Defensive programming techniques aim to avoid problems both during development and at runtime. Typical issues include untrusted or malformed user input, poorly structured code that is hard to maintain, and runtime errors. Defensive design focuses on preventing unintended exploitation of systems, keeping code well organized, and minimizing bugs. Input validation and sanitization check that user data meets defined criteria and strip unwanted characters. Data that reaches a database especially needs this treatment, and the query itself should use bound parameters rather than string concatenation, since validation and sanitization alone do not reliably prevent SQL injection.
This document discusses SQL injection, including what it is, how it works, and how to perform SQL injection attacks to extract information from a database and alter data. It provides examples of SQL queries that can be used to find the number of columns in a table, determine table and column names, and extract or alter data. The document notes that proper input validation and use of prepared statements are needed to prevent SQL injection attacks, and that no single solution can fully prevent SQL injection.
The document provides an overview of basic web security issues and recommendations to address them. It discusses making regular backups and testing restores, using strong and unique passwords that are changed frequently, password protecting directories with .htaccess, keeping software updated, restricting access to sensitive files and data, preventing cross-site scripting attacks, filtering user-submitted data, and using prepared statements to prevent SQL injection. The goal is to increase awareness of common vulnerabilities and how to avoid or lessen exposure to exploits.
This document provides an overview of basic web security best practices. It recommends making rolling backups and testing restores, using strong and unique passwords that are changed frequently, password protecting directories with .htaccess, keeping software updated, filtering user inputs to prevent XSS and SQL injection attacks, and avoiding displaying sensitive data in publicly accessible areas. The document also warns about cookies potentially containing malicious code and the risks of iframes.
Internal DSLs For Automated Functional Testing - John Sonmez
Automated functional testing is one of the hardest things to get right on a project. Many people with high hopes set out to develop fully automated regression tests, only to be caught up in the tangle of fragile tests which are always broken. In this session I will present a clean way to build a framework using free tools to develop an internal Domain Specific Language custom to the application being tested. I will show the benefits of this approach versus the record-and-modify methods of most automated testing tools. In addition, I will talk about a real working practical example I have developed for the Dept of Health and Welfare in testing their new case management system.
The document provides 10 rules for safer code in order to prevent security vulnerabilities:
1. Do not use eval() or evaluate strings as code.
2. Do not use pickle for serialization: unpickling untrusted data can execute arbitrary code, so it is unsafe for anything an attacker can influence.
3. Use ORM queries and query parameters instead of direct SQL to prevent SQL injection.
4. Be careful of XSS vulnerabilities in templates, DOM manipulations, and uploads. Escape variables and user input.
5. Securely store passwords and tokens and do not leak them.
6. Review sudo() usage and do not allow blind writes from public methods.
7. Use CSRF tokens for HTTP POST forms to prevent CSRF attacks.
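Rule 2 above is the one developers most often underestimate, so here is an added example (not from the Odoo talk or its code base) showing why: a pickle payload does not carry data, it carries an instruction to call a function. The class name, file path and allow-list below are assumptions made for the demonstration; the "attacker" payload only calls open() so the effect is visible without harming the host.

```python
import io
import json
import os
import pickle
import tempfile

# Hypothetical attacker-controlled class. Pickling it stores "call open(path, 'w')"
# instead of any object state, so *unpickling* performs that call. Any importable
# callable (os.system, subprocess.Popen, ...) could stand in for open().
class MaliciousPayload:
    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (open, (self.path, "w"))


def unsafe_load_creates_file():
    """pickle.loads() runs attacker-chosen code: a file appears on disk."""
    path = os.path.join(tempfile.mkdtemp(), "pwned.txt")
    payload = pickle.dumps(MaliciousPayload(path))   # what an attacker would send
    assert not os.path.exists(path)
    handle = pickle.loads(payload)                   # executes open(path, "w")
    handle.close()
    return os.path.exists(path)


# Allow-list unpickler (assumed policy): only plain scalar/container types may be
# referenced by the stream. Anything else, including io.open, is refused.
SAFE_BUILTINS = {"list", "dict", "set", "frozenset", "tuple",
                 "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_rejects_payload():
    """The same payload is refused and the side effect never happens."""
    path = os.path.join(tempfile.mkdtemp(), "pwned.txt")
    payload = pickle.dumps(MaliciousPayload(path))
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError:
        return not os.path.exists(path)
    return False


def restricted_accepts_plain_data(obj):
    """Plain data (no GLOBAL opcode in the stream) still round-trips."""
    return restricted_loads(pickle.dumps(obj)) == obj


def json_roundtrip(obj):
    """Preferred fix: a data-only format cannot name a callable at all."""
    return json.loads(json.dumps(obj))
```

The restricted unpickler is a containment measure for legacy code that cannot drop pickle yet; for new code, a data-only format such as JSON removes the problem entirely rather than narrowing it.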
This document discusses the importance of good design principles for test automation code. It provides examples of applying basic design concepts like avoiding duplication and separating concerns when automating tests using the Robot Framework and Selenium. The examples start simply by extracting duplicated steps in a single test into keywords and variables. They progress to splitting functionality across multiple files as "resources" and parameterizing tests to run with different data values. The goal is to demonstrate how non-programmers can design maintainable automated tests by applying basic coding best practices.
10 Rules for Safer Code [Odoo Experience 2016] - Olivier Dony
In this talk, we will cover the top 10 development mistakes that lead to security issues. Olivier Dony will go through all the security issues we have had over the past 3 years and give tips on how to avoid the traps for safer Odoo code.
The document discusses common coding errors in ASP scripts that can lead to security vulnerabilities. It covers three main categories: input validation issues, problems with managing state predictably and securely, and source code maintenance issues. Specific problems discussed include insufficient validation of user-supplied input used in SQL queries, which can enable SQL injection attacks, poor randomness or predictability of session IDs, hardcoded credentials, and debugging code left enabled. The document provides examples of each issue and recommendations for more secure coding practices.
The document provides an overview of secure coding principles for developers and code auditors. It discusses principles such as input/output validation, error handling, and authentication and authorization. Input/output validation is about validating data that enters and leaves the application. Error handling involves gracefully handling exceptions instead of revealing sensitive information. Authentication and authorization concerns implementing strong password policies, access control, and least privilege access. Following these secure coding principles can help protect against many common vulnerabilities.
Secure WordPress Development Practices - Brandon Dove
Keep user data secure by sanitizing all input and output, using nonces to verify requests, and allow-listing known safe data formats (or block-listing known bad ones). Common attacks like XSS, CSRF and viruses can be prevented by escaping output, validating referrers, and using antivirus software. The document provides links to WordPress resources on data validation and security best practices.
This document discusses various web security topics such as never trusting user inputs, input validation, SQL injection, cross-site scripting, session hijacking, and cross-site request forgery. It emphasizes the importance of input sanitization, using prepared statements, and defensive coding practices to prevent security vulnerabilities. Common threats like SQL injection can occur if direct user input is inserted into SQL queries. The document also provides tips on secure programming, updating scripts, and resources for further reading on web security best practices.
This document discusses biological databases and PHP. It begins with an overview of biological databases and examples using BIOSQL to load genetic data from GenBank into a MySQL database. It then provides examples of building a basic 3-tier model with Apache, PHP, and a MySQL backend database. The document also includes a brief introduction to PHP, covering its history, why it is commonly used, and basic syntax like conditional statements.
This document provides an introduction to JavaScript including:
- JavaScript is the most popular programming language for adding interactivity to web pages.
- It is embedded directly into HTML and is case-sensitive.
- JavaScript can change HTML content, attributes, styles, validate data, and display pop-ups.
- The <script> tag is used to insert JavaScript into HTML. Scripts can go in the head or body.
- External JavaScript files allow code reuse across pages and improve performance.
- JavaScript outputs can be written to alerts, the page, elements, and the console.
- Variables, data types, operators, functions, conditional statements, loops, arrays and events are also introduced.
The document discusses various web application security issues like SQL injection, input validation, cross-site scripting and provides recommendations to prevent these vulnerabilities when developing PHP applications. It emphasizes the importance of validating all user inputs, using prepared statements and output encoding to prevent code injection attacks and ensuring session security. The document also covers other attacks like cross-site request forgery and provides mitigation techniques.
The document discusses common web application security threats like cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injections. It provides examples of each threat and explains how Joomla handles them, such as by adding tokens for CSRF protection and escaping user input. The document also covers other attacks like direct code access, register globals being on, and outlines best practices for secure web development like input sanitization and validation.
Building Better Applications with Data::Manager - Jay Shirley
The document discusses tools for managing form data and validation. It introduces Data::Manager, which provides a way to manage incoming data and validation rules across multiple scopes or sections. Data::Manager uses Data::Verifier under the hood to validate data according to defined rules. It provides methods to verify data, check for errors, and retrieve validation results. The document emphasizes usability, reliability, and hiding complexity through a clean API.
The document discusses various web application security vulnerabilities such as hidden field manipulation, parameter tampering, cross-site scripting, and SQL injection. It provides examples of how attackers can exploit these vulnerabilities and recommendations for developers on how to prevent attacks, including sanitizing user input, encrypting cookies, and validating parameters.
The document discusses various cybersecurity risks and best practices to address them. It covers topics like information leakage, outdated software, authorization bypass, cross-site request forgery (CSRF), cross-site scripting (XSS), social engineering, and the importance of user training. The key message is that while technology is important, humans are often the weakest link and most common cause of breaches. Organizations must have security awareness programs to educate employees on threats like phishing.
12-security.ppt - PHP and Arabic Language - Index - webhostingguy
The document discusses PHP security best practices. It emphasizes two golden rules: 1) filter all external input and 2) escape all output. It provides examples of filtering user-submitted data and escaping it before displaying or inserting into a database. It also covers common attacks like SQL injection, session fixation, and cross-site scripting, explaining how to prevent them by following the two golden rules of filtering input and escaping output.
The document discusses PHP security best practices. It emphasizes two golden rules: 1) filter all external input and 2) escape all output. It provides examples of filtering user-submitted data and escaping it before displaying to browsers or inserting into databases. It also covers common attacks like SQL injection, session hijacking, and cross-site scripting, explaining how to prevent them by following the two golden rules of filtering input and escaping output.
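The two golden rules in the PHP decks above (filter input, escape output) are language-independent, so here is an added example in Python that applies them to an XSS case; it is not code from either deck. The comment-rendering functions, the username pattern and the URL scheme policy are assumptions chosen for the demonstration. Note the two caveats the decks' summaries gloss over: escaping must match the output context (HTML body versus attribute versus URL), and escaping cannot neutralize a javascript: URL, which has to be rejected by scheme allow-listing instead. For database writes, bound parameters replace escaping altogether.

```python
import html
import re
from urllib.parse import quote, urlsplit

# Golden rule 1: filter input against an allow-list and reject what does not match.
# (Assumed policy: 3-32 chars of [A-Za-z0-9_].)
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def filter_username(raw: str) -> str:
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


# Golden rule 2: escape output at the point of output, for the right context.
def render_comment_unescaped(author: str, body: str) -> str:
    """The vulnerable form: user text is spliced straight into HTML."""
    return f'<p class="c"><b>{author}</b>: {body}</p>'


def render_comment_escaped(author: str, body: str) -> str:
    """HTML body context: &, <, > (and quotes) become entities."""
    return f'<p class="c"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


def render_profile_link(label: str, username: str) -> str:
    """URL path segment inside an attribute: percent-encode, then HTML-escape."""
    path = quote(username, safe="")
    return f'<a href="/u/{html.escape(path, quote=True)}">{html.escape(label)}</a>'


def safe_href(url: str) -> str:
    """Escaping cannot fix a javascript: URL; allow-list the scheme first."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return html.escape(url, quote=True)


def looks_like_active_content(rendered: str) -> bool:
    """Cheap check used by the tests: is there an un-neutralized script tag?"""
    return "<script" in rendered.lower()
```

Using `fullmatch` rather than `match` matters: a pattern anchored only at the start would accept `alice<script>` once the `$` anchor is forgotten, and `$` itself still permits a trailing newline.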
Access Tips: Access and SQL Part 4 - Building Select Queries On-the-Fly - quest2900
This document discusses building select queries dynamically in Microsoft Access using VBA and SQL. It describes creating a stored query, building a dialog box to collect user criteria, and writing code to generate a SQL statement based on the user's selections. The code declares variables, builds the SQL by concatenating strings representing the criteria values, and tests the generated SQL by printing it to the Immediate window or displaying in a message box. The goal is to create a flexible multi-purpose query tool allowing users to filter data without knowledge of Access or SQL.
What's old is what's new - or has never really been fixed yet. Web developers still don't get that client-side security is no security at all. Presentation given at the SyScan Hong Kong conference.
MySQL is a ubiquitous open source database, but do you know how to make it secure? This talk from the 2022 Texas Cyber Summit shows how to do just that. Make sure your data and database are secure.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend JavaScript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
SQL injection is a common web application security vulnerability that allows attackers to control an application's database by tricking the application into sending unexpected SQL commands to the database. It works by submitting malicious SQL code as input, which gets executed by the database since the application concatenates user input directly into SQL queries. The key to preventing SQL injection is using prepared statements with bound parameters instead of building SQL queries through string concatenation. This separates the SQL statement from any user-supplied input that could contain malicious code.
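The summary above, and the SQL injection document near the top of this list (finding the column count, then table and column names), describe a UNION-based extraction; the Access/VBA tip further up builds its query by exactly the string concatenation that makes it possible. The following is an added example, not code from any of those documents, that runs the attack against a constructed SQLite database and then shows the same input failing against a bound-parameter query. The table names, rows and the `-- ` comment terminator are assumptions for the demonstration; the schema-enumeration step uses SQLite's `sqlite_master`, so it would need the equivalent catalog view on another engine.

```python
import sqlite3


def make_db():
    """Constructed sample data: a users table and a table the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO users VALUES (2, 'bob',   'bob@example.test');
        CREATE TABLE api_keys (id INTEGER, owner TEXT, key TEXT);
        INSERT INTO api_keys VALUES (1, 'alice', 'sk-constructed-0001');
    """)
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the attacker's text becomes part of the SQL grammar."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Bound parameter: the value travels separately and is never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe_column_count(conn, max_cols=10):
    """Step 1: ORDER BY n errors once n exceeds the SELECT's column count."""
    for n in range(1, max_cols + 1):
        try:
            find_user_vulnerable(conn, f"x' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def _union_payload(select_cols, table, where=""):
    """Build 'x' UNION SELECT ... -- ' with the right number of columns."""
    cols = ", ".join(select_cols)
    return f"x' UNION SELECT {cols} FROM {table} {where} -- "


def dump_schema(conn, ncols):
    """Step 2: UNION against the catalog to learn table names and their DDL."""
    cols = ["name", "sql"] + ["NULL"] * (ncols - 2)
    rows = find_user_vulnerable(conn, _union_payload(cols, "sqlite_master",
                                                     "WHERE type = 'table'"))
    return [(name, ddl) for name, ddl, *_ in rows]


def dump_api_keys(conn, ncols):
    """Step 3: with the column names known, pull the data the app never meant to show."""
    cols = ["owner", "key"] + ["NULL"] * (ncols - 2)
    rows = find_user_vulnerable(conn, _union_payload(cols, "api_keys"))
    return [(owner, key) for owner, key, *_ in rows]
```

The probe in step 1 works because the database reports the ORDER BY error before returning anything; on engines that suppress error details, the same information leaks through timing or through `UNION SELECT NULL, NULL, ...` succeeding or failing. None of these steps get past `find_user_safe`: the whole payload is compared, as a literal string, against the `username` column.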
The document provides an overview of JavaScript including:
- Key differences between JavaScript and Java
- Common uses of JavaScript like form validation, page effects, and content manipulation
- Examples of JavaScript code for adding numbers, handling browser events, and manipulating page elements
- Methods for numbers, strings, and the Math object
- Exception handling and pop-up boxes in JavaScript
The presentation is on Persistent Cookies and LDAP Injection. Persistent cookies stay on your hard drive (one of your browser's subfolders) until they expire or get deleted. The session will cover introduction to Persistent Cookies and applicable test-cases with respect to Web Application Penetration Testing. In LDAP Injection section, the presentation will cover: Understanding Active Directory, Understanding LDAP and How does LDAP Injection work.
This document discusses JavaScript and its popularity. JavaScript is one of the core languages used to build dynamic web applications. It has enabled features like Google Maps that provide dynamic and interactive experiences to users. JavaScript's cross-platform compatibility allows developers to write code once that runs on different operating systems. It is also used for server-side programming with Node.js. Popular frameworks like React and Angular are built with JavaScript. Overall, JavaScript has become very popular due to its ability to create rich and engaging user interfaces across different platforms and devices.
This document discusses information systems analysis and prototyping. It begins with an agenda that covers defining prototyping, the need for it, types of prototypes, prototyping as a methodology, user interface prototyping, and advantages and disadvantages. It then defines prototyping and discusses the need for it to explore problems and solutions with stakeholders. Various types of prototypes are covered, including throwaway, evolutionary, low-fidelity, and high-fidelity. Prototyping is presented as a methodology involving preliminary designs and refinements. The document concludes with risks of prototyping and key learnings around using prototypes to understand requirements and evolve systems.
The document discusses the OWASP Software Assurance Maturity Model (SAMM) which provides a framework for organizations to improve their application security practices. SAMM defines security practices across various stages of the development lifecycle. It establishes maturity levels for each practice to guide organizations from an initial to comprehensive approach. SAMM includes assessment worksheets, roadmap templates, and other resources to help organizations measure their maturity and develop a phased plan to strengthen security.
The document discusses access control and authorization in distributed systems. It introduces role-based access control (RBAC) as a promising approach. RBAC separates the administration of principals and roles from the specification of authorization policy in terms of roles. This allows authorization policy to be expressed independently of changes to principal membership. RBAC also facilitates inter-domain authorization by allowing roles to span domains. The document presents an example RBAC implementation using the OASIS framework that specifies role activation and authorization policies using rules. It also discusses engineering role certificates and maintaining credential state to support RBAC in a distributed environment.
The document discusses validating all inputs to prevent cross-site scripting (XSS) attacks. It introduces the OWASP HTML Sanitizer Project, which is a Java library that sanitizes HTML to allow untrusted user input to be safely embedded in web pages. The sanitizer removes malicious code while keeping desired markup, through a policy-based approach. Sample usages demonstrated validate specific elements like images and links. The project aims to protect against XSS while allowing third-party content through a tested, securely-designed library.
The document provides information on coding techniques and best practices for variable declarations and naming. It discusses data types, initializing variables, variable scope, naming conventions, and the Hungarian notation naming convention. The key points are:
- Variables should be declared close to where they are used and initialized immediately to avoid errors from unintended values.
- Variable names should be descriptive yet concise to indicate what they represent and avoid confusion. Naming conventions can help with readability and consistency.
- The Hungarian notation convention prefixes variable names with abbreviations to indicate their type, scope, and other properties to make their purpose clear at a glance.
This document discusses defensive programming techniques of assertions and parameter checking. Assertions allow programmers to explicitly check assumptions in code through boolean conditions. If an assertion fails, it throws an error. Parameter checking validates function parameters are valid, either through assertions or throwing exceptions if invalid. Both help avoid bugs by detecting errors early.
This document provides an overview of the requirements analysis process. It explains that requirements come from both business and technical perspectives and describe what the system must do and how it will be implemented. Various techniques for gathering requirements are discussed, including interviews, documentation analysis, questionnaires, observation, and prototyping. The importance of user involvement and properly documenting requirements is also covered.
The document provides an overview of a lecture on system analysis and design (SAD). It introduces SAD processes and approaches, including structured analysis, design, and programming as well as object-oriented analysis and design. Key concepts covered include objects, classes, encapsulation, inheritance, and polymorphism in the object-oriented approach.
This document covers topics in requirements engineering including functional and non-functional requirements, the software requirements document, requirements specification, and requirements processes. It defines requirements engineering as establishing customer services and system constraints. Requirements can range from abstract to detailed specifications and serve both bidding and contractual purposes. User requirements use natural language while system requirements provide structured descriptions. Functional requirements define system services and behaviors while non-functional requirements constrain timing, standards, and processes.
The document provides information on modeling business processes using activity diagrams. It discusses the key elements and notation of activity diagrams including activities, transitions, start/final states, decisions, swimlanes, and parallel activities. Guidelines are provided for creating activity diagrams such as setting the context, identifying activities and organizing them in order, adding decisions, object flows, prospects for parallelism, and swimlanes. An example activity diagram for a dentist office system is described and guidelines are given for developing the diagram and associated use case descriptions.
This document provides an overview of use case modeling. It defines what use cases are, how they are created, and the elements that comprise them. Use cases describe the functional requirements of a system from the perspective of an actor. They are developed through user interviews and documentation analysis to understand how users interact with the system. Use cases are then written as text descriptions and organized visually in a use case diagram to show relationships between use cases and actors.
Presentation Use Case Diagram and Use Case Specification.pptx (azida3)
The use case diagram models the interactions between a Customer and an ATM machine. The Customer can perform the use cases of Logging In, Making a Withdrawal, Checking Balance, and Depositing Funds. The ATM machine facilitates these use cases.
The document provides an overview of a module on system analysis and design (SAD). It discusses the structured approach to SAD using techniques like data flow diagrams, entity relationship diagrams, and structure charts. It also covers the object-oriented approach, defining key concepts like objects, classes, encapsulation, inheritance, and polymorphism. The structured approach models the problem as a set of functions, while the object-oriented approach models the real world and subdivides problems based on objects.
2. www.drfrostmaths.com
Everything is completely free. Why not register?
Registering on the DrFrostMaths platform allows you to save all the code and progress in the various Computer Science mini-tasks. It also gives you access to the maths platform, allowing you to practise GCSE and A Level questions from Edexcel, OCR and AQA.
With Computer Science questions by:
Your code on any mini-tasks will be preserved.
Note: The Tiffin/DFM Computer Science course uses JavaScript as its core language. Most code examples are therefore in JavaScript.
Using these slides: Green question boxes can be clicked while in Presentation mode to reveal.
Slides are intentionally designed to double up as revision notes for students, while being optimised for classroom usage. The Mini-Tasks on the DFM platform are purposely ordered to correspond to these slides, giving you flexibility over your lesson structure.
3. What problems might occur in our program?
Suggest problems that might occur either in the development of code or problems when the code is running.
Dodgy data input from the user, e.g.
• Unexpected characters.
• Data not in the expected format.
• Inserting JavaScript code that then subsequently runs on the page!
• Hijacking SQL queries (we'll see this in a sec).
Badly structured/unreadable code.
• Fellow programmers unable to maintain your code.
• Lack of 'commenting'.
• Repeated code, meaning that changes to one instance might not be replicated in the other.
Runtime errors.
• Errors can potentially bring down the entire system! (and subsequently require restarting)
• Often a result of an unexpected situation.
Defensive design therefore in general is attempting to:
• Avoid users unintentionally or intentionally exploiting your system.
• Keep code well-maintained.
• Minimise bugs in your code.
4. Input Validation vs Sanitisation
Often we need to check whether the input from a user is what we expect.
Input Validation: Checking the data meets certain criteria.
Input Sanitisation: Cleaning up the data to remove any unwanted characters.
This is the student registration page for DrFrostMaths.
Data Validation: First name and surname must be entered.
Data Sanitisation: I remove any HTML students attempt to insert into their name.
Data Sanitisation: I also get rid of any space characters before or after the name, as this otherwise causes problems later when trying to search for that person.
Data Validation: Email must be in a valid format, e.g. have characters before and after a @ and at least one dot after the @.
Data Validation: The two passwords must match.
5. Types of Input Validation
Range check: e.g. between 1 and 100.
Presence check: was the value entered?
Check digit: (we will see this when we cover 'bits').
Format check: e.g. a valid email or date.
Lookup table: one of a restricted set of values.
Length check: e.g. between 5 and 15 characters.
Note: to be safe, data should be checked both on the client end (where the data is entered) and the server end (where the data might be entered into a database). Without the latter check, it's possible a 'rogue client' might be able to input invalid data directly to the server end, bypassing your client-end validation checks.
6. The importance of sanitising database inputs
Source: www.xkcd.com
How could this break your system?
• Suppose your user entered their name and you wanted to insert this as a row in your "Students" table, by appending strings together:
"INSERT INTO Students VALUES ('" + name + "')"
• But suppose the student entered their name as "Robert'); DROP TABLE Students; --"
• The resulting SQL query would be:
"INSERT INTO Students VALUES ('Robert'); DROP TABLE Students; --"
• This dodgy value finishes the INSERT query, then deletes the entire Students table. The -- is to comment out any SQL that might have appeared after.
• The solution is to use a parameterised query (a 'prepared statement'), which protects against this kind of attack, known as SQL injection. We instead use "INSERT INTO Students VALUES (?)", replacing our values with ?, and then use proper database library methods to 'inject' the query with our values, so that they are treated as data rather than as SQL.
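As an added example (not DrFrostMaths code), the two versions of the INSERT above side by side, with a small tokeniser standing in for the database's parser so you can see how many statements each version hands to the server; no real database is involved, and the hostile name is the one from the slide.

```javascript
// Added example: string concatenation versus a parameterised query.
// The unsafe version from the slide: the name is pasted into the SQL text.
function unsafeInsert(name) {
  return "INSERT INTO Students VALUES ('" + name + "')";
}

// The parameterised version: the SQL text never changes, and the value is
// handed to the database driver separately, so it can only ever be a value.
function safeInsert(name) {
  return { sql: "INSERT INTO Students VALUES (?)", params: [name] };
}

// Split a SQL string into statements the way a parser would: a ';' outside
// a quoted literal separates statements, and '--' starts a comment that
// runs to the end of the line. Returns the list of statement texts.
function splitStatements(sql) {
  const statements = [];
  let current = "";
  let inQuote = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inQuote) {
      current += c;
      if (c === "'") {
        if (sql[i + 1] === "'") { current += "'"; i++; } // doubled quote ''
        else inQuote = false;
      }
    } else if (c === "'") {
      inQuote = true;
      current += c;
    } else if (c === "-" && sql[i + 1] === "-") {
      while (i < sql.length && sql[i] !== "\n") i++; // skip the comment
    } else if (c === ";") {
      if (current.trim()) statements.push(current.trim());
      current = "";
    } else {
      current += c;
    }
  }
  if (current.trim()) statements.push(current.trim());
  return statements;
}

// Constructed input: the name from the slide.
const hostileName = "Robert'); DROP TABLE Students; --";

console.log(splitStatements(unsafeInsert(hostileName)));
// two statements: the INSERT, then DROP TABLE Students
console.log(splitStatements(safeInsert(hostileName).sql));
// one statement; the hostile text is only the bound parameter value
```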
7. The importance of sanitising web comments
When user input is displayed on a webpage, a common hijacking technique is to put JavaScript code in your comment. This means when your comment gets displayed on the page, the JavaScript code runs!
One commenter used: <script>document.body.innerHTML = "";</script> as their name on an Edexcel GCSE Predicted Paper resource. This completely blanked out the page, preventing anyone accessing the resource until I spotted it an hour later!
A simple solution is to use stripHTML(str), which removes any HTML and JavaScript from the input. But while I had anticipated this for the comment itself, I forgot to strip it from the commenter's name…
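As an added example (not the DrFrostMaths stripHTML function), one way to make a comment safe to display: rather than trying to remove tags, escape the characters HTML treats specially, and apply it to every user-controlled field, the name included, since that was the field missed in the incident above.

```javascript
// Added example: output encoding for user-supplied text shown in HTML.
function escapeHTML(str) {
  return String(str)
    .replace(/&/g, "&amp;")   // must come first, or later entities get re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the comment's HTML. Both the name and the body pass through
// escapeHTML, so neither can close the <b> or introduce a <script>.
function renderComment(name, body) {
  return '<div class="comment"><b>' + escapeHTML(name) + "</b>: " +
         escapeHTML(body) + "</div>";
}

// True if any user-supplied text survived as a raw tag (a self-check).
function containsRawTag(html, userText) {
  return html.includes(userText);
}

// Constructed input: the name used in the incident described on the slide.
const hostileName = '<script>document.body.innerHTML = "";</script>';
const html = renderComment(hostileName, "Great paper, thanks!");
console.log(html);
// The browser now displays the script tag as literal text instead of running it.
console.log(containsRawTag(html, "<script>")); // false
```

Escaping like this is right for text placed between tags; text placed inside an attribute, a URL or a script block needs the encoding for that context instead.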
8. Input Validation in JavaScript
How might we do each of the following checks in JavaScript, on an input x?
var x = prompt("Enter a value");
Was a value entered?
if(!x) alert("No input entered");
Note that empty strings (""), when cast to a Boolean, give a value of false.
Was "bob", "mike" or "dave" entered?
if(["bob","mike","dave"].indexOf(x) == -1) alert("…");
Was the number in range 100 to 200?
var n = Number(x);
if(n < 100 || n > 200) alert("Number not in range 100-200");
Was the length of the input at most 10 characters?
if(x.length > 10) alert("Value too long");
9. Harder Ones :: Input Validation in JavaScript
Here's some further ones you would not be expected to reproduce in an exam!
var x = prompt("Enter a value");
Was the value a valid date format?
if(!/\d\d\/\d\d\/\d\d\d\d/.test(x)) alert("Invalid date format");
Regular expressions are an advanced way of matching strings which fit a specified pattern. In JavaScript we put these between forward slashes: / … /
\d means 'any single digit'. We want \d\d/\d\d/\d\d\d\d. But because "/" denotes the end of the regular expression, we need to 'escape' the /s by adding a backslash in front of them. This tells the code that the character immediately after is a symbol we want to use rather than a special character. The test function sees whether x matches the regular expression.
Valid email address format?
var re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
if(!re.test(x)) alert("Invalid email");
This is a much more complicated regular expression. It is a standard pattern that can be easily found on the internet.
10. Input Sanitisation in JavaScript
And how about cleaning up data by removing unwanted characters?
var x = prompt("Enter a value");
x = x.trim();
Remove any whitespace characters (e.g. spaces) from the ends of the string (e.g. so "Jamie " becomes "Jamie").
var filename = prompt("Enter a filename to save as.");
filename = filename.replace(/@/g, "");
Filenames are not allowed to contain an @ symbol, so remove it. (replace with a plain string as its first argument only replaces the first occurrence; the regular expression with the g flag replaces every one.)
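As an added example (not DrFrostMaths code), the checks from slides 8 to 10 written as functions that return true or false, so the same code can run on the client and again on the server. Each one handles an edge case the one-line version misses: Number("abc") is NaN, which is neither below 100 nor above 200, so the range check on slide 8 lets it through; the date pattern without ^ and $ matches "xx31/12/2024yy"; and replace with a string argument removes only the first @.

```javascript
// Added example: reusable validation and sanitisation functions.

// Presence check: reject missing values and strings that are only whitespace.
function isPresent(x) {
  return typeof x === "string" && x.trim().length > 0;
}

// Lookup-table check: exact match against the allowed values.
function isOneOf(x, allowed) {
  return allowed.indexOf(x) !== -1;
}

// Range check. NaN compares false against everything, so "if(n<100 || n>200)"
// never fires for non-numeric input; test for NaN explicitly. Number("") and
// Number("  ") are 0, so the empty string is rejected too.
function inRange(x, low, high) {
  const s = String(x).trim();
  const n = Number(s);
  return s !== "" && !Number.isNaN(n) && n >= low && n <= high;
}

// Length check.
function lengthAtMost(x, max) {
  return x.length <= max;
}

// Date format check, anchored with ^ and $ so the whole input must match
// dd/mm/yyyy, followed by a check that the digits form a real calendar date.
function isValidDate(x) {
  const m = /^(\d\d)\/(\d\d)\/(\d\d\d\d)$/.exec(x);
  if (!m) return false;
  const day = Number(m[1]), month = Number(m[2]), year = Number(m[3]);
  const d = new Date(Date.UTC(year, month - 1, day));
  return d.getUTCFullYear() === year && d.getUTCMonth() === month - 1 &&
         d.getUTCDate() === day;
}

// Sanitisation: trim both ends and remove every '@'.
function cleanFilename(name) {
  return name.trim().replace(/@/g, "");
}

// Constructed inputs.
console.log(inRange("abc", 100, 200));     // false (the one-liner would accept it)
console.log(isValidDate("31/02/2024"));    // false (not a real date)
console.log(cleanFilename(" my@file@.txt ")); // "myfile.txt"
```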
11. Authentication
Authentication is the process of confirming the identity of the user. This is typically done with usernames and an associated password.
Passwords on DrFrostMaths are not stored in their original form, but in encrypted form, just in case, hypothetically, anyone were to break into the database.
One popular encryption function is md5, which puts the string into a coded form. It's intended to be a one-way process, so that it's difficult to recover the original string. For example:
md5("Pythagoras") → "d9af1fd83c9a1c30a7cc38c59acb31d7"
Try it here: www.md5online.org
When someone logs in, the input password is encrypted in the same way and checked against the encrypted password in the database:
Password from registration → md5 → Equal? ← md5 ← Password when logging in
12. Authentication
It's possible to password protect online directories, such that the user is directly prompted for a username and password by the browser rather than through a webpage. There are a few sensitive pages on DFM which use such authentication.
To set this up just put a file with the filename ".htaccess" within a directory on your web server. There are various online tutorials which outline what to put in this file.
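As an added example (not DrFrostMaths' own file), a minimal .htaccess that makes Apache ask the browser for a username and password before serving the directory; the .htpasswd path is a placeholder. The directory needs AllowOverride AuthConfig (or All) in the server configuration for the file to be honoured, and because Basic authentication sends the credentials merely base64-encoded, the directory should only be served over HTTPS.

```apache
# Added example: browser-prompted password protection for one directory.
AuthType Basic
AuthName "Restricted area"
# Placeholder path: keep the password file outside the web root.
AuthUserFile /var/www/private/.htpasswd
Require valid-user
```

Create the password file with Apache's htpasswd tool, e.g. htpasswd -c /var/www/private/.htpasswd username (drop -c when adding further users to an existing file).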
13. Verifying an email
If a user supplies an email address when they register, there are generally two options:
• Require that the user clicks an 'activation URL' within an automated email in order to make their account active. Because the activation URL contains a passcode that is only communicated via email, it ensures that the email address registered with belongs to the user.
• Many sites allow you to start using the site straight away after registering, as users often want to be able to access a service immediately without requiring further activation (i.e. authentication can be a deterrent). Sometimes functionality is limited until their account is activated, even if they're already logged in.
An early security flaw in the DrFrostMaths registration process for teachers was that accounts approved (by myself) didn't subsequently have to be activated by email. A student then exploited the process as follows:
#1 Student registered as a teacher, using a made-up teacher-looking email address.
#2 Student then waited a few days in the hope I'd approve the account.
#3 Student then able to log in as a teacher at their school, despite their email address not existing!
14. Writing Nice Code
Most of the code on DrFrostMaths is largely uncommented, because I'm the only person who has access to it! But were I to collaborate with anyone else, it would be essential to make my code consistently clear about what it is doing to other coders, and to prevent them from accidentally doing something they shouldn't.
Strategies
Code comments: Can be used to explain functions, blocks of code, the purpose of variables/constants or even what individual lines of code do.
// Mario's current position.
var pos = {x: 30, y: 50};
Indentation: Makes the flow of your program clear by using an appropriate amount of spacing at the start of each line.
while(x > 4) {
    if(x%2==0) {
        x = x / 2;
    } else {
        x = x + 1;
    }
}
Helpful naming of functions and variables: e.g. isPrime for a function name makes clear it returns a Boolean value.
Correct scope of variables: Recall that scope is the parts of your program where a declared variable can be used. You shouldn't for example make a variable 'global' unless you need to make it accessible in every part of your program.
Constants vs Variables: Use constants when you don't want another coder to accidentally change its value somewhere in the code.
15. Criticise Dr Frost's Code
Here's some code I adapted for my DFM algebra libraries. I'll let you work out what it might do! But identify ways in which my code is helpful or unhelpful to other coders…
You might be able to tell from the function name that it converts floats/reals to fractions, e.g. 0.4 ⇒ 2/5, but a comment before this line explaining its purpose, and what the inputs are, would have been helpful; why the 'tolerance'?
What on earth are these variables?! Unhelpful variable names!
For loops it would be helpful to describe overall what happens on each iteration of the loop. The code uses something called continued fractions (I have a poster on this here: https://www.drfrostmaths.com/resource.php?rid=293 ).
We should make clear, via commenting, what we expect the function to output.
16. Coding Mini-Tasks
Return to the DrFrostMaths site to complete the various mini-coding tasks on defensive design.