Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
101 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
An agile development method that uses pairs of programmers who work off a detailed specification. |
Extreme Programming (XP)
|
|
|
|
A "black box" that combines code and data and sends and receives messages.
|
Object
|
|
|
|
Changes the older procedural programming methodology and treats a program as a
series of connected objects that communicate via messages. |
Object-Oriented Programming
|
|
|
|
Programming languages that use subroutines, procedures, and functions.
|
Procedural Languages
|
|
|
|
A software development model designed to control risk.
|
Spiral Model
|
|
|
|
A development model that focuses on security in every phase.
|
Systems Development Life Cycle (SDLC)
|
|
|
|
An application development model that uses rigid phases; when one phase ends, the next begins.
|
Waterfall Model
|
|
|
|
Software that is executed directly by the CPU. CPU
dependent; |
Machine code (also called machine language)
|
|
|
|
Low-level computer programming language. Instructions are short mnemonics,
such as "ADD," "SUB" (subtract), and "JMP" (jump), that match to machine language instructions. |
Assembly language
|
|
|
|
Converts assembly language into machine language.
|
An assembler
|
|
|
|
Take source code, such as C or Basic, and compile it into machine code.
|
Compilers
|
|
|
|
Code compiled on the fly each
time the program is run. Differ from compiled languages |
Interpreted languages / Interpreted code (such as shell)
|
|
|
|
Interpreted code exists as an intermediary form (converted from source code) but still must be converted into machine code before it may run on the CPU.
|
Bytecode (such as Java bytecode)
|
|
|
|
Use subroutines, procedures, and functions. Examples: Basic, C, Fortran, and Pascal.
|
Procedural languages (also called procedure-oriented languages)
|
|
|
|
Attempt to model the real world through the use of
objects that combine methods and data. Examples include C++, Ruby, and Python. |
Object-oriented languages
|
|
|
|
Computer languages that are designed to increase a programmer's efficiency by automating the creation of computer programming code. Tend to be Graphical User Interface (GUI) focused and creation of databases, reports, and
websites. |
Fourth-generation programming languages (4GL)
|
|
|
|
- First-generation language—Machine code
- Second-generation language—Assembly - Third-generation language—COBOL, C, Basic - Fourth-generation language—ColdFusion®, Progress 4GL, Oracle® Reports |
4 Generations of Prog languages
|
|
|
|
Uses programs to assist in the creation and maintenance of other computer programs.
|
Computer-aided software engineering (CASE)
|
|
|
|
1. Tools:
2. Workbenches: 3. Environments: |
Three types of CASE software
|
|
|
|
Starts with the broadest and highest level requirements (the concept of the final program)
and works down toward the low-level technical implementation details. |
Top-down (TD) programming (e.g. Procedural languages)
|
|
|
|
Starts with the low-level technical implementation details and works up to the concept of the complete program.
|
Bottom-up programming; is the reverse of TD; (e.g. Object-oriented)
|
|
|
|
Software typically released in executable form; the source code is kept confidential. Examples
include Oracle® and Microsoft® Windows® 7. |
Closed source software
|
|
|
|
Publishes source code publicly. Examples include
Ubuntu® Linux® and the Apache web server. |
Open source Software
|
|
|
|
A linear application development model that uses rigid phases; when one phase ends, the next
begins. Limited customer interaction. Predates software design and was initially used in manufacturing. includes the following steps: System requirements, Software Requirements, Analysis, Program Design, Coding, Testing, and Operations |
Waterfall model
|
|
|
|
Exam
Warning |
The specific names of the phases of Royce's unmodified waterfall model are not specifically testable; learn the overall flow. Also, Royce omitted a critical final step: destruction. No development process that leads to an operational system with sensitive production data is truly complete until that system has been retired, the data archived, and the remaining data on those physical systems securely destroyed.
|
|
|
|
Highly overlapping steps; it can be thought of as a real-world successor to the waterfall model (and is sometimes called the _____________ waterfall model).
|
Sashimi model
|
named after the Japanese delicacy sashimi, which has overlapping
layers of fish |
|
|
Evolved as a reaction to rigid software development models such as the waterfall model. More flexibility, fast turnaround with smaller milestones,
strong communication within the team, and more customer involvement. |
Agile software development
(e.g. SCRUM; XP) |
|
|
|
Software development model designed to control risk. Boehm created the model. risk-driven approach to the software process rather than a primarily document-driven or code-driven process.
|
Spiral model
|
|
|
|
Rapidly develops software via the use of prototypes, dummy GUIs, back-end databases. Goal is quickly meeting the business needs of the system; technical concerns are secondary. The customer is heavily involved in the process.
|
Rapid Application Development (RAD)
|
|
|
|
Security in every phase. This model is broader than many application development models,
focusing on the entire system, from selection and development through operational requirements to secure disposal. Many variants but most follow (or are based on) the National Institute of Standards and Technology (NIST) XXXX process. |
Software Development Life Cycle or Systems Development Life Cycle (SDLC),
|
|
|
|
Security is part of every step of secure SDLC. "secure" or "security" appears somewhere in every step of NIST's SDLC, from project initiation to disposal.
