PS – CS2013 Version

Information Assurance and Security (IAS)

In CS2013, the Information Assurance and Security KA is added to the Body of Knowledge in recognition of the world’s reliance on information technology and its critical role in computer science education. Information assurance and security as a domain is the set of controls and processes both technical and policy intended to protect and defend information and information systems by ensuring their confidentiality, integrity, availability, and providing for authentication and non-repudiation.  The concept of assurance also carries an attestation that current and past processes and data are valid.  Both assurance and security concepts are needed to ensure a complete perspective. Information assurance and security education, then, includes all efforts to prepare a workforce with the needed knowledge, skills, and abilities to protect our information systems and attest to the assurance of the past and current state of processes and data.  The importance of security concepts and topics has emerged as a core requirement in the Computer Science discipline, much like the importance of performance concepts has been for many years.

The Information Assurance and Security KA is unique among the set of KAs presented here given the manner in which the topics are pervasive throughout other Knowledge Areas.  The topics germane to only IAS are presented in the IAS section; other topics are noted and cross referenced in the IAS KA.  In the IAS KA the many topics are represented with only 9 hours of Core-Tier1 and Tier2 coverage.  This is balanced with the level of mastery primarily at the familiarity level and the more indepth coverage distributed in the referenced KAs where they are applied.  The broad application of the IAS KA concepts (63.5 hours) across all other KAs provides the depth of coverage and mastery for an undergraduate computer science student.

The IAS KA is shown in two groups; (1) concepts where the depth is unique to Information Assurance and Security and (2) IAS topics that are integrated into other KAs that reflect naturally implied or specified topics with a strong role in security concepts and topics.  For completeness, the total distribution of hours is summarized in the table below.

 

IAS. Information Assurance and Security “Core” and Distributed

Core-Tier1 hours Core-Tier2 hours Elective Topics
IAS 3 6 Y
IAS distributed in other KA’s 32 31.5 Y

 

IAS. Information Assurance and Security (3 Core-Tier1 hours, 6 Core-Tier2 hours)

Core-Tier1 hours Core-Tier2 hours Includes Electives
IAS/Foundational Concepts in Security 1 N
IAS/Principles of Secure Design 1 1 N
IAS/Defensive Programming 1 1 Y
IAS/Threats and Attacks 1 N
IAS/Network Security 2 Y
IAS/Cryptography 1 N
IAS/Web Security Y
IAS/Platform Security Y
IAS/Security Policy and Governance Y
IAS/ Digital Forensics Y
IAS/Secure Software Engineering Y

 

The following table shows the distribution of hours throughout all other KA’s in CS2013 where security is appropriately addressed either as fundamental to the KU topics (for example, OS/Security or Protection or SE/Software Construction) or as a supportive use case for the topic (for example, HCI/Foundations or NC/Routing and Forwarding or SP/Intellectual Property).  The hours represent the set of hours in that KA/KU where the topics are particularly relevant to Information Assurance and Security.

 

IAS. Information Assurance and Security (distributed) (32 Core-Tier1 hours, 31.5 Core-Tier2 hours)

