CSI Communications | June 2014 | 1ww

w.c

si-i

nd

ia.o

rg

ISS

N 0

97

0-6

47

X |

Vo

lum

e N

o. 3

8 |

Iss

ue

No

. 3 |

Ju

ne

20

14`

50

/-

Cover StoryWhat, Why and How of Software Security 7Cover StoryDeveloping Secure Software 9

Technical TrendsApplication Layer Security Solution for Java Based Web Applications 13

On the Shelf!Book Review of Code Halos: How the Digital Lives of People, Things, and Organizations are Changing the Rules of Business 40

Security CornerA Case Study of SureSwift Software 35

ArticleReaping ROI from Big Data 28

COER School of Management College of Engineering Roorkee (COER)

in association with

Computer Society of India (CSI)

(Division IV-Communications)

AnnounceInternational Conference

onAdvances in Computing, Communications & Informatics

(November 28-30, 2014)

Paper Submission Guidelines: Abstract of around 250 words may be submitted to: fdpcoersm@gmail.com and the full paper should be in IEEE format. All the

accepted full papers will be published in Peer reviewed Journal/Book which will be published by National Publisher with ISBN No.

For more details download brochure from www.coer.ac.in

Call for Papers Original papers are invited on following Tracks

Awards and Certifi cates

TRACK 1: ADVANCED COMPUTING

TRACK 2: COMMUNICATIONS

TRACK 3 : INFORMATION TECHNOLOGY & INFORMATICS

TRACK 4 : DATA MINING & SOFTWARE ENGINEERING

TRACK 5: E-BUSINESS & GREEN CONVERGENCE SERVICES

Best PhD Thesis Award: The winner of the contest will be

provided a Memento, Certifi cate and a Cash Prize of Rs 5000.

Best Research Paper Award: The best paper award winners of each

track of the contest will be provided a Memento, Certifi cate and a Cash

Prize of Rs 1100.

Dr. Shuchita SharmaConference SecretaryHOD MCA, COER SMMob: +919675408077

Dr. V. K. JainConference ChairmanDirector , COER SMMob: +919997692191

Dr. Vishal SinghalConference Convener Astt. Professor , COER SMMob: +919412023365

Important Dates Registration Fee

Abstract submission July 15, 2014 Students Rs. 2000/-

Acceptance of the Abstract Notifi cation July 30, 2014 Research Scholars Rs.2500/-

Last date for full length selected papers

and payment of registration feeAugust 30, 2014

Academicians Rs.3000/-

Corporate Delegates Rs.5000/-

International Delegates $ 200

Conference date November 28-30, 2014 Residential Delegates*Rs.2000/- per day per person on twin

sharing basis

The conference series ICISS (International Conference on Information Systems Security), held annually, provides a forum

for disseminating the latest research results in information and systems security. ICISS-2014, the 10th edition of this annual

conference, will be held at Institute for Development & Research in Banking Technology (IDRBT), Hyderabad, India during

16-20 December 2014. This conference is co-sponsored by CSI Division IV and CSI SIG-IS.

ICISS-2014 encourages submissions from the academia, industry and government addressing theoretical and practical problems

in information and systems security and related areas. ICISS is interested in all aspects of information systems security.

All the previous proceedings of this conference series are indexed by DBLP. The acceptance ratio of the last nine conferences

has averaged less than 30%, and the proceedings have been published as part of the Springer Verlag series of Lecture Notes in

Computer Science.

Manuscript Submission (Full Paper): 14 Jul 2014Notifi cation of Acceptance: 25 Aug 2014Camera-ready Manuscript Due: 14 Sep 2014

Further, ICISS-2014 invites call for papers for Doctoral Consortium, short talks, and tutorials by 31 August 2014.

For further details, please Visit http://www.idrbt.ac.in/ICISS_2014/

CSI Communications | June 2014 | 3

ContentsVolume No. 38 • Issue No. 3 • June 2014

CSI Communications

Please note:

CSI Communications is published by Computer

Society of India, a non-profi t organization.

Views and opinions expressed in the CSI

Communications are those of individual authors,

contributors and advertisers and they may

diff er from policies and offi cial statements of

CSI. These should not be construed as legal or

professional advice. The CSI, the publisher, the

editors and the contributors are not responsible

for any decisions taken by readers on the basis of

these views and opinions.

Although every care is being taken to ensure

genuineness of the writings in this publication,

CSI Communications does not attest to the

originality of the respective authors’ content.

© 2012 CSI. All rights reserved.

Instructors are permitted to photocopy isolated

articles for non-commercial classroom use

without fee. For any other copying, reprint or

republication, permission must be obtained

in writing from the Society. Copying for other

than personal use or internal reference, or of

articles or columns not owned by the Society

without explicit permission of the Society or the

copyright owner is strictly prohibited.

Published by Suchit Gogwekar for Computer Society of India at Unit No. 3, 4th Floor, Samruddhi Venture Park, MIDC, Andheri (E), Mumbai-400 093.

Tel. : 022-2926 1700 • Fax : 022-2830 2133 • Email : hq@csi-india.org Printed at GP Off set Pvt. Ltd., Mumbai 400 059.

Editorial Board

Chief EditorDr. R M Sonar

EditorsDr. Debasish Jana

Dr. Achuthsankar Nair

Resident EditorMrs. Jayshree Dhere

Published byExecutive Secretary

Mr. Suchit Gogwekar

For Computer Society of India

Design, Print and Dispatch byCyberMedia Services Limited

PLUSBrain TeaserDr. Debasish Jana

37

Ask an ExpertDr. Debasish Jana

38

Happenings@ICTH R Mohan

39

On the Shelf!Mrs. Jayshree A Dhere

40

CSI Report 43

CSI Reports 44

CSI News 45

Cover Story

7 What, Why and How of Software Security

Satish K Sreenivasaiah and Mohan Jayaramappa

9 Developing Secure Software

Sandeep Godbole

11 Security in Software Development

Sunil Bakshi

Technical Trends

13 Application Layer Security Solution for

Java Based Web Applications

Vijay Gulati and Venkata Swamy Bathina

15 Nuts and Bolts of Code Coverage Testing

Abhinav Vaid

Research Front

19 Template Matching Tool for Remote

Sensing Images

Ashish Joshi, Ankit Kumar, Anil Kumar and Ankush Mittal

22 Digital Image Steganography

Anurag Jagetiya and Dr. C Rama Krishna

Articles

26 SQL Injection – Anatomy and Risk

Mitigation

Navdeep Kaur and Parminder Kaur

28 Reaping ROI from Big Data

Binesh Nair

Practitioner Workbench

30 Programming.Tips() »

Fun with ‘C’ programs

Wallace Jacob

Programming.Learn(“R”) »

31 Basic Statistics Using R

Umesh P and Silpa Bhaskaran

Security Corner

32 Information Security »

A Quick Look at Hadoop Security

Paresh Suvarna and Prashant Wate

35 Case Studies in IT Governance, IT Risk and Information Security »

A Case Study of SureSwift Software

Dr. Vishnu Kanhere

CSI Communications | June 2014 | 4 www.csi-india.org

Important Contact Details »For queries, correspondence regarding Membership, contact helpdesk@csi-india.org

Know Your CSI

Executive Committee (2013-14/15) »President Vice-President Hon. SecretaryMr. H R Mohan Prof. Bipin V Mehta Mr. Sanjay Mohapatrapresident@csi-india.org vp@csi-india.org secretary@csi-india.org

Hon. Treasurer Immd. Past PresidentMr. Ranga Rajagopal Prof. S V Raghavantreasurer@csi-india.org ipp@csi-india.org

Nomination Committee (2014-2015)

Prof. P. Kalyanaraman Mr. Sanjeev Kumar Mr. Subimal Kundu

Regional Vice-PresidentsRegion - I Region - II Region - III Region - IVMr. R K Vyas Mr. Devaprasanna Sinha Prof. R P Soni Mr. Hari Shankar Mishra Delhi, Punjab, Haryana, Himachal Assam, Bihar, West Bengal, Gujarat, Madhya Pradesh, Jharkhand, Chattisgarh,

Pradesh, Jammu & Kashmir, North Eastern States Rajasthan and other areas Orissa and other areas in

Uttar Pradesh, Uttaranchal and and other areas in in Western India Central & South

other areas in Northern India. East & North East India rvp3@csi-india.org Eastern India

rvp1@csi-india.org rvp2@csi-india.org rvp4@csi-india.org

Region - V Region - VI Region - VII Mr. Raju L kanchibhotla Dr. Shirish S Sane Mr. S P Soman Karnataka and Andhra Pradesh Maharashtra and Goa Tamil Nadu, Pondicherry,

rvp5@csi-india.org rvp6@csi-india.org Andaman and Nicobar,

Kerala, Lakshadweep

rvp7@csi-india.org

Division ChairpersonsDivision-I : Hardware (2013-15) Division-II : Software (2014-16) Division-III : Applications (2013-15) Prof. M N Hoda Dr. R Nadarajan Dr. A K Nayak div1@csi-india.org div2@csi-india.org div3@csi-india.org

Division-IV : Communications Division-V : Education and Research (2014-16) (2013-15)

Dr. Durgesh Kumar Mishra Dr. Anirban Basu div4@csi-india.org div5@csi-india.org

Important links on CSI website »About CSI http://www.csi-india.org/about-csiStructure and Orgnisation http://www.csi-india.org/web/guest/structureandorganisationExecutive Committee http://www.csi-india.org/executive-committeeNomination Committee http://www.csi-india.org/web/guest/nominations-committeeStatutory Committees http://www.csi-india.org/web/guest/statutory-committeesWho's Who http://www.csi-india.org/web/guest/who-s-whoCSI Fellows http://www.csi-india.org/web/guest/csi-fellowsNational, Regional & State http://www.csi-india.org/web/guest/104Student Coordinators Collaborations http://www.csi-india.org/web/guest/collaborationsDistinguished Speakers http://www.csi-india.org/distinguished-speakersDivisions http://www.csi-india.org/web/guest/divisionsRegions http://www.csi-india.org/web/guest/regions1Chapters http://www.csi-india.org/web/guest/chaptersPolicy Guidelines http://www.csi-india.org/web/guest/policy-guidelinesStudent Branches http://www.csi-india.org/web/guest/student-branchesMembership Services http://www.csi-india.org/web/guest/membership-serviceUpcoming Events http://www.csi-india.org/web/guest/upcoming-eventsPublications http://www.csi-india.org/web/guest/publicationsStudent's Corner http://www.csi-india.org/web/education-directorate/student-s-cornerCSI Awards http://www.csi-india.org/web/guest/csi-awardsCSI Certifi cation http://www.csi-india.org/web/guest/csi-certifi cationUpcoming Webinars http://www.csi-india.org/web/guest/upcoming-webinarsAbout Membership http://www.csi-india.org/web/guest/about-membershipWhy Join CSI http://www.csi-india.org/why-join-csiMembership Benefi ts http://www.csi-india.org/membership-benefi tsBABA Scheme http://www.csi-india.org/membership-schemes-baba-schemeSpecial Interest Groups http://www.csi-india.org/special-interest-groups

