Software Dev Flashcards

1
Q

First Generation language

A

First Generation language: Machine-level programming languages like Machine Code

2
Q

Second Generation language

A

Second Generation language: The code is human readable. It must be converted into a machine readable form, a process called assembly, before it can be run. The language is specific to a particular processor family and environment. (example: Assembly)

3
Q

Third Generation Language

A

Third Generation Language (High-Level Language): Established a logical structure for software. Improved human readability, automated lower-level tasks and introduced more abstraction than second generation languages. Can operate independently of processor family or environment. (examples: COBOL, C, Basic)

4
Q

Fourth Generation language

A

Fourth Generation language: Utilize graphical programmer interfaces to automate and increase the speed of code creation. Many fourth generation languages are interpreted. (examples: Java, ColdFusion, Ruby, Python).

5
Q

CASE

A

CASE (Computer Aided Software Engineering): contains tools (supporting specific development tasks), workbenches (supporting multiple activities), and environments (supporting all or part of the software production process)

6
Q

Compilers

A

Compilers: Convert source code from third generation, or later, languages into machine code. Compilers parse the instructions into machine code and store them in a separate file like an “.exe”.

7
Q

Assembler

A

Assembler: Converts assembly language into machine language.

8
Q

Interpreted languages

A

Interpreted languages: These languages are compiled on the fly each time the program is run. The source code is executed line by line by the interpreter. Examples of interpreters include ColdFusion Application Server and the JavaScript Engine in browsers.

9
Q

Procedural Languages

A

Procedural Languages: Use subroutines, procedures, and functions. (examples: Basic, C, Fortran, Pascal).

10
Q

Object-oriented languages

A

Object-oriented languages: Model the real world through the use of objects which combine tasks (methods) and data.

11
Q

RAD

A

Rapid Application Development (RAD): A software development methodology that uses minimal planning in favor of rapid development and construction of iterative prototypes. The goal is to quickly meet business needs and technical concerns are secondary.

12
Q

Configuration Management

A

Configuration Management: tracks changes to a piece of software

13
Q

Change management

A

Change management: broader in scope; tracks changes across an entire software program

14
Q

Prototyping

A

Prototyping: A rudimentary working model of an information system or mockup of system design features

15
Q

Software Escrow

A

Software Escrow: A process of having a third party store and archive software. Escrow is typically requested by the customer acquiring the software, to ensure maintenance and availability of the software. If the vendor goes out of business or fails to live up to the agreement, software escrow ensures that the customer still has access to the source code for future development and maintenance.

16
Q

Data modeling

A

Data modeling: Defines how data components are associated with each other. Considers the data independently of the way it is processed.

17
Q

Data Structure

A

Data Structure: Is a representation of the logical relationship between elements of data

18
Q

Cohesive

A

Cohesive: A cohesive module can perform a single task with little or no help from other modules.
• Low Cohesion: Scatterbrained; does several tasks.
• High Cohesion: Focused on one task and is better for security purposes.

The best programming uses the most cohesive modules possible, but because different modules need to pass data and communicate, they usually cannot be totally cohesive.

19
Q

Coupling

A

Coupling: A measure of interconnection among modules in an application.
• Low Coupling: Promotes module independence and is better for security purposes.
• High Coupling: Modules depend heavily on other modules.

The lower the coupling, the better the software design, because it promotes module independence. The more independent a component is, the less complex the application is and the easier it is to modify and troubleshoot.

20
Q

ORB

A

ORB (Object Request Brokers): allow reuse of mature objects
o COM: MS sharing of objects written in different languages on a local system
o DCOM: MS sharing over multiple systems (e.g. OLE); supplanted by .NET
o CORBA: OMG networked object broker that separates objects into an object and an IDL (Interface Definition Language)

21
Q

DDE

A

Dynamic Data Exchange (DDE): Enables different applications to share data by providing Inter-Process Communications (IPC). It is a communication mechanism that enables direct conversation between two applications.