Knowledge Area and Topic Core-Tier1 hours Core-Tier2 hours Includes Electives
AR/Assembly Level Machine Organization 1
AR/Memory System Organization and Architecture 0.5
AR/Multiprocessing and Alternative Architectures Y
HCI/Foundations 1
HCI/Human Factors and Security Y
IM/Information Management Concepts 0.5 0.5
IM/Transaction Processing Y
IM/Distributed Databases Y
IS/Reasoning Under Uncertainty Y
NC/Introduction 1
NC/Networked Applications 0.5
NC/Reliable Data Delivery 1.5
NC/Routing and Forwarding 1
NC/Local Area Networks 1
NC/Resource Allocation 0.5
NC/Mobility 1
OS/Overview of OS 2
OS/OS Principles 1
OS/Concurrency 1.5
OS/Scheduling and Dispatch 2
OS/Memory Management 2
OS/Security and Protection 2
OS/Virtual Machines Y
OS/Device Management Y
OS/File Systems Y
OS/Real Time and Embedded Systems Y
OS/Fault Tolerance Y
OS/System Performance Evaluation Y
PBD/Web Platforms Y
PBD/Mobile Platforms Y
PBD/Industrial Platforms Y
PD/Parallelism Fundamentals 1
PD/Parallel Decomposition 0.5
PD/Communication and Coordination 1 1 Y
PD/Parallel Architecture 0.5 Y
PD/Distributed Systems Y
PD/Cloud Computing Y
PL/Object-Oriented Programming 1 3
PL/Functional Programming 1
PL/Basic Type Systems 0.5 2
PL/Language Translation and Execution 1
PL/Runtime Systems Y
PL/Static Analysis Y
PL/Concurrency and Parallelism Y
PL/Type Systems Y
SDF/Fundamental Programming Concepts 1
SDF/Development Methods 8
SE/Software Processes 1
SE/Software Project Management 1 Y
SE/Tools and Environments 1
SE/Software Construction 2 Y
SE/Software Verification and Validation 1 Y
SE/Software Evolution 1.5
SE/Software Reliability 1
SF/Cross-Layer Communications 3
SF/Parallelism 1
SF/Resource Allocation and Scheduling 0.5
SF/Virtualization and Isolation 1
SF/Reliability through Redundancy 2
SP/Social Context 0.5
SP/Analytical Tools 1
SP/Professional Ethics 1 0.5
SP/Intellectual Property 2 Y
SP/Privacy and Civil Liberties 0.5
SP/Security Policies, Laws and Computer Crimes Y

IAS/Foundational Concepts in Security

[1 Core-Tier1 hour]

Topics:

  • CIA (Confidentiality, Integrity, Availability)
  • Concepts of risk, threats, vulnerabilities, and attack vectors (cross reference SE/Software Project Management/Risk)
  • Authentication and authorization, access control (mandatory vs. discretionary)
  • Concept of trust and trustworthiness
  • Ethics (responsible disclosure). [cross-reference SP/Professional Ethics/Accountability, responsibility and liability]

 

Learning outcomes:

  1. Analyze the tradeoffs of balancing key security properties (Confidentiality, Integrity, Availability). [Usage]
  2. Describe the concepts of risk, threats, vulnerabilities and attack vectors (including the fact that there is no such thing as perfect security). [Familiarity]
  3. Explain the concepts of authentication, authorization, access control. [Familiarity]
  4. Explain the concept of trust and trustworthiness. [Familiarity]
  5. Describe important ethical issues to consider in computer security, including ethical issues associated with fixing or not fixing vulnerabilities and disclosing or not disclosing vulnerabilities. [Familiarity]

 

 

IAS/Principles of Secure Design

[1 Core-Tier1 hour, 1 Core-Tier2 hour]

Topics:

. [Core-Tier1]

  • Least privilege and isolation (cross-reference OS/Security and Protection/Policy/mechanism separation and SF/Virtualization and Isolation/Rationale for protection and predictable performance and PL/Language Translation and Execution/Memory management)
  • Fail-safe defaults (cross-reference SE/Software Construction/ Coding practices: techniques, idioms/patterns, mechanisms for building quality programs and SDF/Development Methods/Programming correctness)
  • Open design (cross-reference SE/Software Evolution/ Software development in the context of large, pre-existing code bases)
  • End-to-end security (cross reference SF/Reliability through Redundancy/ How errors increase the longer the distance between the communicating entities; the end-to-end principle)
  • Defense in depth (e.g., defensive programming, layered defense)
  • Security by design (cross reference SE/Software Design/System design principles)
  • Tensions between security and other design goals

 

[Core-Tier2]

  • Complete mediation
  • Use of vetted security components
  • Economy of mechanism (reducing trusted computing base, minimize attack surface) (cross reference SE/Software Design/System design principles and SE/Software Construction/Development context: “green field” vs. existing code base)
  • Usable security (cross reference HCI/Foundations/Cognitive models that inform interaction design)
  • Security composability
  • Prevention, detection, and deterrence (cross reference SF/Reliability through Redundancy/Distinction between bugs and faults and NC/Reliable Data Delivery/Error control and NC/Reliable Data Delivery/Flow control)

 

Learning outcomes:

[Core-Tier1]