Membership Subscription Fees http://www.csi-india.org/fee-structureMembership and Grades http://www.csi-india.org/web/guest/174Institutional Membership http://www.csi-india.org /web/guest/institiutional-

membershipBecome a member http://www.csi-india.org/web/guest/become-a-memberUpgrading and Renewing Membership http://www.csi-india.org/web/guest/183Download Forms http://www.csi-india.org/web/guest/downloadformsMembership Eligibility http://www.csi-india.org/web/guest/membership-eligibilityCode of Ethics http://www.csi-india.org/web/guest/code-of-ethicsFrom the President Desk http://www.csi-india.org/web/guest/president-s-deskCSI Communications (PDF Version) http://www.csi-india.org/web/guest/csi-communicationsCSI Communications (HTML Version) http://www.csi-india.org/web/guest/csi-communications-

html-versionCSI Journal of Computing http://www.csi-india.org/web/guest/journalCSI eNewsletter http://www.csi-india.org/web/guest/enewsletterCSIC Chapters SBs News http://www.csi-india.org/csic-chapters-sbs-newsEducation Directorate http://www.csi-india.org/web/education-directorate/homeNational Students Coordinator http://www.csi- india .org /web/national-students-

coordinators/homeAwards and Honors http://www.csi-india.org/web/guest/251eGovernance Awards http://www.csi-india.org/web/guest/e-governanceawardsIT Excellence Awards http://www.csi-india.org/web/guest/csiitexcellenceawardsYITP Awards http://www.csi-india.org/web/guest/csiyitp-awardsCSI Service Awards http://www.csi-india.org/web/guest/csi-service-awardsAcademic Excellence Awards http://www.csi-india.org/web/guest/academic-excellence-

awardsContact us http://www.csi-india.org/web/guest/contact-us

CSI Communications | June 2014 | 5

Let us all congratulate on behalf of Computer Society of India, Sri.

Narendra Modi, who has been recently sworn as the 15th Prime Minister

of India. It is a known fact that he is widely acknowledged as a champion

of India’s competency in technology, innovation, e-governance, use of

technology in education, and turning India a global hub of technology.

CSI was proud and privileged to confer upon Sri Narendra Modi the “CSI

e-RATNA” Award in recognition of his services to State and citizens at large

through e-Governance and ICT projects, on the occasion of e-Governance

Knowledge Summit and International Conference on e-Governance in Oct

2011.Sri Modi while addressing the IT professionals at the Nasscom India

Leadership Forum had stated that the use of IT can put India on the road to

fast and inclusive growth. He further, envisages the role of IT as a change

agent which will empower, connect and can bind isolated parts of India

and create harmony and can join people with governments, bridge the gap

between demand and supply, and can bring all closer to knowledge. He

had also coined the popular phrase: IT+ IT = IT (Indian Talent+ Information

Technology = India Tomorrow). Modi’s vision is to create a ‘Digital India’ a

knowledge-based society and economy using IT as the growth engine. He

also believes that E-governance, with increased use of technology to bring

empowerment, equity and effi ciency to the economy and will be a great

problem solver for people in India and emphasizes that “E-governance can

bring minimum government and maximum governance,” All the above, has

set a high expectation by the Indian IT Industry to look forward to the next

phase of growth in IT in the country which will be benefi cial to all of us.

As the demand for electronics and the hardware gadgets is set to

increase from $55 billion in 2014 to $400 billion by 2020, and in order

to conserve the foreign exchange, an ambitious electronics manufacturing

policy focusing on information access devices and value added products

such wearable computers and devices is expected by the industry. Further,

industry sources believe that distributed smart manufacturing using

3D printing technology will become the main stream in the near future.

Further, the IT-BPO sector by 2020, expects its market size to grow

to$300 billion from the current $110 billion. These initiatives are likely

to create millions of new jobs and societies like CSI have a major role in

developing the manpower to meet these requirements.

In the EXCO meeting of the SERACC (in which CSI is a member) held in

Apr 2014 at Kuala Lumpur, Malaysia, Prof. Dong Yoon Kim from South Korea

presented the plans for the IFIP World Computer Congress WCC-2015 in

Daejong, South Korea and requested SEARCC to consider hosting SEARCC

Conference or a workshop at WCC-2015. While it was debated that whether

SEARCC conference could be held in a non-member country, considering

the IFIP’s WCC being held at South Korea and the possibility of interacting

with the other country apex computer bodies from Japan, China, Singapore,

New Zealand, Hong Kong and Myanmar on their joining SEARCC it was in

principle agreed by EXCO to host SEARCC-2015 in South Korea instead of

having it in India as confi rmed in the earlier EXCO. However the fi nal decision

will be made in the next EXCO being planned at the SEARCC-2014 at Kuala

Lumpur, Malaysia. As decided earlier, CSI India will host the SEARCC

International School Software Contest for the year 2014 in India. The CSI

Education Directorate (CSI ED) has already planned the related activities. In

the EXCO, it was also decided to cross promote the events organized by the

SEARCC members to facilitate wider participation. International Young ICT

Professionals Group (InterYIT), a part of IFIP which has objectives such as

being the umbrella organisation for all Young ICT professionals around the

world, fostering communication between Young IT Groups and promoting

representation of young professionals in the computer societies as well as

within IFIP desires SEARCC members to participate in this initiative. It was

informed to EXCO that the YITP Awards, what we at CSI have annually has

similar objectives and CSI can work with InterYIT group.

Considering the reported information that a signifi cant percentage of

the Indian authors indulge in plagiarism, to sensitize our researchers and

academic community on the risks of plagiarism including losing out their

jobs, a one day workshop was held in May 2014 at Chennai with resource

persons drawn from IEEE CS Editorial Board, IIT Madras and a professional

author. It was well attended with over 95 participants. The participants

while providing an excellent feedback, desired workshops in Research

Methodologies and Communication Skills to be organized to help them

further. The chapters interested to organize the workshop on plagiarism in

other parts of the country may pl. get in touch with CSI ED.

I am happy to report that the open page article “An opportunity

seized but not fulfi lled” by Dr. S. Ramani, our past president, published in

The Hindu which can be accessed at http://bit.ly/1gV6OKI has attracted

considerable amount of feedback and initiated a debate. We look forward

to similar thought provoking writings from others to brainstorm and

progress further.

After training about 300 special educators in software packages

for the Integrated Assessment, Evaluation and Programming of Mentally

Challenged Children by partnering with Media Lab Asia and Centre for

Development of Advanced Computing (CDAC), CSI ED has taken up

a pilot initiative in training the Mentally Challenged children / student

trainees in the basic operations of computers and introducing them to

the productivity software such as MS Offi ce and additionally train in the

basics of accounting and package such as Tally which would be of use to

them in pursuing a career is also provided . A brief report appeared in The

Hindu at http://bit.ly/1kyltXj had received queries from entrepreneurs on

scaling up this initiatives and few organizations seeking trained people for

potential employment. Our appreciation to the CSI ED staff for their eff ort.

CSI ED has proposed to organize the “Golden Tech-Bridge”

Programme in Aug 2014 as an intervention of the organization, aimed at

introducing computers and its advantages to the unexposed sections of

society at 50 locations across the country with the support of our student

branches. We look forward to its success.

The CSI Bangalore chapter is gearing up for the fi rst Golden Jubilee

Celebration meeting in the year 2014-15. The meeting scheduled on 14th

June 2014 is expected to have most of the 16 Fellows (inclusive of four

presidents) of CSI at Bangalore to participate and share their impressions

and the growth of CSI in the past and brainstorm on the future of CSI.

CSI has a scheme through which fi nancial grants to the extent of Rs.

25,000/= is being made available for international travel by research students

to present their papers. In a year, eight such grants will be provided. Those

interested in availing this grant may get in touch with the research committee

chaired by Dr. Anirban Basu who is also the chairman of Division V.

A number of events on current interest topics which are either

organized or support by CSI are listed in the calendar of events and I am

sure that our members will make use of the opportunity in presenting

papers and participating in them.

More in the next month message.

With best regards

H R MohanPresidentComputer Society of India

President’s Message H R Mohan

From : President’s Desk:: president@csi-india.orgSubject : President's MessageDate : 1st June, 2014

Dear Members

CSI Communications | June 2014 | 6 www.csi-india.org

EditorialRajendra M Sonar, Achuthsankar S Nair, Debasish Jana and Jayshree Dhere

Editors

Dear Fellow CSI Members,

Gone are the days when a piece of software used to be mono-lithic

having all the logical components: business logic, data services and

presentation services implemented together in the same piece of

software code. There were not many security implications then,

since access to software was limited to few users - mostly internal

employees - through interfaces provided by the software. As of

today, however, distributed computing, client/server computing,

n-tier software applications, cloud-computing, multiple types

of accesses to software through various delivery channels such

as ATMs, client software such as internet browsers and mobile

devices such as phones, tablets etc. have enabled complex

applications and created greater scope for vulnerabilities. Our

dependence on software is also increasing day by day.

Each software application, its various software components and

interconnected devices participating in the application execution

need to be robust. If one of the components or access points has

security loophole it can create issues and vulnerabilities that can be

exploited to cause a security incident. In most of the early systems,

software professionals did not feel the need to worry about software

security aspects during initial states of software development,

and these were usually addressed during coding phase. However,

security professionals today are realising that if security aspects are

thought identifi ed, analysed and taken care of during early phases

of software development life cycle, it can be of great help. Hence,

in this issue we cover Security in Software Development as theme.

We have three articles under cover story that cover aspects such as

need of software security, its building blocks, security environment,

what needs to be secured, why and how it can be done, what are

solutions and so on. The fi rst article in cover story section is about

What, Why and How Software Security by Satish K Sreenivasaiah

and Mohan Jayaramappa of Tata Consultancy Services, Bangalore.

The second article in cover story section is Developing Secure Software by Sandeep Godbole, Member of ISACA India Task

Force. The third article under cover story section is by Sunil Bakshi,

Free-lance Consultant and Trainer, IT governance and Information

Security and it is about Security in Software Development.

In Technical Trends section, we have two articles, the fi rst one

on Application Layer Security Solution for Java Based Web Applications by Vijay Gulati and Venkata Swamy Bathina, Research

& Innovation group of IGATE. The second article is titled Nuts and Bolts of Code Coverage Testing by Abhinav Vaid, an IT Practitioner.

In Research Front section, we have two research based articles –

one titled Template Matching Tool for Remote Sensing Images by

Ashish Joshi, Ankit Kumar, Anil Kumar and Ankush Mittal and the

other titled Digital Image Steganography: Seeing is always NOT believing by Anurag Jagetiya and Dr. C Rama Krishna of Department

of CSE, NITTTR, Chandigarh.

In Article section, we have two articles. First one is by Navdeep

Kaur and Parminder Kauro of Guru Nanak Dev University, Amritsar

on SQL Injection – Anatomy and Risk Mitigation wherein authors

suggest measures to be taken during diff erent phases of software

development cycle for mitigating the risk of SQL injection. Another

article titled Reaping ROI from Big Data is by Binesh Nair of

Vidyalankar School of Information Technology, Mumbai, wherein

author provides inputs on how an organization can reap ROI from

Big Data by building analytics culture in the organization.

Practitioner Workbench section under Programming.Tips() we

have an article Fun with ‘C’ Programs by Prof. Wallace Jacob, where

he is provides an interesting example of array being passed to a

function that changes values of array elements. We have regular

article on “R” under Programming.Learn(“R”) by Umesh P and

Silpa Bhaskaran of Department of Computational Biology and

Bioinformatics, University of Kerala, this time they are covering

Basic Statistics Using R.

