701.1.

- Modern Software Development

Weight 6
Description Candidates should be able to design software solutions suitable
for modern runtime environments. Candidates should understand
how services handle data persistence, sessions, status
information, transactions, concurrency, security, performance,
availability, scaling, load balancing, messaging, monitoring and
APIs. Furthermore, candidates should understand the implications
of agile and DevOps on software development.

1. Understanding and Designing Service-Based Applications

Modern software development has largely moved away from monolithic applications
towards modular, distributed architectures. This paradigm shift is driven by the need
for scalability, flexibility, and independent deployment.

Service-Oriented Architectures (SOA):

Concept A style of software design where services are provided to
other components by application components, through a
communication protocol over a network. Services are loosely
coupled, reusable, and have well-defined interfaces.
Characteristics Reusability, discoverability, loose coupling, platform
independence.
Focus Enterprise-level integration, often involves a robust Enterprise
Service Bus (ESB) for communication and transformation.
Example A large enterprise might have services for customer
management, order processing, and inventory, all
communicating via an ESB.
Microservices:
Concept An architectural style that structures an application as a
collection of small, autonomous services, each responsible for
a specific business capability. Each service is independently
deployable, scalable, and often has its own database.
Characteristics • Loose Coupling: Services operate independently,
reducing dependencies
• Small and Focused: Each service does one thing well.
• Independent Deployment: Services can be deployed
and updated without affecting others.
• Decentralized Data Management: Each service
manages its own data persistence.
• Polyglot Persistence/Programming: Different services
can use different technologies optimized for their
specific needs.
Advantages Improved scalability, faster development cycles, easier
maintenance, technology flexibility.
Disadvantages Increased operational complexity, distributed data
management challenges, complex inter-service
communication.

Immutable Servers:
Concept A server that, once deployed, is never modified. If a change is
needed (e.g., security patch, software update), a new server
image is built with the changes, and the old server is replaced.
Benefits Consistency, predictability, easier rollbacks, reduced
configuration drift, improved security.
Contrast with Traditional approach where servers are patched and updated
Mutable Servers in place.
2.- Understanding Common API Concepts and Standards
Application Programming Interfaces (APIs) are fundamental for enabling
communication between different software components, especially in service-based
architectures.

REST (Representational State Transfer):

Concept An architectural style for designing networked applications.
RESTful APIs use standard HTTP methods (GET, POST, PUT,
DELETE) to interact with resources.
Principles Client-Server Separation of concerns between the
client and server.
Stateless Each request from client to server must
contain all the information necessary to
understand the request; the server does
not store any client context between
requests.
Cacheable Responses must explicitly or implicitly
define themselves as cacheable to
prevent clients from reusing stale or
inappropriate data.
Layered System A client cannot ordinarily tell whether it is
connected directly to the end server, or to
an intermediary along the way.
Uniform interface A standardized way for clients to interact
with the server. This includes using
resource identifiers, manipulating
resources through representations, self-
descriptive messages, and hypermedia as
the engine of application state
(HATEOAS).
Example GET /users/{id}

JSON (JavaScript Object Notation):

Concept A lightweight, human-readable, and machine-parsable data
interchange format. It is widely used for transmitting data
between a server and web application, and between services
in microservices architectures.
Structure Uses key-value pairs and arrays.
Example {
"name": "Alice",
"age": 30,
"isStudent": false,
"courses": ["Math", "Science"]
}
CORS headers and CSRF tokens: These are crucial for web security, particularly
when APIs are consumed by browser-based clients.
CORS (Cross-Origin Resource CSRF (Cross-Site Request
Sharing) Forgery)
Purpose A browser security mechanism A security measure to protect
that allows web pages from one against attacks where an attacker
domain to request resources tricks a user's browser into making
from another domain. an unauthorized request to a
legitimate web application on their
behalf.
Mechanism The server specifies allowed The server embeds a unique,
origins, HTTP methods, and secret token in web forms or
headers in its responses JavaScript, which the client then
(Access-Control-Allow-Origin, sends back with each request. The
Access-Control-Allow-Methods, server verifies this token. If the
etc.). If a request's origin is not token is missing or incorrect, the
permitted, the browser blocks request is rejected.
the request.
Revelance Essential for APIs consumed by Protects state-changing
single-page applications (SPAs) operations (e.g., password
hosted on different domains. change, money transfer) from
malicious cross-site requests.
3.- Understanding Aspects of Data Storage, Service Status, and Session Handling
In distributed systems, managing data persistence, application state, and user
sessions presents unique challenges.

