Software Dev Flashcards
First Generation language
First Generation language: Machine-level programming languages like Machine Code
Second Generation language
Second Generation language: The code is human readable. It must be converted into a machine readable form, a process called assembly, before it can be run. The language is specific to a particular processor family and environment. (example: Assembly)
Third Generation Language
Third Generation Language (High-Level Language): Established a logical structure to software. Improved human readability, automated lower-level tasks, and introduced more abstraction than second generation languages. Can operate independently of processor family or environment. (examples: COBOL, C, Basic)
Fourth Generation language
Fourth Generation language: Utilize graphical programmer interfaces to automate and increase the speed of code creation. Many fourth generation languages are interpreted. (examples: Java, ColdFusion, Ruby, Python).
CASE
CASE (Computer Aided Software Engineering): contains tools (supporting specific dev tasks), workbenches (supporting multiple activities), and environments (supporting all/part of the sw production process)
Compilers
Compilers: Convert source code from third generation, or later, languages into machine code. Compilers parse the instructions into machine code and store them in a separate file like an “.exe”.
Assembler
Assembler: Converts assembly language into machine language.
Interpreted languages
Interpreted languages: These languages are compiled on the fly each time the program is run. The source code is executed line by line by the interpreter. Examples of interpreters include ColdFusion Application Server and the JavaScript Engine in browsers.
Procedural Languages
Procedural Languages: Use subroutines, procedures, and functions. (examples: Basic, C, Fortran, Pascal).
Object-oriented languages
Object-oriented languages: Model the real world through the use of objects which combine tasks (methods) and data.
RAD
Rapid Application Development (RAD): A software development methodology that uses minimal planning in favor of rapid development and construction of iterative prototypes. The goal is to quickly meet business needs and technical concerns are secondary.
Configuration Management
Configuration Management: tracks changes to a piece of sw
Change management
Change management: broader, tracks changes across an entire sw program
Prototyping
Prototyping: A rudimentary working model of an information system or mockup of system design features
Software Escrow
Software Escrow: A process of having a third party store and archive software. Escrow is typically requested by the customer acquiring the software, to ensure maintenance and availability of the software. If the vendor goes out of business or fails to live up to the agreement, software escrow ensures that the customer still has access to the source code for future development and maintenance.
Data modeling
Data modeling: Defines how data components are associated with each other. Considers the data independently of the way it is processed.
Data Structure
Data Structure: Is a representation of the logical relationship between elements of data
Cohesive
Cohesive: A cohesive module can perform a single task with little or no help from other modules.
• Low Cohesion: Scatter-brained, does several tasks.
• High Cohesion: Focused on one task and is better for security purposes.
The best programming uses the most cohesive modules possible, but because different modules need to pass data and communicate, they usually cannot be totally cohesive.
Coupling
Coupling: Is a measure of interconnection among modules in an application.
• Low Coupling: Promotes module independence and is better for security purposes.
• High Coupling: Modules depend on other modules.
The lower the coupling, the better the software design, because it promotes module independence. The more independent a component is, the less complex the application is and the easier it is to modify and troubleshoot.
ORB
ORB (Object Request Brokers)- allow reuse of mature objects
o COM- MS sharing of objects written in different languages on a local system
o DCOM- MS sharing over multiple systems (eg OLE); supplanted by .NET
o CORBA- OMG networked object broker that separates objects into an object and an IDL (Interface Definition Language)
DDE
Dynamic Data Exchange (DDE): Enables different applications to share data by providing Inter-Process Communications (IPC). It is a communication mechanism that enables direct conversation between two applications.
DCE
Distributed Computing Environment (DCE): Is a set of management services with a communication layer based on Remote Procedure Call (RPC). It is a layer of software that sits on top of the network layer and provides services to the applications above it. The RPC function collects the arguments and commands from the sending program and prepares them for transmission over the network.
DFS
Distributed File Services (DFS): Provides a single integrated file system that all DCE users can use to share files
.NET
.NET framework: An application framework with a large library that different applications can call upon. The libraries provide functions such as data access, database connectivity, network communication, etc.
OLE
Object linking and embedding (OLE): Provides a way for objects to be shared on a local personal computer and to use COM as their foundation. OLE enables objects—such as graphics, clipart, and spreadsheets—to be embedded into documents
J2EE
Java Platform, Enterprise Edition (J2EE): J2EE is an enterprise Java computing platform. This means it is a framework that is used to develop enterprise software written mainly in the Java programming language. It provides Application Programming Interfaces (API) for networking services, fault tolerance, security, and web services for large-scale, multi-tiered network applications
SOA
Service-oriented architecture (SOA): A software design and software architecture design pattern based on discrete pieces of software providing application functionality as services to other applications. This is known as service-orientation
Mashup
Mashup: The combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality
SOAP
Simple Object Access Protocol (SOAP): An XML-based protocol that encodes messages in a web service environment. It defines an XML schema of how communication is going to take place. The SOAP XML schema defines how objects communicate directly.