In Security Corner column under Information Security section

we have an article titled A Quick Look at Hadoop Security by

Paresh Suvarna and Prashant Wate, IGATE. In the other section

which covers a series of ‘Case Studies in IT Governance, IT Risk

and Information Security’ by Dr. Vishnu Kanhere, Convener SIG

– Humane Computing of CSI, we have a case study of SureSwift Software, in which he elaborates the concept of security in software

development with an example.

In our regular section of Brain Teaser we have crossword puzzle by

Dr. Debasish Jana, Editor, CSI Communications. This time he tests

the readers’ knowledge on “Security in Software Development”. In

the section titled ‘Your Question, Our Answer’, Dr. Jana answers

readers’ questions. Briefs of various ICT news of May 2014 are

compiled and brought to CSIC readers by Mr. H R Mohan, President,

CSI, AVP (Systems), The Hindu, Chennai under ‘Happenings@ICT’.

In the book review section called ‘On the Shelf!’ Mrs. Jayshree

A. Dhere, Resident Editor, CSI Communications reviews recently

received book “Code Halos: How the Digital Lives of People, Things, and Organizations are Changing the Rules of Business” authored by.

We have other regular features like CSI Announcements, CSI

Reports and Chapter and Student Branch, Call for Papers and

so on. Please feel free to send your inputs and feedback to

csic@csi-india.org as your views are important to us and for making

the CSIC magazine a two-way communication.

With warm regards,

Rajendra M Sonar, Achuthsankar S Nair,

Debasish Jana and Jayshree Dhere

Editors

As of today, however, distributed computing, client/server computing, n-tier software applications, cloud-computing, multiple types of accesses to software through various delivery channels such as ATMs, client software such as internet browsers and mobile devices such as phones, tablets etc. have enabled complex applications and created greater scope for vulnerabilities.

Each software application, its various software components and interconnected devices participating in the application execution need to be robust. If one of the components or access points has security loophole it can create issues and vulnerabilities that can be exploited to cause a security incident.

CSI Communications | June 2014 | 7

Security in software development as a

concept is both vast and deep, making it

not so easy for a beginner to gain strong

foothold at the pace that is expected. An

attempt has been made to cover the three

fundamental questions about Security

in Software development and answers

addressed briefl y. The idea is to provide

insights at a high level for someone

who is about to embark on getting his

application/product security compliant.

The three fundamental questions

being - What, Why and How of security in

software development.

What Part?Let us begin with the What part first.

Security as a discipline in Software

development is essential in ensuring

that each and every component in the

application/ product stack adheres to

a certain set of principles or guidelines

in the context of various phases of

SDLC viz., Requirements gathering,

Architecture Definition, Design,

Development, Testing, Go-live and

Support/maintenance. The objective of

these measures is to reduce the number

of vulnerabilities in the application/

product and thereby mitigating the risk

of threats that originate from internal

(disgruntled employees) or external

sources (hackers, a mischievous net

user etc.).

Keeping in line with the context of

security in software development, the

focus of discussion is limited to the details

of the fi rst fi ve phases from requirements

to testing as stated above.

From a layered technology stack

perspective, security aspects span across

the presentation layer, business logic and

the database layers. Any kind of interfaces,

be it batch or real-time with third party /

internal systems in the enterprise, need to

adhere to security guidelines. To quickly

summarize, Security is one of the key

ingredients of non-functional aspects

of an application/product by which its

trustworthiness is ascertained.

Why Security and Why Now?Day in day out, the online security breach

incidents across the globe has mandated

software security as a non-negotiable

requirement for any application / product

that has intent of getting it right in the

market place. Given the digital age and

time in which we live today, it wouldn’t

be exaggerating to say that Security as

a discipline is gaining unprecedented

importance in the life cycle of Software

development. Recent resignation of the

CEO of one of the large retailers in North

America due to online data breach and

theft of customer’s credit card/personal

information details, is an eye-opener and

just a tip of the ice-berg of how high the

stakes are, as any kind of customer data

breach aff ects both the reputation and

profi tability of the companies impacted.

A decade ago or earlier, software

application development teams

emphasized on getting the functional

features right and the implementation

of non-functional aspects (read it as

Security) of an application took a distant

second/third place (after its other non-

functional cousin performance).

This can be attributed primarily to

lack of awareness on software security;

skill set shortage, non-availability of

right tools to evaluate security as a

metric across various phases of SDLC.

Lately, there has been an increased

interest in the area of Security, surge in

the availability of security testing tools

both open source and licensed software,

knowledge base on vulnerability databases

made available by the industry bodies like

OWASP[1] (Open Web Application Security

project), CWE (Common Weakness

Enumeration), web application security

consortium (www.webappsec.org ) etc.

Having understood the What and

Why parts, further sections briefl y

describe the How part of Security in

software development.

How Part? Security Requirements: The process

of collecting security requirements

is different from gathering functional

requirements as most of the functional

use cases are provided by business

users. But when it comes to defining

security requirements, the business

users are less aware and probably even

care less as most of the requirements

don’t relate to business functionality and

their presence / absence do not visually

impact the end user/consumer. The

above scenario is truer for non-banking/

non-financial applications (ex., media

sites, and retail branding portals). More

often than not, security requirements go

unstated but at the same time expected

to be a part of the application/product

implicitly. Hence, the situation calls

for an architect/security lead to work

closely with the business team and

ensure he understands the business

requirements and correspondingly draft

the appropriate use cases for security. It

is recommended to have a requirements

tracking tool to ensure all of them are

captured and are being tracked across

the SDLC phase for traceability.

A few key factors that help in

determining the level of security

requirements are, type of an online

application (transactional / non-

transactional), kind of data it stores or

shares (sensitive, personal, confidential

or public data), hosting network

(internet, intranet, extranet), regulatory

compliance needs of the business

domain, external or internal interfaces

with third party tools as a part of the

application / product

Below is the indicative list of key

security requirements from OWASP

ASVS[2] (Application Security verfi cation

Standards) that an online application need

to comply with,

• Authentication & Authorization

• Session Management

• Input Validation

• Output Encoding

• Cryptography – provided the

application uses any sensitive data

(credit cards, SSN etc)

• Error Handling and Logging

• Data Protection

• Communication Security

• HTTP Security and

• Security confi guration

What, Why and How of Software Security Security in Software development

Cover Story

Satish K Sreenivasaiah* and Mohan Jayaramappa***Consultant, Tata Consultancy Services, Bangalore**Senior Consultant, Tata Consultancy Services, Bangalore

CSI Communications | June 2014 | 8 www.csi-india.org

Again, each of the above

requirements needs to be verifi ed against

the type of business, application/product

is catering to.

Security Architecture and Design: Once

the security requirements are drafted and

being tracked in the tool, next step is to

focus on Security Architecture and Design.

As per the OWASP ASVS, Security review

is to be planned in a way to certify an

application at any of the 4 diff erent levels

from Level 1 – Level 4. ASVS comprises

of reviewing an application/product in an

automated, manual, design review and

an end – end review of the application,

third party software code base, libraries,

frameworks etc.

As referred in OWASP, during the

design phase, Threat modeling[3] (a

technique to do security analysis) is

to be adopted for an eff ective way of

identifying threats and vulnerabilities for

an application/product. By identifying

the risks early in the game and devising

strategies to mitigate them avoids a lot of

re-work later across SDLC phases.

Also, the key design principles like

defense in depth, secure by default,

minimizing the attack surface etc. need

to be discussed and fi nalized during the

security architecture and design phase.

This process goes through a couple of

iterations before getting fi nalized. For

ex., an intranet application might want to

consider lesser security features for an

application hosted on LAN (Local area

network) as it is already protected by

LAN security. However, design principle

of defense in depth recommends that

security needs to be enabled across

the layers and not only at the periphery

as threats always don’t originate from

outside the LAN and can originate from

internal employees as well. Similarly, each

design principle needs to be carefully

evaluated based on the business domain

application/product is addressing.

Based on the above security

requirements verifi cation and architecture

review, an application/product is rated at

the corresponding maturity level (from

Level 1 – Level 4).

Security Coding Guidelines: Post the

design phase, the security coding

guidelines are to be followed and a stringent

code review process to be put in place to

ensure the right implementation. OWASP

provides security coding guidelines to

most of the known vulnerabilities that

exist in the industry today. Below is an

indicative list of vulnerabilities (top 10)

stated by OWASP[4] that needs eff ective

handling during coding phase.

A1 Injection – SQL Injection/ XPath etc.

A2 Broken Authentication and Session

Management

A3 Cross-Site Scripting (XSS)

A4 Insecure Direct Object References

A5 Security Misconfi guration

A6 Sensitive Data Exposure

A7 Missing Function Level Access Control

A8 Cross-Site Request Forgery (CSRF)

A9 Using Components with Known

Vulnerabilities

A10 Unvalidated Redirects and Forwards

The OWASP has developer cheat

sheets for each of the vulnerabilities

stated above in order for the development

teams to incorporate the code.

Security testing: Termed into diff erent

areas of Static and Dynamic testing of

the application code base and of the

application at run time respectively.

SAST – Static Application Security

testing – This phase tests the code base

as and when it is ready for release into

UAT/ production environments. There

are various tools both open source from

OWASP and licensed software for SAST

that scans through the code and generates

report detailing the vulnerabilities at code

level. Although, the automated report

provides a few false positives, security

team needs to work with the application

team and ensure only the appropriate

SAST defects are taken forward for fi xing.

DAST – Dynamic Application Security

testing – This is the fi nal phase of testing

wherein the application is tested at

runtime after it is functionally and non-

functionally ready in terms of security

requirements, design, code and SAST

fi xes incorporated with agreed upon

SAST defects. The DAST test is executed

and report provides details of the

vulnerabilities and recommendations for

fi xing them.

ConclusionWith the above said process of adhering

to security in software development,

application/product will have a high level of

trustworthiness and ensures that it avoids

the negative publicity, loss of reputation

and the related downward spiral that gets

associated with security fl aws.

Although the whole process looks

tedious and highly involved, it is good to

remind ourselves that quality/reliability of

an application/product is not an accident

and it is by choice and rigorous execution.

References[1] www.owasp.org(Open Web Application

Security Project).

[2] https://www.owasp.org/images/4/4e/

OWASP_ASVS_2009_Web_App_Std_

Release.pdf (Page no.16)- Material taken

under Creative Commons Attribution

ShareAlike 3.0 License5; Authors :

Mike Boberski (Booz Allen Hamilton),

Jeff Williams (Aspect Security), Dave

Wichers (Aspect Security) ; Title : OWASP

Application Security Verifi cation standard

2009 – Web Application Standard.

[3] https://www.owasp.org /index.php/

Category:Threat_Modeling – Material

taken under Creative Commons 3.0

License[5] ; Title: Category: Threat

Modeling.

[4] https://www.owasp.org /index.php/

Top10#OWASP_Top_10_for_2013-

Material taken under Creative Commons

3.0 License[5]; Title: Category: Top 10

OWASP Project, Tab 2 Title : OWASP Top

10 for 2013.