|
NIST Special Publication 800-14
|
Any step that omits security is the wrong answer. Any SDLC plan that omits secure disposal as the final lifecycle step is also the wrong answer
|
|
|
The process of having a third party store an archive of computer software. This is often
negotiated as part of a contract with a proprietary software vendor. |
Software escrow
|
|
|
|
Programs as a series of connected objects that communicate via messages. Attempts to model the real world. Contains data and
methods (the functions they perform); provides encapsulation (also called data hiding) |
Object-oriented programming (OOP)
|
Examples of OOP languages include Java, C++, Smalltalk, and Ruby.
|
|
|
In OOP, many instances of an object with different inputs and outputs.
|
Polyinstantiation
|
|
|
|
In OOP, the capability of an action or method to do different things based on the object that it is acting upon
|
Polymorphism
|
|
|
|
Used to locate objects; they act as object search engines. Are middleware; they connect programs to programs. (e.g. COM, DCOM, and CORBA)
|
Object Request Brokers (ORBs)
|
|
|
|
Locates objects on a local system; used by developers to create reusable software components, link components
together to build applications, and take advantage of Windows services. |
COM (Component Object Model)
|
|
|
|
Can locate objects over a network. Extends COM to support communication among
objects on different computers—on a LAN, a WAN, or even the Internet |
DCOM (Distributed Component Object Model).
|
|
|
|
An open vendor-neutral networked object broker framework; Objects
communicate via a message interface, described by the interface definition language (IDL). low-level details are encapsulated (hidden) from the client. |
Common Object Request Broker Architecture (CORBA)
|
|
|
|
Seeks to understand (analyze) a problem domain (the challenge you are trying to address) and
identifies all objects and their interaction. |
Object-Oriented Analysis (OOA); with OOD is OOAD
|
|
|
|
Develops (designs) the solution.
|
Object-oriented design (OOD); with OOA is OOAD
|
|
|
|
Types of Software Vulnerabilities
|
- Hard-coded Credentials
- Buffer Overflow - SQL Injection - Directory Path Traversal - |
|
|
|
Backdoor username/passwords left by programmers in production code
|
Hard-coded Credentials
|
|
|
|
Occurs when a programmer does not perform variable bounds checking
|
Buffer Overflow
|
|
|
|
Common type of attack that occurs when some control changes between the time that the system security functions check the contents of variables and the time the variables actually are used during operations.
|
TOC/TOU: Time-of-check/time-of-use
|
|
|
|
Manipulation of a back-end SQL server via a front-end Web server
|
SQL Injection
|
|
|
|
Escaping from the root of a Web server (such as/var/www) into the regular file system by referencing directories such as "…/…"
|
Directory Path Traversal
|
|
|
|
Altering normal _ _ _ URLs and variables
|
PHP Remote File Inclusion (RFI)
|
|
|
|
Web attack that leverages third-party execution of Web scripting languages such as JavaScript within the security context of a trusted site. Executes a script in a trusted context:
|
Cross-Site Scripting (XSS)
|
|
|
|
Web attack that leverages third-party redirect of static content within the security context of a trusted site. Tricks a user into processing a URL
|
Cross-Site Request Forgery (CSRF, or sometimes XSRF)
|
|
|
|
Vulnerabilities that allow an attacker with (typically limited) access to be able to access additional resources. (e.g. normal Unix user into root access)
|
Privilege escalation vulnerabilities
|
|
|
|
Shortcuts in a system that allow a user to bypass security checks.
|
Backdoors
|
|
|
|
Software Testing Methods
|
- Static testing
- Dynamic testing - White box software - Black box |
|
|
|
Tests the code passively; that is, the code is not running. includes walkthroughs, syntax checking, andcode reviews.
|
Static testing
|
|
|
|
Tests the code while executing it.
|
Dynamic testing
|
|
|
|
Testing gives the tester access to program source code, data structures, variables, etc.
|
White box software
|
|
|
|
Testing gives the tester no internal details: The software is treated as a black box that receives inputs.
|
Black box
|
|
|
|
Used to map customer's
requirements to the software testing plan: It "traces" the "requirements," and ensures that they are being met. |
A Traceability Matrix (sometimes called a Requirements Traceability Matrix, or RTM)
|
|
|
|
Software Testing Levels
|
- Unit Testing
- Installation Testing - Integration Testing - Regression Testing - Acceptance Testing |
|
|
|
Low-level tests of software components, such as functions, procedures, or objects
|
Unit Testing
|
|
|
|
Testing software as it is installed and first operated
|
Installation Testing
|
|
|
|
Testing multiple software components as they are combined into a working system; subsets may be tested, or Big Bang integration testing tests all integrated software components
|
Integration Testing
|
|
|
|
Testing software after updates, modifications, or patches
|
Regression Testing
|
|
|
|
Testing to ensure the software meets the customer's operational requirements; when this testing
is done directly by the customer, it is called User Acceptance Testing |
Acceptance Testing
|
|
|
|
Type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash.