  1. Describe the principle of least privilege and isolation as applied to system design. [Familiarity]
  2. Summarize the principle of fail-safe and deny-by-default. [Familiarity]
  3. Discuss the implications of relying on open design or the secrecy of design for security. [Familiarity]
  4. Explain the goals of end-to-end data security. [Familiarity]
  5. Discuss the benefits of having multiple layers of defenses. [Familiarity]
  6. For each stage in the lifecycle of a product, describe what security considerations should be evaluated. [Familiarity]
  7. Describe the cost and tradeoffs associated with designing security into a product. [Familiarity]

 

[Core-Tier2]

  1. Describe the concept of mediation and the principle of complete mediation. [Familiarity]
  2. Describe standard components for security operations, and explain the benefits of their use instead of re-inventing fundamentals operations. [Familiarity]
  3. Explain the concept of trusted computing including trusted computing base and attack surface and the principle of minimizing trusted computing base. [Familiarity]
  4. Discuss the importance of usability in security mechanism design. [Familiarity]
  5. Describe security issues that arise at boundaries between multiple components. [Familiarity]
  6. Identify the different roles of prevention mechanisms and detection/deterrence mechanisms. [Familiarity]

 

IAS/Defensive Programming

[1 Core-Tier1 hour, 1 Core-Tier2 hour]

Topics in defensive programming are generally not thought about in isolation, but applied to other topics particularly in SDF, SE and PD Knowledge Areas.

Topics:

[Core-Tier1]

  • Input validation and data sanitization (cross reference SDF/Development Methods/Program Correctness)
  • Choice of programming language and type-safe languages
  • Examples of input validation and data sanitization errors (cross reference SDF/Development Methods/Program Correctness and SE/Software Construction/Coding Practices)
    • Buffer overflows
    • Integer errors
    • SQL injection
    • XSS vulnerability
  • Race conditions (cross reference SF/Parallelism/Parallel programming and PD/Parallel Architecture/Shared vs. distributed memory and PD/Communication and Coordination/Shared Memory and PD/Parallelism Fundamentals/Programming errors not found in sequential programming)
  • Correct handling of exceptions and unexpected behaviors (cross reference SDF/Development Methods/program correctness)

 

[Core-Tier2]

  • Correct usage of third-party components (cross reference SDF/Development Methods/program correctness and Operating System Principles/Concepts of application program interfaces (APIs)
  • Effectively deploying security updates (cross reference OS/Security and Protection/Security methods and devices)

 

[Electives]

  • Information flow control
  • Correctly generating randomness for security purposes
  • Mechanisms for detecting and mitigating input and data sanitization errors
  • Fuzzing
  • Static analysis and dynamic analysis
  • Program verification
  • Operating system support (e.g., address space randomization, canaries)
  • Hardware support (e.g., DEP, TPM)

 

 

Learning outcomes:

[Core-Tier1]

  1. Explain why input validation and data sanitization is necessary in the face of adversarial control of the input channel. [Familiarity]
  2. Explain why you might choose to develop a program in a type-safe language like Java, in contrast to an unsafe programming language like C/C++. [Familiarity]
  3. Classify common input validation errors, and write correct input validation code. [Usage]
  4. Demonstrate using a high-level programming language how to prevent a race condition from occurring and how to handle an exception. [Usage]
  5. Demonstrate the identification and graceful handling of error conditions. [Usage]

 

[Core-Tier2]

  1. Explain the risks with misusing interfaces with third-party code and how to correctly use third-party code. [Familiarity]
  2. Discuss the need to update software to fix security vulnerabilities and the lifecycle management of the fix. [Familiarity]

 

[Elective]

  1. List examples of direct and indirect information flows. [Familiarity]
  2. Explain the role of random numbers in security, beyond just cryptography (e.g. password generation, randomized algorithms to avoid algorithmic denial of service attacks). [Familiarity]
  3. Explain the different types of mechanisms for detecting and mitigating data sanitization errors. [Familiarity]
  4. Demonstrate how programs are tested for input handling errors. [Usage]
  5. Use static and dynamic tools to identify programming faults. [Usage]
  6. Describe how memory architecture is used to protect runtime attacks. [Familiarity]

 

IAS/Threats and Attacks

[1 Core-Tier2 hour]

Topics:

[Core-Tier2]

  • Attacker goals, capabilities, and motivations (such as underground economy, digital espionage, cyberwarfare, insider threats, hacktivism, advanced persistent threats)
  • Examples of malware (e.g., viruses, worms, spyware, botnets, Trojan horses or rootkits)
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Social engineering (e.g., phishing) (cross reference SP/Social Context/Social implications of computing in a networked world and HCI/Designing Interaction/Handling human/system failure.)