[5] Creative Commons 3.0 License link -

http://creativecommons.org/licenses/

by-sa/3.0/ n

Abo

ut th

e A

utho

rs

Satish K Sreenivasaiah is a consultant in Tata Consultancy Services based out of Bangalore. He is part of the Product Trustworthy

Centre of Excellence that is responsible for ensuring software Security and Performance. He has overall experience of 15+ years in

IT industry and has held various positions of Solutions Architect, Lead Architect, Practice Manager and Relationship Manger across

the geographies.

Mohan Jayaramappa is a senior consultant in Tata Consultancy Services based out of Bangalore. He heads the Product Trustworthy

Centre of Excellence that is responsible for ensuring software Security and Performance.

He has overall experience of 25 years in IT industry and has worked in various positions in web, desktop and mainframe technologies

CSI Communications | June 2014 | 9

BackgroundWith technology impacting all spheres of

our lives, secure technology has become

an inherent and non-negotiable attribute,

for all users and stakeholders. Almost all

technologies of the day rely on software

in some measure or the other as a

component, driver, enabler or the product

itself. Needless to say security of the

technology product or service is closely

linked to the security of the underlying

software.

Introductory texts related to computers,

often began with a diff erentiation of the

concept of hardware and software. While

the concept of hardware and software is

probably well understood by almost all users

what is less understood is the primacy of

software in making things work. Even those

functions that are considered functions

of hardware or infrastructure are fi nally

dependent on the underlying software. For

example, functions driven by hardware

components such as switches and routers

owe their existence to the software that

runs them. The software in such devices

could be in the form of fi rmware that is

burnt into the hardware, nevertheless it still

is software. Since software is omnipresent,

the security of software and security

enabled by software is very important for

the eff ective functioning of systems, devices

and infrastructure. Vulnerable software can

lead to serious consequences.

Security Devices: Not a Solution for all IllsIt is very important that the software be

robust and free of vulnerabilities. If the

software is weak, insecure or infested

with security vulnerabilities it is very

unlikely that an external solution would

compensate for the inherent defects.

For example, if the software has serious

vulnerabilities related to authentication,

it is highly improbable that an external

device or solution can compensate or

protect from this vulnerability. Traditional

security devices like fi rewalls do not

operate at the application layer on the

TCP/IP stack, and thus are not ‘application

aware’. It is therefore not possible to

compensate for weak and vulnerable

software operating above the application

layer with an external ‘add- on’ that

operates at lower layers. None of the

traditional fi rewalls can protect vulnerable

software or applications that are inherently

insecure. This limitation does not negate

the importance of essential security

controls like fi rewalls, they are necessary;

however it is important to understand

their functions and boundaries. The best

approach to secure software is to ensure

that it is built using the right approach,

methodology and tools. The inherent

strength and capability of the software

is thus of prime importance for ensuring

security.

Security: The Building BlocksLet us determine what is required to

develop such ‘secure software’ and

identify the associated building blocks.

Secure software development should

be viewed as a process driven approach,

enabled with appropriate tools in a

secure environment. Secure software

development is not a ‘bolt-on’ solution, but

a process that needs to be ingrained as an

integral part of the software development.

Factors that are necessary for secure

software can be classifi ed into two major

buckets:

a�Enabling Factors

b�Direct Factors

Enabling Factors are those that

ensure the software development process

and associated environment enables

and supports the development of secure

software that is free from vulnerabilities.

Enabling factors may not guarantee or

generate secure software. However they are

essential in structuring an environment for

Direct Factors to be eff ective. Direct Factors

are components that should be included

when developing secure and robust

software. These are directly associated with

the software development process. Direct

Factors are much closer to the software

development activities and touch the

software code directly.

Enabling FactorsSecure EnvironmentAs with all mature environments, a robust

and controlled software development

environment is a prerequisite. An

uncontrolled or vulnerable environment

may lead to unauthorized modifi cations

and changes. Lack of a secure change

management process would result

into a signifi cant risk. A robust and

controlled development environment is an

essential hygiene factor in any software

development process.

Mature Software Development ProcessA commonly accepted principle related

to software development is that any

modifi cation that is unplanned or that

happens late in the software development

process requires re-work and is expensive.

The corollary of this statement is that

security needs to be built in early as

part of the development process. The

software development methodology be

it traditional SDLC or ‘Agile’ ought to

consider the security requirements early

in the development process and not as an

afterthought. The security requirements

should be defi ned based on the risk

assessment. Results of a risk assessment

are important in determining the security

to be implemented. The impact of a risk is

best understood by the risk management

professionals, system owners and users

rather than the programmers. It is thus

important that the role of all stakeholders

be recognized and the participation of

stakeholders be ensured as part of secure

software development, when identifying

the security requirements of the software.

Security needs to be addressed across

all phases of the development. A security

requirement that remains undefi ned and

which is discovered during implementation

is challenging and expensive to fi x.

Such unpleasant discoveries can lead to

signifi cant time and cost over runs. Further,

corrective actions, tend to be a ‘patchwork’

and not an integrated solution. It is therefore

important that security be addressed

across all phases when developing

software. Adequate traceability for security

requirements across the requirement,

design, development and implementation

phases should be ensured. This provides a

structured process to ascertain and verify

the security implemented in the software.

Project Management The project management practices should

incorporate security as part of software

project management. Organizations that

defi ne and implement security as a part

of the project management eff ectively

Developing Secure Software

Cover Story

Sandeep GodboleMember, ISACA India Task Force

CSI Communications | June 2014 | 10 www.csi-india.org

institutionalize security. This helps the

organization in ensuring that security

is eff ectively addressed across multiple

software projects in the organization.

Direct FactorsSecure CodingSecure coding practices are key to

ensuring that vulnerabilities are not

introduced when developing software.

All features, facilities or functionality

in any software is deployed as code. A

vulnerable service or feature points to

weaknesses in the corresponding code.

A programming or coding error can

cause damage and prove to be extremely

costly. It is important that no coding

fl aws and therefore no vulnerabilities be

introduced due to poor coding practices.

Many organizations haves standardized

and defi ned secure coding practices.

These coding practices serve as a guide

to developers in ensuring that appropriate

constructs and functions are used

and that common errors are avoided.

Developing standard libraries and web

services for commonly used functionality

is an approach that is deployed by many

organizations. Not only does it ensure

modularity and avoid duplicate eff ort,

but it also ensures that security is built

into the code. Organizations like OWASP

have shared knowledge base and tools to

support development of secure software.

Programmers can enhance their skill levels

by updating themselves on numerous

inputs like these that are available.

Validations Malformed inputs are one of the most widely

deployed attack vectors against applications.

It is therefore important that all inputs be

validated from the functional perspective as

well as from the security perspective. Many

attacks including buff er overfl ows, Injection

Attacks, Cross Site Scripting Attacks (XSS)

occur because user inputs are not validated.

When defi ning validations, it is important

to weed out malformed inputs that can

severely impact security. Inputs refer to

information sought from the users and also

all other data elements that come from the

user or client end. This includes content like

cookies and URL parameters too.

Security AssessmentA wide variety of tools are available to

support secure software development.

While some of them are commercial tools

others are available free of cost. These

include tools like code scanners that parse

the code and identify constructs that seem

to introduce vulnerabilities. This approach

that parses code to identify vulnerabilities

is referred to as static code analysis. Many

tools specifi c to the technology used for

development are available for use.

While static code analysis is helpful,

the other approach referred to as dynamic

testing is often deployed to test software

for vulnerabilities. Unlike static code

analysis, dynamic scanners scan the ‘live’

application for vulnerabilities. While static

analysis identifi es potential vulnerabilities,

dynamic assessment actually demonstrates

the existence vulnerabilities. This makes

dynamic testing a preferred approach.

Both these approaches however do

tend to fl ag false positives – vulnerabilities

identifi ed erroneously, even though they

are absent. It is here that professional

skills and manual eff ort plays a role in

identifying such false positives. The tools

complimented by professional ability

are an eff ective means to implement

quality assurance, oversight and testing

processes. All software should undergo

such testing prior to implementation or

delivery. This phase is not a substitute

for building security across the software

development process. Rather, it is an

assurance mechanism and a part of the

chain to assure adequate security.

Secure Software: A P-D-C-A ApproachA closer examination of the discussion

above identifi es that the activities related

to secure software development map

closely to the P-D-C-A cycle. Defi nition

and implementation of security standards,

secure environment and security

requirement defi nition comprise the ‘Plan’

Phase. Implementing the secure coding

standards is a part of the ‘Do’ Phase.

Security assessment, oversight and other

quality assurance activities associated

with traceability, static and dynamic

assessments is the ‘Check’ Phase.

Learning from the results and taking

corrective actions where warranted is the

‘Act’ Phase.

ConclusionAn important aspect of the secure

software development is that it requires

the participation and contribution of

multiple stakeholders. Sponsors, users,

developers, IT support staff , security

professionals all play a very important

part in building security. From the

organizational perspective it highlights

the need to educate all stakeholders and

defi ne activities related to security across

multiple organizational roles.

Security is an essential and non-

negotiable aspect of any software.

Applications and software diff er in their

functionality, usage and technology.

However, the high level approach to building

security remains the same. No software

would be considered to be eff ective or even

functional if security is not incorporated as

a key property or attribute. Building security

is neither diffi cult nor very expensive if it is

done the correct way. With a disciplined

approach, sincere eff orts and a mindset

that recognizes the importance of security

in software development; secure software is

well within reach.

References [1] www.owasp.org : There is a rich

collection of resources available

at OWASP. This includes tools,

applications and publications.

[2] OWASP Testing Guide

h t t p s : // w w w . o w a s p . o r g /

images/5/56/OWASP_Testing_

Guide_v3.pdf

[3] OWASP Secure coding Practices

Quick Reference Guide

h t t p s : // w w w . o w a s p . o r g /

images/0/08/OWASP_SCP_Quick_

Reference_Guide_v2.pdf

[4] Secure Coding Guidelines, Microsoft

http://msdn.microsoft.com/en-us/

library/d55zzx87(v=vs.90).aspx

[5] FxCop Tool from Microsoft

http://msdn.microsoft.com/en-us/

library/bb429476.aspx

[6] Paros Tool http://sourceforge.net/

projects/paros/

[7] Burp Tool http://portswigger.net/

burp/ n

Sandeep Godbole, works as Dy General Manager for Information Security at Syntel. He has a rich experience

spanning 20 years in IT Security, IT Assurance and Governance. He holds multiple certifi cations and qualifi cations in

these areas. Sandeep volunteers on the ISACA India Task Force. He is presently the President of ISACA Pune Chapter.

He can be reached at president@isacapune.orgAbo

ut th

e A

utho

r

CSI Communications | June 2014 | 11

BackgroundProliferation of information technology

has been shifting trends over a period

of time. Today we cannot think of any

organization without IT. However threats

and vulnerabilities are responsible

for creating challenges in security of

information. With changing technology

and the threat scenarios are also aff ecting

the way organizations manage their

information security.

Apart from changes in technology

the customer expectations are also

driving business in changing the approach

on delivering services using IT. Today the

business is focused on using technology

for delivering services to customers.

Applications are the vehicles that take

services to customers using network

(internet) highways. Organizations use

multiple channels to deliver services for

example banking services are available

to customers though internet (internet

banking), Mobile banking though mobile

apps (or applications?), ATMs, Any branch

banking, Fund transfers (for example

National Electronic Fund Transfer(NEFT),

Real-time Gross settlement (RTGS)

of RBI) and so on. In order to ensure

these services are delivered securely

organizations ensure that security is

built around the infrastructure, that

includes network (fi rewall, IDS/IPS)

Anti-virus, website authentications, user

authentication with multi-factor access

controls however there are incidents of

fraud and information leakage on rise.

There are two weak links in the

process humans (users) and applications.

Weakness in humans can be addressed

using awareness training, however

application security must be part of

application and need to be addressed

while developing an application.

Threats and Vulnerabilities Associated with Application (OWASP top ten)With use of internet based technologies

and clouds organizations have hosted

applications that can be accessed

from internet and/or intranet. These

applications might contain vulnerabilities

if exploited can compromise the security

of information. Attackers tried to exploit

these vulnerabilities to launch the attacks

like SQL Injection, Cross site scripting.

OWASP (Open web application Security

project) identifi es top ten security threats

every years. Threats identifi ed in 2013 are

listed below. (Source: www.owasp.org)

• Injection (SQL Injection): Attacker

can access and modify databases

• Broken Authentication and Session Management: attackers can assume

users’ identity

• Cross-Site Scripting (XSS): Allows

attackers to hijack user sessions.

• Insecure Direct Object References: Attackers can access data.

• Security Misconfi guration: Attacker

can us gaps in confi guration to attack.

Sensitive Data Exposure: Attackers

may steal or modify Sensitive data.

• Missing Function Level Access Control: Attackers will be able access

functionality.

• Cross-Site Request Forgery (CSRF): Allows the attacker to control victim’s

browser.

• Using Components with Known Vulnerabilities: Attacker exploits

components that run with full

privileges.

• Invalidated Redirects and Forwards: Attackers redirect victims to phishing

or malware sites.

Detecting Problems in ApplicationMany organization’s direct their

application security eff orts on automated

detective and/or corrective solutions

such as application scans, penetration

testing, grey-box – white box testing,

web application fi rewalls, rather than

preventing the defects from occurring

in the fi rst place. Subsequently security

defects are fi xed based on report, however

this approach requires lot of rework and

high cost.

These detective controls many

times cannot detect absence of security

control mechanism within application for

example session management cannot be

identifi ed by automated tools. This sort of

logic fl aw is identifi ed by manual source-

code review and/or manual penetration

testing. However these techniques suff er

from scalability and high cost, associated

with testing and there after fi xing the

problem. Also very few organizations

can aff ord to perform the level of manual

testing required for their entire application

portfolio. The problem is further escalated

by bugs such as insuffi cient authorization,

which can be detected only by human

expertise. While the security community

and security tool developers already have

a strong understanding of insuffi cient

authorization, there is simply no practical

method of detecting such a vulnerability

using a completely automated mechanism.

Solutions1. Do not expect security from usersApplication developers cannot depend

upon user for security. For example in case

the application is developed using web

based technologies and users are expected

to access it using diff erent browsers (like

internet explorer, Google chrome etc.),

application may not depend upon users to

secure their browsers, but embed security

within application. In case application is

hosted on internet, it is subject to various

application level attacks that need to be

closed by adopting secure development

and coding practices. Another example

can be access from mobile where user

may or may not have secured the device

from which they are accessing the data.

2. Secure SDLCUntil recently security was an

afterthought for Software development

life cycle(SDLC); normally developers

used to check the security related aspects

of application through penetration testing,

which would result in a huge amount of

rework. For example, if a security related

vulnerability, bug or fl aw is detected after

development then correction of the same

will require re-examining all the aspects

starting from requirements till coding.

This entire exercise will increase the cost

and eff orts of the project. To overcome

this issue, latest research studies suggest

that the security should be incorporated

right from the beginning in the SDLC.

Information security trends indicate

that embedding security within application

development helps in addressing various

issues that may arise subsequently.

For example, when multiple users are

expected to access application hosted

at central location from diff erent nodes,

the application should be able to provide

Security in Software Development

Cover Story

Sunil BakshiFree-lance Consultant and Trainer, IT governance and Information Security

CSI Communications | June 2014 | 12 www.csi-india.org

access depending upon the function the

specifi c users has to perform. This requires

developers to design role defi nition and

provide functionality for assigning these

roles to diff erent users.

The following table describes the

additional steps that need to be added

to the traditional SDLC phases to make it

Secure SDLC.

3. Standard coding practicesOrganizations must adopt standard coding

practices that can prevent the security fl aws

being introduced within the applications. For

example input validation can prevent 80%

of security vulnerabilities being introduced.

Avoiding open ended loops and complex if

statements reduce the possibilities of error/

bug and writing code for error handling

helps in preventing abrupt termination of

application during operation. IT may be

noted here that handling errors must be

done appropriately so as not to reveal more

than suffi cient information that can provide

clues to an attacker.

4. Developer EducationDeveloper education is a preventive

technique that seeks to empower

developers with the knowledge to write

secure code. Research has showed that

education and awareness improves the

quality and security of application. A

single training class is a point-in-time

activity, and the value of the education

diminishes over time unless the

developers are continuously in touch

with material and are updated on new

and emerging techniques. Moreover,

given the pressures of building software

under strict deadlines, software

developers could forget about specific

security defects due to cognitive burden.

Thus, developer education is important

but not sufficient for preventing

application security defects.

ConclusionsDetective techniques are ineffi cient when

compared to preventive techniques as

a result of extremely high remediation

costs in the software development life

cycle (SDLC). It has been established long

back that is most cost eff ective to plan

SDLC Phase Security Steps

Requirement Defi nition • To identify security requirements including compliance for privacy and data loss.

• To determine risks associated with security and prepare mitigation plan.

• To train users on identifi cation and fi xing of security bugs.

Design Phase • To ensure security requirements are considered during design phase e.g. access controls for

privacy sensitive data.

• To identify possible attacks and design controls e.g. implementing least privilege principle for

sensitive data, and apply layered principle for modules.

Development Phase • To develop and implement security coding practices such as input data validation and avoiding

complex coding.

• To train developers on security coding practices.

Testing Phase • To review code for compliance of secure coding practices.

• To develop test cases for security requirement testing.

• To ensure security requirements are tested during testing.

• To test application for identifi ed attacks.

Implementation Phase • To analyze all functions and interfaces are secured.

• To perform security scan of application after implementation.

Maintenance Phase • To monitor for vulnerabilities on a continuous basis,

• To issue the patches for fi xing the reported vulnerabilities, accordingly,

• To evaluate the eff ectiveness of countermeasures periodically.

Table: Security steps in various phases of SDLC

and prevent defects upfront rather than

fi nding and fi xing them later.

End Notes[1] www.owasp.org

[2] http://www.sans.org/reading-room/

whitepapers/securecode/software-

engineer ing-secur i ty-process-

sdlc-1846

[3]   h t t p s : // w w w . m i c r o s o f t .

c o m /s e c u r i t y /s d l /d e f a u l t .

aspx?mstLocPickShow=True

[4] http://www.veracode.com/security/

software-development-lifecycle

[5] www.isaca.org

n

Sunil Bakshi, MCA, AMIIB, CISA,CISM, CGEIT, CRISC, CISSP,PMP, CEH, ISO27001 LA, ISO14001 LA, ISO9001

LA, COBIT Foundation. Member, ISACA India task force and CRISC Certifi cation committee. Past chairman and

chapter patron for CSI Pune chapter. Has 36 years of experience in IT with public and private sector. Currently

free-lance consultant and trainer in IT Governance, Security and Audit fi eld.

Abo

ut th

e A

utho

r

CSI Communications | June 2014 | 13

Current Industry ChallengesCurrently web applications leverage multiple

application security libraries/ frameworks

for building secure web applications. There

defi nitely is a need to have a centralized

security framework, which can act as

security layer at the application level

providing value addition for the web

application developers, so they don’t need to

worry about integrating multiple libraries/

frameworks to protect the web applications

from top vulnerabilities.

Also many people are ignorant of the

fact that there are so many vulnerabilities

that one needs to be cognizant of

while ensuring the security of the web

applications at the application layer.

Following are some of the top

vulnerabilities:

One more challenge that the industry is

facing is that there are a lot of duplicate

confi guration settings or duplicate eff orts

one has to undertake in order to build/

confi gure the security framework or even

to customize one. We are addressing that

issue also so that we can save eff orts and

eliminate redundant work that is carried

out while implementing the security

frameworks for each web application.

Web Application Security Frameworks in the Market PlaceThere are plenty of frameworks in the

market right now, such as Apache Shiro,

Spring Security Framework, OWASP

ESAPI, JAAS, Hibernate Validator, Apache

commons validator and so on. The reason

why it is essential to build a custom

security framework is because none of the

above-listed frameworks provides all-in-

one solution, and the implementation of

some of the above-listed frameworks is

also very complicated.

So our solution addresses these

issues by having a unifi ed framework. It

simplifi es the customization and makes

it easy to consume the web application

security framework.

Web Application Security Framework: Proposed SolutionIn order to address these challenges,

IGATE’s unifi ed Web Application Security

Framework secures web applications

from top security threats, providing clear

value addition to the development team to

use the framework to address all the top

vulnerabilities with ease.

Instead of re-inventing the wheel,

IGATE’s Web Application Security

Framework solution leverages the security

frameworks already available in the

open source market. These open source

API’s are integrated together to provide

a pluggable centralized framework, with

easy confi guration settings, that takes

care of top security needs at the

application layer.

The Web Application Security

Framework also eliminates the

duplicate configurations that one has

to go through in each application if

they were configuring the security

frameworks available in the market

place independently.

Other features of the Web

Application Security Framework are: (a)

it should be highly confi gurable, (b) it

should be easily extendable, (c) it should

be readily integrated into any existing Java

based web application in production or a

new web application that we are building

from scratch.

Application Layer Security Solution for Java Based Web Applications

Vijay Gulati* and Venkata Swamy Bathina***Senior Principal Architect, Research & Innovation group of IGATE**Senior Technical Architect, Research & Innovation group of IGATE

Technical Trends

• Injection

• Broken Authentication and Session

Management

• Cross-Site Scripting (XSS)

• Insecure Direct Object References

• Security Misconfi guration

• Sensitive Data Exposure

• Missing Function Level Access Control

• Cross-Site Request Forgery

• Using Components with Known

Vulnerabilities

• Unvalidated Redirects and Forwards

• Improper Error Handling

Abstract— In the era of Web 2.0, where every organization is extensively using the internet to do their business and provide services to

their customers, they tend to forget one most essential thing - that is, “SECURITY”, until some negative impact happens due to breach

of it. In addition, as we are opening doors to multiple channels such as conventional web, mobile, Voice Response Unit, phone rep, and

so on, it is becoming increasingly important to secure our applications from various attacks.

Most e-business applications have standard security features such as fi rewalls, SSL, etc. already in place. But these are not suffi cient

to protect applications from various vulnerabilities. Any web application, which is hosted for public access, needs to have an application

layer security in place apart from the network layer security, or transport layer security, etc.