22
Q

DCE

A

Distributed Computing Environment (DCE): A set of management services with a communication layer based on Remote Procedure Call (RPC). It is a layer of software that sits on top of the network layer and provides services to the applications above it. The RPC function collects the arguments and commands from the sending program and prepares them for transmission over the network.

23
Q

DFS

A

Distributed File Services (DFS): Provides a single integrated file system that all DCE users can use to share files

24
Q

.NET

A

.NET framework: An application framework that has a large library which different applications can call upon. The libraries provide functions such as data access, database connectivity, network communication, etc.

25
Q

OLE

A

Object linking and embedding (OLE): Provides a way for objects to be shared on a local personal computer, using COM as their foundation. OLE enables objects, such as graphics, clipart, and spreadsheets, to be embedded into documents.

26
Q

J2EE

A

Java Platform, Enterprise Edition (J2EE): J2EE is an enterprise Java computing platform. This means it is a framework that is used to develop enterprise software written mainly in the Java programming language. It provides Application Programming Interfaces (API) for networking services, fault tolerance, security, and web services for large-scale, multi-tiered network applications

27
Q

SOA

A

Service-oriented architecture (SOA): A software design and software architecture design pattern based on discrete pieces of software providing application functionality as services to other applications. This is known as service-orientation

28
Q

Mashup

A

Mashup: The combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality

29
Q

SOAP

A

Simple Object Access Protocol (SOAP): An XML-based protocol that encodes messages in a web service environment. It defines an XML schema of how communication is going to take place. The SOAP XML schema defines how objects communicate directly.

30
Q

SaaS

A

Software as a Service (SaaS): A model that allows applications and data to be centrally hosted and accessed by thin clients, commonly web browsers

31
Q

Mobile code

A

Mobile code: Code that can be transmitted across a network, to be executed by a system or device on the other end

32
Q

Bytecode

A

Bytecode: Intermediate code created by the Java platform

33
Q

JVM

A

Java Virtual Machine (JVM): Converts the bytecode to the machine code that the processor on that particular system can understand

34
Q

Applets

A

Java Applets: Small components (applets) that provide various functionalities and are delivered to users in the form of Java bytecode. Java applets can run in a web browser using a Java Virtual Machine (JVM). Java is platform independent; thus, Java applets can be executed by browsers for many platforms

35
Q

ActiveX

A

ActiveX: ActiveX is a loosely defined set of technologies developed by Microsoft for sharing information among different applications. ActiveX is an outgrowth of OLE (Object Linking and Embedding) and COM (Component Object Model).

36
Q

Authenticode

A

Authenticode: A type of code signing, which is the process of digitally signing software components and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was digitally signed. Authenticode is Microsoft’s implementation of code signing

37
Q

OOP

A

Object Oriented Programming treats a program as a series of connected objects that communicate via messages. It utilizes modular design and reusable software components.
• Object Oriented Languages (C++, Java, Ruby, Python)
• Objects contain Data and Methods
• Objects hide (encapsulate) the details of the data and methods they contain

38
Q

Objects

A

Objects: Objects have state/attributes and methods/behaviors. State is data about the object and behaviors are what the object does. An object stores its state in fields and exposes its behavior through methods. (example: A dog is an object with state values of furry, four-legged, etc., and methods/behaviors like fetches sticks and barks)

39
Q

Methods

A

Methods: These are actions or operations performed by an object. (example: addition, subtraction, etc.)

40
Q

Class

A

Class: A template for creating objects which provides initial values for data (state) and defines methods

41
Q

Messages

A

Messages: Data sent to or from an object

42
Q

Inheritance

A

Inheritance: When an object or class is based on another object or class, using the same implementation. It automatically inherits the instance variables and member functions of the parent Class/Object

43
Q

Delegation

A

Delegation: Forwarding of a request by an object to another object or delegate. This forwarding is necessitated by the fact that the object receiving the request does not have a method to service the request.

44
Q

Polymorphism

A

Polymorphism: Polymorphic functions behave differently depending on the context of the input message.

