Containerization Security & Technical Debt Quiz

Questions and Answers

What is the primary security risk associated with shared kernel vulnerabilities in containerization?

Resource exhaustion caused by a single misconfigured container.

Malicious processes escaping the container environment. (correct)

Increased network latency between containers.

Data corruption due to concurrent access from multiple containers.

Which strategy is NOT a best practice for mitigating risks associated with container breakout?

Regularly updating and applying security patches to the system.

Dropping unnecessary privileges from containers to limit their capabilities.

Utilizing minimal base images to reduce the attack surface.

Expanding the system calls available to containers to enable more functionality. (correct)

What is the role of the ephemeral read/write layer in a container image?

To allow temporary data modifications during the container runtime. (correct)

To store the base OS and prevent it being modified.

To ensure that only specific users can modify files.

To cache data used during the image build process.

Which of the following best describes the function of container runtimes?

Executing containers at a low-level and interfacing with the OS kernel. (A)

What is the primary purpose of the Open Container Initiative (OCI)?

To standardize container image formats and runtime interfaces. (C)

Compromises made in internal quality during system design primarily contribute to which type of technical debt?

Architectural TD (C)

Which type of technical debt is most directly associated with shortcuts in testing?

Test TD (A)

Sub-optimal configuration of development-related processes and supporting tools is most representative of which category of technical debt?

Infrastructure TD (B)

What kind of technical debt is caused by lingering bugs or failures that affect the system's evolution?

Defect TD (D)

What type of technical debt arises from a mismatch between optimal requirements and actual system implementation?

Requirement TD (B)

What is a primary challenge when migrating a database to PostgreSQL as described in the text?

Dealing with a continuously updated database and compatibility issues with existing MySQL configurations. (C)

According to the provided information, what does 'principal' refer to in the context of technical debt?

The effort needed to remove inefficiencies in the system's design. (D)

What is described as the 'interest' in relation to technical debt?

The extra work to modify software when adding features or fixing bugs. (B)

What best describes the concept of technical debt?

A deliberate choice to use a technology with limited features to expedite initial development, with plans for future remediation. (A)

In the face of a challenging database migration, what alternative is mentioned?

To create a secondary PostgreSQL database linking to the original database. (C)

According to the provided information, what is the main downside of technical debt?

It makes future code changes harder and more expensive. (D)

What potential negative outcome is associated with choosing the second database solution?

The accumulation of additional 'technical debt'. (D)

What was the primary effect of Knight Capital's system experiencing miscopied code related to technical debt?

Large financial loss in a short amount of time. (D)

What is often a key motivating factor for accumulating technical debt?

Priority to deliver quickly to meet deadlines while sacrificing architectural perfection. (C)

Why might a team choose MariaDB/MySQL as initial database if it lacks all needed features?

Due to good familiarity and the need to quickly create an MVP (Minimum Viable Product). (C)

Flashcards

Container Image

A collection of immutable, layered filesystem bundles used to package software applications and their dependencies.

Container Engine

A tool that manages and runs containers. It provides an interface (CLI, API) and handles tasks like image management and orchestration.

Container Runtime

A tool that executes containers at a low level and interacts with the OS kernel. It adheres to OCI (Open Container Initiative) for standardization.

Image Registry

A type of software that allows developers to store and share container images. They can be public or private.

Building Container Images

A process that involves writing instructions in a Dockerfile to build a container image. The instructions tell the container to copy files, install dependencies, configure environment variables, and more.

What is Technical Debt?

Technical debt is the unavoidable consequence of choosing expedient solutions over ideal designs in software development. It's like borrowing money to solve an immediate problem, but accumulating interest in the form of future maintenance and development challenges.

What are symptoms of technical debt?

Symptoms signal the presence of technical debt. They can manifest as increased development time, difficulty adding new features, bugs that are difficult to fix, and code that is hard to understand and maintain.

What does refactoring help with?

Refactoring is the process of improving the existing codebase without changing its functionality. It can be used to reduce technical debt by making the code easier to understand, maintain, and extend.

What trade-off does technical debt represent?

Technical debt is a trade-off between immediate benefits and long-term sustainability. It's about prioritizing speed and efficiency over long-term quality, but it can lead to increased costs and reduced agility down the road.

Can technical debt be managed?