The Web Application Security Framework described in this paper will protect web applications from various vulnerabilities such

as Cross Site Scripting, Penetration, Injections, Custom Attacks such as CSRF, and so on. Also, as each application is diff erent from

the other, their security needs are also diff erent. Hence it is important to have a framework that is highly confi gurable as per

application needs.

CSI Communications | June 2014 | 14 www.csi-india.org

Web Application Security Framework Proposed Solution off ers the following features

High Level Architecture

Integration Steps

As the Web Application Security

Framework is based on a pluggable

component-based architecture, it should

be easy to integrate into the applications

that are already in production or the

applications that are built from scratch

by following the simple integration steps

described below:

• Confi gure Client Component

• Confi gure External Confi guration

Settings

• Suppress or activate any module,

for e.g. if somebody wants to use a

diff erent authentication mechanism,

they should be free to do so.

• Overriding Internal Confi gurations

• Extend or Override Module

Implementation

ConclusionIn conclusion it is essential to have

a centralized web application

security framework which is easily

confi gurable and adopts the best

practices in implementing a security

framework.

Our Web Application Security

Framework Solution provides the

following benefi ts:

Saves lot of Time and Eff ort

Wraps top security features for Web

Application Security

Deals with top security threats listed

above in a distinct framework

Eliminates the need to integrate

multiple framework libraries, so

developers don’t need to worry about

studying and understanding diff erent

libraries/ frameworks

Enables painless customization

as most of the parameters are

confi gurable

Integrates well with any J2EE

environment

Allows any module to be activated or

de-activated.

Adopts industry best practices in

securing the web applications

Simplifi es maintenance and

production support of web

applications

Eliminates lot of redundant code or

redundant confi gurations

Tackles the top security threats and

prevents various vulnerabilities at the

application layer

With numerous benefi ts, this solution

can be a key diff erentiator solution for

securing Java based web applications.

AcronymsAcronym Expansion

VRU Voice Response Unit

XSS Cross Site Scripting

CSRF Cross Site Request

Forgery

SSL Secure Socket Layer

JAAS Java Authentication

and Authorization

Service

OWASP ESAPI The Open Web

Application Security

Project Enterprise

Security API

API Application Program-

ming Interface

SQL Structured Query

Language

References[1] https://www.owasp.org

[2] http://commons.apache.org/proper/

commons-validator/

[3] http://projects.spring.io/spring-

security/

[4] http://hibernate.org/validator/

[5] http://commons.apache.org/proper/

commons-validator/

[6] http://shiro.apache.org/

n

• Secure Input Validation (core and

custom for all forms and user

supplied input) in confi gurable

manner

• Preventing various Injections and

vulnerabilities such as XSS, SQL

Injection, etc.

• Preventing sensitive data exposure

- Encoding of response with format

confi gurable as per application

needs

• Provide support to prevent custom

attacks such as CSRF by generating

anti CSRF tokens

• Cryptography – Confi gurable

cryptographic algorithm, database

encryption, etc.

• Application Security Confi gurations

• Validation of Redirect and Forwards

• Session Management – session

creation, confi gurable session

timeout, etc.

• Authentication

• Authorization

• Function level access control

• Insecure direct object references

• Proper Error handling mechanisms

Abo

ut th

e A

utho

rs

Vijay Gulati is a Senior Principal Architect in Research & Innovation group of IGATE. He has vast experience in Information

Technology with strong expertise in Java-based technologies. He has extensive experience in architecting and designing large

business applications, especially in the fi nancial services vertical.

Venkata Swamy Bathina is a Senior Technical Architect in Research & Innovation group of IGATE, with over 16 yrs of total experience

on Software Engineering which includes Enterprise Architecture, Solution Architecture, Application Design & Development, Delivery

Management and Technology Solutions. He has extensive experience in Enterprise Web Applications, Enterprise Integration projects,

Business Intelligence Frameworks, was involved in Enterprise level Architecture, Solution Architecture and Application Architecture,

Design, Development, Deployment using Java/ J2EE technologies. As part of technology strategy, he played instrumental role in

defi ning SOA Strategy, Reference Architecture and Integration Strategy Defi nition using Sun JCAPS SOA Suite. He Architected multi-

tiered applications and Business Application Systems for various customers in USA, Europe, Middle East and APAC regions.

CSI Communications | June 2014 | 15

Nuts and Bolts of Code Coverage Testing

Abhinav VaidIT Practitioner

Technical Trends

Abstract— Software Testing has evolved and matured over the past few years on all the fronts, be it process or technical. When it

comes to Code Coverage Testing, there always remain debates with novel & professionals alike each claiming its own defi nition of

Code Coverage. The biggest universally accepted myth is that 100% code coverage guarantees exceptional quality. There are books

and material available on the subject which are not wrong, but lack the clarity which is needed for actual implementation. The current

paper is an attempt to tailor the entire subject in one crisp document and so goes the title, “Nuts and Bolts of Code Coverage Testing”.

The paper starts with defi ning Code Coverage along with clearing out myths on Code Coverage. It demonstrates a real-time example

of Code Coverage implementation and how/where other testing activities are involved and their relation with Code Coverage. It

presents a methodical way to implement Code Coverage (highlighting the best practices along with pit falls to check out of). It also

presents a real time case study of one of the heaviest products in the Industry, where it reached to a point where testing became

almost untrack able and how Code Coverage Implementation helped to bring the Testing activity back on track.

What is Code Coverage ?Code Coverage is one of the measurement

criterion used to identify the Test

Coverage of Application Under Test. This

is typically used to publish the numbers

to the management/stake holders so that

they can make more informed decisions

before releasing a product.

Code Coverage is performed to

know the amount of Application Code

being exercised during testing (regardless

of Black Box, White Box, or Grey Box)

Testing.

This term is often confused with

Statistical Code Analysis which is a

completely diff erent activity done typically

by developers, dev. leads and some of the

most commonly techniques include code

inspections, walkthroughs etc.

Why Code Coverage?Over the past few years, the software

development tools have evolved in terms

of maturity levels (simplicity from the

development perspective but at the cost of

increasing internal complexities). Most of

the development Tools are wizard driven

& feature rich but they come with a lot of

overhead. The codebase of the application

not only includes its own codebase, but

also of OS, support/3rd party libraries. It

makes Testing a daunting task as the size

of codebases associated with the product

remains complex and bulky. Development

Team does have Unit Test cases where

the scope is limited. The fi nal gate always

remains to be the Testing Team and no

matter how hard the Team tries, there

would always remain areas where the

code will be running multiple times and

on the other side there will be areas where

the application code will never be tested.

Historical data proves that it’s

impossible to release bug free products

which are destined to come when the

Product goes live. Manual Test Team

cannot be blamed as their job is to

execute the tests based on the Test Cases

generated from Functional Requirements

documentation. At the same time,

Automated Regression Tests can’t be

blamed as their scope is limited to ensure

nothing is broken where inputs are again

in terms of black and white (0’s and 1’s).

And similar is the case with system,

integration, grey box, and performance

testing.

Code Coverage: is the Test execution

performed on the Product with the

internal binaries hooked to a Coverage

Tool so that an accurate analysis can be

drawn as to how much code was actually

exercised during test execution. It draws

a measurement criterion of the untested

code of the application.

What Code Coverage Testing is not? It is never intended to replace:a. Manual Testing

b. Automated Testing

c. Grey Box Testing

d. Unit Testing

e. Static Analysis Tool – which includes

code walkthroughs, reviews etc.

Implementing Code Coverage Following are the high level objectives

that should be thoroughly studied and put

together in order to implement eff ective

Code Coverage Testing.

1. Draw the right expectations –

It’s always important to clearly set

expectations so that there is no scope of

ambiguities in future. Following are the

key expectations to be considered -

a. Objective Indicator of Test Coverage

of application code

b. Links to uncovered Packages /

Classes / Methods / Branches

c. Links to uncovered Folders / Files /

Lines

d. Drill down support right from the

namespace to individual line of code

e. Early detections of uncovered Test

Coverage to avoid later investments

(which are higher multiple times as

the Project Progresses)

f. Remove redundancy (same code

being exercised in multiple tests) in

testing

g. Increased Confi dence for Releases

2. Selecting the Tool: What to look for

while selecting a Code Coverage Tool –

there are many factors that need to be

considered when it comes to selecting the

Code Coverage Tool. The most important

key factors are mentioned below:

3. Code Coverage Strategy (Short Term and Long Term)4. Execution and Reporting – This is one

of the most critical part which is often

neglected by the Engineering teams. The

product owners/stake holders need this

information. The information not only needs

to be accurate, but at the same time crisp

(with meaningful data) and presentable.

A Real Time Implementation For the Purpose of demonstration, let’s do

a real-time implementation and see how

Code Coverage Testing is diff erent from

other types of Testing.

Application Under Test: Consider a web

or UI form (as displayed in Fig. 1) with only

3 controls, User ID, Password, and Login

CSI Communications | June 2014 | 16 www.csi-india.org

with an option to minimize, maximize

and close.

Black Box Testing: Enter a legitimate User

ID and the Password and click the submit

button. Expected outcome would be

getting to the home page.

Grey Box Testing: Would include going

to the database and validating that the

User ID and Password are authentic.

Expected behavior would be accurate

credentials.

Load/Performance Testing: Would

include multiple users logging in to the

form (with some ramp up patterns)

using their respective credentials,

followed by constant load and finally

ramp down. Expected outcome would

be conformance to SLA’s (be it response

time, CPU/memory utilizations etc.).

Automated Testing: A script would add

user id from an external fi le and then hit

the submit button in un-attended mode.

Expectation would be the execution report

marking the result as pass.

Code Coverage Testing: Code Coverage

can be generated for each of the Tests

mentioned above. The expectation would be

to publish the results and increase tests to

increase coverage. A typical Code Coverage

Report looks like shown in Fig. 2 and 3 below.

Code Coverage has a typical

jargon associated with it. It is not as

hard as it sounds at the first place. For

example, terms like Branch Coverage,

Sequence Point Coverage and so on.

The key terms are explained below

SNO Deciding Factor for Tool Selection Code Coverage tool

1. Uncovering Untested Areas Lines/nodes that remain untested

2. Execution modes For example, support for debug/run mode.

3. Identifying Repetitive Tested Areas

4. Quality of Test Reporting Metrics Should be intuitive/meaningful

5.Capacity to drill down from the top most module to pin

pointing the code/function

6.Accuracy of results during evaluation of the Tool before

making a recommendation

7. User Friendliness Should be intuitive/meaningful

8. Logging levels For example, basic, verbose etc.

9. Coverage Extensibility

10. Merging of Results Merging can be done manually as well as automated.

Popular Tools support both the modes of merging

Table 1

Fig. 1: Application Under Test

CSI Communications | June 2014 | 17

Fig. 2: Code Coverage Report

Fig. 3: Code Coverage Report 2

CSI Communications | June 2014 | 18 www.csi-india.org

Line Coverage - Line coverage captures

the number of lines that were executed

during testing activity. Later, the numbers

are compared with the total number

of executable lines (codebase of the

Application under Test). There is a

downside of Line Coverage because it

measures the line formats rather than the

code. For example, it is possible to format

a program in a single line and achieve

100% line coverage with only one test.

Statement/Branch Coverage - Statement

and branch testing are relatively stronger

than Line Coverage, but have the weakness

that interactions between decision

outcomes can mask errors during testing.

