Monday 5 December 2016

Handling Security Issues in SDLC

software development companies

ASP.NET software companies in India must take special care when developing internal web applications that are accessed from outside over the world wide web. Moreover, the increase in personally-owned mobile devices (e.g., watch gear, smartphones, tablets, and laptops), together with the vast variety of vulnerable mobile apps, results in a higher risk of revealing highly confidential business information in the workplace, because such information ends up stored on personally-owned devices. Cyber-attacks often exploit vulnerabilities inherent in applications and operating systems. Hence software must be developed following secure coding guidelines, and frequent updates and patches to software are necessary.

Security is unquestionably mandatory and no one can overlook it. Building security into the SDLC may take longer and result in a more complicated practice. Nevertheless, the alternatives are far less satisfactory, as there are always attackers only too eager to break into systems.

The consequences of not including security within the SDLC process can be catastrophic and could do lasting damage to a company's reputation and earnings. By securing the SDLC, unnecessary and unplanned costs can be avoided and security matters can be tackled early: there is no need to wait for threats to emerge and then spend money fixing current or probable issues that could have been prevented.

Software companies in India use a secure SDLC (S-SDLC) that focuses on enforcing security throughout the software development life cycle. Every phase of the SDLC emphasizes the enforcement of security, over and above its existing set of activities. Incorporating S-SDLC into an organization's structure has many benefits and helps guarantee a secure product.

The focus of ASP.NET software companies in India, with respect to the security domain, is on the SDLC phases of design, implementation, delivery, operation, maintenance, and retirement. Information security and privacy experts must be involved in all phases of the SDLC so that the overall effectiveness of security controls, and the privacy concerns they address, are taken care of.

The following list identifies key security guidelines at each stage in the development life cycle for ASP.NET software companies in India:

  • System feasibility: Pinpoint security requirements, including regulatory requirements and the in-house policies and standards that must be considered.
  • Software plans and requirements: Identify the vulnerabilities, threats, and risks to the software. Outline the desired level of protection. Conduct a cost-benefit analysis.
  • Product design: Plan for the security criteria in the product design (e.g., access controls or encryption).
  • Detailed design: Work business requirements and legal obligations into the design of the security controls in a product or system.
  • Coding: Develop the security-related software code, comments and citations.
  • Product integration: Test the security measures and make alterations.
  • Implementation: Implement any additional security measures prior to go-live.
  • Operations and maintenance: Monitor the software and system for changes in security controls. Assess current controls against newly-discovered threats and vulnerabilities. Apply proper updates and patches when necessary. Verify the complete effectiveness of application and system security.
  • Product retirement: Safeguard information that was used and stored (i.e., archived), relocated to another database or system, or sanitized (i.e., erased) from the system.

Thus ASP.NET software companies in India can identify, reduce, mitigate and eliminate the security threats and adverse impacts that could be present in each stage of the SDLC. This ultimately results in a reduction in the overall cost, effort and time of delivering the final product or service in the IT industry.

Thursday 3 November 2016

Legal steps you must take before outsourcing content creation

custom software development companies
With the growth of the Internet and the need to create a steady stream of content, outsourcing has become incredibly common. In fact, Robles (2016) cites research showing that 79 percent of software development companies are embracing content marketing, while Statista (2014) reported that the global market size of outsourced services in 2014 was $104.6 billion.

Being at the top of your market with content is crucial, as great content drives leads and results in more sales. But before you jump into the deep end of outsourcing content creation, there are a few things you'll want to consider, so that you can not only approach it the correct way but also protect yourself and your business from negative effects down the road.

Recognize your content needs

In order to recruit great content creators you have to first delineate what type of content you need.
For instance, you could include:
  • Weekly blog posts
  • Social media updates
  • Guest blogging
  • Email marketing
  • Pay-per-click ad copywriting

Finding the specific types of content needed may not appear to be a legal step. However, at the kickoff these are essential things to consider, all of which will enable you to draft both your job advertisement and various aspects of your binding agreement.

Assign copyright

Simply paying someone does not automatically transfer copyright of that content to the end user. Unless you explicitly set out the terms of use in your agreement, the content creator retains ownership of that content. In this case you only have an implicit license, so you'll need explicit permission to re-purpose any of that content for other uses, such as turning a blog post into an e-book or social-media posts.

It's also essential that you consider indemnification against claims over images or content that may be the property of others. At the end of the day, you will be accountable if content published on your site or in your materials is found to infringe copyright.
For text-based copy, using a service such as Copyscape is standard practice. With images, attribution is particularly tough, since there's no good way to verify the copyright short of either buying the rights or waiting for an angry copyright notice from an owner who feels infringed.
Be clever and understand copyright upfront so you can avoid negative consequences.

Explicitly sketch outsourcing requirements.

Be as specific as possible when delineating requirements so that freelancers know your expectations, including how success or failure will be benchmarked and measured. You may also want to include an SLA that clearly outlines performance details, measurements and standards.

Consider the legal liabilities in your content.

You may need to take further precautions if the content you'll be outsourcing is subject to any regulatory requirements. For example, if you're publishing medical content or financial advice, you may need to include relevant disclaimers or ensure the materials produced meet certain standards to protect yourself legally.

If you could be held legally liable for the content you publish on your website, be sure your outsourced creators are able to meet any essential requirements.

Prepare in advance for termination.

Ideally, you'll find in a freelancer a long-term partner for your content creation needs. But since turnover is unavoidable, it's far better to protect yourself from the start. Your termination clause is immensely important, as it sets forth the conditions under which the customer may exit the outsourcing relationship.

The termination clause needs to state the common reasons that give you and your software development company the right to exit the agreement, along with the rights of the contractor. It's also advisable to include both parties' respective rights upon termination with regard to ongoing privacy and protection.

Put everything in the contract.

Now that you've covered all your legal bases, document them in a formal written contract that both you and your freelancers will agree to. In most cases it's advisable to consult an actual lawyer to do this. However, you can get started by finding similar contract agreements to work from.

Take out an insurance policy.

Last, but not least, and keeping it short and simple: it's definitely worth investing in an insurance policy when it comes to defending your legal rights as a content creator and purchaser. At the end of the day, you need to be prepared for any legal complications that could arise from the content you publish, or, at the very least, be fully aware of who's liable for anything that may happen.

Conclusion
Though the Internet has blurred the rules and lines of outsourcing somewhat, it's advisable to stick to guidelines and follow the rules to protect yourself. If you have any doubts, consult a lawyer.

Bibliography
Robles, P. (2016).
Statista (2014).

Tuesday 4 October 2016

Fitting enterprise systems into systems

Software development company in india

Enterprise systems, developed by software companies in India, are used by large companies and small- and medium-sized enterprises (SMEs) to reorganize and streamline their internal and external operations.

Enterprise systems are used to enable the seamless integration and exchange of information between the several departments within an organization. To accomplish this, strictly defined control mechanisms must be in place in the system to protect the company's data and safeguard the company against unauthorized and unintentional uses of the system. Total control would be ideal; however, it is only attainable to a certain degree. The introduction of controls in the enterprise system may have unintended organizational consequences, due to organizational necessities. The introduction of an enterprise system increases power differentials, which help to increase control in the organization. This results in amplified rigidity and a probable decrease in organizational flexibility and resilience. On the other hand, enterprise systems can also cause drift, resulting from the unforeseen consequences of these power differentials and from the role of people's insights in resolving problems within the enterprise system. This decrease in control may, in some situations, serve as an enabler of organizational flexibility.

Software companies in India note that employees have decreased or increased authority as an outcome of being assigned different authorization levels to carry out jobs in the system. Moreover, people with better knowledge of the system tend to gain authority as more people rely on their expertise to carry out their tasks. Monitoring is another source of influence: the person carrying out the monitoring is seen to control what the subordinate is doing in the system. Monitoring in this case depends on the accurate assignment of authorization levels to the correct individuals. Thus the creation of authorization-level structures in the system, together with the monitoring abilities of the system and the development of expertise by several actors, leads to the creation of power differentials. These power differentials then serve to escalate control in the company.

An enterprise system can segregate local contexts of communication and reform them across time and space. This is attained through the widespread nature of the enterprise system, which is configured at a central site. The segregation process then results in increased control, produced by the significance of the configuration of the enterprise system and the concentration of power in the hands of nominated individuals. As control increases, rigid mechanisms are put into place by software companies in India to make the organization more inelastic and robust. As such, the processes and procedures in the company are frozen, and firm rules apply regarding access to and manipulation of company information. Depending on the degree of this rigidity in rules (imposed by the enterprise system), the company may become too unbending to respond efficiently to circumstances of change and pressure, and consequently become less resilient. Relaxing or loosening those rules may, however, lead to more elasticity (at the price of a partial loss of control), and hence resilience can actually rise.

On the other hand, an enterprise system can also be understood to integrate. This is accomplished through the distributed nature of enterprise systems, which can be installed, with the help of software companies in India, in many locations across time and space. As an outcome of the integration, there may be drift because of the influence of unintended consequences of the system and the role of people's ethics in solving a problem. This decline in control may serve to increase the resilience of the company, because employees operate the system for their individual use and are therefore able to react more readily to change when it happens. On the other hand, when employees fully follow the processes and procedures dictated by the system, then there is less or no drift, and the control structures enforced by the system are rebuilt. In this case resilience may actually decrease.

Thus fitting an enterprise system into an organization can produce higher rigidity, and at the same time it can also increase flexibility, depending upon the organization's necessities. Software companies in India can configure enterprise systems and their authorization levels as required.

Wednesday 21 September 2016

Domain Based Security

software development companies

Domain Based Security is being used more and more for the identification, analysis and documentation of security issues in enterprise communication and information systems projects, particularly in the military domain and for the Asp.net software companies in India. The procedure incorporates numerous security-related activities in the early stages of the systems lifecycle to support the specification of high-level, technology-independent security functionality solutions.

The article focuses on: 

  • Ranking risks according to a correct value system
  • Modeling business connections in an extensible manner

The DBSy Model (Domain Based Security)

The DBSy approach uses simple models to characterize the requirements for security in an organization using two different but related viewpoints: the InfoSec Business Model represents the security aspects of the business, while the InfoSec Infrastructure Model represents the logical provision of strong boundaries that enforce separation. When combined, they create an InfoSec Architecture Model. This model forms the basis for a systematic and rigorous risk assessment.

The InfoSec business model defines security domains for Asp.net software companies in India and the connections between them. The model specifies the limits of what information can be processed and exchanged between security domains, which together form the set of security requirements for the business. In particular, connections that are not explicitly modelled are not permitted and are required not to occur. A security domain is characterized by a set of information assets that may be of value to the organization, as well as the people that work with the information and the applications and services that act on their behalf. Connections between domains are categorized by the nature of the interaction that is required (such as interpersonal messages, or shared access to a database) and by the sensitivity and integrity requirements of the information exchanged. The model can also represent the kinds of physical environment from which a domain can be accessed.

The InfoSec infrastructure model defines islands of computing infrastructure that need to be logically separate for Asp.net software companies in India, so that data cannot be exchanged between them except at identifiable and manageable points of connection, referred to as causeways. An island is characterized by the strength of separation between it and any other islands and by the people who manage its computing infrastructure.

An InfoSec architecture model combines the business and infrastructure views by showing which security domains are supported by which islands of infrastructure. Where there are connections between security domains that are hosted on different islands, the connections must be supported by an appropriate causeway.
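
The two consistency checks that fall out of the architecture model described above, as an added example that is not part of the original article or of DBSy itself: connections not explicitly modelled are flagged, and modelled connections that cross islands without a causeway are flagged. Domain, island and causeway names are constructed sample data; treating connections as directed and a causeway as an unordered pair of islands are simplifications assumed here.

```python
"""Added example, not from the original article: a small checker for a
DBSy-style InfoSec Architecture Model.  Domain, island and causeway names
are constructed sample data; connections are treated as directed, and a
causeway is modelled simply as an unordered pair of islands (both are
simplifications assumed here, not part of DBSy itself)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """A modelled interaction between two security domains (business view)."""
    src: str
    dst: str
    kind: str         # nature of the interaction, e.g. "messaging"
    sensitivity: str  # sensitivity of the information exchanged


@dataclass
class ArchitectureModel:
    hosting: dict       # security domain -> island of infrastructure
    connections: set    # explicitly modelled Connection objects
    causeways: set      # frozenset({island_a, island_b}) with a causeway

    def allowed(self, src, dst):
        """Connections not explicitly modelled are not permitted."""
        return any(c.src == src and c.dst == dst for c in self.connections)

    def missing_causeways(self):
        """Modelled connections that cross islands with no causeway to
        support them: the architecture model is inconsistent there."""
        gaps = []
        for c in self.connections:
            a, b = self.hosting[c.src], self.hosting[c.dst]
            if a != b and frozenset((a, b)) not in self.causeways:
                gaps.append((c.src, c.dst))
        return sorted(gaps)

    def unmodelled_flows(self, observed):
        """Observed (src, dst) flows the business model does not allow;
        a finding to investigate, since they are 'required not to occur'."""
        return sorted(f for f in observed if not self.allowed(*f))


def sample_model():
    """Constructed sample: three islands, four domains, one causeway."""
    hosting = {
        "hr": "corporate",
        "finance": "corporate",
        "partner-portal": "dmz",
        "dev": "development",
    }
    connections = {
        Connection("hr", "finance", "shared-db", "confidential"),
        Connection("finance", "partner-portal", "messaging", "restricted"),
        Connection("dev", "finance", "shared-db", "confidential"),
    }
    causeways = {frozenset(("corporate", "dmz"))}
    return ArchitectureModel(hosting, connections, causeways)


def review(model, observed):
    """Summarise the two checks a reviewer would run over the model."""
    return {
        "missing_causeways": model.missing_causeways(),
        "unmodelled_flows": model.unmodelled_flows(observed),
    }


if __name__ == "__main__":
    # Constructed 'observed' flows, as one might extract from a firewall log
    seen = [("hr", "finance"), ("partner-portal", "hr"), ("dev", "finance")]
    print(review(sample_model(), seen))
```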

Risk Assessment Method

The DBSy method uses a rational risk framework for describing the risks to which information assets are exposed. Assets are grouped together as a focus of interest, and the risk assessment process for C#.net software companies in India is applied to each focus of interest in turn.
The key factors defining the risk to a particular focus of interest are:

  • Business impacts from compromise of the confidentiality, integrity or availability of the focus of interest.
  • Sets of people who might want to cause damage (threat sources) and their motivation for doing so.
  • People with different opportunities to cause damage (threat actors) and their capability to do damage, who may also be threat sources or could be influenced by others.
  • The means by which each threat actor might cause damage (causes of compromise).

Conclusion

Domain Based Security, abbreviated to "DBSy", is a model-based approach to help examine information security risks in a business context and provide a clear and direct mapping between the risks and the security controls needed to manage them.


Monday 12 September 2016

Access Control Domain

custom application development companies

The Access Control domain encompasses:

  • Discretionary, Mandatory, and Non-Discretionary models 
  • Identification methods, Authentication methods
  • Accountability, monitoring, and auditing practices 
  • Intrusion detection systems/Intrusion Prevention Systems 
  • Likely threats to access control practices and technologies 
  • A Framework that dictates how Subjects access Objects

The types of Access Control are :

  • DAC
  • MAC
  • RBAC 

Discretionary Access Control – DAC

A system that uses discretionary access control (DAC) allows the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner.

For example, a manager of a particular department in a custom software development company might be made the owner of the files and resources within his/her domain.

The most common implementation of DAC is through ACLs, which are specified and set by the owners and enforced by the operating system.


  • DAC leaves the granting and revoking of access privileges to the discretion of the individual users
  • It is highly flexible 
  • Not appropriate for –
    -- High assurance systems, e.g. a military system 
    -- Many complex commercial security requirements 
  • It is Identity-based 


Mandatory Access Control –MAC

In a mandatory access control (MAC) model, users and data owners do not have as much liberty to determine who can access files. The operating system makes the final decision and can override the users' wishes.

This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, or unclassified), and data is classified in the same way. The clearance and classification are stored in security labels, which are bound to the specific subjects and objects.

A given IT infrastructure in a software development company can implement MAC systems in many places and at different levels. The OS uses MAC to guard files and directories.
Database management systems apply MAC to regulate access to tables and views. Many commercially available application systems apply MAC, often independently of the operating systems and/or DBMSs on which they are installed.

The OS constrains the ability of a subject or initiator to access or perform some operation on an object. A subject is usually a process or thread, and objects are constructs such as files, TCP/UDP ports, shared memory segments, etc.

Whenever a subject tries to access an object, an authorization rule enforced by the operating system kernel inspects the security attributes and decides whether access can take place.

  • Information classification is necessary; access decisions are label-based
  • Well suited to the requirements of government and industry organizations that process classified and sensitive information
  • Such environments usually require the ability to control the actions of individuals beyond just an individual's ability to access information according to how that information is labeled based on its sensitivity


RBAC 

  • In the RBAC model, a role is defined in terms of the tasks and operations that the role will need to carry out, whereas DAC specifies which subjects can access which objects.
  • RBAC uses a centrally administered set of controls to determine how subjects and objects interact. This type of model allows access to resources to be based on the role the user holds within the company, e.g. a software development company.
  • A role can be thought of as a set of transactions that a user or set of users can perform within the context of an organization, i.e. a collection of permissions.
  • A transaction can be thought of as a transformation procedure plus a set of associated data items.
  • Roles are group oriented; they are created for job functions.
  • Roles are designed on the principle of least privilege.
  • Role-based access control policy bases access control decisions on the functions a user is permitted to perform within an organization.
  • RBAC provides a means of naming and describing many-to-many relationships between individuals and rights.
  • A user has access to an object based on the assigned role.
  • Roles are defined based on job functions.
  • Permissions are defined based on job authority and responsibilities within a job function.
  • Operations on an object are invoked based on the permissions.
  • The object is concerned with the user's role and not the user.
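
The three models described in the DAC, MAC and RBAC sections above, side by side as policy-decision functions over one constructed scenario; this is an added example, not code from the original post. The MAC rule used (no read up, no write down) is the Bell-LaPadula pair, assumed here for illustration since the post only says labels are compared; the users, files, labels and roles are constructed sample data.

```python
"""Added example, not from the original post: minimal policy-decision
functions for the three models the post describes (DAC, MAC, RBAC).
Users, files, labels and roles are constructed sample data.  The MAC
rule used is the Bell-LaPadula pair (no read up, no write down), an
assumption chosen for illustration; the post itself only says labels
are compared."""
from dataclasses import dataclass, field


# ---- DAC: access is at the discretion of the object's owner -------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of operations

    def grant(self, actor, subject, ops):
        """Only the owner may edit the ACL; anyone else is refused."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(subject, set()).update(ops)


def dac_allows(obj, subject, op):
    """Identity-based: the owner always may; others only if listed in the ACL."""
    return subject == obj.owner or op in obj.acl.get(subject, set())


# ---- MAC: the label system decides and the owner cannot override it -----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(clearance, label, op):
    """Read needs clearance >= label (no read up); write needs
    clearance <= label (no write down).  Unknown operations are denied."""
    s, o = LEVELS[clearance], LEVELS[label]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    return False


# ---- RBAC: many-to-many user/role and role/permission, least privilege --
class Rbac:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object type)
        self.user_roles = {}   # user -> set of roles

    def define_role(self, role, perms):
        """Roles are created for job functions and carry only what they need."""
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user, op, object_type):
        """The object checks the user's roles, not the user's identity."""
        return any((op, object_type) in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def demo():
    """Run the three models over the same constructed scenario."""
    # DAC: the HR manager owns the salary file and grants read to one analyst
    salaries = DacObject(owner="hr_manager")
    salaries.grant("hr_manager", "analyst", {"read"})
    try:
        salaries.grant("analyst", "intern", {"read"})   # analyst is not the owner
        non_owner_grant_refused = False
    except PermissionError:
        non_owner_grant_refused = True

    # RBAC: two job functions with different permissions, one user in both
    rbac = Rbac()
    rbac.define_role("payroll_clerk", {("read", "payslip"), ("write", "payslip")})
    rbac.define_role("auditor", {("read", "payslip"), ("read", "ledger")})
    rbac.assign("alice", "payroll_clerk")
    rbac.assign("bob", "auditor")
    rbac.assign("bob", "payroll_clerk")

    return {
        "dac_owner_write": dac_allows(salaries, "hr_manager", "write"),
        "dac_analyst_read": dac_allows(salaries, "analyst", "read"),
        "dac_analyst_write": dac_allows(salaries, "analyst", "write"),
        "dac_non_owner_cannot_grant": non_owner_grant_refused,
        "mac_secret_reads_confidential": mac_allows("secret", "confidential", "read"),
        "mac_confidential_reads_secret": mac_allows("confidential", "secret", "read"),
        "mac_secret_writes_confidential": mac_allows("secret", "confidential", "write"),
        "rbac_alice_writes_payslip": rbac.allows("alice", "write", "payslip"),
        "rbac_alice_reads_ledger": rbac.allows("alice", "read", "ledger"),
        "rbac_bob_reads_ledger": rbac.allows("bob", "read", "ledger"),
        "rbac_bob_writes_payslip": rbac.allows("bob", "write", "payslip"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```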


Conclusion: 

Thus, a custom software development company should carry out structured ways of controlling access and assigning roles to employees based on the privileges they need. This leads to secure access and robust security in the company or firm, restricting entities from using unauthorised information.

Wednesday 24 August 2016

Sniffers & Sniffing Attacks

software development companies in india

A sniffer is an application that captures network packets. Sniffers are also known as network protocol analyzers. While protocol analyzers are actually network troubleshooting tools used by software development companies in India, they are also used by attackers against networks. If network packets are not encrypted, the data inside them can be read using a sniffer. Sniffing refers to the process by which attackers capture network traffic with a sniffer. Once a packet is captured, its contents can be examined. Sniffers are used by attackers to capture sensitive network information, such as account information, passwords, etc.

The different types of attacks are as follows:

1.1 A LAN sniff

A sniffer placed on an internal LAN can scan the whole IP range promiscuously. This provides details such as live hosts, server inventory, open ports, etc. Once a list of open ports is collected, a port-specific vulnerability attack is possible.

1.2 A protocol sniff

This technique involves sniffing data related to the network protocols being used. First, a list of protocols is formed based on the captured data. This is further refined to create specific sniffers for each attack. For example, in a system sniff capture, if the ICMP protocol is not seen, it is assumed to be blocked. However, if UDP packets are seen, a distinct UDP sniffer is started to capture and decode Telnet, PPP, DNS and other related application details.

1.3 An ARP sniff

In this popular method, the attacker captures a lot of data in order to create a map of IP addresses and the associated MAC addresses. Such a map is further used to create ARP poisoning attacks, packet-spoofing attacks, or to dig into router-based vulnerabilities.

1.4 TCP session stealing

This method is a simple form of sniffing, in which a network interface in promiscuous mode captures traffic between a source and a destination IP address. Details such as service types, port numbers, TCP sequence numbers and the data itself are of interest to attackers. Upon capturing packets, advanced attackers can create fictitious TCP sessions to fool the source and destination, and act as the man in the middle to take over the TCP session.

1.5 Application-level sniffing

From the data packets sniffed and captured, a few complicated application details are found out for information theft or to create further attacks. As an example, the capture file can be analyzed to perform SQL query analysis, OS fingerprinting, reveal application-specific TCP port information, etc. In an alternative approach, generating a mere list of applications running on a server is good enough to plan an application-specific attack on it.

1.6 Web password sniffing

As the name suggests, HTTP sessions are captured and analyzed to steal user IDs and passwords. While Secure Sockets Layer (SSL) is used to secure HTTP sessions on the network, there are many internal websites that still use standard but less protected encryption. It is easy to capture Base64 or Base128 packets and run a deciphering agent against them to crack the password. In modern sniffers, SSL sessions can also be captured and analyzed for information, though this method is not very simple.

1.7 Detecting sniffers

As mentioned earlier, since sniffers work silently, it is very difficult to detect them on a network. There are a few tricks that can provide a clue to a likely sniffer presence. There are two ways to detect a sniffer: network-based and host-based. In host-based detection, you can use small services to detect whether the NIC is running in promiscuous mode on any host in the network. Since the basic requirement for a sniffer to work is to put the network interface in "read all" mode, restricting this can very effectively help shut down stray sniffers. In the case of network-based detection, anti-sniffer software can be run to sense the presence of specific signature packets. In an alternative approach, scripts can be run to check each network host for the presence of known processes, sniffers, etc. Modern anti-spyware or anti-virus software is capable of detecting sniffing software and disabling it.
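
The host-based check described above, as an added example that is not part of the original post: it reports Linux interfaces whose IFF_PROMISC flag is set, reading either the /sys/class/net/<iface>/flags files or the output of `ip -o link`. The sample flag values and `ip` output are constructed for the demo, not captured from a real host.

```python
"""Added example, not from the original post: a host-based check for network
interfaces in promiscuous ("read all") mode, the basic requirement for a
sniffer that the post describes.  Two Linux sources are parsed: the
/sys/class/net/<iface>/flags files and the output of `ip -o link`.  The
sample values below are constructed for the demo, not captured from a host."""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # Linux net_device flag bit for promiscuous mode


def promisc_from_flags(flags_by_iface):
    """flags_by_iface maps iface -> contents of /sys/class/net/<iface>/flags
    (a hex string such as '0x1103').  Returns the interfaces with IFF_PROMISC
    set; unparsable entries are skipped rather than misreported."""
    hits = []
    for iface, raw in flags_by_iface.items():
        try:
            flags = int(raw.strip(), 16)
        except ValueError:
            continue
        if flags & IFF_PROMISC:
            hits.append(iface)
    return sorted(hits)


def read_sysfs_flags(root="/sys/class/net"):
    """Collect the flags file of every interface on the running host (Linux)."""
    out = {}
    base = Path(root)
    if not base.is_dir():
        return out
    for d in base.iterdir():
        f = d / "flags"
        if f.is_file():
            out[d.name] = f.read_text()
    return out


# Matches e.g. '2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...'
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<iface>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>")


def promisc_from_ip_link(text):
    """Parse `ip -o link` output; return interfaces whose flag list has PROMISC."""
    hits = []
    for line in text.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            hits.append(m.group("iface"))
    return sorted(hits)


# Constructed sample data: eth0 has been switched to promiscuous mode.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n", "bad": "??\n"}
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
4: veth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
"""


def scan_samples():
    """Run both detectors over the constructed samples; they should agree."""
    return {
        "sysfs": promisc_from_flags(SAMPLE_FLAGS),
        "ip_link": promisc_from_ip_link(SAMPLE_IP_LINK),
    }


if __name__ == "__main__":
    print("samples:", scan_samples())
    live = promisc_from_flags(read_sysfs_flags())
    print("promiscuous interfaces on this host:", live or "none")
```

Run periodically from a host agent, a non-empty result on a host that has no legitimate capture tool is the finding to raise.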

Monday 30 May 2016

IT Outsourcing Risk Factors

IT outsourcing companies in India

IT outsourcing is purchasing from an outside vendor, or using external service providers, to effectively deliver IT-enabled business processes, applications and IT service solutions for business outcomes. IT outsourcing companies in India should improve their service delivery in a way that minimizes the risks to vendors.

Due to increased regulatory scrutiny of companies' relationships with their service providers, and the variety of external service providers, the decision to outsource has become more complicated and risky. This scrutiny can vary in terms of size, scope, and geographical location.

There are various benefits to outsourcing. IT software development companies outsource many projects, assets, etc. for carrying out business activities. Along with the benefits of IT outsourcing, there also exist risks and risk factors that lead to positive or negative outcomes.

The various risk factors associated with outsourcing, and their implications for global outsourcing, are described as follows:

1) IT Outsourcing Risk factor - People
Implications for global outsourcing: Globally distributed teams with different skills and experience contribute to risk.

2) IT Outsourcing Risk factor - Knowledge (Functional, Technological, Managerial)
Implications for global outsourcing: The extent of functional, technological, and managerial knowledge contributes to risk in offshore outsourcing. Managerial knowledge is extremely important in a global context.

3) IT Outsourcing Risk factor - Cultural
Implications for global outsourcing: Country-specific cultures can add risk in global outsourcing. Language and work ethics vary from country to country, and that may contribute to risk.

4) IT Outsourcing Risk factor - Political
Implications for global outsourcing: Political instability is a major concern for global outsourcing, as government rules and regulations may have an adverse effect on outsourcing.

5) IT Outsourcing Risk factor - Financial
Implications for global outsourcing: The financial aspect looks into accounting standards and variation in currency exchange rates, which contribute to risk.

6) IT Outsourcing Risk factor - Quality Standards
Implications for global outsourcing: Quality standards vary from one country to another and contribute to risk.

7) IT Outsourcing Risk factor - Measurement
Implications for global outsourcing: Performance measurement standards vary from country to country, which contributes to risk.

8) IT Outsourcing Risk factor - Scope, Cost, and Time Estimates
Implications for global outsourcing: It is quite difficult to accurately determine scope, cost, and time estimates in global outsourcing. This contributes to risk.

9) IT Outsourcing Risk factor - Company Specific Risks
Implications for global outsourcing: Different companies in foreign countries have different management and core competencies. Those contribute to risk.

10) IT Outsourcing Risk factor - Legal Contracts and Intellectual Property
Implications for global outsourcing: IP standards and law vary from one country to another and contribute to risk.

11) IT Outsourcing Risk factor - Security
Implications for global outsourcing: Security is also a major concern in global outsourcing, as protection and control of data pose a problem.

12) IT Outsourcing Risk factor - Disaster Recovery
Implications for global outsourcing: Loss of control over disaster recovery contributes to risk.

13) IT Outsourcing Risk factor - Contract Management
Implications for global outsourcing: Contract management in global outsourcing is a risky business, as monitoring the project activities becomes a challenge.

14) IT Outsourcing Risk factor - Relationships & Alliances
Implications for global outsourcing: Inability to manage relationships and alliances constitutes a risk in global outsourcing.

15) IT Outsourcing Risk factor - Geographic Location
Implications for global outsourcing: The vendor's geographic location comprises various risks. Communication infrastructure failure in offshore projects incurs significant loss.

16) IT Outsourcing Risk factor - Multi-vendor Arrangements
Implications for global outsourcing: In global outsourcing with multi-vendor arrangements, coordination has to be effective and efficient. Otherwise execution becomes a problem and contributes to risk.

Conclusion: Thus, IT outsourcing companies should think strategically about the risk factors for outsourcing different functions or segments. Companies should consider different aspects while outsourcing, such as what needs to be outsourced and how much data should be provided to the supplier. This will eventually lead to risk mitigation.

Monday 25 April 2016

Mobile OS Architecture Trends

custom software development companies

The design of mobile operating systems has gone through a three-phase evolution in the past decade: from PC-based operating systems, to embedded operating systems, to the current smartphone-oriented operating systems. Over the course of this evolution the Mobile OS architecture has gone from simple to complex to something in between. This evolution is driven naturally by technology advancements in the internet as well as in software and hardware, including advances made by custom software development companies.

The technological advancements by web development companies have resulted in a variety of competing mobile operating system solutions on the market, driven by different actors. These include Bada by Samsung, iOS by Apple, Android by Google, RIM’s BlackBerry OS, Symbian by Nokia, Windows Phone by Microsoft, webOS by HP and a few embedded Linux distributions such as MeeGo and Maemo, to name a few.

Some of the most popular mobile operating systems are described below:

Android OS

As of 2011, Android has the largest installed base of any mobile OS, and as of 2013 its devices also sell more than Windows, iOS and Mac OS devices combined (Mahapatra, 2013). As of July 2013 the Google Play store has had over 1 million Android apps published and over 50 billion apps downloaded (PHONEARENA, 2014). One developer survey conducted between April and May 2013 found that 71% of mobile developers develop for Android (DEVECO, 2013).

The layers of the Android platform are as follows:
  • Linux Kernel: Android relies on Linux for core system services such as process management, security, memory management, and many more.
  • Android Runtime: It provides a set of core libraries which support most of the functionality in the core Java libraries. The Android virtual machine, known as the Dalvik VM, relies on the Linux kernel for some underlying functionality.
  • Libraries: Android includes a set of C/C++ libraries which are exposed to developers through the Android application framework, including the surface manager, media libraries, system C libraries, 3D libraries, etc.
  • Application Framework: It provides an access layer to the framework APIs used by the core applications and allows components to be used by developers.

iOS

iOS (previously iPhone OS) is a mobile operating system developed by Apple Inc. and is exclusively distributed for Apple hardware. iOS is the operating system that powers the iPod Touch, iPad, Apple TV and iPhone. It promoted a new style of user interaction for devices with limited input and small screens, specifically direct manipulation: on-screen interface elements are manipulated, and interface operations performed, through touch-based gestures such as tap, tap and hold, swipe, and pinch. iOS is derived from Mac OS X.

iOS is made up of the following abstraction layers:
  • Core OS: The kernel of the operating system, including basic low-level features: system support (DNS, threads, math, sockets, memory), general security services (private/public keys, certificates, encryption), Bluetooth, sound and image processing, and external hardware management.
  • Core Services: Fundamental system services, which are subdivided into different frameworks and based on C and Objective-C. It includes basic application services such as SQLite, calendar events, XML support, accounts, location data management, contacts, networking, and store purchasing.
  • Media Layer: Contains the high-level frameworks that are responsible for 2D and 3D graphics, video and audio technologies.
  • Cocoa Touch: UIKit, which is an Objective-C based framework and provides a number of functionalities necessary for the development of an iOS application, such as user interface management. APIs for building applications (multitasking, notifications, interface views, access to device data and touch input) are also included.

Windows Phone

Windows Phone is a proprietary smartphone operating system developed by Microsoft. It is the successor to Windows Mobile, though it is incompatible with the earlier platform. Windows Phone was launched in 2010 under the name Windows Phone 7. A large number of hardware manufacturers, including HTC, Samsung, LG, and Nokia, are developing Windows Phone devices. Nokia and Microsoft announced in February 2011 that Windows Phone 7 would be the primary OS for all future Nokia smartphones. Windows Phone 7 received a major upgrade (7.5 Mango) in February 2011, adding features that had been missing in the original release. The second-generation Windows Phone 8 was released in October 2012 (NCSU, 2014).

Windows Phone 7’s architecture required a hardware layer that meets Microsoft’s minimum system requirements: a multi-touch capacitive display, 256MB RAM, a DirectX 9-capable GPU, an accelerometer, 8GB of flash memory, a compass, a 5-megapixel camera, proximity and light sensors, an A-GPS, an ARM7 CPU and six physical buttons: back, start, and search; camera, volume, and power/sleep (Windows, 2011). The Windows Phone kernel handles low-level device driver access as well as basic storage, security and networking. Three libraries sit above the kernel: a UI model for user-interface management, an App Model for application management, and a Cloud Integration module for web search via push notifications, location services, Bing, and so on (NCSU, 2014). The application-facing APIs include XNA, Silverlight, HTML/JavaScript and the Common Language Runtime (CLR), which supports C# or VB .NET applications. The kernel itself is a proprietary Windows OS design for embedded devices that combines Windows Embedded CE 6.0 R3 and Windows Embedded Compact 7. Windows Phone 8 replaced the Windows CE kernel with one based on Windows NT; this is meant in part to mirror the Windows 8 desktop OS, which allows for easier porting of applications between the two operating systems, a task commonly carried out in many application development companies.

Author Signature - Sanika Taori

Sunday 24 April 2016

Marketing a Custom Software

Custom Software Development company

Custom software is specially developed for a specific custom software development company or other user with specific needs. As such, it can be contrasted with the use of software packages developed for the mass market, such as commercial off-the-shelf (COTS) software, or existing free software.

Custom software development is often considered expensive compared to off-the-shelf solutions or products. This can be true if one is speaking of typical challenges and typical solutions. However, it is not always true; custom software development by a reputable supplier is often a matter of building a house upon a solid foundation and, if managed properly, it is possible to do this quickly and to a high standard. In many cases, COTS software requires customization to correctly support the buyer's operations. The cost and delay of COTS customization frequently adds up to the expense of developing custom software.

Business processes are an important intellectual property for any software development organization. Fine-tuning and enforcing your processes through smart, fully-automated applications can help set your company apart from your competitors. Most custom software companies in India don't market their product correctly. Marketing should focus not on products but on customers. If marketing were supposed to focus on the product, it would be called “producting.” But it's not, is it? It's called “marketing,” which means that marketing is supposed to focus on the marketplace, and the marketplace is made up of people: customers and prospects. This focus on the marketplace instead of the product must form the basis of your strategic and tactical marketing; when you lose this focus your marketing loses its meaning. Start off by segmenting your market.

There are some options for creating marketing strategies. Try company size and industry sector as variables, e.g., you are looking for medium-sized companies in the financial services sector. The company size and industry sector would depend on the previous experience of your team. Speaking of that, have you got case studies on your previous engagements? Client testimonials are also good. Your revenue comes from services. Your revenue does not come from custom software development in isolation. Position yourself as a services firm that provides solutions. Your solutions should solve business problems. What problems do your solutions solve? What problems do your clients/prospects have? Do you provide customization of 'boxed products'? Do you improve system performance or functionality? Do your solutions provide benefit to the technical side or the end-user side? What does your service methodology provide that other service providers don't? Who benefits the most from your solutions and how? The answers to these questions will build your value proposition and create a compelling story that clients will want to hear!

Identify your niche by analysing your past project successes, and ask yourself questions like:
  • What technologies were used?
  • What business department did you serve?
  • What business process or function did you improve?
  • Did you save your client money?
  • Did you improve a process?
  • What industry did you serve?

Break these criteria down into a basis and you will start to see where your company has been successful - then you can begin to replicate that success.

Based on those criteria, plan a strategy for marketing your custom software.

Some common marketing methods are as follows:
  • Continuous Search Engine Optimization
  • Affiliate marketing
  • Write newsletters and press releases
  • Get involved in online forums and blogs

Thus, custom software development companies in India should use these strategies and points when marketing custom software.

Thursday 21 April 2016

Introduction to Information Rights Management

software development companies

Information Rights Management

There is only one technology that fully secures access to data regardless of where it travels. The solution is to build the classification metadata, the access controls, and the information about which rights are allowed to individual users right into the data itself. This solution is known as Information Rights Management (IRM). Software development companies use it as a solution to protect their data.

IRM is essentially a combination of encryption and access controls that are built into document creation and viewing software applications, so that encrypted content can be decrypted and viewed based on access rights. Rights management technologies began with the digital entertainment industry and led to today’s IRM solutions, which apply similar controls to any unstructured data.

IRM shrinks the security perimeter to the information itself. With IRM, you are not protecting the location where the information lives, nor the network it lives on. Instead, you are applying access control, encryption, and auditing to the information itself. That way, regardless of which disk the information resides on, which networks it travels across, or which database it may be resident in, IRM is able to provide a persistent level of security to the information wherever it goes.

IRM provides security protections not only for data at rest and data in transit, but also for data in use, which is hard to accomplish. IRM technologies are able to prevent things like data being copied to a clipboard and pasted into another application. IRM can allow authorized users to open content while also limiting their ability to edit that content or make printed copies of it. With this level of control for data in use also comes auditing of all access to the information, even after it has left the perimeter of your network. These controls are basically impossible to implement with any other technology.

With its fine-grained data-in-use features, the most valuable thing that IRM brings to the security landscape is the ability to control access to information, every time it is accessed, from any place it is copied to, and for every single copy, anywhere—along with the ability to revoke that access at any time. Imagine the scenario where your custom software development company has shared millions of e-mails, images, spreadsheets, documents, presentations, and so on with your business partners, customers, potential acquisitions, and employees (both current and long gone). Now imagine being able to revoke access to all that information and ensure that, as your business relationships and trusts change, you can maintain appropriate access to information even when it has long left the confines of your file servers, content management systems, and networks. The security of the data is persistent. Unlike nearly every other data security technology, the information is never given to the application or end user in an uncontrolled manner.

IRM technology extends the reach of information access control to well beyond places where you can typically deploy identity and access control technology. However, as with any technology, IRM has pros and cons.

Thus, every software development organization should take IRM into account for data protection. IRM is not a replacement for existing security solutions, but it is an excellent tool to complement them. IRM represents a powerful tool for reducing the risk of data loss.
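A toy model of the IRM idea described above (access control and encryption travelling with the information, a rights check on every access, auditing and revocation), added here as an example and not part of the original post or of any IRM product. The HMAC-SHA256 keystream cipher, the PolicyServer class, the user names and the document content are assumptions made to keep the example self-contained; real products use AES and a networked rights server.

```python
"""Toy model of Information Rights Management (IRM).

The protected document travels only as ciphertext plus a policy id; the
content key never leaves the PolicyServer, which releases it per access
after checking the user's rights and the revocation flag, and logs the
decision.  The HMAC-SHA256 keystream cipher is an assumption made so the
example runs on the standard library alone; it is not a production cipher.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (same call encrypts and decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream.extend(hmac.new(key, block, hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedDocument:
    """What gets copied, e-mailed and shared: no key, no plaintext."""
    policy_id: str
    nonce: bytes
    ciphertext: bytes


@dataclass
class Policy:
    key: bytes
    rights: Dict[str, Set[str]]          # user -> rights such as view/edit/print
    revoked: bool = False
    audit: List[Tuple[str, str, str]] = field(default_factory=list)


class PolicyServer:
    """Stands in for the rights server that real IRM clients contact on every open."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}

    def protect(self, plaintext: bytes, rights: Dict[str, Set[str]]) -> ProtectedDocument:
        policy_id = os.urandom(8).hex()
        key, nonce = os.urandom(32), os.urandom(16)
        self._policies[policy_id] = Policy(key, {u: set(r) for u, r in rights.items()})
        return ProtectedDocument(policy_id, nonce, _keystream_xor(key, nonce, plaintext))

    def revoke(self, policy_id: str) -> None:
        """Revocation is server-side, so it covers every copy of the document at once."""
        self._policies[policy_id].revoked = True

    def request_key(self, policy_id: str, user: str, right: str) -> bytes:
        policy = self._policies[policy_id]
        allowed = not policy.revoked and right in policy.rights.get(user, set())
        policy.audit.append((user, right, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} may not {right} document {policy_id}")
        return policy.key

    def audit_log(self, policy_id: str) -> List[Tuple[str, str, str]]:
        return list(self._policies[policy_id].audit)


def open_document(server: PolicyServer, doc: ProtectedDocument,
                  user: str, right: str = "view") -> bytes:
    """Client side: every access, for every copy, goes back to the server for the key."""
    key = server.request_key(doc.policy_id, user, right)
    return _keystream_xor(key, doc.nonce, doc.ciphertext)


def _attempt(server: PolicyServer, doc: ProtectedDocument, user: str, right: str) -> str:
    try:
        open_document(server, doc, user, right)
        return "granted"
    except PermissionError:
        return "denied"


def demo() -> dict:
    """Walk through grant, denial and revocation on a constructed document."""
    server = PolicyServer()
    doc = server.protect(b"Q3 acquisition target list",  # constructed content
                         {"alice": {"view", "edit"}, "bob": {"view"}})
    results = {"alice_view": open_document(server, doc, "alice", "view"),
               "bob_print": _attempt(server, doc, "bob", "print")}
    server.revoke(doc.policy_id)  # e.g. the business relationship ended
    results["alice_after_revoke"] = _attempt(server, doc, "alice", "view")
    results["audit"] = server.audit_log(doc.policy_id)
    return results
```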

Author Signature - Venu Majumdar

Wednesday 20 April 2016

Industrial Safety Products

software  development companies

Safety is among the most common goals of a business. This extends not only to software development companies but to workers and customers too. This has led to the creation of industrial safety products for use by various sectors. Within this category of industrial goods, distinct classes can be found.

The general types of industrial safety products are chemicals, arc flash protection and janitorial supplies, cutlery, emergency response, facility upkeep, fall protection, feminine care products, flooring, fire fighting and carpet care, and heat stress supplies. Equipment for hand, head, eye and hearing protection is also on the list. To develop a fuller understanding of all of these, learn about the specific kinds within the general classes below.

Hand, hearing and head protection

The hands, head and ears are what enable a worker to work readily. Hands are used in many of the most essential elements of production, while the head is likewise essential in managing some manufacturing procedures. Hearing is also important for taking up company directions. These reasons are enough for firms to supply industrial products for the protection of the hands, head and ears.

The most typical examples of hand protection are a wide range of hand gloves, glove accessories and glove dispensers. Hand gloves include chemical-resistant gloves, cotton gloves, inspector gloves and finger cots. In regards to head protection, goods including specialty hard hats, warm- and cold-weather protection, hard hat replacement parts and suspensions are available. For hearing protection, earplugs, earmuffs and accompanying accessories are likewise offered in the list of industrial safety products.

Descriptions of the various types of equipment are as follows:

Eye protection

Eye protection is now a crucial factor when it comes to industrial safety. With 21% of the total number of workplace injuries per year related to the eyes, the requirement for protective eyewear has become a sensitive issue for many of the individuals in the sectors involved.

Head safety

Industrial safety helmets are extremely critical in surroundings where an employee is exposed to some kind of risk. They are useful because:
  • They shield the head, face, neck, and shoulders against splashes, spills, and drips.
  • Safety helmets shield against impacts from debris or falling items, electrical shocks and burns, penetration and flammability.
  • The stiff shell of the safety helmet will deflect and resist an impact to the head.
  • The suspension system found in the helmet will absorb shock.
  • The suspension should hold the shell 1 1/4″ off the head for shock absorption and ventilation.

Industry safety gates

Industrial safety gates are used in factories where there are lots of workers, or other individuals, doing many different jobs throughout the day; they are also used in large loading docks. There are many different occupations being carried out in factories and on building sites, meaning there are plenty of people moving around. This is why safety is the most essential matter on sites of this nature, and why you may find many distinct, brightly coloured industrial safety gates installed where they are needed.

Fire protection

Fire is a serious threat to the physical safety and security of any workplace. Fire protection comes in many forms, from rescue and escape equipment to fire extinguishers and fire-fighter gear. The fire protection needs of your company will depend on the size and type of business you have, as well as the type of emergency response plan you employ.

Thus, all organizations, including software development companies, should consider industry safety standards and the use of safety equipment.

Author Signature - Venu Majmudar

Tuesday 19 April 2016

Risk Analysis

software development organization

Introduction

The objective of a security program is to mitigate risks. Mitigating risks does not mean eliminating them; it means reducing them to an acceptable level. To make sure your security controls are effectively controlling the risks in your environment, you need to anticipate what kinds of incidents may occur. You also need to identify what you are trying to protect, and from whom. That’s where risk analysis, threat definition, and vulnerability analysis come in. What is being protected? What are the threats? And where are the weaknesses that may be exploited?

Threat Definition

Evaluating threats is an important part of risk analysis. By identifying threats, you can give your security strategy focus and reduce the chance of overlooking important areas of risk that might otherwise remain unprotected. Threats can take many forms, and in order to be successful, a security strategy must be comprehensive enough to manage the most significant threats.

How do you know you’re defending against the right threats?
For example, if a software development organization were to simply purchase and install a firewall (and do nothing else) without identifying and ranking the various threats to their most important assets, would they be secure? Probably not. These statistics are from Verizon’s 2010 Data Breach Investigations Report (DBIR), the result of a collaboration between Verizon and the U.S. Secret Service. This is a breakdown of “threat agents,” which are defined in the report as “entities that cause or contribute to an incident.”

This particular study illustrates the point that insider threats should be an important consideration in any security program. Many people that haven’t seen real-world security breaches don’t know this, so they focus exclusively on external threats.

There are numerous other studies that show different results, including later DBIR reports (because different environments experience different threats, and the threat landscape always changes) but they all point to the insider threat as a serious concern. Security professionals know that many real-world threats come from inside the organization, which is why just building a wall around your trusted interior is not good enough. Regardless of the breakdown for your particular organization, you need to make sure your security controls focus on the right threats. To avoid overlooking important threat sources, you need to consider all types of threats.

This consideration should take into account the following aspects of threats:
  • Threat vectors
  • Threat sources and targets
  • Types of attacks
  • Malicious mobile code
  • Advanced Persistent Threats (APTs)
  • Manual attacks

Threat Vectors

A threat vector is a term used to describe where a threat originates and the path it takes to reach a target. An example of a threat vector is an e-mail message sent from outside the software development organization to an inside employee, containing an irresistible subject line along with an executable attachment that happens to be a Trojan program, which will compromise the recipient’s computer if opened.

A good way to identify potential threat vectors is to create a table containing a list of threats you are concerned about. It is important to understand threat vectors and consider them when designing security controls, to ensure that possible routes of attack for the various threats receive appropriate scrutiny. Understanding threat vectors is also important for explaining to others, such as management, how the protective mechanisms work and why they are important.

Risk Analysis

A risk analysis needs to be a part of every security effort. It should analyze and categorize the assets that need to be protected and the risks that need to be avoided, and it should facilitate the identification and prioritization of protective elements. It can also provide a means to measure the effectiveness of the overall security architecture, by tracking those risks and their associated mitigation over time to observe trends. How formal and extensive should your risk analysis be? That really depends on the needs of your organization and the audience for the information. In a larger, well-structured environment, a more detailed risk analysis may be needed.

A quantitative approach to risk analysis will take into account actual values—the estimated probability or likelihood of a problem occurring along with the actual cost of loss or compromise of the assets in question. One commonly used approach to assigning cost to risks is annualized loss expectancy (ALE). This is the cost of an undesired event—a single loss expectancy (SLE)—multiplied by the number of times you expect that event to occur in one year—the annualized rate of occurrence (ARO).

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

But there are problems with the ALE approach. How can you assign ARO to every potential loss? For example, how many times a year will your car be involved in a fender bender? In reality, many years may go by in between accidents, but occasionally you may have two or three accidents in a single year. Thus, your ARO can be highly variable. Even defining SLE can be difficult. How much will a fender-bender cost? It could be anywhere from nothing to several thousand dollars. An analytical mind might be bothered by the variability and ambiguousness of the numbers. In fact, there is a lot of guesswork involved.
Because the results of an ALE analysis are hard to defend, prove, support, and demonstrate, this approach is tending to fall out of favor. However, the basic principle of identifying threats, vulnerabilities, and risks remains valid. 
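Carrying the ALE formula through on a small risk register, as an added example rather than anything from the original post: each entry carries a low and a high ARO estimate, so the spread of the resulting ALE (the variability the paragraph above warns about) becomes visible and the least defensible numbers can be flagged for qualitative review. The assets, values and the 5x spread threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    asset: str
    threat: str
    sle: float       # single loss expectancy: cost of one occurrence, in currency units
    aro_low: float   # lowest plausible annualized rate of occurrence
    aro_high: float  # highest plausible annualized rate of occurrence


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    return sle * aro


def ale_range(risk: Risk) -> Tuple[float, float]:
    """ALE evaluated at both ends of the ARO estimate."""
    return ale(risk.sle, risk.aro_low), ale(risk.sle, risk.aro_high)


def ale_midpoint(risk: Risk) -> float:
    low, high = ale_range(risk)
    return (low + high) / 2


def spread(risk: Risk) -> float:
    """How many times larger the high ALE estimate is than the low one."""
    low, high = ale_range(risk)
    return high / low


def needs_qualitative_review(risk: Risk, max_spread: float = 5.0) -> bool:
    """Flag risks whose ALE is too uncertain to defend on its own (assumed threshold)."""
    return spread(risk) > max_spread


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order risks by midpoint ALE, highest first, for remediation prioritization."""
    return sorted(risks, key=ale_midpoint, reverse=True)


# Constructed register: values are illustrative, not from any real assessment.
REGISTER = [
    Risk("customer database", "data breach", sle=250_000, aro_low=0.05, aro_high=0.2),
    Risk("web server", "defacement", sle=10_000, aro_low=0.5, aro_high=2.0),
    Risk("build server", "power outage", sle=2_000, aro_low=1.0, aro_high=6.0),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        low, high = ale_range(r)
        flag = "  <- wide spread, review qualitatively" if needs_qualitative_review(r) else ""
        print(f"{r.asset:18s} {r.threat:14s} ALE {low:>10,.0f} - {high:>10,.0f}{flag}")
```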

A qualitative approach to risk analysis, which may suffice in smaller environments or those with limited resources, can be just as effective. In a software development company, you can identify your assets (for example, a web server, a database containing confidential information, workstation computers, and a network). You can identify the threats to those assets (malware, hack attacks, bugs and glitches, power outages, and so forth). And you can assign a severity level to help you prioritize your remediation. If the severity is high enough, you will probably want antivirus capability on the endpoints as well as on the network, a high-quality stateful firewall, a timely patching program that includes testing, and uninterruptible power supplies (UPSs).

Thus, a proper risk analysis should be carried out to mitigate the risk occurring in an organization. 

Monday 18 April 2016

Computer & Network Policies in Information Security : Part-2

software development organization

Network Policies

This group of policies applies to the network infrastructure to which computer systems are attached and over which data travels in a software development organization. Policies relating to network traffic between computers can be the most variable of all, because an organization’s network is the most unique component of its computing infrastructure, and because organizations use their networks in different ways. These example policies may or may not apply to your particular network, but they may provide inspiration for policy topics you can consider. 
  • Extranet Connection Access Control: All extranet connections (connections to and from other organizations’ networks outside of the organization, either originating from the external organization’s remote network into the internal network, or originating from the internal network going out to the external organization’s remote network) must limit external access to only those services authorized for the remote organization. This access control must be enforced by IP address and TCP/UDP port filtering on the network equipment used to establish the connection. 
  • System Communication Ports: Systems communicating with other systems on the local network must be restricted only to authorized communication ports. Communication ports for services not in use by operational software must be blocked by firewalls or router filters. 
  • Inbound Internet Communication Ports: Systems communicating from the Internet to internal systems must be restricted to use only authorized communication ports. Firewall filters must block communication ports for services not in use by operational system software. The default must be to block all ports, and to make exceptions to allow specific ports required by system software. 
  • Outbound Internet Communication Ports: Systems communicating with the Internet must be restricted to use only authorized communication ports. Firewall filters must block communication ports for services not in use by operational system software. The default must be to block all ports, and to make exceptions to allow specific ports required by system software. 
  • Unauthorized Internet Access Blocking: All users must be automatically blocked from accessing Internet sites identified as inappropriate for the organization’s use. This access restriction must be enforced by automated software that is updated frequently.
  • Extranet Connection Network Segmentation: All extranet connections must be limited to separate network segments not directly connected to the corporate network.
  • Virtual Private Network: All remote access to the corporate network is to be provided by virtual private network (VPN). Dial-up access into the corporate network is not allowed. 
  • Virtual Private Network Authentication: All virtual private network connections into the corporate network in an IT software development company require token-based or biometric authentication. Employee and contractor home systems may connect to the corporate network via a virtual private network only if they have been installed with a corporate-approved, standard operating system configuration with appropriate security patches as well as corporate-approved personal firewall software or a network firewall device.
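An added example (not part of the original post) of checking a firewall configuration against the Inbound and Outbound Internet Communication Ports policies above: the audit reads iptables-save output, verifies that the chain's default policy is DROP, and reports ACCEPT rules for ports outside the authorized set or with no port match at all. The sample dump and the authorized port sets are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# iptables-save lines look like ":INPUT DROP [0:0]" (chain policy) and
# "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT" (rule).
POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\s")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(?:(.*?)\s+)?-j\s+(\w+)\s*$")
PORT_RE = re.compile(r"--dport\s+(\d+)")
PROTO_RE = re.compile(r"-p\s+(tcp|udp)")

Service = Tuple[str, int]  # (protocol, port)


def audit_ruleset(dump: str, authorized: Dict[str, Set[Service]]) -> List[str]:
    """Return policy findings for each chain listed in `authorized`.

    Policy: default must be DROP, and ACCEPT rules may only open services
    that appear in the authorized set for that chain.
    """
    findings: List[str] = []
    policies: Dict[str, str] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # *filter, COMMIT, comments
        chain, matches, target = m.group(1), m.group(2) or "", m.group(3)
        if target != "ACCEPT" or chain not in authorized:
            continue
        if "-i lo" in matches or "--ctstate" in matches:
            continue  # loopback and reply traffic, not a service exposure
        port = PORT_RE.search(matches)
        proto = PROTO_RE.search(matches)
        if not port or not proto:
            findings.append(f"{chain}: port-less ACCEPT rule needs review: {line}")
            continue
        svc: Service = (proto.group(1), int(port.group(1)))
        if svc not in authorized[chain]:
            findings.append(f"{chain}: {svc[0]}/{svc[1]} is allowed but not authorized")
    for chain in authorized:
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain, 'missing')}, "
                            f"policy requires DROP")
    return findings


# Constructed sample dump; the 8080 rule, the catch-all OUTPUT rule and the
# OUTPUT chain's ACCEPT default are the deliberate deviations.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed authorized services, as an operations team would record them.
AUTHORIZED: Dict[str, Set[Service]] = {
    "INPUT": {("tcp", 22), ("tcp", 443)},
    "OUTPUT": {("udp", 53), ("tcp", 443)},
}

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_DUMP, AUTHORIZED):
        print(finding)
```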
Author Signature: Venu Majmudar

Computer & Network Policies in Information Security : Part-1

software development company

Computer Policies

This group of policies applies to computers and information systems in a software development company. Authentication policies often form the largest collection of policy statements in a computer environment because authentication systems and variations are so complex and because they tend to have the greatest impact on the average computer user. Password policies are often the largest subset of authentication policies. 

  • Account/Password Authentication: A unique account and password combination must authenticate all users of information systems. The account name must be used only by a single individual, and the password must be a secret known only to that individual.
  • New Account Requests: The manager responsible for a new end user must request access to corporate information systems via a new account. End users may not request their own accounts. The new account request must be recorded and logged for the record. When the account is no longer needed, the account must be disabled.
  • Account Changes: The manager responsible for the end user must request changes in access privileges for corporate information systems for a system account. End users may not request access-privilege changes to their own accounts. The request must be recorded and logged for the record. 
  • Two-Factor Authentication: All administrators of critical information servers must be authenticated via a token card and PIN code. The individual must be uniquely identified based on possession of the token card and knowledge of a secret PIN code known only to the individual user.
  • Desktop Command Access: Access to operating system components and system administration commands on end-user workstations or desktop systems is restricted to system support staff only. End users will be granted access only to commands required to perform their job functions.
  • Generic User Accounts: Generic system accounts for use by people are prohibited. Each system account must be traceable to a single specific individual who is responsible and accountable for its use. Passwords may not be shared with any other person. 
  • Inactive Screen Lock: Computer systems that are left unattended must be configured to lock the screen with a password-protected screensaver after a period of inactivity. This screen locking must be configured on each computer system to ensure that unattended computer systems do not become a potential means to gain unauthorized access to the network. 
  • Login Message: All computer systems that connect to the network must display a message before connecting the user to the network. The intent of the login message is to remind users that information stored on the organization’s information systems belongs to the organization and should not be considered private or personal. The message must also direct users to the corporate information system usage policy for more detailed information. The message must state that by logging on, the user agrees to abide by the terms of the usage policy. Continuing to use the system indicates the user’s agreement to adhere to the policy. 
  • Failed Login Account Disabling: After ten successive failed login attempts, a system account must be automatically disabled to reduce the risk of unauthorized access. Any legitimate user whose account has been disabled in this manner may have it reactivated by providing both proof of identity and management approval for reactivation. 
  • Password Construction: Account names must not be used in passwords in any form. Dictionary words and proper names must not be used in passwords in any form. Numbers that are common or unique to the user must not be used in passwords in any form. Passwords shorter than eight characters are not allowed. 
  • Password Expiration: Passwords may only be used for a maximum of 3 months. Upon the expiration of this period, the system must require the user to change their password. The system authentication software must enforce this policy. 
  • Password Privacy: Passwords that are written down must be concealed in a way that hides the fact that the written text is a password. When written, the passwords should appear as part of a meaningless or unimportant phrase or message, or be encoded in a phrase or message that means something to the password owner but to nobody else. Passwords sent via e-mail must use the same concealment and encoding as passwords that are written down, and in addition must be encrypted using strong encryption. 
  • Password Reset: In the event that a new password must be selected to replace an old one outside of the normally scheduled password change period, such as when a user has forgotten their password or when an account has been disabled and is being reactivated, the new password may only be created by the end user, to protect the privacy of the password.
  • Password Reuse: When the user changes a password, the last six previously used passwords may not be reused. The system authentication software must enforce this policy. 
  • Employee Account Lifetime: Permanent employee system accounts will remain valid for a period of 12 months, unless otherwise requested by the employee’s manager. The maximum limit on the requested lifetime of the account is 24 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation. 
  • Contractor Account Lifetime: Contractor system accounts will remain valid for a period of 12 months, unless otherwise requested by the contractor’s manager. The maximum limit on the requested lifetime of the account is 24 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation. 
  • Business Partner Account Lifetime: Business partner system accounts will remain valid for a period of 3 months, unless otherwise requested by the manager responsible for the business relationship with the business partner. The maximum limit on the requested lifetime of the account is 12 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation. 
  • Same Passwords: On separate computer systems, the same password may be used. Any password that is used on more than one system must adhere to the policy on password construction. 
  • Generic Application Accounts: Generic system accounts for use by applications, databases, or operating systems are allowed when there is a business requirement for software to authenticate with other software. Extra precautions must be taken to protect the password for any generic account. Whenever any person no longer needs to know the password, it must be changed immediately. If the software is no longer in use, the account must be disabled. 
  • Inactive Accounts: System accounts that have not been used for a period of 90 days will be automatically disabled to reduce the risk of unused accounts being exploited by unauthorized parties. Any legitimate user whose account has been disabled in this manner may have it reactivated by providing both proof of identity and management approval for reactivation. 
  • Unattended Session Logoff: Login sessions that are left unattended must be automatically logged off after a period of inactivity. This automatic logoff must be configured on each server system to ensure that idle sessions do not become a potential means to gain unauthorized access to the network. 
  • User-Constructed Passwords: Only the individual owner of each account may create passwords, to help ensure the privacy of each password. No support staff member, colleague, or computer program may generate passwords.
  • User Separation: Each individual user must be blocked by the system architecture from accessing other users’ data. This separation must be enforced by all systems that store or access electronic information. Each user must have a well-defined set of information that can be located in a private area of the data storage system. 
  • Multiple Simultaneous Logins: More than one login session at a time on any server is prohibited, with the exception of support staff. User accounts must be set up to automatically disallow multiple login sessions by default for all users. When exceptions are made for support staff, the accounts must be manually modified to allow multiple sessions.
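An enforcement routine for the password construction and password reuse rules listed above (minimum of eight characters, no account name, dictionary word, proper name or user-related number in any form, no reuse of the last six passwords), added here as an illustration and not code from the original post. The word and number lists are constructed samples, and storing PBKDF2 salted hashes for the history check is an assumption about how such a system would be built.

```python
import hashlib
import hmac
import os

# Constructed sample lists; assumption: the real dictionary/proper-name list is far larger.
BLOCKED_WORDS = {"password", "welcome", "summer", "london", "smith"}
COMMON_NUMBERS = {"1234", "2016", "0000"}
MIN_LENGTH = 8      # passwords shorter than eight characters are not allowed
HISTORY_DEPTH = 6   # the last six previously used passwords may not be reused


def check_password_construction(account, candidate, user_numbers=()):
    """Return the construction-rule violations; an empty list means acceptable."""
    lower, problems = candidate.lower(), []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if account.lower() in lower or account.lower()[::-1] in lower:
        problems.append("contains the account name")
    for word in sorted(BLOCKED_WORDS):          # "in any form": forward or reversed
        if word in lower or word[::-1] in lower:
            problems.append(f"contains the word '{word}'")
    for num in sorted(COMMON_NUMBERS | set(user_numbers)):  # employee id, birth year, ...
        if num in candidate:
            problems.append(f"contains the number '{num}'")
    return problems


def hash_password(password, salt):
    # Only salted hashes are stored for the reuse check, never the passwords themselves
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountState:
    def __init__(self, account):
        self.account, self.history = account, []   # history: (salt, hash), oldest first

    def is_reused(self, candidate):
        return any(hmac.compare_digest(hash_password(candidate, s), h)
                   for s, h in self.history[-HISTORY_DEPTH:])

    def set_password(self, candidate, user_numbers=()):
        """Apply construction and reuse rules; on success store the new salted hash."""
        problems = check_password_construction(self.account, candidate, user_numbers)
        if self.is_reused(candidate):
            problems.append("matches one of the last six passwords")
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, hash_password(candidate, salt)))
        return problems
```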
Software companies take the points listed above into account when drafting their computer policies, so that information security is maintained across the organization and the risk posed by unauthorized parties is reduced.


Author Signature - Venu Majmudar