Defensive Design

Question 1

What is defensive design?

Answer 1

Is the practice of anticipating every possible way that an end-user could misuse a system or device

Question 2

How do you know that defensive design has not been good enough?

Answer 2

When the program crashes
When the program behaves in an unintended fashion
When data security has been compromised

Question 3

What is a menu-driven user interface?

Answer 3

A menu-driven user interface limits the user to being able to pick from a displayed list of choices

Question 4

How can a menu interface limit the misuse of a program?

Answer 4

A menu interface can help to limit unexpected or invalid entries

Question 5

What is a ‘graphical widget’?

Answer 5

Is a small self-contained object on-screen to allow data selection to be made

Question 6

How does the calendar widget not allow the user to select an invalid value?

Answer 6

The date information can be encoded in any way convenient to the programmer, and the user cannot select an invalid value

Question 7

What is the purpose of widgets?

Answer 7

Is to limit user choice to only valid values

Question 8

What is the most flexible way of receiving inputs from a user?

Answer 8

Text input

Question 9

What defensive design help with for text input?

Answer 9

Making it as easy as possible for the user to get things right on the first try

Question 10

How can a programmer design to reduce errors in inputting text?

Answer 10

Inform the user of what they need to enter

Question 11

What is validation?

Answer 11

It ensures that the data entered is valid for further processing by the program handling it

Question 12

What are the 4 validation techniques?

Answer 12

Checking and limiting the Length of the data
Checking the Range of the data
Checking the Type of the data
Checking the Format of the data

Question 13

What is length validation?

Answer 13

Checking to see if the entered value is within the allowed number of characters

Question 14

What 2 options are there for the programmer if the length validation is not right?

Answer 14

Inform the user of the problem and allow them to re-enter the data
Modify the input to fit the rules (truncation)

Question 15

What is range validation?

Answer 15

Used when inputs have to fall between certain values (e.g. If the program asked for an age, the user would have to enter a positive number)

Question 16

What is type validation?

Answer 16

Checking that the input conforms to the allowed data types (e.g. if the input can only be a numeric value then alphabetic or symbol characters are rejected)

Question 17

What is format validation?

Answer 17

To check that the input is in the correct format

Question 18

What is a white-list?

Answer 18

A list of data that the application will accept as valid

Question 19

What is black-list?

Answer 19

A list of data that the application will reject

Question 20

How are white-list and black-list used?

Answer 20

Often used with firewall applications and email filtering applications

Question 21

What is a firewall?

Answer 21

An application that helps protect a network from intrusion or to limit what network users can access online

Question 22

What is one of the things that a firewall always checks?

Answer 22

The URL sent from a web browser within the network

Question 23

What URLs are contained within each list?

Answer 23

The whitelist may contain a list of URLs that the firewall will let through
The blacklist may contain a list of banned URLs which will be blocked

Question 24

Why is it easier to create a whitelist?

Answer 24

It is easier to define what is acceptable than to try and anticipate what is not acceptable.

Question 25

What should defensive coding have?

Answer 25

Encryption

Question 26

What is SQL injection?

Answer 26

To send unauthorised SQL queries to a database by typing extra data into some input fields

Question 27

What is a good defence against SQL injection?

Answer 27

Sanitising input

Question 28

Give 2 examples of sanitising input

Answer 28

Stripping out all whitespaces from username / password inputs
Rejecting any non-alphabetic symbols

Question 29

What is authentication?

Answer 29

A way of confirming that the user is authorised to access the system

Question 30

What is the most common way of authentication?

Answer 30

Username and Password

Question 31

What is two-factor authentication?

Answer 31

After the user enters a valid user name and password, the system sends an SMS text ‘authentication code’ to their mobile phone. They then have to enter this as well

Question 32

What is biometric authentication?

Answer 32

Checks some physical feature of the authorised person such as their fingerprint. The user puts their thumb on a fingerprint entry device, the data is sent off to a database and checked against their valid data