How Project Monitoring and Control process supports all 9 Project Management Knowledge Areas

Project management involves various functions that enable smooth and organized project execution. Th

Project management involves various functions that enable smooth and organized project execution. These various functions grouped together according to their purpose and these groups are referred as knowledge areas. Knowledge areas are based on common features, whereas project management process groups determine the order of project management activities. There are 9 knowledge areas as shown in the below figure.

 

 

Project monitoring and control is the process group that involves the tracking of project progress to acknowledge the deviation in project plan. A project plan is the basis for monitoring activities, conveying status, and making remedial move. Project monitoring and control enables timely corrective actions to be taken when performance deviates significantly from the plan. A deviation is significant if the deviation affects the project from meeting its objective. Project monitoring and controls is very important process as it helps to deliver quality product, in lowest possible cost and time.

Project monitoring and control tracks the project based on all 9 knowledge areas as following

  • Project Scope Management

The client interaction happens to know whether they are satisfied or not. But in this interaction the project can get informal changes in the project scope. This means that project scope is changed without adding project schedule, budget or resources.

For this, monitoring and controlling helps the project scope management by periodically comparing the scope of project and agreeing scope among the stakeholders. The change in scope is corrected and handled by adding the new element or feature with help of stakeholders. The added feature is formally added to the scope and accordingly the budget and schedule are changed.

 

  • Project Time Management

Project time management is about planning schedule the project according to available time. The monitoring and control periodically verifies the planned schedule to know the status of the schedule, influence factors that cause schedule changes, determine that the schedule has changed and manage changes when they occur. To monitor the time, schedule variance is calculated and accordingly the lag or delay can be noticed. The control the project total time the critical path is maintained by adding more resources to the critical path tasks.

 

  • Project Cost Management

Cost management is important to the organization as if project is significantly big, it can affect the company’s ROI. The monitoring and control helps to monitor budget of the project. If any deviation is seen from the budgeted cost the corrective actions are taken. The corrective action ensures that only appropriate project changes are included in a revised cost baseline. The changes are informed to the project stakeholders of authorized changes to the project that affects cost.

 

  • Project Quality Management

Quality of the work deliverables is important in terms of customer satisfaction and organisation reputation. The quality is monitored and controlled throughout the project by evaluating product or service quality requirements specified for the project. Quality requirements include both project processes and product goals. To control the quality of the deliverables the various techniques are used which includes Cause and effect diagram, Pareto chart, Histogram, Run chart, Scatter diagrams, etc.

 

  • Project Human Resource Management

Human resource management includes assigning the right person to the right task. It is also including the identifying number of people required with their expectations. The monitoring and controlling includes the monitoring individual performance, giving them timely feedback, resolving issues and conflicts, and coordinating changes. Controlling part includes taking corrective action if any person is not doing work or managing more people according to scope or schedule deviation from plan.

 

  • Project Communication Management

Communication makes sure that expectation and understanding of the deliverables is same. The main goal of monitoring and controlling communications is to ensure the optimal flow of information throughout project life cycle. There are many documents which has duplicate and interrelated information in project lifecycle. The controlling communication ensures that work performance information, change requests, project

Document updates, and organizational process assets updates are updated everywhere without any ambiguity. For improving communication many internal and external experts are available to help.

 

  • Project Risk Management

The project risk management does not stop after initial risk analysis. It needs continuous monitoring of identified risks, monitoring of residual risks, identifying new risks and evaluating effectiveness of risk response plan. The changes and new risks are documented with action plan to mitigate the new risk. Risk monitoring and control includes risk reassessment, risk audits, technical performance measurements, reserve analysis, and periodic risk reviews.

 

  • Project Procurement Management

Procurement management involves the contracts between vendors (sellers). Project monitoring and control supports procurement management by periodically reviewing performance and comparing it to the agreed upon plan and contractual provisions. 

The changes observed are managed by revising agreement, ensuring appropriate payments to the vendors and coordinating work between vendors and the project.

 

  • Project Integration Management

Integration basically involves and coordinates between all other knowledge areas. It ensures that all elements of the project management come together at the right time. So here monitoring covers the tracking of whole project and managing the change in project work. The project team monitors the performance of the project work and identify the area that requires attention.

 

The project monitoring and control basically involves the tracking of changes in agreed or planned activity. Main purpose of project monitoring and control is to alert the relevant stakeholders about the issues that are causing problems and may cause problem in future. The project management team continuously monitor and control project work to decide if corrective or preventive actions are needed, what the best course of action is, and when to act.