SaaS
Software as a Service (SaaS): A model that allows applications and data to be centrally hosted and accessed by thin clients, commonly web browsers
Mobile code
Mobile code: Code that can be transmitted across a network, to be executed by a system or device on the other end
Bytecode
Bytecode: Intermediate code created by the Java platform (the Java compiler produces bytecode rather than machine code).
JVM
Java Virtual Machine (JVM): Converts the bytecode to the machine code that the processor on that particular system can understand
Applets
Java Applets: Small components (applets) that provide various functionalities and are delivered to users in the form of Java bytecode. Java applets can run in a web browser using a Java Virtual Machine (JVM). Java is platform independent; thus, Java applets can be executed by browsers for many platforms
ActiveX
ActiveX: ActiveX is a loosely defined set of technologies developed by Microsoft for sharing information among different applications. ActiveX is an outgrowth of OLE (Object Linking and Embedding) and COM (Component Object Model).
Authenticode
Authenticode: A type of code signing, which is the process of digitally signing software components and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was digitally signed. Authenticode is Microsoft’s implementation of code signing
OOP
Object Oriented Programming treats a program as a series of connected objects that communicate via messages. It utilizes modular design and reusable software components.
• Object Oriented Languages (C++, Java, Ruby, Python)
• Objects contain Data and Methods
• Objects encapsulate (hide) the details of the data and methods they contain
Objects
Objects: Objects have state/attributes and methods/behaviors. State is data about the object and behaviors are what the object does. An object stores its state in fields and exposes its behavior through methods. (example: A dog is an object with state values of furry, four-legged, etc., and methods/behaviors like fetches sticks and barks)
Methods
Methods: These are actions or operations performed by an object. (example: addition, subtraction, etc.)
Class
Class: A template for creating objects which provides initial values for data (state) and defines methods
Messages
Messages: Data sent to or from an object
Inheritance
Inheritance: When an object or class is based on another object or class, using the same implementation. It automatically inherits the instance variables and member functions of the parent Class/Object
Delegation
Delegation: Forwarding of a request by an object to another object or delegate. This forwarding is necessitated by the fact that the object receiving the request does not have a method to service the request.
Polymorphism
Polymorphism: Polymorphic functions behave differently depending on the context of the input message.
Abstraction
Abstraction: Information hiding
OOA
Object-Oriented Analysis (OOA): seeks to understand a problem domain
OOD
Object-Oriented Design (OOD): designs a solution
Waterfall Model
The Waterfall Model is a linear application development model that uses rigid phases; when one phase ends, the next begins. The waterfall model contains the following steps:
• System requirements
• Software Requirements
• Analysis
• Program Design
• Coding
• Testing
• Operations
An unmodified waterfall does not allow iteration (going back to previous steps). This places a heavy planning burden on the earlier steps. Also, since each subsequent step cannot begin until the previous step ends, any delays in earlier steps cascade through to the later steps.
The Modified Waterfall Model allows going back at least one step. The original waterfall model omits a final step of destruction.
Sashimi Model
The Sashimi Model has highly overlapping steps; it can be thought of as a real-world successor to the Waterfall Model (and is sometimes called the Sashimi Waterfall Model).
Spiral Model
The Spiral Model is a software development model designed to control risk. The spiral model repeats steps of a project, starting with modest goals, and expanding outwards in ever wider spirals (called rounds). Each round of the spiral constitutes a project, and each round may follow traditional software development methodology such as Modified Waterfall. A risk analysis is performed each round.
Agile principles
Agile principles:
o Individuals and interaction over processes and tools
o Working software over comprehensive documentation
o Customer collaboration over contract negotiation
o Responding to change over following a plan
Scrum
Scrum (named after Rugby scrum):
o A Scrum is a small team of developers. They are supported by a Scrum Master, a senior member of the organization who acts like a coach for the team.
XP
Extreme programming (XP) – uses pairs of developers to work on a detailed spec with high customer involvement. Improves a sw project via communication, simplicity, feedback, respect, courage.
