Importance of Broken authentication and session management in web development


Your website is your brand, your image and your first contact with customers. If that website is not safe, your critical business can be at risk. Threats come in many forms, for example infecting the website with malware that is then spread to site visitors. A single security breach can be a killer for a small company. Even if a breach at a small business does not expose sensitive data, it can still damage customer trust, a point web development companies must keep in view.

What is Broken authentication?

Broken authentication and session management is currently ranked 2nd in the OWASP Top 10 vulnerabilities for 2017. It is a class of vulnerability that allows an attacker to bypass the authentication methods meant to keep unauthorized persons out. There are many authentication schemes, including biometric scanners, username and password, picture passwords, etc. The most common of all is username and password as login credentials. A web application must protect these credentials from breach. These are the ways in which a web application may fail to protect them:

  • Unencrypted connections
  • Predictable credentials
  • Session-id does not time out or does not get invalidated after logout
  • User authentication credentials are not protected when stored
  • Session-ids are used in URL

Unencrypted connections

Any information we send to or receive from a web application over an unencrypted connection can be intercepted without our knowledge. Your username, password or session may be tracked somewhere along the way.

Prevention: Enable encryption on requests that contain sensitive information

Predictable credentials

If a user sets predictable or easily guessed credentials on his account, any unauthorized user can gain access to it.

Prevention: Choose a password in such a way that it cannot be predicted. Users can combine numbers, letters and symbols.

Session-id does not time out or does not get invalidated after logout

The application does not discard the session id after a set amount of time or after the user logs out, so the session-id value remains valid and unprotected.

Prevention: Invalidate the session id after a predetermined time and on logout.

User authentication credentials are not protected when stored

If stored user credentials are stolen, they can be used by any unauthorized entity to gain access to the system.

Prevention: All credentials should be hashed before they are stored.

Session-ids are in URL

The session id value is transmitted in the URL string, where it is visible to an attacker. This fails to protect the session id.

Prevention: Make sure such information is sent in the body of a POST request.
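As an added example (not code from the original article), the following Python module applies three of the controls listed above in one place: unpredictable session ids that time out and are invalidated on logout, credentials stored as salted PBKDF2 hashes, and a session id carried in a flagged cookie rather than in the URL. SessionStore, hash_password, the timeout constants and the sample credential are this example's own.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example, not code from the article. SessionStore, hash_password and the
# timeout constants are this example's own names and values.

IDLE_TIMEOUT = 15 * 60       # seconds without activity before the session is discarded
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime cap, even for an active session
PBKDF2_ROUNDS = 600_000      # work factor for the stored password hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Credentials are stored hashed: a per-user random salt plus PBKDF2-HMAC-SHA256,
    so a stolen credential table does not hand the attacker usable passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class SessionStore:
    """Server-side session table: the id is only a lookup key, all state lives here."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock              # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str) -> str:
        # 32 random bytes from the OS CSPRNG: not a counter, a timestamp or a hash of the username
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user behind a live session, or None if it timed out or was logged out."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)         # expire server-side; deleting the cookie alone is not enough
            return None
        sess["last_seen"] = now
        return sess["user"]

    def invalidate(self, sid: str) -> None:
        """Logout: the id must stop working immediately, whatever the browser still holds."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Carry the id in a cookie, not in the URL: Secure keeps it off plaintext connections,
    HttpOnly keeps it away from page scripts, and it never lands in referrers or URL logs."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    salt, digest = hash_password("example-password")      # constructed sample credential
    assert verify_password("example-password", salt, digest)
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print("user:", store.lookup(sid))
    store.invalidate(sid)
    print("after logout:", store.lookup(sid))            # None
```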

How the vulnerability can be exploited

Here are some examples of weak authentication protection found on a test web application.

  • The login page has no secured connection, which the browser indicates with a notification.
  • The system allows the user to set a password which can easily be guessed.
  • Login credentials are not encrypted before being transmitted; you can see that the password can easily be tracked.

Affected items: Login page (if breached, the whole website may be at risk)

Severity: High

Broken authentication and session management has become a priority for software development companies seeking to secure their systems from breach. While developing any critical web application, developers have to take authentication-related steps into consideration to protect it from attackers. For any web application, the login page is the most critical page, so by applying some security steps to the login page we can protect the whole web application.

Enhancing Scrum Meetings - an important way to manage the SCRUM workflow


What is SCRUM?

Scrum, an iterative and incremental Agile methodology, takes its name from the game of rugby, where the forwards of a team form up with arms interlocked and heads down and push forward against a similar group from the opposing side. The analogy in a product development process is to work together and move ahead as a team to achieve the goal.

The most noteworthy aspect of an Agile methodology is that it is not rigid. A fully Agile enterprise would not have separate business and technical sides; rather, it would work directly on delivering the best business value. Hence, software development companies are shifting towards agile project management.

The scrum team

A scrum team is the group that actually works on a scrum project. It all begins with the Product Owner and his or her vision for the project. Next there is the Scrum Development Team, a team which works across various functions in a self-led and coordinated atmosphere. The Scrum Master is the manager for this team because of his or her authority and leadership inside the group. The job of the Scrum Master is to manage and monitor all the issues that occur during the development process. A scrum sprint is the basic unit of a scrum workflow.

What are scrum meetings?

After the planning of the entire project plan, scrum meetings are held daily to set the day’s work. Usually held in the morning, these meetings are called ‘daily scrums’ and serve as the starting phase of each day’s work.

Daily, before the start of the day's work, the entire team meets up for a meeting led by the scrum master. The sole purpose of this meeting is for each team member to outline his or her work for the day and to flag any coordination required from peers. This meeting is neither a status reporting session nor an issue-solving exercise. Most Agile/Scrum textbooks specify that each member of a team should address only three key topics in a daily scrum meeting:

  • What was done on the previous day?
  • What is to be done today?
  • What are the hindrances being faced?

Rules to be followed during a scrum meeting

A general rule of thumb is that a scrum team with 'n' members will take about '2n+5' minutes for a daily scrum meeting if the team is well prepared for it. For example, a small team of 6 members will take 17 minutes for daily scrums, while a larger team will take more time. Of course, if the project needs a huge number of people, a single scrum team will not be effective; it is broken down into smaller teams. A scrum team should have 7 ± 2 members (i.e., 5 to 9 members).

Ways to have an effective scrum meeting

Most experts and practitioners of the scrum workflow follow these steps to have an effective scrum meeting:

  • Daily scrum meetings are to be conducted at the same time and in the same place. Mornings are the best time, or, if that is not possible, the end of the day.
  • Meetings should be crisp and short but effective. Long meetings become tedious and the team members get distracted.
  • As the meetings are a time-bound activity, they should be tech-free zones. Use of mobiles or laptops may weaken concentration and also waste precious time.
  • The scrum master should project the daily data for illustration, since mobiles or laptops are not allowed.
  • All team members should prepare beforehand for the meeting, and the scrum master should establish a routine of who speaks when.
  • The time should be used only to capture the issues raised during the meeting, not to resolve them.

Why are Scrum Meetings Necessary?

An important question in this context is why a scrum meeting is required if all the information is available in an Agile project management tool like VersionOne. Well, a real-time meeting offers a lot of advantages. In summary, scrum meetings are necessary because:

  • Information is very specific and tied to stories and tasks in the agile project management tool being used. These tasks need proper planning and prioritization, which is decided in the meeting.
  • Any incomplete work from the previous day that is not included in the current day's schedule can be continued; total dependence on the tool might leave those tasks out.
  • Incomplete tasks have to be justified with proper planning for them.
  • The meeting also gives all team members a brief idea of the current day's work.
  • The inputs of everyone are an essential takeaway from every meeting.

Scrum accelerates software delivery and business innovation and changes the way project teams work. It helps software development companies meet client needs, provide value to their customers, and deliver effective services quickly.

WannaCry Ransomware


A prodigious cyber attack hit organisations around the globe using tools stolen from the US NSA (National Security Agency). There are reports of 150 countries affected since Friday, including Russia and China. The most serious attack was in the UK on the NHS (National Health Service).

The ransomware attack happened on Friday and is considered one of the biggest so far, hitting organisations from the Russian Interior Ministry to the delivery firm FedEx. Reports say around 40 NHS organisations were hit, affecting their operations and causing appointments to be cancelled.

What is a Ransomware?

The word is a combination of ransom and software, and refers to any kind of malware that demands a ransom from a user in exchange for the return of the kidnapped files. The threat works like a kidnapping in real life, except that the captives are files: multimedia files, office files, system files that your system relies on, or your confidential data.

How does it spread? Typical methods are attachments in unsolicited emails, clicking on a link in an email claiming to be from a delivery company or a bank, and peer-to-peer file sharing networks, where it is passed off as activation keys for popular software such as Microsoft Office, Adobe, etc.

Types of attacks:

  • File coder: Encrypts the files on your system, which can be read only if decrypted.
  • Lock screen: Locks your computer and stops you from using it until you pay the ransom.

Fig: Countries affected in the first few hours, according to Kaspersky's research.

How does the malware work and who’s behind it?

This attack was deployed via a worm, which spreads by itself between computers. Once it enters an organization, the worm hunts down all vulnerable machines and infects them. Many experts reported that the attack was built to exploit a weakness in Microsoft systems through EternalBlue, an exploit identified by the NSA. A group of hackers known as The Shadow Brokers stole the NSA tools and made them freely available in April, claiming a protest against US President Donald Trump.

Many computers in hospitals were running Windows XP, which Microsoft stopped supporting in 2014, leaving it vulnerable to attacks. The government had also warned the NHS to upgrade from Windows XP, but the NHS took no action on the matter and left an opportunity open for the hackers to attack its systems.

The WannaCry attack shown above was run in a safe environment on a security researcher's system. The malware took over the user's files and demanded $300 to restore them.

Organisations in Europe and Asia are warning employees not to click on links or attachments in emails. The ransom should not be paid, as there is no guarantee that the files will be restored.

Microsoft argues that it should not be obliged to update all users rather than only those who pay extra for security on older versions. For an individual the update is not a huge undertaking, but for a network the size of the UK's NHS it is obviously expensive and complex.

6 Easy Steps to Protect Yourself

Currently there is no tool or solution for WannaCry decryption, so users are strongly advised to follow these preventive measures to protect their systems.

  • Keep your system up to date: First of all, if you are using supported but older versions of the Windows operating system, keep your system up to date, or simply upgrade to Windows 10.
  • Using an unsupported Windows OS? If you are using unsupported Windows versions such as Windows XP, Server 2003, Vista or 2008, apply the emergency patch released by Microsoft today.
  • Enable the firewall: Enable the firewall, if not already done, on individual systems and across the organisation.
  • Keep your antivirus software up to date: Virus definitions released recently already protect against this latest threat.
  • Back up regularly: Always keep a good backup of all your critical and confidential data on an external storage device that is not permanently connected to your PC.
  • Beware of phishing: Always be wary of unsolicited documents sent by email and never click on links inside them without verifying the source or the sender.

Why Poor Planning Can Lead To Project Failure?


What causes projects to fail? How can software projects be managed to avoid excessive costs and risks in software development companies?

A KPMG survey on unsuccessful information technology projects revealed that the three most common reasons for project failure are:

  • Poor project planning: A weak project plan and an inadequate risk management approach can lead to project failure. Risk management becomes more important as the organization expands.
  • A weak business case: The need for the project should directly map with the organization’s business needs.
  • Lack of top management involvement: The project should be backed by management to secure buy-in and support at every stage of project development.

Some of the specific areas wherein poor planning can lead to failures are:

Goal and vision

  • Failure to answer the question "what are we really trying to achieve?"
  • Failure to document a clear vision and communicate it to the organization.
  • Project objectives are not aligned with the overall business goals of the organization as a whole.
  • The project defines its vision and goals, but the document is put on a shelf and never used as a guide for subsequent decision making.
  • Lack of coordination between multiple projects spread throughout the organization.

Planning

Detailed work has to be mapped out over the coming months so that project resources are correctly assigned once the project actually begins in the IT organization. This includes how we manage scope, issues, risks, the work plan, etc.

  • Failure to plan: diving into the performance and execution of work without planning.
  • Working under constant and rigorous schedule pressure.
  • Failure to manage management or customer expectations.
  • Planning should be seen as a team activity rather than only the Project Manager's duty.
  • Failure to break a large project plan into small deliverable tasks.
  • Unclear roles and responsibilities, which lead to confusion and gaps.
  • Some team members are overloaded, resulting in low efficiency in critical areas of the project, while others are underutilized.
  • Requirements should be prioritized so that the team's focus is not wasted on lower-priority items.
  • Failure to provide sufficient user training as the demands of the project change.
  • Change requests should be handled formally, assessing their effect on schedule or budget.

Stakeholder engagement issues

  • Failing to view the project through the eyes of the stakeholders results in a failure to appreciate how the project will impact them.
  • One stakeholder group should not dominate the project while ignoring the needs of others.
  • Failure to include the needed "change management" activities in the scope of the project.
  • Failure to establish effective communication between everyone involved in the project, from top management to lower management.

Leadership and governance

  • Failure to establish a governance structure appropriate to the needs of the project.
  • Appointing a Sponsor who lacks the expertise, seniority or training to perform the role effectively.
  • The Project Manager lacks the interpersonal or business skills to coordinate with team members and make things happen for the success of the project.
  • The Project Manager micromanages the project, demotivating the team and failing to track things sufficiently.

Requirements Issues

  • Vague or open-ended requirements (like requirements that end with 'etc').
  • Each requirement should support the project's objective and have an effective Return on Investment (ROI).

Team issues

  • Lack of clarity in roles and responsibilities which results in confusion and errors.
  • Inefficient team members who cannot complete the work that is committed.
  • Projects are run expecting team members to work "off the side of the desk", i.e. to do their full-time job while also meeting project milestones.
  • The team lacks the subject matter expertise needed to complete the project successfully.
  • Failure to provide the team with appropriate training as demands change.
  • Expecting a team that is already exhausted from overtime to keep working.

Estimation

  • Team members who will perform the work are excluded from the estimating process.
  • Estimates are provided without a corresponding statement of scope, based on insufficient information or analysis.
  • Big items are estimated while small-scale activities are omitted.
  • Failure to build contingency plans.
  • Depending too much on tools to deliver proper estimations.

Decision making problems

  • Key decisions are made by people who lack the subject matter expertise to be making the decision
  • Lack of “situational awareness” results in ineffective decisions being made
  • Decision fragments are left unanswered (parts of the who, why, when, where and how components of a decision are made, but others are never finalized) resulting in confusion
  • Failure to establish clear ownership of decisions or the process by which key decisions will be made

Project tracking and management

  • Proper monitoring lets the Project Manager identify where resources are needed to complete the project on time.
  • The project is tracked based on large work items rather than smaller increments.
  • Failure to monitor supplier or vendor performance on a regular basis.

Risk management

  • Risk management is seen as an independent activity rather than an integral part of the planning process.

Conclusions

Past failures should not demotivate project managers from further efforts. Instances of IT project failure give us the opportunity to focus on the vulnerable areas where IT projects are most likely to fail.

Managers can reduce the probability of project failure by considering the following points:

  • Make sure to plan before starting the development or implementation of the project.
  • Set up the necessary processes to calculate and inform the risk.
  • Ensure that the IT project has clear objectives and goals.
  • Understand project trade-offs when making changes.
  • Use the duration of the task to estimate the schedule.
  • Get the support of executive/top management and get their consent and feedback at every stage of the project.
  • Ensure that the team members communicate to avoid the communication gap.
  • The users should also participate in design and implementation of your project to get appropriate feedback.
  • Make sure you have the appropriate skills needed to fulfil the project’s demand.

Attending to the above points can help the Project Manager mitigate the project management risks that can lead to the failure of IT projects in software development companies.

Learning from our mistakes with Causal Analysis and Resolution


Handling problems and defects in software development projects is difficult in many organizations. Problem analyses, when performed, usually do not focus on the problems' sources and root causes. As a result, bad decisions are taken and the problem remains unsolved, which leads to dissatisfaction, increased costs and lack of quality. Causal analysis and resolution prevents the introduction of defects into a product by being integrated into each phase of the project, thereby improving quality and productivity. Defects and problems arise from other projects or from earlier phases of the current project, so causal analysis and resolution activities are the means of communicating lessons learned among projects. It helps software development companies improve the quality and performance of their processes and enhances productivity.

Identification of the team members and their roles is critical. One person needs to oversee the causal analysis process. The responsibilities of the causal analysis team leader are conducting the defect causal analysis meetings, monitoring completion of actions, updating the status of actions, and providing feedback to management and other staff. The contribution of these staff is important because they are knowledgeable about the causes, have an interest in the defect information, and can benefit from the results of the analysis. The defect causal analysis team members are responsible for attending causal analysis meetings, documenting their results, and implementing the recommended corrective actions.

Selecting defects and other problems for causal analysis:

  • Project managers, group heads identify the defects, problems, and incidents
  • Metrics, problem reports, internal audit reports, test reports, assessment findings, training feedback, peer reviews, etc. are the sources of problem and defect data

The process by which the proposed actions are arrived at to address the selected defects:

  • Defects and problems are analyzed to determine their root causes
  • Common causes are identified
  • Proposed actions and time periods are identified to prevent the future occurrence of problems and defects

The project manager identifies proposed actions to prevent the future occurrence of the identified defects and problems. These corrective or preventive actions are planned as a proposed change to a specific process element such as the operational process, checklist, template, guideline, etc. The project manager then defines the time period by which the actions are to be implemented. The group head prioritizes the corrective and preventive actions to be taken up for implementation to prevent the recurrence of defects and problems. The quantitative benefits obtained as a result of the process improvement are measured and recorded.

The effects of changes in process performance are evaluated as follows:

  • Project manager or group heads review and verify the effectiveness of completed actions in terms of benefits realized, improvements, etc.

Measures for quantifying the benefits are:

  • Reduction in defect rates
  • Improvement in productivity
  • Reduction in cycle time
  • Improved customer satisfaction
  • Improved survey results
  • Increase in number of bids won
  • Elimination of a defect type
  • Improvement in link-up time

Tools used for doing causal analysis are:

  • Project documents
  • Pareto charts
  • Histograms
  • Cause and effect (fishbone) diagrams
  • Check sheets

Data is recorded for use across the project and organization as follows:

  • Project manager disseminates the status of previously implemented changes and their results
  • Project manager or group heads raise process improvement proposals
  • Project manager attaches the project-end causal analysis and uploads it to the process database
  • Project manager shares the results of activities in forums and awareness newsletters

A causal analysis meeting can be held two weeks after coding begins. Defects reported through reviews or inspections can be used to identify common errors early in the coding process. This proactive approach is both preventive and corrective. Causal analysis and resolution can begin as early as the concept definition stage, using defects found through inspection of the requirements. It gives software development companies a mechanism to evaluate their processes and adds value to the organization.