SOFTWARE Flashcards

(74 cards)

1
Q

Data protection

A

safe from unauthorised access, manipulation, or theft

2
Q

encryption

A

Encrypting data at rest (in storage) and in transit (while being transferred over the network) ensures that even if a hacker intercepts the data, they cannot read it without the encryption key. Sensitive user data is encrypted before being stored in the database, ensuring security even if the database is compromised.

3
Q

confidentiality

A

Encrypting data at rest (in storage) and in transit (while being transferred over the network) ensures that even if a hacker intercepts the data, they cannot read it without the encryption key. Sensitive user data is encrypted before being stored in the database, ensuring security even if the database is compromised.

4
Q

integrity

A

Software protects data integrity by preventing unauthorized modifications or tampering. Integrity is maintained through data validation and integrity checks so that data remains accurate and reliable.

5
Q

Types of cyber attacks to talk about

A

Malware infections, ransomware incidents, phishing scams, and other malicious activities that disrupt operations and compromise data integrity. Common types of cyber attacks include phishing, Denial of Service (DoS), malware, SQL injection, cross-site scripting (XSS), and Distributed Denial of Service (DDoS).

6
Q

Regulatory compliance

A

GDPR and Australian Privacy Act
A company must notify users within 72 hours of a data breach under GDPR.

7
Q

Software development process

A

requirements definition

determining specifications

design

development

integration

testing and debugging

installation

maintenance

8
Q

Describe how the capabilities and experience of end users influence the secure design features of software (DOT)

A

Users with low technical knowledge:
May need automatic security features (e.g., auto-updates, enforced strong passwords).

Require simple and clear security messages.

Advanced users:
Prefer customizable security settings.

May need role-based access control (RBAC) to configure permissions.

9
Q

Expanding on previous point

A

Clueless Users
Have little to no understanding of security principles.

Tend to prioritize convenience over safety (e.g. reusing passwords, ignoring warnings).

Are more likely to fall for phishing or social engineering attacks.

Force designers to implement user-friendly, idiot-proof security features, like automatic updates or password strength checks.

Rely heavily on default settings and rarely change configurations.

Advanced Users
Have strong security awareness and technical knowledge.

Understand concepts like encryption, phishing, and permissions.

Use secure practices (e.g. unique passwords, VPNs, MFA, firewalls).

Expect control and customization in their systems — they want to configure their own security.

Provide useful feedback to improve secure design, since they recognize weaknesses.

10
Q

Usability vs Security Balance

A

Too much security can make software frustrating to use.

Too little security increases risk.

A banking app should use multi-factor authentication (MFA) for extra security but also provide biometric authentication (fingerprint, face recognition) for ease of use.

11
Q

integrity

A

Guarantees that data remains accurate and unaltered unless modified by an authorised user.

Common techniques include checksums, hashing, and digital signatures.

12
Q

Hashing

A

Hashing converts data into a fixed-length string (a hash) that cannot be reversed to find the original data, using algorithms such as SHA-256 or bcrypt.

13
Q

Salts

A

A salt is a random value added to the password before hashing. It ensures that even if two users have the same password, their hashes will be different.

14
Q

Availability

A

Ensures that software and data are accessible when needed.
Protects against denial-of-service (DoS) attacks, system failures, and data loss.

Implemented through redundancy, backups, and load balancing.

Example: A cloud service provider uses multiple data centres to keep services running even if one fails.

15
Q

Authorisation

A

Controls what actions users are allowed to perform based on their roles.

Uses role-based access control (RBAC) and least privilege principles.

Prevents users from accessing data and functions they do not need.

16
Q

Accountability

A

Ensures that actions within a system can be traced back to a responsible party.

Implemented through audit logs, tracking changes, and forensic analysis.

Helps with investigating security incidents and enforcing policies.

Example: A security log records login attempts, showing timestamps and user IDs.

17
Q

Cryptography

A

Protects sensitive data using encryption algorithms.

Ensures data integrity and authenticity with digital signatures and certificates.

Securely transmits data over networks using TLS and SSL protocols.

Example: HTTPS encrypts web traffic between a browser and a server to prevent interception.

18
Q

Sandboxing

A

Restricts applications from accessing system resources beyond their scope.

Prevents malware from affecting the rest of the system.

Used in web browsers, mobile apps, and virtual environments.

