Software Development Life Cycle
The process that a program goes through. It consists of the development, maintenance, and demise of a software system. The phases include analysis, design, coding, testing/verification, maintenance, and obsolescence
Feasibility Phase
The project phase that demonstrates that the client's requirements can be achieved. This phase identifies and evaluates the options to determine the one preferred solution.
analysis and requirements definition phase
customer input is sought to determine what the desired functionality is
Design Phase
Establishes descriptions of the desired features and operations of the system including screen layouts, business rules, process diagrams, pseudo code, and other documentation
Development Phase
Involves taking all of the detailed design documents from the design phase and transforming them into the actual system
testing and integration phase
Performed when the development stage is complete, to make sure the system conforms to the requirements defined in the earlier phases of the SDLC.
User Acceptance Testing (UAT)
determine if the system satisfies the user and business requirements
Training and Transition Phase
acceptance, installation and deployment phase
Ongoing Operations and Maintenance
patching, updating, minor modifications
disposition phase
occurs when a product or system reaches the end of its life
Development Environment
An environment used to create or modify IT services or applications.
test environment
An environment containing hardware, instrumentation, simulators, software tools, and other support elements needed to conduct a test.
Staging Environment
A "production like" environment to test installation, configuration and migration scripts.
Performance testing, load testing, processes required by other teams, boundary partners, etc.
production environment
The environment for the actual system operation. It includes hardware and software configurations, system utilities, and communications resources. Also called the operational environment.
Waterfall Model
an SDLC approach that assumes the phases can be completed sequentially with no overlap
Spiral model
An abstract description of the system's life cycle where there are four defined quadrants: planning, risk analysis, use of design methods, and client and management evaluation. Once one stage of development has gone full circle, the next phase takes place, and so on until completion.
DevOps
Software development and information technology operations
toolchains
A collection of tools, to improve the coding, building and test, packaging, release, configuration and configuration management, and monitoring elements of a software development life cycle.
Continuous Integration
A software development method where code updates are tested and committed to a development or build server/code repository rapidly
Continuous Deployment (CD)
a software development model where application and platform updates are committed to production rapidly
Continuous validation
the extension of testing to support the continuous process of software development that occurs in DevOps
continuous monitoring
Term used to describe a system that has monitoring built into it, so rather than monitoring being an external event that may or may not happen, monitoring is an intrinsic aspect of the action.
OWASP (Open Web Application Security Project)
An online community dedicated to web application security. This community works to create freely available articles, methodologies, documentation, tools, and technologies that describe web application flaws and ways to address and correct them.
Application programming interfaces
programming hooks, or guidelines, published by firms that tell other programs how to get a service to perform a task such as send or receive data
Pair Programming
agile software development technique in which two programmers work together at one workstation
Over the shoulder review
a form of peer review where two programmers sit down in front of the code and work through it together. One explains it to another.
Pass-Around Code Review
A code review process that relies on email or other distribution methods to distribute code for review.
Tool assisted code review
A type of peer review in which authors and reviewers use tools designed for peer code review.
formal code review
This type of code review is often called Fagan inspection and is common for projects that use the waterfall software development methodology. It requires many meetings.
A modern adaptation is to have a single meeting to review only the code changes. This way, the code can benefit from the live discussion among reviewers. This is sometimes known as a walkthrough.
Fagan inspection
A formal code review process that relies on specified entry and exit criteria for each phase
static code analysis
Analysis of source code carried out without execution of that software. A type of white-box test.
Dynamic Code Analysis
Examining code after the source code is compiled and when all components are integrated and running.
Fuzzing (Fuzz Testing)
A type of black box testing that enters random malformed data as inputs into software programs to determine if they will crash
Injection Vulnerability
A reference to a flaw in software and a common application vulnerability that would allow externally influenced (malicious) input to be used as part of the construction and subsequent execution of a command. Variations include SQL injection, OS command injection, and LDAP injection.
Blind SQL Injection
Is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The results are usually not visible to the attacker.
Blind Content-Based SQL Injection
the perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack.
Lightweight Directory Access Protocol (LDAP)
A protocol used by various client applications when the application needs to query a database.
Extensible Markup Language (XML)
The markup language designed to transport and store data on the Web.
Cross-Site Scripting (XSS)
An attack that injects scripts into a Web application server to direct attacks at clients.
password authentication
Provides authentication of the user
Credential-stealing attacks
allow a hacker or penetration tester to authenticate directly to a service using a stolen account
Session Hijacking
An attack in which an attacker attempts to impersonate the user by using his session token.
man-in-the-middle attack
a hacker placing himself between a client and a host to intercept communications between them
Session Replay Attack
Attacker listens to the conversation between the user and the server and captures the authentication token of the user
Pass the hash
A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.
Unvalidated Redirects and Forwards
redirects: an attacker can install malware or trick victims into disclosing information. Attacks the user.
forwards: may allow access control bypass. Attacks the server.
Unvalidated redirect
application allows redirection to any URL and attacker may use this to redirect the user to a malicious site
Insecure Direct Object Reference
Takes advantage of lack of checks to ensure a user requesting a resource actually has permissions to do so.
Directory Traversal / Path Traversal
Read files from a web server that are outside of the website's file directory. Users shouldn't be able to browse the Windows folder. Similar to privilege escalation for read access.
Directory Traversal / Command Injection
Allows the inclusion of operators when filesystem access controls don't properly restrict access to files stored elsewhere on the server.
file inclusion attacks
An attack that executes the code contained within a file, allowing the attacker to fool the web server into executing arbitrary code.
Privilege escalation
a network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications