Soft Work Personal Blog-week7

Source: Internet
Author: User

Part 1 No Silver Bullet: Essence and Accidents of Software Engineering
Honestly, I do not have a clear idea of how software engineering could make rapid progress in a short period of time without some common method or technology. In recent years, agile development frameworks, the MVC structure and the REST style have appeared to greatly improve the efficiency of software engineering, so in my opinion the appearance of a silver bullet is not impossible; after all, a simple REST style combined with HTML5 gives me the feeling that development efficiency increased by at least 30%.
Part 2 Big Balls of Mud: do you have a big ball of mud in your project? What's the answer?
The so-called big ball of mud refers to a messy, intricate, sloppy, random collage of a lot of code. In fact, at the beginning of the project, in my freshman year, the code I wrote was exactly this big-ball-of-mud style. I think this kind of code mainly comes from developers having no development experience and no experience with collaborative programming, and having to rush to complete the task. The way to fix this code is to do layered decoupling and callbacks. Taking the back end as an example, the minimum we must do is separate the logic processing from the data model, and then we can decouple further: the separation between the front-end and back-end API becomes routes, the main data-processing logic is separated into controllers, parameter preprocessing logic is separated into middleware, the overall actions of the back end are separated into system services and triggers, data processing is separated into models, and the database structure and seed data are separated into data migrations and data seeding. This ensures that the code is well organized, reusable and easy to maintain.
Part 3 CatB: The Cathedral and the Bazaar
The cathedral and the bazaar are a classification of open-source software development models. In the cathedral model the source code is open, but the development process is controlled by a small group; in the bazaar model the source code is also open, the code is on the Internet for people to read, and anyone can contribute to its development. The author promotes the bazaar model and thinks that under the scrutiny of enough people there is no place for bugs to hide. I agree with the author's point of view. For example, most domestic open-source CMSs are in cathedral mode, or cannot even be counted as cathedral mode, because the control from the top is too tight. It can be said that the security of these CMSs is very poor. Foreign open-source projects, on the other hand, are mostly on GitHub for people to maintain together, including PHP, this very popular language (although PHP has a few more holes, or maybe I just touch it more...), and their security is at a higher level compared to the domestic CMSs.
Part 4 Lost in CatB: do these things happen to your team?
The over-reliance problem did not occur in our development, as I wrote the environment-setup tutorials and requirements for the team members during the first development of the API and the development documentation, and standardized the storage forms and structure of the various data in our project: the data is stored in the database, and the data generated by reports is in the form of files.
In fact, the only dependency problem we had was this: we needed to use LaTeX for report generation. When we debugged the script we found that running it as a normal user succeeded, but calling the generation script from PHP kept reporting a shared-library (.so) reference error. After I put a trojan in place to get the permissions of the Apache daemon user, I found that running it as that user failed, and then I used ldd to look at which .so the wrong reference pointed to, and found that it actually pointed to an Apache library file; that is, the Python library and the Apache library had a name conflict. Later I found that Apache automatically adds its own lib path to LD_LIBRARY_PATH, but PHP's command execution does not go through bash, so the environment variable cannot be added that way. Finally I wrote an sh script that launches from bash and adds the lib path to the environment variable, which finally resolved the dependency problem...
Part 5 Managing the Development of Large Software Systems: Concepts and Techniques
The waterfall model was fully used in our project. First came the plan and the requirements analysis; the plan was actually only a rough concept for me, since knowing roughly what to do at what time is good enough, because for the time I plan I usually finish well ahead of schedule. After the requirements analysis was handed over to me, I did the back-end routing and API design based on the site prototypes, and then handed it to the front-end and back-end developers; we developed together, integrated after the final completion, then tested, and then went online for maintenance.
Part 6 How useful is the methodology of software engineering?
It can actually guide most collaborative projects; it is versatile.
-----------------------------I am an elegant and unclean dividing line-------------------------
In fact, at the end I want to write a little about something unrelated to the assignment. In the comments on our team's blog, you pointed out that the user name and password are not encrypted during transmission and that the back-end storage is not clear. First of all, the back end is encrypted: the encryption is a hash with a dynamic salt, and at my level of knowledge, with our minimum password length of 6 characters, this encryption method cannot be cracked.
Then the issue of plaintext transmission. My main field is information security, and in fact I have met a lot of people who, when mentioning vulnerabilities to me, all told me that the password is transmitted in plaintext. I actually do not understand this; frankly, simple front-end encryption is of no use at all. I have come across many sites that do MD5 on the front end and then transmit, but if I sniff the packet during this transmission, I can still use that packet to log in. Moreover, after getting their database permissions or getting the passwords by injection, I found that at least 70% of these sites store the front-end MD5 directly, which is a stupidly easy way to get cracked. Security is a bit better if both the front end and the back end encrypt, but I can still log in with the packet.
The only reliable front-end encryption method I can come up with is to use a timestamp as a dynamic salt: we take a time interval such as 15 s as a unit, use the timestamp to calculate a salt and hash it with the password, and the back end verifies with the same method. This ensures that each packet has a maximum validity of 15 s, but even so there will be random validation failures (for example when verification happens at the exact instant the salt changes), and I can use a script to replay the packet immediately after sniffing it, without even needing to re-send it by hand. Since I can sniff your packet, I can also sniff the packet you receive; the password of an ordinary user is not important, what is important is the interface exposed after login, which exposes more vulnerabilities, that is, the important things are the cookie and the session. And this is a security issue that cannot be addressed by any front-end encryption.
And there is a very important cost problem. The most effective way I can think of is the timestamp scheme, but this is a solution that can be easily compromised, and implementing this scheme also has a cost; if an application really has such a high security requirement, it will not pay such a cost to implement a flawed solution and will definitely use SSL. Sites that do not have this security need, however, will not pay the cost either.
The above discussion stands from the point of view of a hacker or of operations. I do not worry about exposing the user's plaintext password, because I think that if a user's password is sniffed, the scope is minimal anyway; if the sniffer is on the server's C segment, then I think the server's security is already precarious, and the key problem is not in the transmission. The password is not important; the password is for getting permissions, and data and permissions are what a hacker wants to get.
In summary.
Thank you.