Virtual computers are a form of sandboxing because they create isolated, controlled environments that separate software from the host operating system.

19
Q

Privacy By Design

A

Secure authentication is implemented before software deployment.

Privacy should be a default setting (e.g., opt-in data sharing, secure defaults).

Ensure data encryption, anonymisation, and strong access controls are standard.

Example: A social media platform making private accounts the default.

Allow users control over their data (e.g., account deletion, data access requests).

Ensure clear, transparent policies on data collection and usage.

Example: A website allowing users to download and delete their data easily.

20
Q

Code Review

A

Peer review of code to detect security issues before deployment.

Helps identify logic errors, security flaws, and inefficiencies.

Example: A developer submits a pull request in GitHub, where another team member reviews and suggests improvements before merging.

22
Q

SAST

A

Static Application Security Testing (SAST) is a method of analyzing an application’s source code to find security vulnerabilities without executing the program. This white-box testing technique identifies security flaws like SQL injection or buffer overflows early in the development lifecycle, allowing developers to fix them before the software is deployed.

23
Q

DAST

A

Dynamic application security testing (DAST) is a method for identifying application vulnerabilities by attacking a running application from the outside, like a malicious user. This “black-box” testing approach uses automated tools to simulate attacks to find issues such as SQL injection and cross-site scripting, which are only revealed when the application is in operation.

24
Q

Penetration Testing

A

A simulated cyberattack where security experts (ethical hackers) try to exploit vulnerabilities in a system, network, or app — just like real attackers would. Helps prevent unauthorized access, data breaches, and exploitation.

