Refactoring
Improving code’s internal structure without changing its external behavior.
Why Refactor
Improve design, make code easier to understand, help find bugs.
Common Refactoring Techniques
Extract Method, Rename Method, Replace Temp with Query, Introduce Explaining Variable, etc.
Obstacles to Refactoring
Complexity, risk of new errors, cultural resistance, performance concerns.
Software Maintenance
Modification of software after delivery to correct faults or improve performance.
Types of Maintenance
Corrective, Adaptive, Perfective, Preventive.
Software Maintenance Cost
Maintenance often costs more than original development.
Program Comprehension
Understanding code before making modifications.
Reengineering
Restructuring software to improve maintainability without changing functionality.
Reverse Engineering
Analyzing software to create representations at higher levels of abstraction.
Software Change
Inevitable due to new requirements, errors, business changes.
Change Implementation
Understand current system → design → implement → test.
Urgent Changes
Handled quickly without full process; risky but necessary.
Validation Testing
Ensures software meets user needs.
Verification Testing
Ensures software is built correctly per specifications.
Regression Testing
Re-running tests to confirm no new bugs after changes.
Black Box Testing
Testing based on functionality without looking at internal code.
White Box Testing
Testing with knowledge of the internal code structure.
Test-Driven Development (TDD)
Write tests before writing code.
Cross-Site Scripting (XSS)
Injecting malicious scripts into trusted websites.
Defense Against XSS
Input filtering, output encoding, Content Security Policy (CSP).
Cross-Site Request Forgery (CSRF)
Tricking users into submitting malicious requests.
Defense Against CSRF
SameSite cookies, secret tokens.
Buffer Overflow
Overwriting memory by exceeding a buffer’s capacity.
Defense Against Buffer Overflow
Use safe functions like fgets(), strncpy(), snprintf().
SQL Injection
Inserting malicious SQL through input fields.
Defense Against SQL Injection
Input filtering, encoding, prepared statements.
Goals of Secure Software
Confidentiality, Integrity, Availability (CIA).
Defense in Depth
Multiple layers of security for better protection.
Least Privilege
Grant users only the permissions they need.
Fail Securely
Systems should remain secure even when they fail.
Complete Mediation
Check every access attempt for authority.
Separation of Privilege
Require multiple conditions for sensitive actions.
Modularity
Separating unrelated concerns into independent modules.
Coupling
The degree of dependency between modules; should be low.
Cohesion
How closely related the functions within a module are; should be high.
Open-Closed Principle
Modules should be open for extension but closed for modification.
Liskov Substitution Principle
Subclasses should be usable through base class references without altering correctness.
Dependency Inversion Principle
Depend on abstractions, not concretions.
Interface Segregation Principle
Use several specific interfaces rather than a large general-purpose one.
Facade Design Pattern
Provides a simple interface to a complex subsystem.
Adapter Design Pattern
Makes incompatible interfaces compatible.
Observer Design Pattern
Notifies multiple objects when one object changes state.