45
Q

Abstraction

A

Abstraction: Information hiding

46
Q

OOA

A

OOA (Object-Oriented Analysis): analysis seeks to understand a problem domain

47
Q

OOD

A

OOD (Object-Oriented Design): designs a solution

48
Q

Waterfall Model

A

Waterfall Model: A linear application development model that uses rigid phases; when one phase ends, the next begins.
The waterfall model contains the following steps:
• System requirements
• Software Requirements
• Analysis
• Program Design
• Coding
• Testing
• Operations

An unmodified waterfall does not allow iteration (going back to previous steps). This places a heavy planning burden on the earlier steps. Also, since each subsequent step cannot begin until the previous step ends, any delays in earlier steps cascade through to the later steps.
The Modified Waterfall Model allows going back at least one step. The original waterfall method omitted a final step: destruction.

49
Q

Sashimi Model

A

The Sashimi Model has highly overlapping steps; it can be thought of as a real-world successor to the Waterfall Model (and is sometimes called the Sashimi Waterfall Model).

50
Q

Spiral Model

A

The Spiral Model is a software development model designed to control risk. The spiral model repeats steps of a project, starting with modest goals, and expanding outwards in ever wider spirals (called rounds). Each round of the spiral constitutes a project, and each round may follow traditional software development methodology such as Modified Waterfall. A risk analysis is performed each round.

51
Q

Agile principles

A

Agile principles:
o Individuals and interaction over processes and tools
o Working software over comprehensive documentation
o Customer collaboration over contract negotiation
o Responding to change over following a plan

52
Q

Scrum

A

Scrum (named after Rugby scrum):
o A Scrum is a small team of developers. They are supported by a Scrum Master, a senior member of the organization who acts like a coach for the team.

53
Q

XP

A

Extreme programming (XP): uses pairs of developers to work on a detailed spec with high customer involvement. Improves a software project via communication, simplicity, feedback, respect, and courage.
XP Principles:
- Planning: Specifies the desired features (called the user story)
- Paired Programming: Programmers work in teams of two
- Forty hour week: Forecasts should be accurate
- Total customer involvement: Customer is available and monitoring project status
- Detailed test procedures: Unit testing

54
Q

SEI CMM

A

The Software Engineering Institute's Capability Maturity Model Integration is a framework for objectively assessing the formality and optimization of an organization's software development process.
Normally 15-50 errors/KLOC (1000 lines of code). SEI CMM can lower this to 1 error/KLOC.
The five levels of CMM:
1. Initial: The software process is characterized as ad hoc, and occasionally even chaotic.
2. Repeatable: Basic project management processes are established to track cost, schedule, and functionality.
3. Defined: This is the common target for vendors dealing with government agencies. The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization.
4. Managed: Detailed measures of the software process and product quality are collected, analyzed, and used to control the process. Both the software process and products are quantitatively understood and controlled.
5. Optimizing: Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

55
Q

SDLC

A

System Development Life Cycle (SDLC)
SDLC is a system development model that focuses on security in every phase. It is also called the Software Development Life Cycle. ISC2 focuses on the security aspects of the SDLC.
• The first step in any SDLC is the security plan
• Most variants of the System Development Life Cycle follow the format described in NIST Special Publication 800-14.

56
Q

NIST 800-14

A

NIST 800-14
• Prepare a security plan:
• Initiation: Need and purpose defined
• Development/Acquisition:
o Determine security requirements
o Incorporate security requirements into specifications
o Develop/Obtain the System and related security activities: Develop system’s security features, monitor development process itself for security problems…
• Implementation:
o Install/Turn-on Controls
o Security testing: Certify system
o Accreditation: Formal authorization for system operation
• Operation/Maintenance
o Security Operations and Administration
o Operational Assurance: operating according to security requirements
o Audits and Monitoring
• Secure Disposal:
o Information: information movement, archival, discarded or destroyed.

57
Q

Freeware

A

Freeware (gratis) software: Software that is free of charge to use

58
Q

Shareware

A

Shareware: Software which may be initially available for free, but the licensing agreement normally requires payment for continued use.