Technical debt can be measured and managed. Methods like code analysis and monitoring can help assess the severity of technical debt and prioritize its repayment. This means focusing on the most critical aspects of the code first and addressing them to reduce the risk of future problems.

Cost of Change (Technical Debt)

The additional development effort needed to modify software (adding new features or fixing bugs) due to technical debt. It's like the interest on a loan, where the initial debt (technical debt) grows over time, making maintenance more expensive.

Principal (Technical Debt)

Effort required to fix inefficiencies or flaws in a system's design or implementation. It's like the principal of a loan, representing the initial cost of the technical debt.

Technical Debt

A situation where quick fixes or shortcuts are taken in software development, leading to future issues. It's like taking out a loan, but with a high interest rate. It can be helpful in the short term, but accumulates costs in the long run.

Database Migration

A process of transferring data and functionality from one database system (e.g., MySQL) to another (e.g., PostgreSQL). It's like moving your belongings from one house to another.

Database Migration Challenges

The complications or obstacles encountered during a database migration. It can involve differences in data structures, query languages, or functionalities between the source and target databases. It's like finding out your new house has different rules and furniture layouts than your old one.

Architectural Technical Debt

Compromises made in the design of a system's architecture, often due to time or resource constraints. These choices can impact maintainability and scalability in the long run.

Design Technical Debt

Shortcuts taken during the detailed design phase, impacting code quality and maintainability. This can lead to difficulties in understanding and modifying the code later.

Code Technical Debt

Code that deviates from best practices and coding rules, making it difficult to understand, maintain, and test. This can lead to bugs and increased technical debt.

Infrastructure Technical Debt

Suboptimal configuration of development-related processes, technologies, and tools. It can hinder efficient development and deployment processes, increasing time and effort.

Test Technical Debt

Shortcuts taken in testing, which can lead to undetected bugs and issues that may surface later in the development process.

Study Notes

Advanced Programming (WBCS053-05)

• Course title: Advanced Programming (WBCS053-05)
• Course instructor: Daniel Feitosa
• Subject: Inversion of Control and Spring Beans

Inversion of Control

• Design principle where custom code is executed by external code.
• Control of parts of the code is delegated to another logical unit.
• Requires a predefined interface.
• Think of submitting an assignment to a system like themis. You don't code the tests, but the tests are still run against your assignment, provided input and output handling is correct.

Inversion of Control - Implementations

• Several ways to implement inversion of control.
• Example using a SimpleProduct class implementing Product interface. This class holds product name and price.
• Example of DecoratorPattern class implementing Product. It holds a reference to a Product object.
• Where the product object is created: Code A and B.

Dependency Injection

• Example B from previous slide is called Dependency Injection (DI).
• DI is a form of Inversion of Control (IoC).
• In DI, the control being inverted is the creation of dependencies.
• In previous example, the product object (dependency) is not created by the owner (DecoratorPattern). Instead, another class injects it.

Spring Framework

• Framework for enterprise Java development.
• Provides infrastructure support for building Java applications.
• Enables flexibility.
• Developers focus on application logic, framework handles complexities.
• Examples of support features:
  • Spring Boot: simplifies setup and configuration (including Web REST APIs)
  • Spring Data: tools for data access and manipulation
  • Spring Security: security features for applications.

Beans

• Building blocks of Spring applications.
• Similar to stem cells of Spring applications.
• Instantiated, managed, and configured by Spring's IoC container.
• IoC container doesn't run the application. It ensures all components are properly configured and available.
• Application starts by an application server or Spring Boot context.

Configuring Beans

• Configured to assume a specific responsibility.
• Examples using Spring annotations: @Component, @Service, @Repository.
• Examples using Java-based configuration (@Configuration and @Bean methods)

Bean Lifecycle

• Lifecycle of a bean is impacted by its scope.
• Singleton beans are instantiated and destroyed with the IoC container.
• Prototype beans are instantiated for each request but not destroyed.
• Typical lifecycle: Container starts - Bean instantiated - Dependencies injected - Custom init method - Internal Spring Processing - Bean is ready to work - Custom Destroy method - Container stops.

