Software Engineering Midterm Study Guide
Which is true about the use case diagram above? A cannot complete without B; B cannot complete without A; C cannot complete without B; None of the above
C cannot complete without B
requirements imprecision
Problems arise when requirements are not precisely stated. Imprecise requirements lead to development of incorrect software
The result of this activity is a description of the system in terms of actors and use cases: Requirements Elicitation; Object design; Implementation; System design
Requirements Elicitation
Given the above use case diagram, which of the following statements is true of the ViewBill use case description? The Participation actors is incorrect. It should say "Initiated by Patient and Database"; The Flow of events is incorrect. Event #1 should say something about patients logging into the system; The Pre-Condition is incorrect. It should be blank; The use case description is correct
The participation actors are incorrect. It should say "initiated by patient and database"
extend relationship
a base use case may be influenced by the behavior of the extending use case; extend relationships are typically used for exceptional behavior in a use case
scenarios
a narrative of what people do and experience as they try to make use of the systems; a concrete example of the system in use; used by developers to communicate with clients to better understand the requirements
what are attack vectors
a pathway through which an attacker exploits a system; the pathway is the part of the application that serves as the delivery mechanism or is the target of an attack that seeks to exploit a weakness; attack vectors represent vulnerability risks for the application
what is software engineering
a systematic (organized) approach to software development and maintenance
use cases
a use case represents a sequence of interactions for some functionality; the set of use cases defines the scope of the system; everything outside the system boundary is outside the scope of the system
what is the difference between vulnerability and weakness
a vulnerability is an instance of a security fault in software; vulnerabilities can be exploited by an attacker; a weakness is a type of vulnerability; most vulnerabilities are due to programming error
what are the set of object-oriented software engineering technical activities
activities produce work products: 1. Requirements Elicitation 2. Analysis 3. System Design 4. Object Design 5. Implementation 6. Testing
actors
actors represent external entities that interact with the system; actors can be human or component; actors are part of the system's environment
Which of the following weaknesses is possible and poses a risk to the application? Cross-Site Scripting at event #1; Improper Input Validation at event #1; Exposure of Sensitive Information at event #2; All the above
all of the above
Which of these need to be part of a use case description? participating actors; flow of events; use case name; all of the above
all of the above
Which of the following can be considered a limitation of threat modeling? The accuracy of threat identification and scoring mechanism might not be precise; Threat modeling can be time consuming; Currently threat modeling is highly dependent on human expertise; all the above
all of the above
flow of events
alternating flow
what is a model
an abstraction of reality; abstractions ignore the irrelevant; what is relevant or irrelevant depends on the purpose of the model
exposure of sensitive information
application could reveal important information about its implementation state or other confidential information (IP addresses or database connection); attack vectors (descriptive error messages, insecure cookies, cache, URL parameters, and network traffic); mitigation includes: using generic error messages, effective access control, strong data encryption, limiting client-side information exposure
What is software
computer programs and associated documentation and data
case tool
computer-aided software engineering
post condition
conditions that are satisfied after a use case completes, such as: • a state that shows that the use case completed • acknowledgement is received • account balance is correctly updated
precondition
conditions that need to be satisfied before a use case is initiated; should not be trivial, e.g., system is turned on, or user has access to system, user pushes login button
what is the meaning of software requirements
descriptions of features that the system must have: description of system services (functional); description of system constraints (non-functional); generated during requirements elicitation; critical to distinguish constraints from services; it is a contract between the client and the developer
what are the causes of software system failures
developers did not anticipate seldom-occurring situations (e.g., memory leaks), the user actively misusing the system, and project management failures lead to delivery of an incorrect system, lead to unnecessary complexity (e.g., scope creep)
how to find use cases
discuss scenarios - client interview; use task observation - find out what the user does; create user interface mock-ups
improper access control
failure to correctly determine if the actor is authorized to access some functionality or information; could result from inconsistent enforcement of authentication and authorization across the application; attack vectors (URL request, form data)
what is a use case diagram also called
functional model
Which of the following questions is suitable for eliciting reliability requirements? who maintains the system?; how much data can the system lose?; what documentation should be provided to the user?; how many concurrent users should the system support?