Understanding cross site request forgery in web development

Have you ever experienced that you are browsing something and when clicking any link or an object on

Have you ever experienced that you are browsing something and when clicking any link or an object on a website affects the movement in another website in your browser? You might not be wanting to happen that activity but it is not on your hand. At that time a website loses trust from browser and does those malicious activities which are performed unpredictably.

This vulnerability is called ‘Cross site request forgery’ which is ranked 8th on the list of OWASP top 10 vulnerabilities 2017 and software development companies should pay attention to this during project implementation.

Cross site request forgery (CSRF) is a type of an exploit of a web application where untrusted commands are transmitted from a user which the particular web application trusts. This vulnerability is also known as session riding or one click attack and it is abbreviated as CSRF. The impact of successful CSRF attack has limitations on the capabilities of a victim web application. For example, this attack may result in changing password, transfer of funds or purchasing items without user’s knowledge. Actually, CSRF attack is performed by an attacker to get a target site perform a function via user’s browser without any knowledge of the target user. User cannot know until any unauthorized transaction takes place.  Cross site scripting destroys the trust of user for a particular website whereas CSRF exploits the trust a website has in user’s browser.

How to know we are vulnerable?

To identify whether your application is secured from CSRF or not, you need to check if any links or forms have an unpredictable token. Without these tokens, attackers can find malicious requests. A defence could be, to re-authenticate whenever he tries to submit the request.

Focus on those forms and links which invoke state changing functions, because these are the most important CSRF targets.

We can user some OWASP’s CSRF testing tools to demonstrate the attack and flaws.

Let’s take an example to understand CSRF attack.

Here we have one demo website of bank. We have opened the tab to make a transaction as shown in picture.

 

 If we transfer money (Say $50), we can it in our account history.

Now closing the tab and browsing something else. While browsing we see a link to see photos of cute cats.

We click the link and see some pictures of cute cat. When we come back to our bank’s account we can see that $6000 has been withdrawn automatically.

It clearly indicates that clicking on any link affects another website which thieves some important data.

Prevention

It is recommended to use an existing CSRF defence. There are many frameworks like Spring, Django, Play and Angular JS which are built in CSRF defender. Some programming languages like .NET do it as well. OWASP is having a guard called CSRF Guard which can automatically perform defence actions in Java apps against CSRF. OWASP’s CSRFProtector performs the same defence for PHP and as an Apache filter.

  • Prevention of CSRF generally requires the presence of an unpredictable token in every HTTP request. Such tokens should at least be unique per user session.
  • It is recommended to include the unique token in the hidden field. It includes the value somewhere in the body of HTTP request, restricting its exposure in the URL.
  • In the URL or a parameter, the unique token can also be included. There is still a risk of the exposure of token in front of an attacker.

 

At personal level a user can practise these steps in order to prevent CSRF vulnerability.

  • Have a habit of immediately logging off from any web application you use.
  • Do not save your usernames and passwords into a browser and don’t allow any site to remember your login credentials.
  • Use separate browsers for sensitive browsing and freely browsing.

Integrated HTML enabled newsreader/browser and mail/browser creates more risk as simply viewing a news message or mail message may lead to an execution of the attack.

 

Broken authentication and session management in web development

Your website is your brand, your image and first contact with customers. If that website is not safe

Your website is your brand, your image and first contact with customers. If that website is not safe then your critical business can be at risk. The threats may come in many ways infecting website with malware to spread it to site visitors. A single security breach can be a killer for a small company. Even if security breach in small business doesn’t trigger sensitive data breach, it still can impact on customer trust in view of web development companies.

What is Broken authentication?

Broken authentication and session management is currently ranked 2nd on OWASP top 10 vulnerabilities 2017. It is a vulnerability which allows an attacker to bypass the authentication methods to prevent unauthorized person. There are many authentication schemes including biometric scanner, username and password, picture password, etc. Among all most common authentication method is to use username and password as login credentials. Web application should protect these credentials in order to protect it from breach. These are the ways in which a web application may fail to protect the credentials.

  • Unencrypted connections
  • Predictable credentials
  • Session-id does not time out or does not get invalidated after logout
  • User authentication credentials are not protected when stored
  • Session-ids are used in URL

Unencrypted connections

Any information we send or receive with web application can be intercepted without our knowledge. Your password, username or session is may be tracked somewhere.

