Chapter 7 AKS Software NATIONAL DRUG SURVEY


Ministry of Health & Family Welfare | National Drug Survey 2014-16


National Institute of Biologicals

In the project report on the modality for planning and designing the Survey to Study the Extent of Problems of Spurious and Not of Standard Quality Drugs in the Country, prepared by the National Institute of Biologicals (NIB) and submitted to the Ministry of Health & Family Welfare, Govt. of India, it was proposed to use software for mapping and monitoring Drug Survey activities in the field, at the National Coordinating Centre (NCC), NIB and the Drug Testing Laboratories. The Ministry accorded its approval to the proposal and entrusted the design and development of the software to NIB.

ABOUT AKS SOFTWARE

NIB developed the AKS software in-house. It enabled: (a) Sample Drawing Officers to forward Drugs sampling data online from the field to NIB, and (b) collation, segregation, analysis and retrieval of Drug sampling data. Further, this software also mapped the sampling activities of the Sample Drawing Officers in the field and facilitated track and trace of Drug samples at various stages of the Drug Survey. Salient features of the AKS software are shown in Exhibit 7.1.

Exhibit 7.1: Salient features of AKS software


Development of the Drugs Survey - AKS Software

The development of a software system refers to an abstract representation of that system. Development is concerned with making sure that the software system will meet the requirements of the project and ensuring that future requirements can be incorporated with ease (1). A phased approach was adopted for development of the software (Exhibit 7.2).

Exhibit 7.2: Various Phases of AKS Software

1. Planning
  • Identification of personnel
  • Identification of information
  • Identification of scope
  • Fixation of software tools
  • Fixation of timelines

2. Preparation
  • Software development
  • Trial using dummy data
  • Feedback from Core Expert Committee
  • Security audit

3. Validation and Operationalization
  • Offline demonstration at special DCC Meeting
  • Field Validation
  • Pilot Field Study
  • Training
  • Main Drug Survey

4. Maintenance
  • Corrective maintenance: Correction of errors
  • Perfective Maintenance: Improving implementation system
  • Adaptive Maintenance: Porting the software to work in a new environment

5. Statistical Analysis
  • Generation of excel sheet as per the format desired by ISI, Hyderabad


PHASE I: PLANNING

Planning is essential to develop a project management plan which requires the assessment and acquisition of the resources needed to achieve a goal. Planning for the development of the Software to be used under Drugs Survey involved:

1. Identification of the officials for the designing and development of the software: A two-member software development team of NIB which had earlier developed Haemo-Vigil software for Haemovigilance Programme of India (2,3) was entrusted with designing and development of software.

2. Identification of the scope of the software: The functional utility and scope of the software in relation to various stakeholders is shown in Exhibit 7.3.

Exhibit 7.3: Scope of software in relation to various stakeholders

3. Identification of the information that needs to be captured by the software: Drugs Survey-Core Expert Committee finalized the Data Form for capturing the information with respect to drawing of Drugs Samples by the Sample Drawing Officers. The AKS software was designed accordingly.


4. Fixation of the software tools: It was planned that the software application must be web based so that it is accessible from any web browser. The PHP 5.2 platform was selected for the software for smooth and uninterrupted usage. It was decided to use the MYSQL database because of its easy availability (free of cost). The choice of server for running the software was the National Informatics Centre (NIC) APACHE server, to enhance the safety, integrity and confidentiality of the stored data. Further, it was planned to design the software so that it can operate on both Linux and Windows Operating Systems (Exhibit 7.4).

Exhibit 7.4: Software Tools

Application: Web Based
Platform: PHP 5.2
Database: MYSQL
Server: NIC APACHE Server
Operating System: Works on Linux as well as Windows

5. Fixing of timelines for each of the following activities:

a. Coding: The purpose of the coding of software development is to translate the software design into source code. Each component of the design needs to be implemented as a program module. The end-product of this phase is a set of program modules that have been individually tested. During coding, each module is unit tested to determine the correct working of all the individual modules. It involves testing each module in isolation as this is the most efficient way to debug the errors identified at this stage. (1)

b. Integration and System Testing: It usually consists of three different kinds of testing activities: (1)

i) α – testing: It is the system testing performed by the development team.

ii) β – testing: It is the system testing performed by a friendly set of customers.

iii) Acceptance testing: It is the system testing performed by the customer himself after product delivery to determine whether to accept or reject the delivered product.

c. Security Audit by External agency: As per Government of India guidelines, a third-party Auditing Agency hired from the CERT-IN panel of National Informatics Centre (NIC) is required to perform the audit at two stages, i.e.:

i) In-house local server of NIB

ii) Online Staging Server of NIC

The external audit is required to counter the web security threats such as: (4)

c1. Cross Site Scripting (XSS):

XSS allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface websites, insert hostile content, conduct phishing attacks, and take over the user’s browser using scripting malware. The malicious script is usually JavaScript, but any scripting language supported by the victim’s browser is a potential target for this attack.

• Input data shall be validated and / or encoded at client and server side.

c2. Injection Flaws:

Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the back-end database into executing unintended commands via supplying specially crafted data. Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application.

• Input data should be validated and / or encoded at client and server side. Parameterized queries should be used.
• Database account used by the application should be of least required privilege. Default administrative database account shall not be used.
• Stored procedures should be used.
• Error handling should be performed to provide minimal information.
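The difference between a concatenated and a parameterized query, with server-side validation and minimal error output, as an added example that is not part of the original report or of the AKS code. It uses Python with an in-memory SQLite database in place of the PHP/MySQL stack; the table, column and function names and the sample rows are assumptions constructed for illustration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("sample_lookup")
OFFICER_ID = re.compile(r"[a-z0-9_]{1,32}")  # assumed format of a user id


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE samples (id INTEGER PRIMARY KEY, officer TEXT, drug TEXT)")
    db.executemany(
        "INSERT INTO samples (officer, drug) VALUES (?, ?)",
        [
            ("officer_a", "Paracetamol 500 mg"),
            ("officer_a", "Amoxicillin 250 mg"),
            ("officer_b", "Metformin 500 mg"),
        ],
    )
    return db


def find_concatenated(db, officer):
    """Weak form: the input is pasted into the SQL text and parsed as SQL."""
    query = "SELECT drug FROM samples WHERE officer = '" + officer + "' ORDER BY id"
    return [row[0] for row in db.execute(query)]


def find_parameterized(db, officer):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    rows = db.execute("SELECT drug FROM samples WHERE officer = ? ORDER BY id", (officer,))
    return [row[0] for row in rows]


def handle_lookup(db, officer):
    """Server-side validation, parameterized query, minimal error detail."""
    if not OFFICER_ID.fullmatch(officer):
        return 400, "Invalid request"
    try:
        return 200, find_parameterized(db, officer)
    except sqlite3.Error:
        log.exception("sample lookup failed")  # full detail stays in the server log
        return 500, "Request could not be processed"


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    print(find_concatenated(db, crafted))   # every officer's rows come back
    print(find_parameterized(db, crafted))  # no rows: treated as a literal name
    print(handle_lookup(db, crafted))       # rejected before reaching the database
```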


c3. Malicious File Execution:

Malicious file execution occurs in application environments where user provided files and file names are accepted by the application without validation.

• Host server can be compromised through remote code execution and remote root-kit installation.
• Input data shall be validated at client and server side.
• User supplied files or file names shall be validated and file type / file extension shall be checked. Executable file extension shall not be allowed to be uploaded.
• Uploaded files should be checked for acceptable size.
• Segregated folders should be used for uploaded files with “write” or “read and write” permissions only. This should be with no execute permissions.
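One way to apply the upload checks listed above on the server side, as an added example that is not part of the original report or of the AKS code. The allowed extensions, the size limit, the leading-bytes check of file content and the function names are assumptions for illustration.

```python
import os
import re
import secrets

# Allowed extension -> leading bytes expected in a file of that type (assumed list)
ALLOWED = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit
# No path separators and exactly one dot: rejects "../x.pdf" and "x.php.pdf"
SAFE_NAME = re.compile(r"[A-Za-z0-9_ -]{1,80}\.[A-Za-z0-9]{1,5}")


def check_upload(filename, data):
    """Return the accepted extension, or raise ValueError with the reason."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("file name not acceptable")
    ext = "." + filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:  # allow-list, so executable extensions never pass
        raise ValueError("file type not allowed")
    if not 0 < len(data) <= MAX_BYTES:
        raise ValueError("file size not acceptable")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    return ext


def is_acceptable(filename, data):
    """Boolean form of check_upload for callers that only need yes or no."""
    try:
        check_upload(filename, data)
        return True
    except ValueError:
        return False


def store_upload(upload_dir, filename, data):
    """Write a validated upload into the segregated folder under a server-chosen name."""
    ext = check_upload(filename, data)
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL: never overwrite an existing file; mode 0600: read/write, no execute bit
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path
```

The upload folder itself should sit outside the directories from which the web server runs scripts, which is a server configuration step this code does not perform.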

c4. Insecure Direct Object Reference:

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access unauthorized objects, unless an access control check is in place.

• Access control checks should be implemented to access all referenced objects.
• Reference to an object should be through a mapped index value.
• Directory traversal should not be allowed at web server or application level.

c5. Cross Site Request Forgery (CSRF):

CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.

• Each page should implement a random token which cannot be automatically submitted by a crafted attack.
• For sensitive transactions, re-authentication or transaction signing should be implemented.
• Only POST method should be used for access to sensitive data.
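The random per-page token and the POST-only rule, as an added example that is not part of the original report or of the AKS code. Binding the token to the session with an HMAC is one common design and is an assumption here, as are the key handling, the form field name and the function names.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, kept server-side


def _mac(session_id, nonce):
    message = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_token(session_id):
    """Create a fresh token to embed as a hidden field in each rendered form."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id, token):
    """Accept only a token that was issued for this session."""
    nonce, separator, mac = (token or "").partition(".")
    if not separator:
        return False
    expected = _mac(session_id, nonce)
    # Constant-time comparison; bytes so that non-ASCII input cannot raise
    return hmac.compare_digest(mac.encode(), expected.encode())


def authorize(method, session_id, form):
    """Return the HTTP status for a request that changes or reads sensitive data."""
    if method != "POST":
        return 405  # sensitive actions are not served over GET
    if not token_is_valid(session_id, form.get("csrf_token")):
        return 403  # a cross-site request cannot supply the token
    return 200


if __name__ == "__main__":
    token = issue_token("session-A")  # constructed session identifiers
    print(authorize("POST", "session-A", {"csrf_token": token}))  # 200
    print(authorize("POST", "session-A", {}))                     # 403
    print(authorize("POST", "session-B", {"csrf_token": token}))  # 403
    print(authorize("GET", "session-A", {"csrf_token": token}))   # 405
```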

c6. Information Leakage and Improper Error Handling:

• Applications can unintentionally leak information about their configuration and internal workings through application errors or debug messages.
• Application should provide customized error messages.
• Error handling should be performed to provide minimal information.

c7. Broken Authentication and Session Management:

• Improper account management and session handling may lead to compromise of user account and unauthorized access to information.
• Strong authentication shall be implemented.
• Application should prompt user to provide the old password during password change.
• Session management lifecycle should be incorporated.
• Application should ensure that user credentials and session identifiers are protected throughout.
• Measures such as cache control directives should be implemented to prevent sensitive information misuse.
• Application should have provision for the user to close the active session.
• Application should enforce suspension / invalidation of a user session after a configured period of inactivity.
• A new session-ID should be generated after successful authentication.
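A session lifecycle covering the last items above (new session ID after login, inactivity timeout, user-initiated logout, cache control, protected session cookie), as an added example that is not part of the original report or of the AKS code. The class, the 15-minute timeout, the cookie name and the header values are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value for the configured inactivity period
# Cache control directive sent with authenticated pages (assumed choice)
AUTHENTICATED_HEADERS = {"Cache-Control": "no-store"}


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}
        self._clock = clock  # injectable so the timeout can be exercised in tests

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, pre_auth_sid, user):
        # Discard the pre-login ID and issue a new one, so an ID that was
        # fixed or observed before authentication is worthless afterwards.
        self._sessions.pop(pre_auth_sid, None)
        return self.create(user)

    def user_for(self, sid):
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # invalidate after inactivity
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        # Lets the user close the active session; the ID stops working at once.
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Cookie attributes that keep the identifier off plain HTTP and out of scripts."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```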

c8. Insecure Cryptographic Storage:

Insecure cryptographic measures for handling of data could lead to information disclosure.

• Strong cryptographic controls should be implemented.

c9. Insecure Communications:

Insecure communication could lead to information disclosure during transit.

• Encryption (such as SSL) should be used for sensitive data like user credentials, credit card details, and personal data.
• Encryption should be used for the login page and the entire authenticated session.

c10. Failure to Restrict URL Access (Forceful Browsing):

Unpublished / hidden URLs may be easily guessed, discovered / brute forced. Such URLs can be exploited to perform unauthorized operations.

• Proper access control shall be used to restrict access to URLs and application modules.

d. Submission of the Security Audit Certificate to NIC: The Security Audit Certificate obtained from the third party Auditing Agency hired from CERT-IN panel of National Informatics Centre (NIC) needs to be submitted to Cyber Security Division of NIC for testing of the developed software on staging server of NIC before uplinking it on the main server of NIC.

e. Uplinking of Drugs Survey – AKS Software on NIB Website

f. Hands on training to the end users

PHASE II: PREPARATION

The software development was initiated in the month of July 2014 and was subjected to software testing. Dummy data was fed into the software and the results were compared with the data generated by the software. After the software cleared the testing phase, the prototype software was presented to the members of the Drugs Survey Core Expert Committee in the meeting held on 31st July 2014. After incorporation of the amendments suggested by the members of the Drugs Survey Core Expert Committee, the software was sent for Security Audit by an External agency on 10th Oct 2014. The audit was done at 2 stages, i.e.

a. In-house local server of NIB from 16th Oct 2014 to 21st Oct 2014

b. Online Staging Server of NIC from 1st Nov 2014 to 6th Nov 2014

The Security Audit Certificate was obtained and submitted to NIC on 13/11/2014. This was followed by a Security Audit conducted by NIC. NIB received the VPN Certificate from NIC on 19/11/2014, empowering NIB to uplink the Software on the NIB Website. This innovative software was developed in-house by NIB, free of cost, in a span of 5 months. However, Rs. 33,708 (US$ 500) had to be spent on its security audit as per the requirement of NIC. The Drugs Survey Core Expert Committee members decided to have a field validation of the software before uplinking it on the NIB Website.

PHASE III: SOFTWARE VALIDATION AND OPERATIONALIZATION

Presentation and Demonstration of the software at Drugs Consultative Committee (DCC) Meeting at Central Drugs Standard Control Organization (CDSCO) - 27th October 2014

A Special Meeting of the Drugs Consultative Committee was held under the chairmanship of Dr. G. N. Singh, Drugs Controller General of India on 27th October, 2014 at CDSCO Hqrs., FDA Bhawan, New Delhi. Drugs Controllers of the 36 States/UTs participated in the meeting. The Drug Survey Software developed by NIB was one of the agenda items discussed in the meeting (Exhibit 7.5(a) & (b)).

Exhibit 7.5 (a)


A presentation on Software along with its offline Demonstration was given. Subsequently, Drugs Survey – Core Expert Committee informed the participants of the DCC that to recognize the contribution of the Software Development Team for developing & designing the Software, the Committee decided to name this Software as AKS after the initials of its two developers, i.e., AK for Dr. Akanksha Bisht and S for Mr. Sunish Singhal. State Drugs Controllers appreciated the features of the AKS software and provided their valuable inputs for improving the functional utility of the software.

Field validation of AKS software held at Chennai - 21st November, 2014

A workshop to validate the AKS software to be used for the Drugs Survey was conducted at Chennai on 21st November, 2014. The Drugs Control Officials from the States/UTs of Tamil Nadu, Kerala, Andhra Pradesh, Telangana, Karnataka, Goa and Puducherry participated in the workshop (Exhibit 7.6). Dummy Drugs Sampling data was provided to the Drug Control officials to enter in the AKS software during the Workshop (Exhibit 7.7). The inputs and suggestions received from the participants during the workshop were incorporated into the software to make it more user friendly.

Exhibit 7.5 (b)


Exhibit 7.6

Exhibit 7.7


Pilot Study - 6th-9th January 2015

A pilot field study to validate the AKS Software and the statistical design of the Drugs Sampling Methodology prepared by Indian Statistical Institute, Hyderabad was conducted from 6th-9th January 2015 in the National Capital Region. About 80 Drug Control Officials, Representatives of Civil Society and Pharmacy Council of India who participated in the Pilot Study were given hands-on training on AKS Software at NIB (Exhibit 7.8, 7.9).

Exhibit 7.8

Exhibit 7.9


Training for Trainers - 19th-20th January 2015

Hands-on training on AKS Software for 56 trainers drawn from all across the country, comprising 28 Drugs Control Officers and 28 representatives of Civil Society/Pharmacy Council of India, was conducted at National Institute of Biologicals, NOIDA on 19th-20th January 2015 (Exhibit 7.10(a) & (b)).

Exhibit 7.10 (a)

Exhibit 7.10 (b)


Training for Trainees - 24th-27th Feb, 2015

The 28 teams comprising 56 trainers provided hands-on training on AKS Software to more than 1800 trainees, comprising Drugs Inspectors and representatives of Civil Society/Pharmacy Council of India, at 28 training centres across the country (Exhibit 7.11, 7.12, 7.13 & 7.14).

Exhibit 7.11

Exhibit 7.12


Exhibit 7.13

Exhibit 7.14


AKS Software for main Drug Survey

The main Drug Survey was rolled out across the country on 06th April, 2015 in 34 States and UTs, except in West Bengal and Delhi. The Drugs sampling was rolled out in West Bengal and Delhi subsequently. Sampling from imported Drugs under the Drugs Survey from all the notified ports of the country was carried out from 1st July, 2015 to 30th September, 2015. The AKS Software was used to map and monitor the following activities during the main Drug Survey:

a) Online Transmission of Drug Sampling Data to NCC- NIB, NOIDA

Unique User Id & Password were provided by NIB to each and every Sample Drawing Officer for entering the Drugs sampling data into AKS Software. Sample Drawing Officers after entering the Drugs sampling information into AKS Software dispatched the Drugs samples drawn from retail outlets, Government sources and ports to NIB by speed post.

b) Uplinking of Visual Inspection Data on AKS Software.

The Drugs samples dispatched by the Sample Drawing Officers from the field were subjected to visual inspection by the CDSCO Drugs Inspectors deputed at NIB. Each of these Drug Inspectors was provided Unique User Id & Passwords by NIB to access the AKS Software. The Drug Inspectors after doing the visual inspection of the Drug Samples for suspected Spurious Drugs uplinked their observations on AKS Software.

c) Online transmission of the data to 10 Central/State Drugs Testing Laboratories

The Drugs Sampling Data was forwarded via AKS Software by NIB to 10 Central/State Drugs Testing Laboratories prior to dispatch of these drugs samples to the drug testing laboratories for test and analysis.

d) Uplinking of test/analysis reports by Central/State Drugs Testing Laboratories

Subsequent to test and analysis of drugs samples the reports were uplinked to AKS software by drugs testing laboratories for which each laboratory had been provided a unique User Id & Passwords by NIB.

e) Updating the status w.r.t. the release of payments to retail outlets towards the purchase of the Drugs drawn under Drugs Survey

The Finance Division of NIB was provided Unique User ID and Password to update in AKS software the status of payment details released to the Retail Outlet towards the purchase of the Drugs drawn under Drugs Survey.

PHASE IV: MAINTENANCE

AKS Software maintenance involved performing any one or more of the following three kinds of activities: (1)

• Corrective maintenance: Correcting errors that were not discovered during the product development phase
• Perfective maintenance: Improving the implementation of the system, and enhancing the functionalities of the system according to the customer’s requirements
• Adaptive maintenance: Porting the software to work in a new environment

Under corrective maintenance the errors encountered were resolved in the AKS Software during the following stages of the Drugs Survey:

• Data entry by the Sample Drawing Officer
• Sample receiving and visual inspection of the Drugs samples by CDSCO Drugs Inspectors deputed at NIB
• Forwarding of Drugs Samples data to 10 Central/State Drugs Testing laboratories
• Uplinking of the test and analysis reports by the Drugs Testing Laboratories

Also, new requirements of the respective users, i.e., Sample Drawing Officers, CDSCO Drugs Inspectors, Central/State Drugs Testing laboratories and Finance Division of NIB, were incorporated in the software. Under perfective maintenance, the corrections made under corrective maintenance were improved and the functionalities of the system were enhanced as per the requirements.

PHASE V: STATISTICAL ANALYSIS OF THE DRUGS SURVEY DATA

An Excel Sheet was generated by AKS software as per the format designed by ISI, Hyderabad and this was used by them for statistical analysis of the Drugs Survey data.


REFERENCES

(1) Module 7: Software Engineering Issues; Lesson 33: Introduction to Software Engineering. Version 2 EE IIT, Kharagpur 2, Page: 14-15 (http://www.nptel.ac.in/courses/108105057/Pdf/Lesson-33.pdf)

(2) Bisht A, Singh S, Marwaha N. Hemovigilance program-India. Asian J Transfus Sci. 2013;7:73–4.

(3) Marwaha N, Singh S, Bisht A. Setting up Haemovigilance Programme from very first step. The Indian Perspective. ISBT Science Series. 2014;9:178–183.

(4) https://security.nic.in/docs/6 Application Security Guidelines.pdf