A

Database query languages have at least two subsets of commands: data definition language (DDL) and data manipulation language (DML). DDL is used to create, modify, and delete tables, while DML is used to query and update data stored in the tables.

26
Q

What is a database journal?

A

A database journal is a log of all database transactions. Should a database become corrupted, the database can be reverted to a backup copy and then subsequent transactions can be “replayed” from the journal, restoring database integrity.

27
Q

What does database replication accomplish?

A

Database replication mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients.

28
Q

What is a shadow database and how does it differ from a replicated database?

A

A shadow database is similar to a replicated database with one key difference: a shadow database mirrors all changes made to a primary database, but clients do not access the shadow. Unlike replicated databases, the shadow database is one-way.

29
Q

View answer to see OOP concepts as illustrated by Addy.

A

Here is a summary of OOP concepts illustrated by Addy:
• Object: Addy
• Class: Mathematical operators
• Method: Addition
• Inheritance: Addy inherits an understanding of numbers and math from his parent class, mathematical operators. The programmer simply needs to program Addy to support the method of addition.
• Example input message: 1+2
• Example output message: 3
• Polymorphism: Addy can change behavior based on the context of the input, overloading the + to perform addition or concatenation, depending on the context.
• Polyinstantiation: Two Addy objects (secret and top-secret), with different data

30
Q

What are fourth generation languages?

A

4th Generation languages (4GL):

  • Fourth-generation languages are designed to reduce programming effort and the time it takes to develop software, resulting in a reduction in the cost of software development.
  • Increase efficiency by automating the creation of machine code.
  • Often use a GUI with drag and drop, then generate the code; often used for websites, databases and reports.
  • Examples are ColdFusion, Progress 4GL, SQL, PHP, Perl.
31
Q

What are object request brokers used for?

A

Object request brokers (ORBs) can be used to locate objects because they act as object search engines. ORBs are middleware, which connects programs to programs.

32
Q

When do buffer overflows occur?

A

Buffer overflows can occur when a programmer fails to perform bounds checking. This technique can be used to insert and run shellcode.

33
Q

What are TOC/TOU attacks?

A

Time of check/Time of use (TOC/TOU) attacks are also called race conditions. This means that an attacker attempts to alter a condition after it has been checked by the operating system, but before it is used. TOC/TOU is an example of a state attack, where the attacker capitalizes on a change in operating system state.

34
Q

What is XSS?

A

Cross-site scripting (XSS) leverages the third-party execution of web scripting languages such as JavaScript within the security context of a trusted site. Cross-site request forgery (CSRF, or sometimes XSRF) leverages a third-party redirect of static content within the security context of a trusted site. XSS and CSRF are often confused because they both are web attacks; the difference is that XSS executes a script in a trusted context, whereas CSRF often tricks a user into processing a URL, sometimes by embedding the URL in an HTML image tag, that performs a malicious act.

35
Q

What is privilege escalation?

A

Privilege escalation vulnerabilities allow an attacker with typically limited access to be able to access additional resources.

36
Q

What are backdoors?

A

Backdoors are shortcuts in a system that allow a user to bypass security checks, such as username/password authentication. Attackers will often install a backdoor after compromising a system.

37
Q

What is disclosure?

A

Disclosure describes the actions taken by a security researcher after discovering a software vulnerability. Full disclosure is the controversial practice of releasing vulnerability details publicly. Responsible disclosure is the practice of privately sharing vulnerability information with a vendor and withholding public release until a patch is available.

38
Q

What is the software capability maturity model?

A

The Software Capability Maturity Model (CMM) is a maturity framework for evaluating and improving the software development process. The goal of CMM is to develop a methodical framework for creating quality software that allows measurable and repeatable results.

39
Q

What are the five levels of the capability maturity model?

A

The five levels of the capability maturity model (CMM) are:

  1. Initial: The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort.
  2. Repeatable: Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
  3. Defined: The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. Projects use an approved, tailored version of the organization’s standard software process for developing and maintaining software.
  4. Managed: Detailed measures of the software process and product quality are collected, analyzed, and used to control the process. Both the software process and products are quantitatively understood and controlled.
  5. Optimizing: Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

40
Q

What is acceptance testing?

A

Acceptance testing examines whether software meets various end-state requirements, whether from a user or customer, contract, or compliance perspective.

41
Q

What are the four levels of acceptance testing according to the ISTQB?

