Refactoring
Change code structure without changing behavior.
Why Refactor
Improves readability, maintainability, design quality.
Examples of Refactoring
Extract Method, Rename Method, Replace Temp with Query, Decompose Conditional.
Code Rot
Degrades quality over time; refactoring helps prevent this.
Corrective Maintenance
Fixes bugs in existing software.
Adaptive Maintenance
Modifies software to fit a changing environment.
Perfective Maintenance
Adds or improves features in software.
Preventive Maintenance
Makes software easier to maintain and prevents future issues.
Maintenance Cost
Maintenance often costs 2–100× more than initial development.
Validation
Are we building the right product? (user needs)
Verification
Are we building the product right? (specifications)
Black Box Testing
Test based on input/output only.
White Box Testing
Test based on code’s internal logic/structure.
Regression Testing
Check that existing functionality still works after changes.
TDD (Test-Driven Development)
Write tests before writing the code.
CIA Triad
Confidentiality, Integrity, Availability.
Confidentiality
Prevent unauthorized access to data.
Integrity
Ensure data is accurate and unmodified.
Availability
System and data are accessible when needed.
Defense in Depth
Use multiple layers of security.
Least Privilege
Users get only the access they need.
Fail Securely
System remains secure even during failures.
Complete Mediation
Validate every access request thoroughly.
Separation of Privilege
Use more than one condition to allow access.
XSS (Cross-Site Scripting)
Inject malicious JavaScript into trusted websites.
Defense Against XSS
Filter input, encode output, use CSP (Content Security Policy).
CSRF (Cross-Site Request Forgery)
Trick user into submitting unauthorized actions.
Defense Against CSRF
Use SameSite cookies and secret tokens.
SQL Injection
Inserting malicious SQL via user input.
Defense Against SQL Injection
Use prepared statements and sanitize input.
Buffer Overflow
Writing data beyond memory limits.
Defense Against Buffer Overflow
Use safe functions like fgets() and snprintf().
Modularity
Divide code into independent parts.
Cohesion
Group related functionality together within modules.
Coupling
Minimize dependencies between different parts of the system.
Open-Closed Principle
Software should be open for extension, closed for modification.
Liskov Substitution Principle
Subclasses should preserve behavior of base classes.
Dependency Inversion Principle
Depend on abstractions, not concrete implementations.
Interface Segregation Principle
Use many specific interfaces instead of one general-purpose one.
Facade Pattern
Provides a simplified interface to a complex system.
Adapter Pattern
Allows incompatible systems to work together.
Observer Pattern
Notifies other components when one component changes.
XSS vs SQL Injection
XSS is script injection; SQLi is query manipulation.
Validation vs Verification
Validation = user needs; Verification = specifications.
TDD Meaning (Test-Driven Development)
Test first, write code second.
Adaptive vs Corrective Maintenance
Adaptive = environment change; Corrective = bug fixing.
Regression Testing Purpose
Check that nothing is broken after updates.
CSP (Content Security Policy)
Prevents execution of unauthorized scripts, such as inline JS.
Buffer Overflow Language Risk
Common in C/C++ due to manual memory management.
Observer Pattern Meaning
Publish-subscribe mechanism for automatic updates.