how much data can the system lose?
reliability sample questions for eliciting nonfunctional requirements
how reliable and fault-tolerant should the system be? is restarting the system acceptable in the event of a failure? (e.g., cruise control system)
Which of these activities could be included in Requirements Elicitation? Identifying usage scenarios; Identifying the object model; Identifying the dynamic model; all of the above
identifying usage scenarios
include and extend relationship
include - necessary use case; extend - optional use case
what are types of reuse
include and extend relationship
what are the three different attack methods for weaknesses
injection, interception, inspection
what is an attack method
it is a technique that is utilized by an attacker (malicious actor) to exploit a weakness
legal
licensing, regulations (e.g., accessibility)
why is it important to model software
modeling is a means for dealing with complexity because software is complex and some operating systems have more than 100 million lines of code
why are reports of vulnerabilities increasing
modern software is connected to a network; modern software reuses many existing software components; modern software is very large; lack of tools to help developers address security in the development process; each vulnerability is associated with a weakness; over 900 weaknesses have been enumerated
what are the work products produced by the requirements elicitation activities
nonfunctional requirements, functional model, dynamic model, analysis object model
Which of the following is NOT considered part of software? Design plans; Configuration files; The requirements; None of the above
none of the above
Which of the following tasks is prescribed for the Security Development Lifecycle (SDL)? Build a prototype; Fix old bugs; Plan for the next phase; None of the above
none of the above
SQL injection
occurs when an attacker can insert SQL statements into application data; attacker could gain access to the database (view or modify database); interfere with application login (e.g., access control); attack vectors (primarily form data); mitigation includes: • proper validation and sanitization of all incoming data • avoiding the use of user-supplied input in SQL queries • using stored procedures rather than dynamic queries
unambiguous
only one system is described, cannot be misinterpreted
safety
prevention of damage or harm to a resource (system, data, user). e.g.,
security
prevention of unauthorized access to system and data
why model?
problem solving mechanism; focus on what is important
performance
quantifiable attributes of the system related to response time or throughput
use case reuse
reduces complexity of use cases by identifying commonalities between use cases; avoids redundancy
_________ is a category of requirements that is measured by rate of failure: Portability; Reliability; Usability; Performance
reliability
correct
requirements accurately represent what the customer wants (not what the engineer thinks the customer needs); does not contain unintended features; the software engineer should find out exactly: • What: the service (function) required, the goal of the service • Who: the actor that the service is intended for and performs tasks • How: the interaction, including what data (input or output) is needed
se technical activities
requirements elicitation, analysis, object design, system design
requirements validation
requirements should be continuously validated (checked); requirements should be checked for ambiguity, correctness, consistency, completeness; if requirements are invalid, all subsequent work products are invalid
examples of associated documentation
requirements, design, test cases (results), manual, configuration files
what are some examples of attack vectors
script: form input, email attachment; messaging: http request, email message; form data; source code (and scripts); file data (word, excel, json, xml, zip, etc.); cookie data; email message; images (jpeg, gif, etc.); network traffic; network protocols (https, ftp, smtp, etc.)
requirements specification
services and constraints
what is the difference between function and non-function requirements
services vs constraints
Which of the following models will best accommodate changing requirements during the development process? Spiral model; Security Development Lifecycle; Waterfall model; None of the above
spiral model
portability
the ability to transfer system or components between different platforms
reliability
the ability of a system to perform its required functions (correctly and without failure); mean time to failure; failure rate
injection
the attacker inserts some form of malicious data into the control flow of an application; malicious data could be in many forms (code, program); other forms of this method include the insertion of commands into the system to perform tasks on behalf of the attacker
inspection
the attacker is able to observe sensitive information about the application (e.g., db request information, implementation details, user credentials); attacker could review source code and other system artifacts (client side views, cache, logs and configuration files, stack trace); attacker could use obtained information to refine future attack
interception
the attacker is able to view or modify sensitive data in the application's network traffic; typically known as a man-in-the-middle attack; attacker is able to intercept the traffic between a sender and receiver
include relationship
the base use case includes another use case in its flow of events; the base use case would not be considered complete without the included use case; included use case is not optional
maintainability
the ease of changes to the system, e.g. measure downtime during maintenance
usability
the ease of use of the system from the perspective of the user; user interface design, online help, documentation (tool tips?)