XP Principles:
- Planning: Specifies the desired features (called the user story)
- Paired Programming: Programmers work in teams of two
- Forty hour week: Forecasts should be accurate
- Total customer involvement: Customer is available and monitoring project status
- Detailed test procedures: Unit testing
SEI CMM
The Software Engineering Institute's Capability Maturity Model Integration (CMMI) is a framework for objectively assessing the formality and optimization of an organization's software development process.
Normally 15-50 errors/KLOC (1000 lines of code). SEI CMM can lower this to 1 error/KLOC.
The five levels of CMM:
1. Initial: The software process is characterized as ad hoc, and occasionally even chaotic.
2. Repeatable: Basic project management processes are established to track cost, schedule, and functionality.
3. Defined: This is the common target for vendors dealing with government agencies. The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization.
4. Managed: Detailed measures of the software process and product quality are collected, analyzed, and used to control the process. Both the software process and products are quantitatively understood and controlled.
5. Optimizing: Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
SDLC
System Development Life Cycle (SDLC)
SDLC is a system development model that focuses on security in every phase. It is also called Software Development Life Cycle. ISC2 focuses on the security aspects of SDLC.
• The first step in any SDLC is the security plan.
• Most variants of System Development Lifecycle follow the format described in NIST Special Publication 800-14.
NIST 800-14
NIST 800-14
• Prepare a security plan:
• Initiation: Need and purpose defined
• Development/Acquisition:
o Determine security requirements
o Incorporate security requirements into specifications
o Develop/Obtain the System and related security activities: Develop system’s security features, monitor development process itself for security problems…
• Implementation:
o Install/Turn-on Controls
o Security testing: Certify system
o Accreditation: Formal authorization for system operation
• Operation/Maintenance
o Security Operations and Administration
o Operational Assurance: operating according to security requirements
o Audits and Monitoring
• Secure Disposal:
o Information: information is moved, archived, discarded, or destroyed.
Freeware
Freeware (gratis) software: Software that is free of charge to use
Shareware
Shareware: Software which may be initially available for free, but the licensing agreement normally requires payment for continued use.
Crippleware
Crippleware: Any software program that cannot be fully utilized until the user registers or purchases the program
Public domain
Public domain software (Libre): Software which is not copyrighted or licensed (e.g. GNU)
Open Source licenses
Open Source licenses: The software source code is available to the public (e.g. GNU, BSD, Apache)
GPL
GPL (GNU Public License) is the most common and grants the following freedoms:
• The freedom to use the software for any purpose
• The freedom to change the software to suit your needs
• The freedom to share the software with others
• The freedom to share the changes you make
• Modifications to GPL software must be free
Software vulnerability testing methods
Software vulnerability testing methods
• Static: Passive scan of the actual source code or binary files. The code is not executing at the time of the scan.
• Dynamic: Scans the application while it is executing. Most commonly used for testing web applications by scanning the exposed interfaces.
• White Box: The tester has knowledge of the internal workings of the software being tested, has the source code, and understands what the program is supposed to do and how it works.
• Black Box: The tester has no internal details; the application is treated as a black box that receives inputs. Combinatorial testing seeks to identify all unique combinations of input.
Software testing levels
Software testing levels
• Unit Testing: Low-level tests of software components, such as functions, procedures or objects
• Installation Testing: Testing software as it is installed and first operated
• Integration Testing: Testing multiple software components as they are combined into a working system.
• Regression Testing: Testing software after updates, modifications, or patches
• Acceptance Testing: Testing to ensure the software meets the customer’s operational requirements.
• User Acceptance Testing: testing done by the customer
Fuzzing
Fuzzing: A type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash.
Attack Surface
Attack Surface: The points or interfaces in a software environment where an attacker can leverage system functionality to initiate malicious actions.
Client-side validation
Client-side validation: When the user input validation is done at the client before being sent back to the server to process. While this can increase application performance, it has limited security value, since the client can be under the control of an attacker.
SQL injection
SQL injection: Instead of valid input, the attacker puts actual database commands into the input fields, which are then parsed and run by the database.
XSS
Cross-site scripting (XSS): An attack that takes advantage of a Web site vulnerability in which the site displays or executes unsanitized user-provided data.
Parameter validation
Parameter validation: Where the values that are being received by the application are validated to be within defined limits before the server application processes them within the system.
cookie
Browser cookie (HTTP cookie): A small piece of data given to a Web browser by a Web server. The browser stores the data as either a temporary “session cookie” or a permanent “persistent cookie”. Cookies are specific to a domain and are sent back and forth between the browser and server.