25
Vulnerability Assessment
A vulnerability assessment is the process of identifying, analyzing, and prioritizing security weaknesses in a system, network, or application before they can be exploited by attackers.
26
Input Validation
Prevents SQL injection, XSS, and buffer overflow attacks.
27
Error Handling
Prevents leakage of sensitive system information. Uses generic error messages instead of exposing system details. Example: Displaying “Invalid username or password” instead of “User not found” to prevent user enumeration attacks.
28
Secure API Development
APIs must be designed to prevent unauthorised access and reduce vulnerabilities. Use authentication and authorisation (e.g., OAuth, JWT). Validate API inputs to avoid injection attacks. Rate-limit requests to prevent denial-of-service attacks. Example: An API key and OAuth token are required to access a payment gateway securely.
29
Memory Management
Memory management ensures that a program safely allocates and frees memory to prevent issues like buffer overflows, memory leaks, or use-after-free errors.
30
Session Management
Session management controls how users stay logged in and interact securely with a system. It involves generating random, unique session IDs, storing them safely (e.g., using Secure and HttpOnly cookies), and invalidating them on logout or timeout. Good session management prevents attacks like session hijacking or fixation. Ensures user sessions are secure and expire after inactivity. Uses secure cookies and tokens.
31
Exception Management
Exception management handles unexpected errors in a controlled way without exposing sensitive system details. Instead of showing debug info or stack traces to users, errors are logged securely for developers. An app uses try-except to handle unexpected failures gracefully.
32
Broken Authentication and Session Management
Ensures passwords are stored securely using hashing. Uses MFA and session expiration policies. Example: Users must verify identity with an SMS code before accessing sensitive account details.
33
XSS (Cross-Site Scripting)
XSS happens when an attacker injects malicious JavaScript into a trusted website. When other users visit that site, the script runs in their browser, letting the attacker steal cookies, session tokens, or even modify the page content. To prevent XSS, always sanitize and encode user input, use Content Security Policy (CSP), and avoid directly injecting user data into HTML.
34
CSRF (Cross-Site Request Forgery)
CSRF tricks a logged-in user into unknowingly sending a malicious request to a website where they’re authenticated. For example, clicking a fake link could transfer money from their bank account if their session is still active. To prevent CSRF, use anti-CSRF tokens, enforce same-site cookies, and verify the Origin/Referer headers for sensitive actions.
35
Content security policy
CSP is a browser security feature that helps stop attacks like XSS (Cross-Site Scripting) by controlling what content (such as scripts, images, or styles) a webpage is allowed to load and run.
36
Invalid Forwarding and Redirecting
This vulnerability occurs when a web application redirects or forwards users to another URL without properly validating user input. Attackers can exploit this by tricking users into visiting malicious websites through what looks like a legitimate link from a trusted domain.
37
Race conditions
A race condition is when two or more processes or threads try to access or modify shared data at the same time, and the final result depends on the timing of how they run. For instance, if there’s only one product left, both users’ requests to buy it are processed nearly simultaneously. Each thread reads quantity = 1, both pass the availability check, and each executes an UPDATE query decrementing the stock to 0, resulting in a final state of -1. Prevent race conditions by using locks or synchronisation mechanisms to control access to shared resources, ensuring only one thread can access them at a time.
38
File Attacks
These happen when a hacker tricks a system into opening, uploading, or running files it shouldn’t. For example, using path tricks like ../../ to access hidden files, uploading dangerous scripts, or including files from untrusted sources. To stop this, apps should check file names, limit what types can be uploaded, store files securely, and never run user-uploaded files.
39
Side Channel Attacks
These attacks steal information by observing how a system behaves rather than breaking its code. For example, measuring how long a login takes to guess a password or watching power or CPU usage to find encryption keys. They can be prevented by writing code that runs in constant time, adding randomness to calculations, and keeping sensitive processes isolated from others.
40
DevOps
DevOps combines software development and IT operations to speed up the process of building, testing, and deploying apps. It focuses on automation, continuous integration/delivery (CI/CD), and team collaboration to make software updates faster, more reliable, and easier to maintain.
41
Robotic Process Automation
RPA uses software bots to automate repetitive, rule-based tasks — like data entry, form filling, or invoice processing — without changing existing systems. It mimics human actions on a computer to save time and reduce errors. Example: A bot automatically reads invoices from emails, extracts key details (like amount and date), and enters them into an accounting system.
42
Business Process Automation
BPA is broader than RPA: it automates entire workflows or processes across departments, not just small tasks. It focuses on improving efficiency, consistency, and decision-making by integrating automation into the overall business. Example: When a new employee is hired, the system automatically creates their accounts, sends a welcome email, assigns training modules, and sets up payroll.
43
Artificial Intelligence
AI is the bigger concept — it’s all about making computers behave like humans. That means thinking, reasoning, understanding language, solving problems, and even being creative. AI systems can be rule-based (following programmed logic) or learning-based. Example: Chatbots, self-driving cars, or a voice assistant like Siri — all are AI because they try to act “smart.”
44
Machine Learning
ML is a subset of AI — it’s how machines learn from data instead of being manually programmed. You feed the machine tons of data, and it uses statistical methods to find patterns, make predictions, or improve performance over time. Example: Netflix learning your watch habits to recommend shows, or spam filters learning what emails are junk.
45
Supervised Learning
The model learns from labeled data. Input-output pairs are provided during training. Example: Spam email classification (Emails labeled as spam or not spam).
46
Unsupervised Learning
The model learns patterns and relationships from unlabeled data. Used for clustering and anomaly detection. Example: The algorithm groups customers with similar habits without being told what the groups are.
47
Semi Supervised Learning
Combines a small amount of labeled data with a large amount of unlabeled data. Useful when labeling data is expensive or time-consuming. Example: You label a small set of emails as spam or not spam, the model learns from those, then uses unlabeled emails to improve its accuracy.
48
Reinforcement Learning
The model learns by trial and error and receives rewards or penalties. Used in robotics, gaming, and self-driving cars. Example: A robot learning to navigate an environment by receiving positive reinforcement for correct moves.
49
Data Analysis and Forecasting
ML models predict future trends based on historical data. Used in stock market predictions, weather forecasting, and sales forecasting. Example: A retail company uses ML to forecast demand for seasonal products.
50
Virtual Personal Assistants
AI-powered assistants like Siri, Alexa, Google Assistant use ML for natural language processing (NLP). They learn user preferences and improve interactions over time.
51
Decision Trees
A tree-like structure that breaks down a decision into smaller, simpler parts. Nodes represent decisions or splits based on input data. Used in classification and regression tasks. Example: Predicting whether a customer will buy a product based on age and income.
52
Neural Networks
Neural Networks (NN) simulate how the human brain processes information. Instead of a single equation, they use multiple layers of artificial neurons to extract patterns from data. Each neuron applies a mathematical function to its input and passes the result forward to the next layer.
Input Layer → Hidden Layer(s) → Output Layer
Input Layer: Accepts raw data.
Hidden Layers: Process and refine the data.
Output Layer: Generates a final prediction (e.g., "dog" vs "cat").
Used in image recognition, natural language processing, and self-driving cars.
53
Linear Regression
A supervised learning algorithm used for predicting continuous values. Fits a straight line to the data points. Example: Predicting house prices based on square footage.
54
Logistic Regression
Used for binary classification problems (e.g., yes/no, spam/not spam). Instead of a straight line, it produces an S-shaped curve (sigmoid function) that maps input values between 0 and 1. Example: Predicting whether an email is spam or not spam. Code Example: Predicting spam emails with logistic regression:
55
KNN
A classification algorithm that assigns a label based on the majority class of its nearest neighbors. Uses Euclidean distance to find the closest points. Works well for pattern recognition and recommendation systems. Example: Recommending movies based on a user’s past preferences.
56
Polynomial Regression
Polynomial regression is an extension of linear regression that can fit curved relationships by adding higher-degree polynomial terms. The equation looks like this:
\[ y = a + bx + cx^2 + dx^3 + \dots \]
57
Assess the impact of automation on the individual, society and the environment (DOT)
1. Safety of Workers
Example: Factory robots replacing humans in car manufacturing.
Positive: Reduces workplace injuries and fatigue from dangerous or repetitive tasks.
Negative: Job loss or reduced hours for manual laborers, leading to unemployment concerns.