 

[Elective]

  • Attacks on privacy and anonymity (cross reference HCI/Foundations/Social models that inform interaction design: culture, communication, networks and organizations. cross reference SP/Privacy and Civil Liberties/technology-based solutions for privacy protection)
  • Malware/unwanted communication such as covert channels and stegonography.

 

 

Learning outcomes:

[Core-Tier2]

  1. Describe likely attacker types against a particular system. [Familiarity]
  2. Discuss the limitations of malware countermeasures (e.g., signature-based detection, behavioral detection). [Familiarity]
  3. Identify instances of social engineering attacks and Denial of Service attacks. [Familiarity]
  4. Discuss how Denial of Service attacks can be identified and mitigated. [Familiarity]

 

[Elective]

  1. Describe risks to privacy and anonymity in commonly used applications. [Familiarity]
  2. Discuss the concepts of covert channels and other data leakage procedures. [Familiarity]

 

IAS/Network Security

[2 Core-Tier2 hours]

Discussion of network security relies on previous understanding on fundamental concepts of networking, including protocols, such as TCP/IP, and network architecture/organization (cross-reference NC/Network Communication).

Topics:

[Core-Tier2]

  • Network specific threats and attack types (e.g., denial of service, spoofing, sniffing and traffic redirection, man-in-the-middle, message integrity attacks, routing attacks, and traffic analysis)
  • Use of cryptography for data and network security.
  • Architectures for secure networks (e.g., secure channels, secure routing protocols, secure DNS, VPNs, anonymous communication protocols, isolation)
  • Defense mechanisms and countermeasures (e.g., network monitoring, intrusion detection, firewalls, spoofing and DoS protection, honeypots, tracebacks)

 

. [Elective]

  • Security for wireless, cellular networks (cross reference NC/Mobility/Principles of cellular networks; cross reference NC/Mobility/802.11)
  • Other non-wired networks (e.g., ad hoc, sensor, and vehicular networks)
  • Censorship resistance
  • Operational network security management (e.g., configure network access control)

 

Learning outcomes:

[Core-Tier2]

  1. Describe the different categories of network threats and attacks. [Familiarity]
  2. Describe the architecture for public and private key cryptography and how PKI supports network security. [Familiarity]
  3. Describe virtues and limitations of security technologies at each layer of the network stack. [Familiarity]
  4. Identify the appropriate defense mechanism(s) and its limitations given a network threat. [Familiarity]

 

[Elective]

  1. Discuss security properties and limitations of other non-wired networks. [Familiarity]
  2. Identify the additional threats faced by non-wired networks. [Familiarity]
  3. Describe threats that can and cannot be protected against using secure communication channels. [Familiarity]
  4. Summarize defenses against network censorship. [Familiarity]
  5. Diagram a network for security. [Familiarity]

 

 

IAS/Cryptography

[1 Core-Tier2 hour]

Topics:

[Core-Tier2]

  • The Basic Cryptography Terminology covers notions pertaining to the different (communication) partners, secure/unsecure channel, attackers and their capabilities, encryption, decryption, keys and their characteristics, signatures.
  • Cipher types (e.g., Caesar cipher, affine cipher) together with typical attack methods such as frequency analysis.
  • Public Key Infrastructure support for digital signature and encryption and its challenges.

 

[Elective]

  • Mathematical Preliminaries where essential for Cryptography; includes topics in linear algebra, number theory, probability theory, and statistics.
  • Cryptographic primitives:
    • pseudo-random generators and stream ciphers
    • block ciphers (pseudo-random permutations), e.g., AES
    • pseudo-random functions
    • hash functions, e.g., SHA2, collision resistance
    • message authentication codes
    • key derivations functions
  • Symmetric key cryptography
    • Perfect secrecy and the one time pad
    • Modes of operation for semantic security and authenticated encryption (e.g., encrypt-then-MAC, OCB, GCM)
    • Message integrity (e.g., CMAC, HMAC)
  • Public key cryptography:
    • Trapdoor permutation, e.g., RSA
    • Public key encryption, e.g., RSA encryption, EI Gamal encryption
    • Digital signatures
    • Public-key infrastructure (PKI) and certificates
    • Hardness assumptions, e.g., Diffie-Hellman, integer factoring
  • Authenticated key exchange protocols, e.g., TLS
  • Cryptographic protocols: challenge-response authentication, zero-knowledge protocols, commitment, oblivious transfer, secure 2-party or multi-party computation, secret sharing, and applications
  • Motivate concepts using real-world applications, e.g., electronic cash, secure channels between clients and servers, secure electronic mail, entity authentication, device pairing, voting systems.
  • Security definitions and attacks on cryptographic primitives:
    • Goals: indistinguishability, unforgeability, collision-resistance
    • Attacker capabilities: chosen-message attack (for signatures), birthday attacks, side channel attacks, fault injection attacks.
  • Cryptographic standards and references implementations
  • Quantum cryptography

