Software Engineering Body of Knowledge (v3) (2014) (811503), страница 71
Текст из файла (страница 71)
Themodules should be as small as possible andshould perform only those tasks that requirethose privileges.• Ensure that any assumptions in the programare validated. If this is not possible, document them for the installers and maintainersso they know the assumptions that attackerswill try to invalidate.• Ensure that the program does not shareobjects in memory with any other program.• The error status of every function must bechecked. Do not try to recover unless neitherthe cause of the error nor its effects affectany security considerations.
The programshould restore the state of the software tothe state it had before the process began, andthen terminate.17.4. Software Testing SecuritySoftware testing security determines that software protects data and maintains security specification as given. For more information, pleaserefer to the Software Testing KA.17.5. Build Security into Software EngineeringProcessSoftware is only as secure as its developmentprocess goes.
To ensure the security of software,security must be built into the software engineering process. One trend that emerges in this regardis the Secure Development Lifecycle (SDL) concept, which is a classical spiral model that takesa holistic view of security from the perspectiveof software lifecycle and ensures that security isinherent in software design and development, notan afterthought later in production. The SDL process is claimed to reduce software maintenancecosts and increase reliability of software concerning software security related faults.17.6. Software Security GuidelinesAlthough there are no bulletproof ways for securesoftware development, some general guidelinesdo exist that can be used to aid such effort.
These13-26 SWEBOK® Guide V3.0guidelines span every phase of the softwaredevelopment lifecycle. Some reputable guidelines are published by the Computer EmergencyResponse Team (CERT) and below are its top10 software security practices (the details can befound in [12]:1. Validate input.2. Heed compiler warnings.3. Architect and design for security policies.4. Keep it simple.5. Default deny.6. Adhere to the principle of least privilege.7. Sanitize data sent to other software.8.
Practice defense in depth.9. Use effective quality assurance techniques.10. Adopt a software construction securitystandard.Computing Foundations 13-271. Problem SolvingTechniques1.1. Definition ofProblem Solving1.2. Formulating theReal Problem1.3. Analyze theProblem1.4. Design aSolution SearchStrategy1.5. Problem SolvingUsing Programs2. Abstraction2.1. Levels ofAbstraction2.2. Encapsulation2.3. Hierarchy3. ProgrammingFundamentals3.1. TheProgrammingProcess3.2. ProgrammingParadigms3.3. DefensiveProgramming4. ProgrammingLanguage Basics4.1. ProgrammingLanguage Overview4.2. Syntax andSemantics ofProgrammingLanguages3.2,s4.2s3.2s3.2s3.2s4.2c5s5.2–5.4s5.2–5.3s5.3s5.2c6–19c6–c19c6–c19c8c6s6.1s6.2Bishop 2002[11*]Nielsen 1993[9*]Null and Lobur 2006[8*]Sommerville 2011[6*]Horowitz et al.
2007[5*]Brookshear 2008[4*]McConnell 2004[3*]Voland 2003[2*]MATRIX OF TOPICS VS. REFERENCE MATERIAL4.3. Low LevelProgrammingLanguage4.4. High LevelProgramingLanguage4.5. Declarativevs. ImperativeProgrammingLanguage5. Debugging Toolsand Techniques5.1. Types of Errors5.2. DebuggingTechniques:5.3. DebuggingTools6. Data Structure andRepresentation6.1. Data StructureOverview6.2. Types of DataStructure6.3. Operations onData Structures7. Algorithms andComplexitys6.5–6.7s6.5–6.7s6.5–6.7c23s23.1s23.2s23.5s2.1–2.6s2.1–2.6s2.1–2.6s2.1–2.6s1.1–1.3,s3.3–3.6,s4.1–4.8,s5.1–5.7,s6.1–6.3,s7.1–7.6,s11.1,s12.1Bishop 2002[11*]Nielsen 1993[9*]Null and Lobur 2006[8*]Sommerville 2011[6*]Horowitz et al. 2007[5*]Brookshear 2008[4*]McConnell 2004[3*]Voland 2003[2*]13-28 SWEBOK® Guide V3.07.1. Overview ofAlgorithms7.2. Attributes ofAlgorithms7.3. AlgorithmicAnalysis7.4. AlgorithmicDesign Strategies7.5. AlgorithmicAnalysis Strategies8. Basic Concept of aSystem8.1. EmergentSystem Properties8.2. SystemEngineering8.3. Overview of aComputer Systems1.1–1.2s1.3s1.3s3.3–3.6,s4.1–4.8,s5.1–5.7,s6.1–6.3,s7.1–7.6,s11.1,s12.1s3.3–3.6,s4.1–4.8,s5.1–5.7,s6.1–6.3,s7.1–7.6,s11.1,s12.1c10s10.1s10.2Bishop 2002[11*]Nielsen 1993[9*]Null and Lobur 2006[8*]Sommerville 2011[6*]Horowitz et al.