A

The International Software Testing Qualifications Board (ISTQB) lists four levels of acceptance testing:

  • The User Acceptance test: focuses mainly on the functionality, thereby validating the fitness-for-use of the system by the business user. The user acceptance test is performed by the users and application managers.
  • The Operational Acceptance test: also known as the Production Acceptance test, validates whether the system meets the requirements for operation. In most organizations, the operational acceptance test is performed by the system administrators before the system is released. The operational acceptance test may include testing of backup/restore, disaster recovery, maintenance tasks, and periodic checks of security vulnerabilities.
  • Contract Acceptance testing: performed against the contract’s acceptance criteria for producing custom-developed software. Acceptance should be formally defined when the contract is agreed.
  • Compliance acceptance testing: also known as regulation acceptance testing, which is performed against the regulations that must be followed, such as governmental, legal, or safety regulations.

42
Q

What is the OWASP top 10?

A

OWASP Top 10

  • A1 Injection.
  • A2 Broken Authentication and Session Management.
  • A3 Cross-Site Scripting (XSS).
  • A4 Broken Access Control.
  • A5 Security Misconfiguration.
  • A6 Sensitive Data Exposure.
  • A7 Insufficient Detection and Response (NEW still being worked on).
  • A8 Cross-Site Request Forgery (CSRF).
  • A9 Using Components with Known Vulnerabilities.
  • A10 Underprotected APIs (Application Programming Interfaces).

43
Q

Under which open source software license agreement is it allowed to alter the original software and sell the altered software?

A

BSD (Berkeley Software Distribution): A family of permissive free software licenses, imposing minimal restrictions on the use and redistribution of covered software. This differs from copyleft licenses, which have reciprocal share-alike requirements.

44
Q

In which of these project management methodologies do we use a linear approach, where 2 phases are overlapping, and when we close one phase, we start the next?

A

Sashimi model (Waterfall with overlapping phases): Similar to waterfall, but we always have 2 overlapping phases; when we close one phase, we add the next phase. The modified waterfall model allows us to go back to the previous phase, but no further.

45
Q

When an attacker can guess a URL they don’t know about, from another similar logical URL, what is that called?

A

Insecure direct object reference

46
Q

Under which open source software license agreement does derivative work have to be distributed under the same software licensing terms?

A

GNU (General Public License): Also called the GPL or GNU GPL. Guarantees end users the freedom to run, study, share and modify the software. A copyleft license, which means that derivative work can only be distributed under the same license terms.

47
Q

We are using the Scrum methodology on one of our projects. Who would be responsible for being the voice of the customer?

A

The product owner: Represents the product’s stakeholders, is the voice of the customer, and is accountable for ensuring that the team delivers value to the business.

48
Q

Which type of database does XML use?

A

Document-oriented

49
Q

What are the three forms (rules) of database normalization?

A

Normalization has three forms (rules):

  1. First Normal Form: Divides the base data into tables; a primary key is assigned to most or all tables.
  2. Second Normal Form: Move data that is partially dependent on the primary key to another table.
  3. Third Normal Form: Remove data that is not dependent on the primary key.

50
Q

In Object-Oriented Analysis and Design (OOAD), which would be used heavily by both the object-oriented analysis and design?

A

OOM (Object-oriented modeling): A common approach to modeling applications, systems, and business domains by using the object-oriented paradigm throughout the entire development life cycle. Heavily used by both OOA and OOD activities in modern software engineering.

51
Q

Where would we define the attributes and values of the database tables?

A

Database schema: Describes the attributes and values of the database tables.

52
Q

What is the spiral model? What are the four phases?

A

The spiral model: A risk-driven process model generator for software projects. The spiral model has four phases: Planning, Risk Analysis, Engineering and Evaluation. A software project repeatedly passes through these phases in iterations (called spirals in this model). In the baseline spiral, starting in the planning phase, requirements are gathered and risk is assessed. Each subsequent spiral builds on the baseline spiral.

53
Q

What are the phases of the SDLC?

A

SDLC (Software Development Life Cycle): The SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general): investigation, analysis, design, build, test, implement, maintenance and support (and disposal). Security can be built into each step of the process; for the exam, it always is.

54
Q

What is entity integrity?

A

Entity integrity: Each tuple (row) has a unique primary value that is not null.

55
Q

In object-oriented databases, the objects can have different attributes. Which of them would define the behavior of an object?

A

Methods: Define the behavior of an object and are what was formerly called procedures or functions. Objects contain both executable code and data.

56
Q

What is remote journaling?

A

Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.

57
Q

Object-oriented programming tends to lean towards which programming process?

A

Bottom-up Programming: Piecing together systems to build more complex systems, making the original systems sub-systems of the overarching system. OOP tends toward bottom-up: you start by developing your objects and build up.

58
Q

Procedural programming tends to lean towards which type of programming process?

A

Top-Down Programming: Starts with the big picture, then breaks it down into smaller segments. Procedural programming leans toward top-down: you start with one function and add to it.

59
Q

What is semantic integrity?