2. People with Disability
Example: Voice-controlled devices and automated wheelchairs.
Positive: Increases independence, accessibility, and quality of life.
Negative: Expensive technology can create inequality — not everyone can afford it.

3. Nature and Skills Required for Employment
Example: Self-checkout machines replacing cashiers.
Positive: Faster service, fewer human errors, and lower business costs.
Negative: Loss of entry-level jobs and need for workers to retrain for more technical roles.

4. Production Efficiency, Waste, and the Environment
Example: Automated farming with irrigation and sensor systems.
Positive: Reduces resource waste, increases yield, and lowers environmental impact.
Negative: High setup costs and potential electronic waste from obsolete systems.

5. Economy and Distribution of Wealth
Example: AI trading systems and automated business operations.
Positive: Boosts productivity, profits, and economic growth.
Negative: Concentrates wealth among companies that own the tech, widening the gap between rich and poor.
58
Bias
Selection Bias: The training data does not represent the entire population.
Confirmation Bias: AI reinforces existing human biases in decision-making.
Historical Bias: Data reflects past inequalities (e.g., hiring discrimination in job applications).
Facial Recognition Bias: AI struggles to recognize faces of different ethnicities if the training data is not diverse.
Hiring Algorithms: AI tools used for hiring have been found to favor men over women due to past hiring data.
Loan Approval AI: AI models may reject loans unfairly if trained on biased financial records.
59
PWA
Web applications that function like native mobile/desktop apps. Offer offline access, push notifications, and responsive design.
60
Data Packets
Information sent across the internet is broken into small units (packets) for transmission. Each packet contains:
Header: Includes source/destination IP addresses and other control information.
Payload: The actual data being transmitted.
Footer: Signals the end of the packet.
61
Internet Protocol (IP)
Unique numerical identifiers assigned to devices for network communication. Two main versions:
IPv4: 32-bit addresses (e.g., 192.168.1.1).
IPv6: 128-bit addresses (e.g., 2001:db8::ff00:42:8329) for expanded internet capacity.
Example: A laptop connecting to a website uses its IP address to request data from the server’s IP.
62
Domain Name System (DNS)
Translates human-readable domain names (e.g., google.com) into IP addresses. Acts as an address book of the internet, mapping domain names to their respective servers. Example: When a user types facebook.com, the DNS finds the corresponding IP and directs the browser to Facebook’s servers.
63
What Are Ports and Why Are They Needed?
Ports are numerical identifiers used by protocols to determine where network traffic should be directed within a system. Each service on a device (e.g., a web browser, email client, or FTP program) communicates through a specific port. Ports ensure that multiple network applications can function simultaneously without interfering with one another. Example: A device can browse the web while receiving emails because web traffic uses port 443 (HTTPS), while email uses port 993 (IMAP).
64
Protocols
HTTP & HTTPS (Hypertext Transfer Protocol / Secure)
HTTP (port 80): Transfers web data in plaintext.
HTTPS (port 443): Uses SSL/TLS encryption for secure communication.
Example: A bank website uses HTTPS to protect login credentials from hackers.