Decision Coverage - By requiring decision

outcomes to be performed independently

during testing, basis path testing can

expose additional errors.

For example, please refer to the

following code- func()(if (condition1)a = a + 1;if (condition2)a = a -1;)

If the expectation from the function is to

have the value of variable “a” unchanged

under all circumstances, it makes testing a

challenging task. Now let’s consider all the

Tests for testing this piece of code.

1.� Branch Testing - The branch testing

can be accomplished by executing

two tests that do not detect error. The

tests would be -

a.  The fi rst test to make both decision

outcomes to be false, in which case

the value of “a” will not get aff ected.

b.  The second test to make both

decision outcomes to be true.

2.� Statement Testing - The statement

testing can be accomplished only by

the later test

3.�Basis Path Testing – From the above

example, it can be concluded that neither

statement nor branch testing is suffi cient

to detect the error. In this particular

example, Basis Path Test will successfully

detect the error.

Code Coverage is measured as percentage

of application code executed during the

testing activities. Code Coverage can be

measured at various levels – in terms of

programming language like – Namespaces,

Classes, Methods, and Branches or in terms

of physical parameters like - Folders, Files

and Lines. And the idea is simple, generate

coverage add tests to increase coverage till

you reach the targeted coverage.

Note: 100% Code Coverage can never claim

that the product is bug free. It can help

ensuring that the code is 100% tested.

Case StudyA Case Study of Code Coverage

Implementation for Testing an

Application

Summary/Challenge: The codebase of

the Application was increasing from one

version to the next. This was primarily

because it had to support backward

compatibility (for legacy versions) as

well as add new features, do patch/SP

releases. The increasing complexities and

the bulkiness of product made testing a

challenge as well as an expensive task. It

needed around 8-9 months of eff ort to

just to test the regression suites manually

(with a team size of 70 engineers). In

order to control the situation, the test

suites were automated via as is basis, and

the execution time was reduced to 7 days

for un-attended test execution. The team

could spend qualitative time in enhancing

the existing automation suites and testing

for new feature/patch/bug fi x releases.

Later it was discovered that there was

no actual criterion to understand as to

how much application code was actually

tested. There were high possibilities of -

1. Cases where code was hitting the

same sequence hundreds of times

(maybe more)

2. Cases where the code was never

reaching out during Testing

SolutionA couple of popular Code Coverage

Tools were evaluated and the Application

was tested after confi guring the Code

Coverage. The Test Results of various Tools

were compared. The results of the Code

Coverage were alarming but accurate.

The best fi t Code Coverage Tool was

recommended, a Code Coverage strategy

was put together along with highlighting

the current as well as future targets.

The table mentioned below was put

together and shared in common dashboard.

The high level objectives included –

1. Highlighting and publishing the

current state of the Product

2. Use the number as a benchmark

to set the targets for subsequent

releases and

3. To bring back the clarity in Testing

with a continuous focus on

improvement

4. Highlight/bring in clarity in the Test

Organization as well as Product

Management team

The table below uses 10 %( a random

number) as targeted increased coverage

for subsequent releases

Release Categorization

Functional/Manual Testing

Automated Test Execution

Performance and Load Testing

Total % of Code Coverage Achieved

Release X(baseline

Coverage)A% - Benchmark B% - Benchmark C% - Benchmark

Release Y

Targeted Coverage

Actual Coverage

Targeted Coverage – A

%+10%

Targeted Coverage –

B %+10%

Targets are normally not for

the increased coverage but

for application stability

Release Z

Targeted Coverage

Actual Coverage

Table 2: Code Coverage Dashboard Metrics

CSI Communications | June 2014 | 19

Recommended Best Practices of Code Coverage Testing

1. Ensure covering all application

paths/workfl ows in terms of decision

trees in the code

2. Ensure covering all data values –

this can be done by patterns with diff erent

sets of data and can avoid extra fat/tests.

3. Code Coverage Tool should

determine where the controls/sequences

are being tested/not being tested, which

can save a lot of fat/extra tests being

tested by automated suites. It can cover

the classes, methods, branches but not

the business logic.

4. Give graphical representation of

the results in terms of real time charts &

metrics.

5. Education – Ensure that the stake

holders are aware of the shortcomings

and the benefi ts of implementing Code

Coverage so that the expectations are

clearly set and visible.

6. Testing is Proportional to

Complexity. It is a known fact that 80%

of the bugs are always found in 20% of

the code. Identifi cation, Planning, and

execution of Eff ective strategy can make a

huge diff erence and bring in value to the

Organization.

Analysis Some Important Points to recap –

1. Code Coverage can never replace any

other form of Testing

2. Testing activity is always proportional

to complexity of the application

3. Testing eff orts should be focused on

the error prone software and/or error

prone components.

4. Making informed decisions; whether

it is taking calculated risks or

confi dence in application stability. A

couple of examples include -

 a. Facilitating Quicker Release

Cycles

 b. Shrinking down the execution

time

 c. Percentage of un-tested code in

Application

 d. How have been the Code

Coverage’s from x Release x to

y release and what’s the target

benchmark set for forthcoming

release?

Take Away/Where to go from Here: The

Code Coverage is typically done by the

development Team. This is an attempt

to help manual/functional/automation

testers to get started on Code Coverage

Testing. I strongly recommend starting

with a real-time implementation taking

the sample project for getting started.

But before doing some tests, download

a couple of Code Coverage Tools and

learn how to hook on to the binaries of

the Application under Test. Aim for the

Tool that works best for your product

and justifi es business needs. Go through

the internals of the Application under

Test (an area which is always a black box

for a tester). This should be followed by

going through the Tools to narrow down

for selection. Once a Tool is selected and

basic Tests and some benchmarking is

done. You are good to go. There is enough

information available in the websites,

Books, journals to help you make a

baseline, creating a long term strategy

to make a signifi cant impact on the

whole testing lifecycle and eventually the

Product.   n

Abo

ut th

e A

utho

r

Abhinav Vaid, is an IT Practitioner with 15 years of experience in various blue chip companies including Motorola,

McAfee, and Lotus. He is the author of building automated test systems and a regular writer in various technical and

research journals. He is also the Foundation Member of Indian ISTQB Certifi cation Board.

CSI Communications | June 2014 | 20 www.csi-india.org

ResearchFront

Template Matching Tool for Remote Sensing Images

Ashish Joshi*, Ankit Kumar**, Anil Kumar*** and Ankush Mittal*****Assist. Professor THDC-IHET,New Tehri**Assist. Professor DBIT Dehradun***Scientist/Engineer, IIRS (ISRO), Dehradun****Director Research, G.E.U, Dehradun

IntroductionTemplate matching has proven to be a

promising technology in the fi eld of image

processing for the diff erent applications

related to Remote Sensing, Medical, and

other related areas. A template based

approach provides several application

framework to known digital image

processing concepts for the exaction and

detection of various features in the image

portions itself providing the required

information from the specifi c image

portions. A large variety of application

uses the image registrations to gather

information from the physical aspects of

the image. A template matching in basic

is matching the specifi c objects of the

source image using a template image.

General approaches used in objection

recognition is basically classifi ed into 2

broad categories

1. Area based

2. Feature based methods

Area based methods sometimes called

correlation types deal with the images

without attempting to detect salient objects

window of preferred size or the search

window is used for estimation of objects.

Whereas features based methods

focus on the features of the images as

contrast color hue saturation etc.

Literature Review Template matching is the process of

indenting any object in the main image

better called us source image with a

template, small portion or any diff erent

image. It can be achieved through a variety

of methods like SAD (Sum of Absolute

Diff erence), NCC (Normalized Cross-

Correlation)[1][2][3] etc having diff erent

computation measures for processing in

the source image and the template image

itself. Feng et al[4] showed how an basic

process of template matching can be

enhanced to a time variant scale to make

template matching faster by dissolving

template to basic haar like feature and

thus making it more suitable to multi

scale template matching thus replacing

multiple element-by-element fl oating

point multiplications with several

additions thus signifi cantly improves

the speed. Neal et al proposed an

algorithm GENetic Imagery Exploitation

(GENIE) for image feature extraction

and classifi cation purpose. Jyoti et al[5]

in their paper displays a comparative

and largely used area based search

techniques it provides an view of classic

and recent area based methods used.

Classifi es area based search into further

categories as:

a. Cross-correlation based

b. Fourier based

c. Mutual Information based

d. Optimization methods (simulated

annealing ) etc

Degree of Similarity between

methods using vectors between two

image A= (x1, y1) and B = (x2,y2) is to

be given in the form of dot product given

by AB = x1 x2 + y1 y2 in general images.

Coarsening defi ned as:

[5,6]

…………eq(1)

Where X,Y defi nes the block location in

the source image and D is the disparity

parameter. It computes the " tie points

" of the images and the results are been

displayed. It is used by robots for exploring

its environment as a work proposed by

Levine m.d.et.al[6] through matching sub

regions in the image.

Traditional matching algorithms

constitutes of the conventional methods

that were proven to be computationally

intensive and time consuming by recent

studies. e.g. of methods include SAD NCC

etc which are given as equation (2) and

equation (3):

[7]…….…eq (2)

Ideally SAD score in this case must

be 0 if template is taken from the same

image itself but in case if the template is

taken from the other Registered image

of the same area or the other image or

the template is itself available we have

to calculate the minimum score over

the search region of the source image

portions.

In case of NCC which is given as :

[7]…………….eq(3)

Recent studies on SAD, NCC based

matching methods they are comparatively

slower as per our requirement . Shou-Der

Wei et al[7] in their study showed achieving

results faster with multilevel partions

using winner update strategy applied in

conjunction with an upper bound for cross

cooretaion derived from Cauchy-Schwarz

inequality given as shown in equation 4 :

[7]……………………eq(4)

The summation of cross correlation

is done into diff erent levels with the

partition order determined by the gradient

energies of the partitioned regions in the

template image itself. Thus, this winner

update scheme in conjunction with the

upper bound for NCC can be employed

to skip unnecessary calculation.Similar

works done by Stefano et al[8] shows the

matching process by enhanced Bounded

Correlation that again reduces the number

of computation used by NCC producing

the same results. Fedwa et al[9] in their

paper showed an matching process using

Abstract—Images are a tremendous source of information which are largely used for information extraction and largely found

applications are in Remote Sensing Medical science and so on. Template matching has provided basics and advance functionality

for the image processing e. g of these include the object recognition, Motion Estimation, feature based template matching and many

more in a variety of images like Medical Images, Remotely sensed Images etc. A variety of algorithms exist for comparison of images

and making the template matching process fast and reliable .This comparative study with implementation approach focus on the core

basics of the template Matching in remote sensing images of types multispectral Images aiming to detect and observe object and its

motion in registered and simple multispectral images. Also the implementation approach shows how SAD is advantageous over SSD.

General Terms Algorithms, Performance, Design, Experimentation, Programming.

Keywords Template Matching, Single Band-Multi Spectral Images, Correlation, Image Registration.