Data Persistence:
Concept Ensuring that data remains available and consistent even after an
application restarts or crashes.
Methods Databases (relational, NoSQL), file systems, cloud storage.
ACID Properties • Atomicity: All operations within a transaction either
(for RDBMS) complete successfully or are entirely rolled back.
• Consistency: A transaction brings the database from one
valid state to another.
• Isolation: Concurrent transactions execute independently
without interfering with each other.
• Durability: Once a transaction is committed, its changes are
permanent and survive system failures.
CAP Theorem Concept In a distributed system, it's impossible to
(NOSQL) simultaneously guarantee Consistency,
Availability, and Partition Tolerance. You must
choose two.
Consistency All nodes see the same data at the same time.
Availability Every request receives a response, without
guarantee of the latest version of the
information.
Partition The system continues to operate even if there
Tolerance are network failures (partitions) that prevent
some nodes from communicating.
Implications • CP Systems (Consistency + Partition
Tolerance): Prioritize consistency over
availability during network partitions
(e.g., traditional RDBMS clusters, some
NoSQL databases like MongoDB).
• AP Systems (Availability + Partition
Tolerance): Prioritize availability over
consistency during network partitions
(e.g., highly available systems like
Cassandra, DynamoDB, often eventual
consistency).
• CA Systems (Consistency + Availability):
Cannot tolerate network partitions (e.g.,
a single-node database, not truly
distributed).
Service Status and Session Handling:
• Stateless Services:
Concept: A service does not store any client-specific context or
state between requests. Each request contains all
necessary information.
Advantages: Simpler to scale horizontally (just add more instances),
easier fault tolerance (any instance can handle any
request), no need for session synchronization.
Revelance: RESTful APIs are inherently stateless.

• Session Management (for Stateful Applications):

Concept: Maintaining user-specific data or context across multiple
requests.
Advantages: If a user's session is tied to a specific server, what
happens if that server goes down or traffic is routed to
another server by a load balancer?
Revelance: • Sticky Sessions: Load balancers route all requests
from a specific user to the same server (reduces
scalability and fault tolerance).
• Distributed Caching: Store session data in a shared,
external store (e.g., Redis, Memcached) accessible
by all service instances.
• Database-backed Sessions: Store sessions in a
shared database.
• Token-based Authentication (e.g., JWT): The client
sends a token with each request, containing all
necessary user information. The server validates
the token cryptographically without needing to
store session state. This makes the server
stateless.
4.- Designing Software to be Run in Containers
Containers (like Docker) have become a standard deployment unit for modern
applications due to their portability and isolation.

Principles for Containerized Applications:

One process per container: Ideally, each container should run a single primary
process to simplify scaling and management.
Statelessness Containers themselves should be ephemeral and
(within container): stateless. Any persistent data should be stored
externally (e.g., volumes, external databases).
Small images: Keep container images as small as possible to
reduce build times, network transfer, and attack
surface.
Configuration via Enviorment Avoid baking sensitive configuration into images.
Variables/Mounts: Use environment variables or mounted configuration
files.
Logging to Standard Containers should log to stdout and stderr for easy
Output/Error: collection by container orchestration platforms.
Graceful Shutdown: Applications should handle SIGTERM signals for
graceful shutdown.