 

 

Learning outcomes:

[Core-Tier2]

  1. Describe the purpose of Cryptography and list ways it is used in data communications. [Familiarity]
  2. Define the following terms: Cipher, Cryptanalysis, Cryptographic Algorithm, and Cryptology and describe the two basic methods (ciphers) for transforming plain text in cipher text. [Familiarity]
  3. Discuss the importance of prime numbers in cryptography and explain their use in cryptographic algorithms. [Familiarity]
  4. Explain how Public Key Infrastructure supports digital signing and encryption and discuss the limitations/vulnerabilities. [Familiarity]

 

[Elective]

  1. Use cryptographic primitives and describe their basic properties. [Usage]
  2. Illustrate how to measure entropy and how to generate cryptographic randomness. [Usage]
  3. Use public-key primitives and their applications. [Usage]
  4. Explain how key exchange protocols work and how they fail. [Familiarity]
  5. Discuss cryptographic protocols and their properties. [Familiarity]
  6. Describe real-world applications of cryptographic primitives and protocols. [Familiarity]
  7. Summarize security definitions related to attacks on cryptographic primitives, including attacker capabilities and goals.[Familiarity]
  8. Apply appropriate known cryptographic techniques for a given scenario. [Usage]
  9. Appreciate the dangers of inventing one’s own cryptographic methods. [Familiarity]
  10. Describe quantum cryptography and the impact of quantum computing on cryptographic algorithms. [Familiarity]

 

 

IAS/Web Security

[Elective]

Topics:

  • Web security model
    • Browser security model including same-origin policy
    • Client-server trust boundaries, e.g., cannot rely on secure execution in the client
  • Session management, authentication
    • Single sign-on
    • HTTPS and certificates
  • Application vulnerabilities and defenses
    • SQL injection
    • XSS
    • CSRF
  • Client-side security
    • Cookies security policy
    • HTTP security extensions, e.g. HSTS
    • Plugins, extensions, and web apps
    • Web user tracking
  • Server-side security tools, e.g. Web Application Firewalls (WAFs) and fuzzers

 

Learning outcomes:

  1. Describe the browser security model including same-origin policy and threat models in web security. [Familiarity]
  2. Discuss the concept of web sessions, secure communication channels such as TLS and importance of secure certificates, authentication including single sign-on such as OAuth and SAML. [Familiarity]
  3. Describe common types of vulnerabilities and attacks in web applications, and defenses against them. [Familiarity]
  4. Use client-side security capabilities in an application. [Usage]

 

IAS/Platform Security

[Elective]

Topics:

  • Code integrity and code signing
  • Secure boot, measured boot, and root of trust
  • Attestation
  • TPM and secure co-processors
  • Security threats from peripherals, e.g., DMA, IOMMU
  • Physical attacks: hardware Trojans, memory probes, cold boot attacks
  • Security of embedded devices, e.g., medical devices, cars
  • Trusted path

 

Learning outcomes:

  1. Explain the concept of code integrity and code signing and the scope it applies to. [Familiarity]
  2. Discuss the concept of root of trust and the process of secure boot and secure loading. [Familiarity]
  3. Describe the mechanism of remote attestation of system integrity. [Familiarity]
  4. Summarize the goals and key primitives of TPM. [Familiarity]
  5. Identify the threats of plugging peripherals into a device. [Familiarity]
  6. Identify physical attacks and countermeasures. [Familiarity]
  7. Identify attacks on non-PC hardware platforms. [Familiarity]
  8. Discuss the concept and importance of trusted path. [Familiarity]

IAS/Security Policy and Governance

[Elective]

See general cross-referencing with the SP/Security Policies, Laws and Computer Crimes.