59
Q

Crippleware

A

Crippleware: Any software program that cannot be fully utilized until the user registers or purchases the program

60
Q

Public domain

A

Public domain software (Libre): Software which is not copyrighted or licensed (e.g. GNU)

61
Q

Open Source licenses

A

Open Source licenses: The software source code is available to the public (e.g. GNU, BSD, Apache)

62
Q

GPL

A

GPL (GNU General Public License) is the most common and has the following terms:
• The freedom to use the software for any purpose
• The freedom to change the software to suit your needs
• The freedom to share the software with others
• The freedom to share the changes you make
• Modifications to GPL software must be free

63
Q

Software vulnerability testing methods

A

Software vulnerability testing methods
• Static: Passive scan of the actual source code or binary files. The code is not executing at the time of the scan.
• Dynamic: Scans the application while it is executing. Most commonly used for testing web applications by scanning the exposed interfaces.
• White Box: The tester has knowledge of the internal workings of the software being tested, has the source code, and understands what the program is supposed to do and how it works.
• Black Box: The tester has no internal details; the application is treated as a black box that receives inputs. Combinatorial testing seeks to identify all unique combinations of input.

64
Q

Software testing levels

A

Software testing levels
• Unit Testing: Low-level tests of software components, such as functions, procedures or objects
• Installation Testing: Testing software as it is installed and first operated
• Integration Testing: Testing multiple software components as they are combined into a working system.
• Regression Testing: Testing software after updates, modifications, or patches
• Acceptance Testing: Testing to ensure the software meets the customer’s operational requirements.
• User Acceptance Testing: testing done by the customer

65
Q

Fuzzing

A

Fuzzing: A type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash.

66
Q

Attack Surface

A

Attack Surface: The points or interfaces in a software environment where an attacker can leverage system functionality to initiate malicious actions.

67
Q

Client-side validation

A

Client-side validation: When the user input validation is done at the client before being sent back to the server to process. While this can increase application performance, it has limited security value, since the client can be under the control of an attacker.

68
Q

SQL injection

A

SQL injection: Instead of valid input, the attacker puts actual database commands into the input fields, which are then parsed and run by the database.

69
Q

XSS

A

Cross-site scripting (XSS): An attack that takes advantage of a Web site vulnerability in which the site displays or executes unsanitized user-provided data.

70
Q

Parameter validation

A

Parameter validation: Where the values that are being received by the application are validated to be within defined limits before the server application processes them within the system.

71
Q

cookie

A

Browser cookie (HTTP cookie): A small piece of data given to a Web browser by a Web server. The browser stores the data as either a temporary “session cookie” or a permanent “persistent cookie”. Cookies are specific to a domain and are sent back and forth between the browser and server.

72
Q

Web proxy

A

Web proxy: A piece of software installed on a client that is designed to intercept all traffic between the local web browser and the web server. Commonly used for security testing web applications because they allow a tester to modify the requests and responses. (examples Burp Suite, Zed Attack Proxy (ZAP))

73
Q

5 Database Models

A

5 Database Models
• Hierarchical: Data in a hierarchical database is arranged in a tree structure, with the parent records at the top of the database, and the hierarchy of child records in successive layers.
• Network Database: Improved the hierarchical model by allowing records to be networked to other records through paths that are different from the hierarchy.
• Relational Database: Contains two dimensional tables which use attributes (columns) and tuples (rows) to contain and organize information. It allows for the customization of relationships without hierarchical constraints. The relational database model is the most widely used model today
• Object-oriented: These databases store objects which combine both data and functions (code). They use an object oriented framework with similar features as object oriented languages and can have classes, instances, inheritance, etc.
• Distributed Database: Data is stored in more than one database (e.g. DNS), but it is logically connected. The components exist in multiple locations. A distributed database is not really about the database design so much as the fact that it exists in multiple locations.