A

Semantic integrity means that each attribute (column) value is consistent with the attribute data type. Entity integrity means each tuple has a unique primary key that is not null.

60
Q

What is a source code escrow?

A

Source code escrow: The deposit of the source code of software with a third-party escrow agent. Escrow is typically requested by a party licensing software (the licensee) to ensure maintenance of the software instead of abandonment or orphaning. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

61
Q

Which programming language uses short mnemonics like ADD and SUB, which is then matched to its full-length binary code?

A

Assembler Language: Short mnemonics like ADD/SUB/JMP which are matched with the full-length binary machine code. An assembler converts assembly language into machine language; a disassembler does the reverse.

62
Q

What is proprietary software?

A

Proprietary software: Software protected by intellectual property and/or patents. Often used interchangeably with closed source software, but it really is not the same: it can be both open and closed source software. Any software not released into the public domain is protected by copyright.

63
Q

What is database shadowing?

A

Database shadowing: An exact real-time copy of the database or files to another location. It can be another disk in the same server, but best practice dictates another geographical location, often on different media.

64
Q

What is crippleware?

A

Crippleware: Partially functioning proprietary software, often with key features disabled. The user is required to make a payment to unlock the full functionality.

65
Q

What is extreme programming (XP)?

A

XP (Extreme programming) uses programming in pairs or extensive code review. It is intended to improve software quality and responsiveness to changing customer requirements. It advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.

66
Q

What is agile software development?

A

Agile software development: Describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. Uses adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.

67
Q

What is e-vaulting?

A

Electronic vaulting (e-vaulting): Using a remote backup service, backups are sent off-site electronically at a certain interval or when files change.

68
Q

What is prototyping?

A

Prototyping: Breaks projects into smaller tasks, creating multiple prototypes of system design features. A working model of software with some limited functionality, rather than designing the full software up front. Has a high level of customer involvement: the customer inspects the prototypes to ensure that the project is on track and meeting its objective.

69
Q

What is a buffer overflow?

A

Buffer overflow (buffer overrun): An anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. It happens through improper coding, when a programmer fails to perform bounds checking. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.

70
Q

What is a pseudo flaw?

A

A false vulnerability or apparent loophole intentionally implanted to tempt hackers. Often used in honey pot systems.

71
Q

What is a class?

A

A collection of common methods from a set of objects that is used to define the behavior of those objects.

72
Q

What is polymorphism?

A

When an object exhibits different behaviors based on the same message and methods because of variances in external conditions.

73
Q

What is an agent?

A

Intelligent code objects that perform actions on behalf of the user.

74
Q

What is a method?

A

Internal code that defines the actions an object performs in response to a message.

75
Q

What is code review?

A

In code review, also known as peer review, developers other than the ones who wrote the code review it for defects. This may result in approval to production or rejection with recommendations to work through issues.

76
Q

What are the six steps of the Fagan code review process?

A

  1. Planning
  2. Overview
  3. Preparation
  4. Inspection
  5. Rework
  6. Follow-up

77
Q

What are some examples of 1st, 2nd, 3rd and 4th Generation programming languages?

A

1st Generation: Machine Code
2nd Generation: Assembler
3rd Generation: Cobol, Basic, C, C++, C#, Java, JavaScript
4th Generation: ColdFusion, Progress 4GL, SQL, PHP, Perl

78
Q

How does top down programming differ from bottom up programming?

A

Top-Down Programming: Starts with the big picture, then breaks it down into smaller segments.
Bottom-Up Programming: Piecing together systems to build more complex systems, making the original systems sub-systems of the overarching system.

79
Q

How does database coupling differ from database cohesion?

A

Coupling: The degree of interdependence between software modules; a measure of how closely connected two routines or modules are.
Cohesion: Refers to the degree to which the elements inside a module belong together. Measures the strength of the relationship between pieces of functionality within a given module.
Low coupling often correlates with high cohesion, and vice versa.

80
Q

What is COM (Component Object Model)?

A

COM (Component Object Model): A language-neutral way of implementing objects that can be used in environments different from the one in which they were created, even across machine boundaries. A type of Object Request Broker.

81
Q

What is DCOM (Distributed COM)?

A

DCOM (Distributed COM): The networked sequel to COM, which adds support for communication among objects on different computers—on a LAN, a WAN, or even the Internet. Both COM and DCOM are slowly being replaced by Microsoft .NET, which can interoperate with DCOM but offers more advanced functionality than COM and DCOM.

82
Q

What is CORBA?

A

CORBA (Common Object Request Broker Architecture): An open, vendor-neutral ORB standard defined by the Object Management Group (OMG), designed to facilitate the communication of systems that are deployed on diverse platforms.