examples of ambiguity
the system shall provide appropriate viewers for the user to read documents in the database; the viewer should display the document in a timely manner; the users should be able to manage their account; the system should be secure; the system should be reliable
What are functional requirements
they describe required services
what are non functional requirements
they describe the constraints on the system's operation and development. They can improve the overall system
why is it important to engineer software
to eliminate software failures
Why is software engineering important? To follow an organized approach to software development; To ensure that software systems never encounter failures; To create software products with maximum complexity; All of the above
to follow an organized approach to software development
ui mockups
UI mock-ups can be used to determine use cases; mock-ups represent a prototype; determine interactions and data; acts as a storyboard
A requirements specification is _______ if exactly one system is defined: unambiguous; correct; consistent; complete
unambiguous
what is uml
Unified Modeling Language, a standard for modeling object-oriented software; it is a language, i.e., it has a notation
categories of non-functional requirements
usability, reliability, performance, maintainability, Portability, Implementation, Legal, Security, Safety
what are the parts of the structured document that make up a use case description
use case name, participation actors, pre condition, flow of events, post condition, quality requirements
functional requirements
use cases: • Actors (roles, e.g., User, Manager) • Interactions (what actions are required) • Inputs, outputs (what data is required)
implementation
use of specific tool, language, or platform
Which of the following can cause software system failures? Following established practices; User misuse and poor project planning; Testing software thoroughly; Overusing hardware resources
user misuse and poor project planning
cross site scripting
web browsers have the ability to run embedded code; this can be exploited by inserting malicious web scripts; malicious code could redirect the user or user's data to another domain; mitigation includes: • avoiding the use of user-supplied input in application logic • validating both application input and output
usability sample questions for eliciting nonfunctional requirements
• What is the level of expertise of the user? • What user interface standards are familiar to the user? • What documentation should be provided to the user?
cross-site request forgery
when an application is unable to correctly determine if a client request is unintentionally sent by the user; attacker exploits improper verification of request; user is tricked into clicking a link to submit a malicious request; request leverages the context of the user's valid session; attack vectors (e.g., weblinks in email); mitigation includes: using unique request tokens, inserting tokens into hidden form fields
security sample questions for eliciting nonfunctional requirements
• Are there any data access restrictions? • Are there any access restrictions to functionality? • What are the possible security threats for the application?
safety sample questions for eliciting nonfunctional requirements
• Are there any risks of loss of data? • Are there any risks of harm to life? • Are there any risks of damage to a component?
performance sample questions for eliciting nonfunctional requirements
• How responsive should the system be? • Are any user tasks time critical? • How many concurrent users should it support? • How large is the typical data? • What is the worst latency that is acceptable to users?
complete
• Specification should include descriptions of all requirements (services and constraints). • All features are described
consistent
• There should be no conflicts or contradictions in the descriptions of the system requirements. • Uniformity • Standardization • Freedom from contradiction among the documents
examples of preconditions
• User has completed a required preceding use case (E.g. Login, Search) • System is in a certain state/state change (E.g., Fault occurrence, timed event)
maintainability sample questions for eliciting nonfunctional requirements
• What are the foreseen extensions to the system? • Who maintains the system? • How much downtime is acceptable?
what are the steps of cross-site request forgery
1. bank manager is logged into acme bank system 2. a request that will transfer money from bank is embedded in a link 3. link is sent by email or website 4. manager clicks link which sends request 5. money is transferred to attacker
Below are brief descriptions of the same use case (UploadImage) for two software applications (A & B): Application A: UploadImage: This use case will allow a customer to upload a profile image. The image can be of any valid image format. Application B: UploadImage: This use case will allow a customer to upload a profile image. The image must be of JPEG. Which of the following statements is correct of the applications? Application A has better reliability; Application A has better usability; Application A has better performance; All the above
Application A has better usability