Prevention: Enable encryption on requests that contain sensitive information

Predictable credentials

If user sets predictable or easily guessed credentials in his account, any unauthorized user can get the access of it.

Prevention: Set a password in such a way that it can’t be predicted. User can use a combination of numbers, alphabets and symbols.

Session-id does not time out or does not get invalidated after logout

Application does not discard the session id after some amount of time or logging out. It fails to prevent session-id value.

Prevention: Invalidate the session-id after predetermined time or log off.

User authentication credentials are not protected when stored

If the stored user credentials are stolen then it can be used by any unauthorized entity to gain the access of system.

Prevention: All the credentials should be hashed and then stored.

Session-ids are in URL

Session id value is transmitted to URL string where it can be visible to an attacker. It fails to protect session-id.

Prevention: Make sure all the information is sent into the body part of post request.

How the vulnerability can be compromised

Here are some examples of weak authentication protection on one of the test web application.

The login page has not secured connection which can be known with browser notification.

 

  • System is allowing user to set password which can easily be guessed.

 

  • Login credentials are not communicated by encrypting the first. You can see password can easily be tracked.

Affected items: Login page (If breached than whole website may be at risk)

Severity: High

Broken authentication and session management has become priority for software development companies to secure the system from breach. While developing any critical web application developers have to take authentication related steps into consideration to protect it from attacker. For any web application, login page is most the critical page. So, by performing some security steps for login page, we can protect our whole web application.

Enhancing Scrum Meetings - an important way to manage the SCRUM workflow

What is SCRUM? Scrum, an iterative and incremental Agile methodology was coined from a concept of th

What is SCRUM?

Scrum, an iterative and incremental Agile methodology was coined from a concept of the game ‘RUGBY’ where the forwards of a team form up with arms interlocked and heads down, and push forward against a similar group from the opposing side. The analogy in a product development process is to work together and move ahead as a team to achieve the goal.

The most noteworthy aspect of an Agile methodology is that it does not follow any rigidness. A fully Agile enterprise would not have a business or technical side rather would work directly to delivering the best business value. Hence, software development companies are shifting towards agile project management.

The scrum team

A scrum team is the group that actually works on a scrum project. It all begins with the Product Owner and his or her vision for the project. Next there is the Scrum Development Team. They are a team which works across various functions in a self-lead and coordinated atmosphere. The Scrum Master is the manager for this team because of his or her authority and leadership inside the group. The job of the Scrum Master is to manage and monitor all the issues that occur during a development process. A scrum sprint is the basic unit of a scrum workflow.

What are scrum meetings?

After the planning of the entire project plan, scrum meetings are held daily to set the day’s work. Usually held in the morning, these meetings are called ‘daily scrums’ and serve as the starting phase of each day’s work.

Daily, before the start of the day’s work, the entire team meets up to have a meeting- which is lead by the scrum master. The sole purpose of this meeting is for each team member to illustrate his or her work for the day and to inform coordination required from peers. This meeting is neither a status reporting session nor an issue solving exercise. Most agile/Scrum textbooks specify that each member of a team should address only three key topics in a daily scrum meeting:

  • What was done on the previous day?
  • What is to be done today?
  • What are the hindrances being faced?

Rules to be followed during a scrum meeting

A general rule of thumb is that a scrum team with ‘n’ members will take about ‘2n+5’ minutes for a daily scrum meeting if the team is well prepared for it. As an example, a small team with 6 members will take 17 minutes for daily scrums, while a larger team will take more time.  Of course, if the project needs a huge number of people, a single scrum team will not be effective. It is broken down into smaller teams. A scrum team should have 7 ± 2 members (i.e., 5 to 9 members).

Ways to have an effective scrum meeting

Most experts and practitioners of the scrum workflow, follow the following steps to have an effective scrum meeting:

  • Daily meetings of scrum are to be conducted at the same time and in the same place. Preferably mornings or if not possible, at the end of the day are the best times to have these meetings.
  • Meetings should be crisp and short but effective. Long meetings become tedious and the team members get distracted.
  • As the meetings are a time bound activity, it should be tech free zones. Use of mobiles or laptops might lighten the concentration and also waste precious time.
  • The scrum master should project the daily data to illustrate as mobiles or laptops should not be allowed.
  • All team members should prepare before hand for the meeting and the scrum master should make a routine of letting who to speak when.
  • The time should be utilized only to capture the discussion during the meeting not to resolve those issues.