TCP/IP (Transmission Control Protocol / Internet Protocol)
TCP: Ensures reliable, ordered data transmission by breaking data into packets and reassembling them.
IP: Handles addressing and routing of packets between devices.
Example: TCP ensures an email arrives intact, even if some packets take different routes.

DNS (Domain Name System)
Resolves domain names into IP addresses. Uses port 53 to query name servers.
Example: When visiting netflix.com, DNS servers find the corresponding IP address and return it to the browser.

FTP & SFTP (File Transfer Protocol / Secure File Transfer Protocol)
FTP (port 21): Transfers files between clients and servers but lacks security.
SFTP (port 22): Uses SSH encryption for secure file transfers.
Example: A web developer uploads a website’s files using SFTP to ensure secure transmission.

SSL & TLS (Secure Sockets Layer / Transport Layer Security)
SSL (deprecated) & TLS: Encrypts data to secure communications between clients and servers. Commonly used for secure login forms, payment gateways, and email encryption.
Example: Online banking websites use TLS encryption to protect financial transactions.

SMTP, POP3, & IMAP (Email Protocols)
SMTP (port 25, or 587 for encryption): Sends outgoing emails.
POP3 (port 110): Downloads emails from a server to a local device and then removes the emails from the server. This is an older way of doing things; it made more sense when server space was more expensive and households usually only had one computer.
IMAP (port 143, or 993 for encryption): Keeps emails stored on the server while syncing multiple devices.
Example: Gmail uses IMAP to allow users to access their email from multiple devices while keeping messages on the server.
65
Secure Sockets Layer (SSL) Certificates
SSL/TLS certificates encrypt data transmitted between a client (browser) and a server, preventing eavesdropping. Websites with HTTPS use SSL/TLS to ensure secure transactions.
Example: A user logging into an online banking website with an HTTPS connection ensures their credentials are protected from attackers.

Encryption Algorithms
Convert plain text (readable data) into cipher text (unreadable scrambled data) to protect it from unauthorised access. Common encryption algorithms:
AES (Advanced Encryption Standard) – Used for securing sensitive information.
RSA (Rivest-Shamir-Adleman) – Commonly used for encrypting communication over the web.
ECC (Elliptic Curve Cryptography) – Provides high security with smaller key sizes.
Example: A messaging app encrypts text messages using AES-256, ensuring only the intended recipient can decrypt and read them.

Encryption Keys
Encryption relies on keys that determine how data is scrambled and unscrambled. Types of encryption:
Symmetric encryption: Uses the same key for encryption and decryption (e.g., AES).
Asymmetric encryption: Uses a public key for encryption and a private key for decryption (e.g., RSA).
Example: An e-commerce site encrypts customer credit card details using an RSA public key; only the business's private key can decrypt it.

Plain Text and Cipher Text
Plain text: Unencrypted data that anyone can read.
Cipher text: Encrypted data that appears scrambled.
Simple Example – Caesar Cipher: A Caesar cipher is a basic encryption method where each letter is shifted by a fixed number of places in the alphabet. With a shift of 3, HELLO becomes KHOOR. While simple, this method is easily breakable.
Real-World Example – AES Encryption: Before encryption: password123. After encryption with AES-256: F5A1B6C9D8E2… Unlike the Caesar cipher, AES is highly secure and widely used.

Authentication and Authorisation
Authentication verifies a user's identity (e.g., entering a username and password). Authorisation determines what a user is allowed to do (e.g., an admin can access all settings, but a regular user cannot).
Example: A user logs into their email (authentication), but only an admin can reset passwords for all users (authorisation).

Hash Values
A hash function converts data into a fixed-length string that represents the original data. Hashes are irreversible and used to securely store passwords. Common hash functions:
SHA-256 – Used for password hashing.
MD5 (obsolete) – Previously used for file verification but now insecure.
Example: A password mypassword hashed with SHA-256 becomes 5e88489f..., preventing attackers from recovering the original password.