Configuration Management (CM)

• Process of storing, retrieving, uniquely identifying, and modifying artifacts relevant to a project, and their relationships.
• Main goals: managing changes, documenting system evolution, governing team collaboration.
• Example use cases for CM:
  • Anyone on the team should be able to replicate the environment (OS version, network, software stack, deployed applications and their configuration)
  • Easily find needed information (code, docs, dependencies), change features, check correctness, quality, and deploy changes minimally.

Version Control

• Aims to retain and provide access to all versions, enabling collaboration across time and location.
• Reproduction: Reproduce a precise previous state of the software.
• Auditing: provides a complete history of the application (what, when, why, who).
• Deletion is cheap (rollback or copy from an older state)
• Key aspects in version control systems: retaining all versions, allowing collaboration, and having tools to manage different states.

Using Git

• Useful for tracking source code, tests, documents, database scripts, build/deployment scripts, application configuration files, and development configuration files.
• Generated artifacts (e.g., compiled code) typically aren't controlled by Git.
• Importance of atomic commits, descriptive messages, and merging policies; branching and proper use of branching strategies needed avoiding excess branching.

Semantic Versioning

• Schema for version numbering of software.
• Major version (breaks APIs), Minor version (minor change, doesn't disturb interface, new features), Patch version (bug/security fixes)
• backwards compatible

Managing Configuration

• Treat configuration as code (programmable, scalable, safe).
• Abstract configuration loading from chosen format (e.g., using getProperty(A) or getPropertyA()).
• Using configuration formats: Pkl, JSON, YAML, Property Lists.

Application Environments

• Includes hardware, software, data, infrastructure, and external systems.
• Test environments should be close representations of production environments to identify issues early.
• Example environments: Development, Test, Production.
• Environments also require specific configurations- libraries/dependencies, software versions, database connections, networking configurations, configurations for external services (patch levels, configuration settings), and operating systems.

Effective Configuration Management

• Keep binaries independent from configuration.
• Keep all configuration in one place.
• Using same mechanism for configuration across different environments.
• Importance of automated provisioning and baselines for creating and reliably reproducing environments.

Container Technology

• Aim for replicating a baseline.
• Processes: Instances of executing programs.
• Containers: Lightweight, isolated environments that share the host OS kernel.
• Benefits over VMs: Faster startup, lower resource consumption, simplified deployment.
• Limitations: Potential security issues due to shared kernel.
• Challenges: Complexity, management of layers and resources, security, etc..
• Linux Namespaces: Isolate global system resources.
• Linux Control Groups (cgroups): Limit, monitor and prioritize resource usage.
• Types of namespaces to isolate resources: Mount, PID, Network, IPC, UTS, User, Time and cgroup.

Continuous Software Engineering

• Development dynamics have changed, resulting in differing technology, cycle duration, and risk of failure across different development eras (70s/80s, 90s, 2000-present).
• Development cycle: ensure-compilation-run-test-improve-commit-repository-deploy-feedback-monitor.
• Solution by automating: ensuring good commits and quality checks in the repository, implementing an automated build process, and coordinating multiple containers via orchestration
  • The continuous delivery (CD) pipeline: the automated sequence of steps that must be continuously practiced for deployment to be successful, e.g., code-build-test-plan-release-deploy-monitor.
• Common release antipatterns: manual deployments, late deployments to production-like environments, manual configuration management, inconsistencies across environments, other potential problems.

Technical Debt

• Collection of design & implementation decisions that solve problems but create future costs or impossibility in the implementation of new solutions.
• Symptoms of refactoring needs: trade-off between short-term advantages of "cutting corners" and long-term sustainability of a software system.
• Understanding debt timelines: occurrence, identification latency, discussion period, decision, remediation latency, interval
• Typical sources of debt: bad architecture, complex code, obsolete tech, inadequate testing, insufficient testing, inappropriate modularity and dependencies between modules, etc.
• Tools for managing technical debt: SonarQube, CAST, etc.
• Importance of identifying debt early to mitigate potential negative impact.

DevOps

• Combines software development and IT operations to shorten development life cycle and enhance continuous delivery with improved quality.
• Identifying areas of intersection between Dev and Ops phases.
• DevOps is about culture, breaking silos, and fostering better communication.

Description

Test your knowledge on containerization security risks and best practices, as well as various types of technical debt. This quiz covers essential concepts including the roles of container runtimes and the impact of design compromises. Prepare to explore critical challenges in system design and implementation.