5.- Designing Software to be Deployed to Cloud Services

Cloud platforms (IaaS, PaaS, SaaS) offer immense benefits for scalability,
availability, and reduced operational overhead. Software design must account for
cloud characteristics.

Cloud-Native Principles:
Scalability: Design applications to scale horizontally by
adding more instances rather than vertically by
adding more resources to a single instance.
Resilience and Fault Tolerance: Assume failures will happen. Design for
redundancy, graceful degradation, and self-
healing.
Observability: Implement robust logging, monitoring, and tracing
mechanisms.
Automation: Automate provisioning, deployment, and
management.
Loose Coupling: As with microservices, independent components
are easier to manage and scale in the cloud.
Managed Services: Leverage cloud provider's managed services
(databases, queues, caching, serverless
functions) to reduce operational burden.
6.- Awareness of Risks in the Migration and Integration of Monolithic Legacy
Software
Migrating from a large, tightly coupled monolithic application to modern service-
based architectures or the cloud is a complex process with inherent risks.

"Big Bang" vs. A full rewrite (big bang) is highly risky; incremental
Incremental Migration: approaches (e.g., "Strangler Fig" pattern) are generally
preferred.
Data Migration Moving and transforming large datasets can be
Complexity: challenging and prone to errors.
Interoperability Issues: Ensuring seamless communication between legacy
components and new services.
Performance New architecture might introduce latency or overhead if
Degradation: not properly designed.
Security Gaps: New attack vectors or misconfigurations during
integration.
Skill Gaps: Development and operations teams may lack expertise
in new technologies.
Cost Overruns: Underestimating the effort, resources, and time required
for migration.
Vendor Lock-in: Becoming overly reliant on a specific cloud provider's
proprietary services.
7.- Understanding Common Application Security Risks and Ways to Mitigate Them
Security must be an integral part of software design ("security by design") from the
outset.

Common Risks (OWASP Top 10):

Description Mitigation
Injection Attacker inputs malicious code Parameterized queries, input
that is executed by the validation, least privilege for
application or database. database accounts.
Cross-Site Attacker injects malicious client- Output encoding, input
Scripting side scripts into web pages validation, Content Security
(XSS) viewed by other users. Policy (CSP).
Broken Flaws in authentication or Strong password policies, multi-
Authenticatio session management allow factor authentication (MFA),
n attackers to compromise user secure session management,
accounts. API authentication (e.g., OAuth2,
API Keys, JWT).
Sensitive Data Sensitive data (credentials, Consistent enforcement of
Exposure financial data) is not properly transport encryption
protected. (HTTPS/TLS), encryption at rest,
data masking, secure storage of
secrets.
Verbose Error Error messages that reveal too Generic error messages for
Reports much information (e.g., stack users, detailed logs for
traces, database schema details) developers (stored securely).
can aid attackers.
Broken Users are able to access Implement least privilege, robust
Access unauthorized functionality or access control mechanisms
Control data. (RBAC/ABAC), thorough testing.

Security Best Practices:

Principle of Least Granting only the necessary permissions.
Privilege
Input Validation and Never trust user input.
Sanitization
Secure Coding Following guidelines to prevent common vulnerabilities.
Practices
Regular Security Identifying and fixing vulnerabilities.
Audits and Penetration
Testing
Secrets Management Securely storing and managing API keys, database
credentials, etc.
8.- Understanding the Concept of Agile Software Development
Agile is an iterative and incremental approach to software development that
emphasizes collaboration, flexibility, and rapid delivery.

Core Principles:
• Individuals and interactions over processes and tools.
• Working software over comprehensive documentation.
• Customer collaboration over contract negotiation.
• Responding to change over following a plan.

