Software Integrity and Defects

Q1. What is Integrity in Software Development? Descript the different types of threats with the help of different scenarios.

Integrity:

In the age of cyber-terrorism and hacking, software integrity has become an important factor in the software development. Software integrity can be defined as the degree to which unauthorized access to the components of software (program, data, and documents) can be controlled.

For measuring integrity of software, attributes such as threat and security are used. Threat can be defined as the probability of a particular attack at a given point of time. Security is the probability of repelling an attack, if it occurs. Using these two attributes, integrity can be calculated by using the following equation.

Integrity = ∑(1-threat)*(1-security) 

Threat:

            In Information Security threats can be many like Software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion. ... Software attacks means attack by Viruses, Worms and Trojan Horses etc.

In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm. A threat can be either "intentional" or "accidental" or otherwise a circumstance, capability, action, or event.

Types of Threats:

• Bugs
• Weak passwords
• Software that is already infected with virus
• Missing data encryption.
• SQL injection
• Buffer overflow
• Missing authorization
• Unrestricted upload of dangerous file types
• Viruses

Classification of Threats

Misuse cases are instances of threats to a system:

Interception threats: attacker gains access to an asset.

Interruption threats: attacker makes part of a system unavailable.

Modification threats: a system asset if tampered with.

Fabrication threats: false information is added to a system.

Security:

            Security is the efforts to reduce or eliminate the risks due to different kind of threats. To make system more reliable and safe our data from unauthorized access or avoid the system from getting down due to different attacks.

Examples of different Threats are as following:

1. In an online Admission system, there was a restriction / check on the user which restricts the male users to apply in female campus and female in male campus. This check was implemented on client side via JavaScript instead of Server Side. This check can be overridden to enable the students to apply in any campus.
2.  In the same online Admission System, users were able to see their profiles. In the absence of Data Encryption user can change the id in the URL and see the profile of any other user.
3. In a School Management System, there were different options like news update, students’ strength management etc. Any user were able to change the primary key in the cookies to access the others data.
4. In WhatsApp, a particular type of message were found in the past. This message can stuck the WhatsApp. As this message contains some hidden characters having length in thousands. Whenever someone selects the message to delete, copy or forward, his/her WhatsApp gone stuck due to limited buffer memory allocated to WhatsApp.
5. In online hotel managements system, very poor program skills were used to handle users’ login. A users with limited knowledge of SQL Injection can inject his/her own code to bypass the login and access the admin panel. Where it can perform many activities as an Admin.
6. A software having no or less password policy can be easily bypassed through few attempts.
7. A software having no authorization phase is very much unsecured and any user who can get access the interface can make changes into data and perform different actions without letting the system to know who is he/she.
8. In an online Petrol Pump Management System, there was an authorization / login page to verify the user with username and passwords and after successful attempt it redirects the user to the Dashboards. But there was no check on Dashboard page to verify weather users is logged in or not. So any user who knows the URL of Dashboard can easily access                       the system without knowing the username and passwords.
9.  In a Web Base System, there was an option to upload the files but there were no restriction on file types. So a user can easily upload the file having code written in the same language in which the software was developed e.g php, asp.net etc. So this code can be executed on the server to make desired changes in the software.
10. In Windows Operation System, there is a loophole which can be cause to crack the password and bypass user login. User can get into the system without logging In and can get access to the all data without any authorization.

Q2. What is Integrity in Software Development? Descript the different types of threats with the help of different scenarios.

Software Defect:

A defect is an error in coding or logic that causes a program to malfunction or to produce incorrect/unexpected results. A program that contains a large number of bugs is said to be buggy.

Types of Defects in Software:

Arithmetic Defects:

It include the defects made by the developer in some arithmetic expression or mistake in finding solution of such arithmetic expression. This type of defects are basically made by the programmer due to access work or less knowledge. Code congestion may also lead to the arithmetic defects as programmer is unable to properly watch the written code.

Logical Defects:

Logical defects are mistakes done regarding the implementation of the code. When the programmer doesn’t understand the problem clearly or thinks in a wrong way then such types of defects happen. Also while implementing the code if the programmer doesn’t take care of the corner cases then logical defects happen. It is basically related to the core of the software.