Web proxy
Web proxy: A piece of software installed on a client that is designed to intercept all traffic between the local web browser and the web server. Commonly used for security testing web applications because it allows a tester to modify the requests and responses. (examples: Burp Suite, Zed Attack Proxy (ZAP))
5 Database Models
5 Database Models
• Hierarchical: Data in a hierarchical database is arranged in a tree structure, with the parent records at the top of the database, and the hierarchy of child records in successive layers.
• Network Database: Improved the hierarchical model by allowing records to be networked to other records through paths that are different than the hierarchy.
• Relational Database: Contains two-dimensional tables which use attributes (columns) and tuples (rows) to contain and organize information. It allows for the customization of relationships without hierarchical constraints. The relational database model is the most widely used model today.
• Object-oriented: These databases store objects which combine both data and functions (code). They use an object oriented framework with similar features as object oriented languages and can have classes, instances, inheritance, etc.
• Distributed Database: Data is stored in more than one database (e.g. DNS), but it is logically connected. The components exist in multiple locations. A distributed database is not really about the database design so much as the fact that it exists in multiple locations.
Normalization
Normalization: seeks to make the data in a table logically concise, organized, and consistent. Three rules (or forms):
• First normal form (1NF)- divide data into tables
• 2NF- move data partially dependent on primary key to another table
• 3NF- remove data not dependent on primary key
DB Tuple
Record (Row or Tuple): Collection of related data items
DB Table
Table: A collection of similar records
DB Attribute
Attribute: A column in a database table
DB View
View: Virtual relation defined by the database to control subjects from viewing certain data. Permits one group or a specific user to see certain information, while restricting another group from viewing it altogether.
DB Field
Field (Cell): Intersection of a row and column
Data dictionary
Data dictionary: Is a central repository of data elements and their relationships, such as data elements, schema objects and reference keys.
Data Schema
Data Schema: describes the attributes and values of the tables
Cardinality
Cardinality: The number of rows in the table.
Table Degree
Degree: The number of columns in the table.
DB Domain
Domain: Is a set of allowable values that an attribute can take.
Data warehouse
Data warehouse: A large database used for reporting and data analysis. It Integrates data from one or more disparate sources and creates a central repository of data.
Data mining
Data mining: The process of analyzing data from different perspectives and summarizing it into useful information
ODBC
Open Database Connectivity (ODBC): Provides a standard SQL dialect that can be used to access many types of relational databases.
SQL
Structured Query Language (SQL): The most popular relational database query language. It enables interaction with databases. There are many dialects of SQL. SQL uses two subsets of commands to work with databases: DDL and DML.
DDL
Data Definition Language (DDL): Used to create, modify and delete tables in a database. It also defines the structure and schema of the database.
- Structure: table size, key placement, views and data element relationships.
- Schema: the type of data that will be held and manipulated and their properties.
DML
Data Manipulation Language (DML): Used to query and update data in a database.
Primary key
Primary key: A unique identifier that identifies an individual row (tuple) in the table.
Foreign key
Foreign key: An attribute (column) in one table, that has values matching the primary key in another table. It is used to establish and enforce a link between two tables.
Semantic integrity
Semantic integrity: Ensures that data entered into a row reflects an allowable value for that row.
Referential integrity
Referential integrity: Refers to the relationship between tables. Each table in a database must have a primary key. This primary key can appear in other tables because of its relationship to data within those tables. When a primary key from one table appears in another table, it is called a foreign key.
Entity integrity
Entity integrity: Every table must have a primary key, and the column or columns chosen as the primary key must be unique and not null.
ACID Test
ACID Test
o Atomicity: when one part of the transaction fails, the entire transaction fails.
o Consistency: the database remains in a consistent state before the start of the transaction and after the transaction is over.
o Isolation: other operations cannot access or see the data in an intermediate state during a transaction.
o Durability: once the user has been notified of success, the transaction will persist and not be undone.
Concurrency
Concurrency: Many users can access data at the same time.
Rollback
Rollback: The process of undoing a change to a database
Commit
Commit: A permanent change to a database
Savepoint
Savepoint: Used to make sure that if a system failure occurs or if an error is detected, the user can always return to a point in time before the system crashed
Transactions
Transactions: Used when there are multiple writes to a database and to make sure all writes occurred without error before committing them. All writes are wrapped within a single transaction and checked for errors after each write. If any write causes an error, they are all rolled back. If all writes occur successfully, you commit the transaction.
Polyinstantiation
Polyinstantiation: Enables a relation to contain multiple tuples with the same primary keys with each instance distinguished by a security level. A different set of information can be given dependent on access privileges.
SSI
Server side includes (SSI): An HTML feature that allows a web page to embed contents from another file, before serving the page to the user. This allows web developers to reuse the contents of the include file in multiple web pages.