Topics:

  • Privacy policy (cross reference SP/Social Context/Social implications of computing in a networked world; cross reference SP/Professional Ethics/Accountability, responsibility and liability; cross reference SP/Privacy and Civil Liberties/Legal foundations of privacy protection)
  • Inference controls/statistical disclosure limitation
  • Backup policy, password refresh policy
  • Breach disclosure policy
  • Data collection and retention policies
  • Supply chain policy
  • Cloud security tradeoffs

 

 

Learning outcomes:

  1. Describe the concept of privacy including personally private information, potential violations of privacy due to security mechanisms, and describe how privacy protection mechanisms run in conflict with security mechanisms. [Familiarity]
  2. Describe how an attacker can infer a secret by interacting with a database. [Familiarity]
  3. Explain how to set a data backup policy or password refresh policy. [Familiarity]
  4. Discuss how to set a breach disclosure policy. [Familiarity]
  5. Describe the consequences of data retention policies. [Familiarity]
  6. Identify the risks of relying on outsourced manufacturing. [Familiarity]
  7. Identify the risks and benefits of outsourcing to the cloud. [Familiarity]

 

IAS/Digital Forensics

[Elective]

Topics:

  • Basic Principles and methodologies for digital forensics.
  • Design systems with forensic needs in mind
  • Rules of Evidence – general concepts and differences between jurisdictions and Chain of Custody.
  • Search and Seizure of evidence: legal and procedural requirements
  • Digital Evidence methods and standards.
  • Techniques and standards for Preservation of Data.
  • Legal and Reporting Issues including working as an expert witness
  • OS/File System Forensics
  • Application Forensics
  • Web Forensics
  • Network Forensics
  • Mobile Device Forensics
  • Computer/network/system attacks
  • Attack detection and investigation
  • Anti-forensics

 

Learning outcomes:

  1. Describe what is a Digital Investigation is, the sources of digital evidence, and the limitations of forensics. [Familiarity]
  2. Explain how to design software to support forensics. [Familiarity]
  3. Describe the legal requirements for use of seized data. [Familiarity]
  4. Describe the process of evidence seizure from the time when the requirement was identified to the disposition of the data. [Familiarity]
  5. Describe how data collection is accomplished and the proper storage of the original and forensics copy. [Familiarity]
  6. Conduct data collection on a hard drive. [Usage]
  7. Describe a person’s responsibility and liability while testifying as a forensics examiner. [Familiarity]
  8. Recover data based on a given search term from an imaged system. [Usage]
  9. Reconstruct application history from application artifacts. [Usage]
  10. Reconstruct web browsing history from web artifacts. [Usage]
  11. Capture and interpret network traffic. [Usage]
  12. Discuss the challenges associated with mobile device forensics. [Familiarity]
  13. Inspect a system (network, computer, or application) for the presence of malware or malicious activity. [Usage]
  14. Apply forensics tools to investigate security breaches. [Usage]
  15. Identify anti-forensic methods. [Familiarity]

 

IAS/Secure Software Engineering

[Elective]

Fundamentals of secure coding practices covered in other knowledge areas, including SDF/SE. SE/Software Construction; Software Verification and Validation.

Topics:

  • Building security into the Software Development Lifecycle (cross-reference SE/Software Processes)
  • Secure Design Principles and Patterns
  • Secure Software Specifications and Requirements
  • Secure software development practices (cross-reference SE/Software Construction)
  • Secure Testing is the process of testing that security requirements are met (including Static and Dynamic analysis).
  • Software Quality Assurance and benchmarking measurements

 

Learning outcomes:

  1. Describe the requirements for integrating security into the software development lifecycle. [Familiarity]
  2. Apply the concepts of the Design Principles for Protection Mechanisms, the Principles for Software Security (Viega and McGraw), and the Principles for Secure Design (Morrie Gasser) on a software development project. [Usage]
  3. Develop specifications for a software development effort that fully specify functional requirements and identifies the expected execution paths. [Usage]
  4. Describe software development best practices for minimizing vulnerabilities in programming code. [Familiarity]
  5. Conduct a security verification and assessment (static and dynamic) of a software application. [Usage]