Syntax Defects:

Syntax defects means mistake in the writing style of the code. It also focuses on the small mistake made by developer while writing the code. Often the developers do the syntax defects as there might be some small symbols escaped. For example, while writing a code in C++ there is possibility that a semicolon (;) is escaped.

Multithreading Defects:

Multithreading means running or executing the multiple tasks at the same time. Hence in multithreading process there is possibility of the complex debugging. In multithreading processes sometimes there is condition of the deadlock and the starvation is created that may lead to system’s failure.

Interface Defects:

Interface defects means the defects in the interaction of the software and the users. The system may suffer different kinds of the interface testing in the forms of the complicated interface, unclear interface or the platform based interface.

Performance Defects:

Performance defects are the defects when the system or the software application is unable to meet the desired and the expected results. When the system or the software application doesn’t fulfill the users’ requirements then that is the performance defects. It also includes the response of the system with the varying load on the system.

Some real life Examples of Software Defects are as following:

1. In a students’ management system, while we enter data for new student, we can leave the date of birth empty if we don’t have the actual date of birth for that student. So when we print student’s form, an error occurs during age calculation and system shows the age in thousands of years.
2. In the same software, counting the number of siblings were done against the father’s name instead of father’s CNIC.  The system was showing the wrong figure as there can be the same name of two or more different parents.
3. In Student’s’ Image uploading field, if there is no check to validate the type of file then any file can be uploaded  instead of a particular image format. It will show an error on viewing and printing students form as there is no valid image uploaded.
4.  In a Stock Management System, a defect was found that was regarding the Return Product Option. Whenever an orders is placed for some particular product having quantity more than one. If we return the same product but not same quantity but less than the ordered quantity, the system removes all order details for that product.
5. In the same system, whenever a product is returned, the returned quantity was added in the current stock but the returned amount was not deducted from the current cash.
6. In a centralized college management system, a defect was found regarding students profile picture. In that system whenever a picture is uploaded, the system saved the image with the actual name in the target directory but if another student’s picture with the same name was uploaded, it replace the existing image with the new image having the same name. Now on student’s form, two or more than two students have the same picture which were uploaded recently.
7. In a CRM (Customer Relationship Management) System, a defect was found after 4 years of its release. It was that the system become unable to store data in the database as data type for Customer Id was selected lower. And system failed when it reached its highest limit.
8. In ERP System of a University, a defect were seen by the students that was the same subject of the same class were allocated to two different teachers.  
9. In an application to calculate the Marks in the Exams, a defect was found that user was able to enter the data in the given fields. Application was working fine while user enters numeric data but application got stuck when user entered string instead of number. System does not have data validation rule or error handling.
10. In a small application to Compare Two Strings, a very simple defect was found due to poor programming practices is that the application gives wrong output as it compare all characters in the strings and set isCompare flag true or false on each comparison  and does do not stop comparing once it found any unmatched character.   

Defect Removal Efficiency (DRE)

Defect removal efficiency (DRE) can be defined as the quality metrics, which is beneficial at both the project level and process level. Quality assurance and control activities that are applied throughout software development are responsible for detecting errors introduced at various phases of SDLC. The ability to detect errors (filtering abilities) is measured with the help of DRE, which can be calculated by using the following equation.

DRE = E / (E + D)

Where

E = number of errors found before software is delivered to the user

D = number of defects found after software is delivered to the user.

The value of DRE approaches 1, if there are no defects in the software. As the value of E increases for a given value of D, the overall value of DRE starts to approach 1. With an increase in the value of E, the value of D decreases as more errors are discovered before the software is delivered to the user. DRE improves the quality of software by establishing methods which detect maximum number of errors before the software is delivered to the user.

Example:

Let 10 different types of bugs found during development. 8 of those fixed before release, 2 put on the backlog.

3 bugs found in production. 2 of those were found by customers, 1 was found by the team before any customers caught it.

E = 10

D = 3

DRE    = (E / (E + D))

            = 10 / (10 + 3)

DRE    = 0.769

            = 0.769× 100

            = 76.9%