Why are Scrum Meetings Necessary?

An important portion to cover in this context is as to why a scrum meeting required if all the information is available in the Agile project management tool like VersionOne. Well, there are a lot of advantages that a real time meeting offers. The summarization of the necessity of scrum meetings is:

  • Information is very specific and tied to stories and tasks in the agile project management tool being used. These tasks need proper planning and prioritization which is to be decided while in the meeting.
  • Any incomplete work of the previous day-not included on the current day’s schedule can be continued. Total dependence on the tool might leave out those tasks.
  • The incomplete task has to be justified with a proper planning for it.
  • The meeting also makes all the team members get a brief idea regarding the current day’s work.
  • The inputs of everyone are an essential takeaway from every meeting.

Scrum accelerates software delivery and business innovation and changes the way project teams work. Its help the software development companies meet client needs, provide value to their customers, and helps the organization deliver effective services quickly.

WannaCry Ransomware

A prodigious cyber attacked organisations around the globe using tools stolen from the US NSA (Natio

A prodigious cyber attacked organisations around the globe using tools stolen from the US NSA (National Security Agency). There are reports of 150 countries affected since Friday which includes Russia and China too. The most serious attack was in the UK on NHS (National Health Service).

The ransomware attack happened on Friday and is considered to be one of the biggest so far hitting organisations from Russian Interior Ministry to FedEx, a delivery firm. News are that around 40 NHS organisations were hit affecting their operations and appointments getting cancelled.

What is a Ransomware?

It is a combination of ransom and software, and refers to any kind of malware that demands a ransom from a user in exchange for the return of the kidnapped file. This threat works like kidnapping in real life, except the things in captive are files –multimedia files, office files, system files or files that your system relies on to, or your confidential data. How does it spread? Typical methods such as attachment through un-solicited emails, clicking on a link on an email which are claimed to be from a delivery company or a bank , peer to peer file sharing networks being passed by activation keys through popular software such as Microsoft office, adobe etc

Types of attacks:

  • File coder: Which encrypts the files of your system and can be read only if decrypted.
  • Lock screen: Locks your computer and stops you from using it until you pay the ransom.

Fig: Countries affected initially in few hours according to Kaspersky’s research.

How does the malware work and who’s behind it?

This attack was deployed via a worm- that spreads by itself between the computers. The worm will hunt down all the vulnerable machines and infects them once it enters an organization. Many experts reported that the attack was built to exploit a weakness in Microsoft systems named EternalBlue identified by NSA. A group of hackers known as The Shadow Brokers stole the NSA tools and made it freely available in April claiming a protest against US President Donald Trump.

Many computers in hospitals were running on Windows XP and Microsoft stopped supporting this OS in 2014 and left it vulnerable to attacks. Government also warned the NHS to upgrade from Microsoft XP but NHS did no action on the matter and left an opportunity open to the hackers to attack the systems.

The above WannaCry Attack was shown on a save environment on a security researcher’s system. The virus took over user’s file and demanded $300 to restore the files.

Organisations in Europe and Asia are warning employees not to click on links of emails and attachments. And the ransom shouldn’t be paid as there is no guarantee that the files will be restored.

Microsoft is arguing that there shouldn’t be an obligation that it has to update all users and not just the one who pays extra for security on older versions. If the update is for an individual then it is not that huge but if the network is for big organisations like UK’s NHS then it will obviously be expensive and complex.

6 Easy Steps to Protect Yourself

Recently, there is no such tool or solution for WannaCry decryption, so users are strongly advised to follow preventive measures in order to protect their systems.

  • Keep your system Up-to-date: First of all, if you are using supported, but older versions of Windows operating system, keep your system up to date, or simply upgrade your system to Windows 10.
  • Using Unsupported Windows OS?If at all you are using unsupported windows versions with Windows XP, Server 2003, Vista or 2008, you should apply the emergency patch released by Microsoft today.
  • Enable Firewall:Enable firewall if not already done in individual systems or an organisation
  • Keep your Antivirus software up-to-date:Virus definitions released recently have already been updated to protect against this latest threat.
  • Backup Regularly:Always have a good backup in place to have a tight grip on all your critical and confidential data to an external storage device that is not always connected to your PC.
  • Beware of Phishing:Always be aware of uninvited documents sent as an email and never click on links inside those documents unless verifying the source or the individual.