74
Q

Normalization

A

Normalization: seeks to make the data in a table logically concise, organized, and consistent. Three rules (or forms):
• First normal form (1NF)- divide data into tables
• 2NF- move data partially dependent on primary key to another table
• 3NF- remove data not dependent on primary key

75
Q

DB Tuple

A

Record (Row or Tuple): Collection of related data items

76
Q

DB Table

A

Table: A collection of similar records

77
Q

DB Attribute

A

Attribute: A column in a database table

78
Q

DB View

A

View: Virtual relation defined by the database to control subjects from viewing certain data. Permits one group or a specific user to see certain information, while restricting another group from viewing it altogether.

79
Q

DB Field

A

Field (Cell): Intersection of a row and column

80
Q

Data dictionary

A

Data dictionary: A central repository describing data elements and their relationships, such as schema objects and reference keys.

81
Q

Data Schema

A

Data Schema: describes the attributes and values of the tables

82
Q

Cardinality

A

Cardinality: The number of rows in the table.

83
Q

Table Degree

A

Degree: The number of columns in the table.

84
Q

DB Domain

A

Domain: Is a set of allowable values that an attribute can take.

85
Q

Data warehouse

A

Data warehouse: A large database used for reporting and data analysis. It integrates data from one or more disparate sources and creates a central repository of data.

86
Q

Data mining

A

Data mining: The process of analyzing data from different perspectives and summarizing it into useful information

87
Q

ODBC

A

Open Database Connectivity (ODBC): Provides a standard SQL dialect that can be used to access many types of relational databases.

88
Q

SQL

A

Structured Query Language (SQL): The most popular relational database query language. It enables interaction with databases. There are many dialects of SQL. SQL uses two subsets of commands to work with databases: DDL and DML.

89
Q

DDL

A

Data Definition Language (DDL): Used to create, modify and delete tables in a database. It also defines the structure and schema of the database.
• Structure: table size, key placement, views and data element relationships.
• Schema: the type of data that will be held and manipulated and their properties.

90
Q

DML

A

Data Manipulation Language (DML): Used to query and update data in a database.

91
Q

Primary key

A

Primary key: A unique identifier in the table that uniquely identifies an individual row (tuple) in the table.

92
Q

Foreign key

A

Foreign key: An attribute (column) in one table, that has values matching the primary key in another table. It is used to establish and enforce a link between two tables.

93
Q

Semantic integrity

A

Semantic integrity: Ensures that data entered into a row reflects an allowable value for that row.

94
Q

Referential integrity

A

Referential integrity: Refers to the relationship between tables. Each table in a database must have a primary key. This primary key can appear in other tables because of its relationship to data within those tables. When a primary key from one table appears in another table, it is called a foreign key.

95
Q

Entity integrity

A

Entity integrity: Requires that every table have a primary key and that the column or columns chosen to be the primary key be unique and not null.

96
Q

ACID Test

A

ACID Test
o Atomicity: when one part of the transaction fails, the entire transaction fails
o Consistency: the database remains in a consistent state before the start of the transaction and after the transaction is over
o Isolation: other operations cannot access or see the data in an intermediate state during a transaction
o Durability: once the user has been notified of success, the transaction will persist and not be undone

97
Q

Concurrency

A

Concurrency: Many users can access data at the same time.

98
Q

Rollback

A

Rollback: The process of undoing a change to a database

99
Q

Commit

A

Commit: A permanent change to a database

100
Q

Savepoint

A

Savepoint: Used to make sure that if a system failure occurs or if an error is detected, the user can always return to a point in time before the system crashed

101
Q

Transactions

A

Transactions: Used when there are multiple writes to a database and to make sure all writes occurred without error before committing them. All writes are wrapped within a single transaction and checked for errors after each write. If any write causes an error, they are all rolled back. If all writes occur successfully, you commit the transaction.

102
Q

Polyinstantiation

A

Polyinstantiation: Enables a relation to contain multiple tuples with the same primary keys with each instance distinguished by a security level. A different set of information can be given dependent on access privileges.

103
Q

SSI

A

Server side includes (SSI): An HTML feature that allows a web page to embed contents from another file, before serving the page to the user. This allows web developers to reuse the contents of the include file in multiple web pages.