Key Characteristics:
Iterative Work is done in short cycles (sprints/iterations).
Development
Incremental Working software is delivered frequently.
Delivery
Cross-functional Cross-functional Teams
Teams
Continuous Regular communication with stakeholders to incorporate
Feedback feedback.
Adaptability Ability to respond to changing requirements.
9.- Understanding the Concept of DevOps and its Implications to Software
Developers and Operators
DevOps is a set of practices that combines software development (Dev) and IT
operations (Ops) to shorten the systems development life cycle and provide
continuous delivery with high software quality.

Core Concepts:
Culture Fostering collaboration, shared responsibility, and empathy
between development and operations teams. Breaking down
silos.
Automation Automating repeatable tasks across the entire lifecycle (CI/CD,
infrastructure provisioning, testing, monitoring).
Lean Principles Eliminating waste, continuous improvement.
Measurement Monitoring key metrics to identify bottlenecks and areas for
improvement.
Sharing Sharing knowledge, tools, and best practices.

Implications for Software Developers

"You Build It, You Developers take more ownership of the operational aspects of
Run It" their code.
Focus on Designing software for easy deployment, monitoring, logging,
Operability and troubleshooting.
Infrastructure as Developers contribute to defining infrastructure (e.g., using
Code (IaC) Terraform, Ansible).
Understanding Awareness of how their code behaves in production.
Production
Environment
Continuous Integrating code frequently and participating in automated
Integration and deployments.
Delivery
Implications for Operators:
Infrastructure as Code Managing infrastructure through code and automation
rather than manual processes.
Collaboration with Working closely with developers to understand
Developers application needs and automate infrastructure.
Shift-Left Operations Bringing operational concerns earlier into the
development lifecycle.
Tools Proficiency Learning and using tools for automation, monitoring, and
orchestration.
Focus on Enabling Providing self-service infrastructure and platforms for
Developers developers.
Questions:
1.- Which of the following values stems from the Agile Manifesto?
a) Processes and tools over individuals and interactions.
b) Contract negotiation over customer collaboration.
c) Comprehensive documentation over working software.
d) Predictability and long-term planning over flexibility and adaption.
e) Responding to change over following a plan

2.- Which of the following benefits are realized by using immutable servers?
(Choose TWO correct answers)
a) Immutable servers are flexible in how they are configured during their
deployment.
b) Immutable servers are not connected to a network and cannot be attacked
remotely.
c) Immutable servers are usable right after they are started without further
configuration.
d) Immutable servers bundle all components required for an application and
never need external services.
e) Immutable servers ensure production servers are identical staging servers.

3.- Where should containerized applications store persistent data such as user
uploaded files or billing information? (choose TWO correct answers).
a) In files inside the container that are exclusively locked by the application.
b) In memory with an API to download a serialized dump of the data.
c) In external systems such as databases or object stores.
d) In dedicated, well known directory trees within the container.
e) In database server which is installed within the container.

4.- Which of the following statements regarding microservices are true? (Choose
three correct answers.)
a) Microservices facilitate the replacement of the implementation of a specific
functionality.
b) Microservices applications are hard to scale because microservice
architecture allow only one instance of each microservice.
c) Integration tests for microservices are not possible until all microservices
forming a specific application are completely developed.
d) Interaction between microservices can be slower that the interaction of similar
components within a monolithic application.
e) Within one application, individual microservices can be updated and
redeployed independent of the remaining microservices.
5.- Which of the following HTTP headers is a CORS header?
a) X-CORS-Access-Token:
b) Location:
c) Referer:
d) Authorization:
e) Access-Control-Allow-Origin

6.- What implications does container virtualization have for DevOps? (Choose two
answers.)
a) Containers decouple the packaging of an application from its infrastructure.
b) Containers require developers to have detailed knowledge of their IT
infrastructure.
c) Containers let developers test their software under production conditions.
d) Containers complicate the deployment of software and require early
deployment tests.
e) Containers require application specific adjustment to the container platform.

7.- Which of the following HTTP methods are used by REST? (Choose three
correct answers.)
a) CREATE
b) REPLACE
c) PUT
d) DELETE
e) GET