2007[5*]Brookshear 2008[4*]McConnell 2004[3*]Voland 2003[2*]Computing Foundations 13-299. ComputerOrganization9.1. ComputerOrganizationOverview9.2. Digital Systems9.3. Digital Logic9.4. ComputerExpression of Data9.5. The CentralProcessing Unit(CPU)9.6. Memory SystemOrganization9.7. Input and Output(I/O)10. Compiler Basics10.1. CompilerOverview10.2. Interpretationand Compilation10.3. TheCompilation Process11. OperatingSystems Basics11.1. OperatingSystems Overview11.2. Tasks ofOperating System11.3. OperatingSystem Abstractions11.4. OperatingSystemsClassificationc1–4s1.1–1.2c3c3c2s4.1–4.2s4.6s4.5s6.4s8.4s8.4s8.4s6.4c3s3.2s3.3s3.2s3.1s8.4Bishop 2002[11*]Nielsen 1993[9*]Null and Lobur 2006[8*]Sommerville 2011[6*]Horowitz et al.
2007[5*]Brookshear 2008[4*]McConnell 2004[3*]Voland 2003[2*]13-30 SWEBOK® Guide V3.012. DatabaseBasics and DataManagement12.1. Entity andSchema12.2. DatabaseManagementSystems (DBMS)12.3. DatabaseQuery Language12.4. Tasks ofDBMS Packages12.5. DataManagement12.6. Data Mining13. NetworkCommunicationBasics13.1. Types ofNetwork13.2. Basic NetworkComponents13.3. NetworkingProtocols andStandards13.4. The Internet13.5. Internet ofThings13.6. Virtual PrivateNetwork14. Parallel andDistributedComputing14.1. Paralleland DistributedComputingOverviewc9s9.1s9.1s9.2s9.2s9.5s9.6c12s12.2–12.3s12.6s12.4–12.5s12.8c9s9.4.1–9.4.3Bishop 2002[11*]Nielsen 1993[9*]Null and Lobur 2006[8*]Sommerville 2011[6*]Horowitz et al. 2007[5*]Brookshear 2008[4*]McConnell 2004[3*]Voland 2003[2*]Computing Foundations 13-3114.2. Differencesbetween Paralleland DistributedComputing14.3. Paralleland DistributedComputing Models14.4. Main Issuesin DistributedComputing15. Basic UserHuman Factors15.1. Input andOutputBishop 2002[11*]Nielsen 1993[9*]Null and Lobur 2006[8*]Sommerville 2011[6*]Horowitz et al.
2007[5*]s9.4.4–9.4.5s9.4.4–9.4.5c8c5s5.1,s5.3s5.2,s5.8s5.5–5.615.2. Error Messages15.3. SoftwareRobustness16. Basic DeveloperHuman Factors16.1. Structure16.2. Comments17. Secure SoftwareDevelopment andMaintenance17.1. Two Aspects ofSecure Coding17.2. CodingSecurity intoSoftware17.3. RequirementSecurity17.4. DesignSecurity17.5. ImplementationSecurityBrookshear 2008[4*]McConnell 2004[3*]Voland 2003[2*]13-32 SWEBOK® Guide V3.0c31–32c31c32c29s29.1s29.4s29.2s29.3s29.5Computing Foundations 13-33REFERENCES[1] Joint Task Force on Computing Curricula,IEEE Computer Society and Associationfor Computing Machinery, SoftwareEngineering 2004: Curriculum Guidelinesfor Undergraduate Degree Programs inSoftware Engineering, 2004; http://sites.computer.org/ccse/SE2004Volume.pdf.[2*] G. Voland, Engineering by Design, 2nd ed.,Prentice Hall, 2003.[3*] S.
McConnell, Code Complete, 2nd ed.,Microsoft Press, 2004.[4*] J.G. Brookshear, Computer Science: AnOverview, 10th ed., Addison-Wesley, 2008.[5*] E. Horowitz et al., Computer Algorithms,2nd ed., Silicon Press, 2007.[6*] I. Sommerville, Software Engineering, 9thed., Addison-Wesley, 2011.[7] ISO/IEC/IEEE 24765:2010 Systems andSoftware Engineering—Vocabulary, ISO/IEC/IEEE, 2010.[8*] L. Null and J. Lobur, The Essentials ofComputer Organization and Architecture,2nd ed., Jones and Bartlett Publishers,2006.[9*] J. Nielsen, Usability Engineering, MorganKaufmann, 1993.[10] ISO 9241-420:2011 Ergonomics of HumanSystem Interaction, ISO, 2011.[11*] M.
Bishop, Computer Security: Art andScience, Addison-Wesley, 2002.[12] R.C. Seacord, The CERT C Secure CodingStandard, Addison-Wesley Professional,2008.CHAPTER 14MATHEMATICAL FOUNDATIONSINTRODUCTIONSoftware professionals live with programs. In avery simple language, one can program only forsomething that follows a well-understood, nonambiguous logic. The Mathematical Foundationsknowledge area (KA) helps software engineerscomprehend this logic, which in turn is translatedinto programming language code.
The mathematics that is the primary focus in this KA is quitedifferent from typical arithmetic, where numbersare dealt with and discussed. Logic and reasoning are the essence of mathematics that a softwareengineer must address.Mathematics, in a sense, is the study of formalsystems. The word “formal” is associated withpreciseness, so there cannot be any ambiguous orerroneous interpretation of the fact.
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