Digital Signatures
Ensure data integrity and authenticity by verifying that a message or document has not been altered. Generated using asymmetric encryption.
Example: When downloading software, a digital signature ensures it was not tampered with before installation.
66
How an Encryption Handshake Works
An encryption handshake is a process used to establish a secure connection between a client and a server. This is crucial for HTTPS websites and other secure online communications.
1. Client Hello: The client (e.g., a web browser) sends a request to the server, listing supported encryption algorithms (cipher suites).
2. Server Hello: The server selects the strongest available encryption method and sends back its SSL/TLS certificate, which contains its public key.
3. Key Exchange: The client verifies the server's certificate using a trusted certificate authority (CA). The client and server generate a shared secret key using asymmetric encryption (e.g., RSA or Diffie-Hellman key exchange).
4. Session Key Established: From this point onward, all communication is encrypted using symmetric encryption (e.g., AES), which is faster and more efficient.
5. Secure Communication Begins: The encrypted session allows safe transmission of sensitive data, such as passwords or credit card details.
Example: When you log into your online banking account, an encryption handshake ensures that your login details are securely transmitted over HTTPS.
67
Data Mining
The process of analyzing large datasets to find patterns, trends, and relationships. Used in advertising, fraud detection, and recommendation systems. Example: E-commerce sites like Amazon analyze purchase history to recommend products. Security Implications: Hackers can use data mining to identify security vulnerabilities or predict user behavior for phishing attacks.
68
Meta Data
Data about data, describing its content, origin, and structure. Includes information like timestamps, geolocation, and file properties. Example: A photo taken on a smartphone has metadata storing the date, time, and location. Privacy Concern: Websites and companies collect metadata to track users, often without their explicit consent.
69
Streaming Service Management
Platforms like Netflix, YouTube, and Spotify handle enormous amounts of real-time data to deliver seamless experiences. Uses CDNs (Content Delivery Networks) to distribute content efficiently. Requires load balancing to handle millions of concurrent users. Example: Netflix optimises video quality based on a user's internet speed using adaptive streaming. Security Concerns: Cyberattacks like DDoS (Distributed Denial of Service) can target streaming services, overwhelming servers with traffic and causing service outages.
70
W3C (World Wide Web Consortium)
The World Wide Web Consortium (W3C) is an international organization that develops and maintains web standards to ensure the internet is consistent, accessible, and works across all browsers and devices. It creates key technologies like HTML, CSS, and XML, promotes web accessibility through the WCAG guidelines, and supports security and privacy standards. Overall, W3C ensures the web remains open, reliable, and usable for everyone.
71
Web Accessibility Initiative (WAI)
Aims to make the web usable for people with disabilities. Provides guidelines such as the Web Content Accessibility Guidelines (WCAG) to help developers create accessible web applications. Accessibility features include:
Keyboard navigation (ensuring users can navigate without a mouse).
Alt text for images (providing descriptions for screen readers).
ARIA roles (improving accessibility for interactive elements).
72
Version Control
Tracks Code Changes: Developers can view previous versions of code and revert if needed.
Collaboration: Multiple developers can work on a project simultaneously without overwriting changes.
Branching and Merging: Developers can work on different features in separate branches before merging changes.
Backup and Recovery: Prevents data loss by storing a history of code changes.
73
Template Engine
A template engine is a tool that lets developers create dynamic web pages by combining HTML templates with data from a program or database. It replaces placeholders in the HTML (like {{ user }}) with real values at runtime, making it easy to display personalised or changing content.
74
Social, ethical and legal issues for data breaches
Social Issues
Loss of Trust: Customers may lose confidence in the organisation’s ability to protect their data.
Reputation Damage: Businesses and institutions can suffer long-term brand harm and public backlash.
Emotional Distress: Victims may face anxiety, embarrassment, or financial stress due to leaked personal information.
Impact on Society: Widespread breaches can erode public trust in digital systems and discourage online participation.

Ethical Issues
Negligence in Data Protection: Failing to implement adequate security measures is unethical, especially when handling sensitive or personal data.
Misuse of Information: Unethical use or sale of stolen data (e.g., identity theft, fraud) violates privacy and autonomy.
Transparency and Accountability: Organisations have an ethical duty to disclose breaches promptly and take responsibility.
Informed Consent: Users should know how their data is stored, used, and protected; failing to communicate this violates ethical data practices.

Legal Issues
Privacy Law Violations: Breaches can violate regulations like the Australian Privacy Act 1988, GDPR (Europe), or CCPA (US).
Mandatory Reporting: In many regions, companies are legally required to report breaches to authorities and affected individuals.
Fines and Penalties: Non-compliance with data protection laws can result in heavy fines or lawsuits.
Liability: Organisations can face legal action for negligence or failure to protect users’ personal information.