|
Fuzzing (also called fuzz testing)
|
|
|
|
A black-box testing method that seeks to identify and test all unique combinations of software inputs. (e.g. pairwise testing (also called all pairs testing).
|
Combinatorial software
|
|
|
|
Maturity framework for evaluating and improving the software development process. Goal is to develop a methodical framework for creating quality software that allows measurable and repeatable results.
|
Software Capability Maturity Model (CMM)
|
|
|
|
Five levels of CMM
|
1. Initial
2. Repeatable 3. Defined 4. Managed 5. Optimizing |
|
|
|
Software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort.
|
Initial
|
|
|
|
Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
|
Repeatable
|
|
|
|
The software process for both management and engineering activities is documented, standardized, and
integrated into a standard software process for the organization. Projects use an approved, tailored version of the organization's standard software process for developing and maintaining software. |
Defined
|
|
|
|
Detailed measures of the software process and product quality are collected, analyzed, and used to control
the process. Both the software process and products are quantitatively understood and controlled. |
Managed
|
|
|
|
Continual process improvement is enabled by quantitative feedback from the process and from piloting
innovative ideas and technologies |
Optimizing
|
|
|
|
Formal database types
|
- Relational (two dimensional)
- hierarchical - object-oriented. Flat File could also be considered, but not formal db. |
|
|
|
Key in a related database table that matches a primary key in the parent database.
|
A foreign key
|
|
|
|
Every foreign key in a secondary table matches a primary key in the parent table;
|
Referential integrity
|
|
|
|
Database term for a row in a relational database.
|
Tuple
|
|
|
|
Each tuple has a unique primary key that is not null
|
Entity integrity
|
|
|
|
Each attribute (column) value is consistent with the attribute data type.
|
Semantic integrity
|
|
|
|
Seeks to make the data in a database table logically concise, organized, and consistent.
|
Database normalization
|
|
|
|
Three rules of DB normalization
|
- First normal form (1NF)—Divide data into tables.
- Second normal form (2NF)—Move data that is partially dependent on the primary key to another table - Third normal form (3NF)—Remove data that is not dependent on the primary key. |
|
|
|
Results of a database query; may be used to provide a constrained user interface.
|
Database view
|
|
|
|
Description of the database tables. Contains database view information, information about authorized database administrators, and user
accounts, including their names and privileges, auditing information, and others. |
Data dictionary contains
|
|
|
|
Data about data.
|
metadata (e.g. Data Dictionary)
|
|
|
|
Database query languages have at least two subsets of commands
|
1 - data definition language (DDL) 2 - data manipulation language (DML)
|
|
|
|
Used to create, modify, and delete tables. DML is used to query and update data
stored in the tables. |
DDL - data definition language
|
|
|
|
Used to query and update data
stored in the tables. |
DML - data manipulation language
|
|
|
|
Databases forms a tree (e.g. global Domain Name Service (DNS) servers form a global tree.
|
Hierarchical databases
|
|
|
|
combine data with functions (code) in an object-oriented framework. Object-oriented programming (OOP) is used to manipulate the objects (and their data), managed by an object database management system (ODBMS).
|
object-oriented databases
|
|
|
|
Log of all database transactions
|
database journal
|
|
|
|
Mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by
clients. Pose additional integrity challenges. |
Database replication
|
|
|
|
Mirrors all changes made to a primary database, but clients do not access the shadow. Is
one way (i.e., data flows from primary to shadow); it serves as a live data backup of the primary. |
Shadow database
|
|
|
|
Large collection of data. This requires large, scalable storage solutions. The storage must be high performance and allow analysis and searches of the data.
|
Data warehouse is
|
|
|
|
Used to search for patterns.
|
Data mining
|
|
|
|
Science of programming electronic computers to "think" more intelligently,
|
Artificial intelligence (AI)
|
|
|
|
Consist of two main components. The first is a knowledge base that consists of "if/then" statements. These
statements contain rules that the expert system uses to make decisions. The second component is an inference engine that follows the tree formed by the knowledge base and fires a rule when there is a match. |
Expert systems
|
|
|
|
Consists of "if/then" statements. Statements contain rules that the expert system uses to make decisions.
|
Knowledge base
|
|
|
|
Follows the tree formed by the knowledge base and fires a rule when there is a match.
|
Inference engine
|
|
|
|
Simulate neural networks found in humans and animals. This multilayer neural network is capable of making a single decision based on thousands or more inputs. used for "fuzzy" solutions, where exactness is not always required (or possible), such as predicting the weather.
|
Artificial neural networks (ANN)
|
|
|
|
Based on a number of probability and statistical methods; is commonly used to identify spam.
|
Bayesian filtering
|
|
|
|
Refers to creating entire software programs (usually in the
form of Lisp source code); genetic algorithms refer to creating shorter pieces of code (represented as strings called chromosomes); creates random programs and assigns them a task of solving a problem. |
Genetic programming
|
|