CSI Communications | June 2014 | 21

the fourth central movement which forms

an estimator in the higher statistics theory

it lowers the impact of the Gaussian

noisewhich may come in the transmission

to produce the fast desired results.also

uses the BDM and SSD. Which are shown

in equations 2, 5, 6 .

eq (5)

Where dx,y = f(x+k,y+l) – g(k,l),

f(x+k,y+l),g(k,l) denotes the luminance or

other real features

[9]………eq(6)

Considering the various types of

the images our research focus most

generally we are dealing with single band,

multispectral and hyper spectral images

in Remote sensing images. Works by

Taejung Kim et al[10] shows how center

of roads can be tracked through least

square correlation matching method

around an user given input. Similar works

by Mohamed Ali et al[11] shows the use of

canny edge detection algorithm for the

feature extraction and enhancement of

remote sensing images achieving a very

high enhancement level. Mihai Datcu et

al[12] showed the Bayesian way of thinking

and introduce a pragmatic approach to

extract structural information from RS

images by selecting from a library of a

priori models those which best explain

the structures within an image. Michael

Schroder et al[13] presented Gibbs–Markov

random fi eld (GMRF) for the descriptor

of the spatial information in remote

sensing data.

Dealing with such type of images

certain problem may arise like fi rstly

images basically comprises of diff erent

bands with diff erent information contained

in it like spectral, Radiometric, Textual,

Geometric and Contextual etc. Secondly

the image most probably will have color

combinations in false color composite

where it will not be an easy task to identify

and detect certain objects. The above

mentioned strategies SAD Correlation

are applied in our approach with images

in generic binary and comparative

results with conclusions are shown in the

proceeding headings.

Study AreaFor our research we have taken image

of San Francisco from the world views

2 satellites which is in the raw form.

WorldView-2 is Digital Globe’s second

next-generation satellite, built by Ball

aerospace, and has the most advanced

technologies and sensing capabilities. In

our research work image belongs to the

one of the famous place of San Francisco

Oakland Bridge.

Proposed WorkA SAD and SSD based approach has been

implemented in our system. We have

tried to match the specifi ed template

image which is to be extracted from the

source image itself using one source

image. We took java as platform for our

implementation by developing a tool

which is able to match images using

the algorithms. We have extracted few

template images using source image

and then tried to match using mentioned

algorithms so that we could get the

nearest match. An algorithmic approach

to our applied process is explained below:

Step 0:- Initialize the values in the

system. Select the search window as the

template image size itself in the source

image.

Step 1:- Load the source image and

the template images in the single band

format we choose an grey scale image for

it. If the source image is in multispectral

convert it using any tool or extract the

single band values to the image if in

vector form give weights to the bands

and perform the conversion. Our tool is

capable to reading and displaying a muti

spectral ,hyper spectral, and single band

images in generic binary format.

Step 2:- Compute SAD by moving

the template image over the source image

using equation 2.

Step 3:- SAD will compute to 0 as we

have chosen the template image from the

same image itself.

Step 4 :- If match is found it returns

the pixel position where the SAD was

initially calculated in the source image.

Step 5:- if no match is found fi rst

check the search window has processed

all the source image if yes return match

found. it would be least possible as in our

case return not possible.

Step 6:- If selection is correlation

compute the mth and sq variables, where

sq is calculated by squaring each pixel in

the template image and then calculating

their sum as a whole ,whereas the mth

vaiable is calculated by multiplying

source value at a particular pixel with the

overlapping template values and then

addying them as a whole over search

window. If the values of mth and sq are

found to be equal return the initial pixel

values of the source image.

Results and DiscussionsWith our experimental setup we are able

to perform template matching strategies

using SAD and SSD for image object

analysis in remote sensing images. As

we have taken a remotely sensed image

for our implementation part which is

multiband image. Therefore for processing

part we will have either to extract the

values in each band and match it with

template if the given template is also in

multiband image format. Which is tedious

and complex task. Secondary we can take a

grey scale image of the same multispectral

image in generic binary formatas we took

in our implementation. The values here

may exceed the normal display range so

we have implemented some mechanisms

to make it work. The outcomes in the

following fi gures show how SAD and SSD

mechanisms are implemented with the

images we have taken.

Our tool which is implemented in java having func onality of Mul spectral image reading

and Template matching.

Part of image we took as source image for implementa on.

Template images we took for our

research were of low sizes in the range of

32X32 as shown below.

CSI Communications | June 2014 | 22 www.csi-india.org

The template image

Result post SAD algorithm usage

Results post SSD usage

Experimental results show that match

occurred by both the methods is same.

AcknowledgementsWe are highly thankful to Digital Globe for

providing images the satellite used in our

research is world view 2.

ConclusionIn our research we proved how an template

matching mechanism can be implemented

on remotely sensed images using SAD

and correlation based mechanisms SSD.

Existing template matching techniques

proved to be inadequate for the multiband

images also proving to be computationally

intensive.

Above stated algorithmic

mechanisms may fi nd application in

remote sensing fi elds like monitoring in

harbors , also it can be much benefi cial

for semi- automatic image registration

process where geo related information

has to matched regardless of the lat- long

coordinate’s not available at the moment

Besides these may fi nd applications ins

medical science imaging where it is helpful

in detection of tumors etc.

References[1] Lisa Gottesfeld Brown ,"A Survey of

Image Registration Techniques" ACM

Computing Surveys, VoI 24, No. 4,

December1992.

[2] Manjusha Deshmukh,Udhav Bhosle,

"A Survey Of Image Registration"

International Journal Of Image Processing

(IJIP), Volume (5) : Issue (3) , 2011.

[3] Barbara Zitova, Jan Flusser, "Image

registration methods: a survey" Image and

Vision Computing 21 (2003) 977–1000.

[4] Feng Tang ,Hai Tao, "Fast Multi-scale

Template Matching Using Binary

Features". IEEE workshop on Applications

of Computer Vision (WACV'07).

[5] Jyoti Joglekar, Shirish S. Gedam, "Area

Based Image Matching Methods – A

Survey". International Journal of Emerging

Technology and Advanced Engineering

Volume 2, Issue 1, January 2012.

[6] Levine M D, O'Handley D A, Yagi G M,

"Computer Determination of Depth

Maps". Computer Graphic and Images

Processing vol. 2, 131-150, 1973.

[7] Shou-Der Wei and Shang-Hong Lai,

"Fast Template Matching Based on

Normalized Cross Correlation With

Adaptive Multilevel Winner Update", IEEE

Transactions On Image Processing, Vol. 17,

No. 11, November 2008.

[8] Stefano Mattoccia, Federico Tombari,

and Luigi Di Stefano ,"Fast Full-Search

Equivalent Template Matching by

Enhanced Bounded Correlation," IEEE

transactions on image processing, vol. 17,

no. 4, april 2008.

[9] Fedwa Essannouni and Driss Aboutajdine,

"Fast Frequency Template Matching Using

Higher Order Statistics," IEEE transactions

on image processing, vol. 19, no. 3,

march 2010.

[10] Taejung Kim, Seung-Ran Park, Moon-

Gyu Kim, Soo Jeong, and Kyung-Ok Kim,

"Tracking Road Centerlines from High

Resolution Remote Sensing Images by

Least Squares Correlation Matching,"

Photogrammetric Engineering & Remote

Sensing Vol. 70, No. 12, December 2004,

pp. 1417– 1422.

[11] Mohamed Ali David Clausi, "Using

The Canny Edge Detector for Feature

Extraction and Enhancement of Remote

Sensing Images"

[12] Mihai Datcu, Klaus Seidel, and Marc

Walessa, "Spatial Information Retrieval

from Remote-Sensing Images—Part I:

Information Theoretical Perspective," IEEE

Transactions On Geoscience And Remote

Sensing, Vol. 36, No. 5, September 1998.

[13] Michael Schroder, Hubert Rehrauer,

Klaus Seidel, and Mihai Datcu, "Spatial

Information Retrieval from Remote-

SensingImages—Part II: Gibbs–Markov

Random Fields," IEEE transactions on

geoscience and remote sensing, vol. 36,

no. 5, september 1998.

n

Abo

ut th

e A

utho

rs

Ashish Joshi received his M. Tech. degree from Graphic Era University and is member of CSI. Currently he is working as an Assistant

Professor in THDC-IHET. He has published and presented papers in IEEE and Springer. His areas of interest include Image Processing,

Network Security, and Data Mining.

Ankit Kumar received MCA and M. Tech. degrees from Graphic Era University Dehradun. He is currently working with Dev Bhoomi

Institute of Technology Dehradun as Assistant Professor. He is Oracle Certifi ed Professional from Oracle University. His areas of

interest are Big Data, Image preprocessing, Soft Computing & Data Mining.

Dr. Anil Kumar received degrees viz. B. Tech., M.E., and Ph.D. in Photogrammetry and Remote Sensing Engineering from IIT Roorkee.

He is presently working in Indian Institute of Remote Sensing (ISRO, Dept. of Space, Govt . of India), Dehradun, India as Scientist/

Engineer 'SF'. His areas of interest are Soft Computing Application for Images, Digital Image Processing, Digital Photogrammetry,

LiDAR, and GPS.

Dr. Ankush Mittal is Director Research at Graphic Era University Dehradun. He has published several books and research publications.

His areas of interest include Computer Network Operating Systems and Image processing.

CSI Communications | June 2014 | 23

Imagine hiding your secret

information in a digital media without

scrambling its original contents.

This property of hiding Information is

highly desirable for military, corporate

and private applications in order to

secure their secret communication.

This philosophy is in contrast with the

popular science of Cryptography where

message is encrypted by a secret key.

But, in many situations detection of

encrypted message by intruder may lead

to attack on the transmission source aka

attack on availability. For instance, in a

war like scenario detection of encrypted

signal may cause enemy to jam the

signal. Therefore, it would be a good

practice to hide the secret message in an

innocuous carrier before transmission.

This information hiding practice is

popularly known as Steganography.

It is a science of hiding or embedding

secret information in routine message

exchange between two parties in a way

which is undetectable and irremovable

by adversary[1][2].

Steganography is a Greek word,

where, Stega means covered, and

Nography means writing i.e. concealed

writing. In Steganography, original

contents are not scrambled hence

adversary cannot suspect the existence

of hidden secret inside simple message.

Even, ancient history witnessed footprints

of Steganography and illustrated various

ingenious methods of Steganography. An

old but famous approach was to use lemon

juice as an ink in writing secret messages.

This message remains invisible unless the

paper is put in contact with heat. The past

is fi lled with many such exciting instances

of hiding secrets[3]. Around in 1985,

introduction of digital technology had

shown the world innovative techniques to

apply Steganography techniques including

one of the most fascinating one of hiding

information in digital images.

Fig. 1 depicts the principle of

Steganography where the secret

information to be concealed in cover

object is termed as payload. Cover

object may be text, image, audio, or

video. Any media with large amount

of redundancy is a good choice for

cover object. Redundancy refers to the

number of bits in cover image which can

be overwritten without any significant

loss in the quality of cover object. As a

matter of fact, digital images, despite

compression have high degree of

redundancy in them; therefore digital

images are mostly used as cover objects

in Steganography. And, the combination

of payload embedded in cover object is

referred as stego object. The embedding

algorithm is the way used to hide

the secret in cover. It is generally not

fixed and open area of research[4].

Readers must not relate Watermarking

with Steganography as latter is the

hidden point to point communication.

Whereas, Watermarking is open to all

and broadcast in nature i.e. everybody

can see the presence of Watermark on

the document but find it very difficult

to remove or reproduce it. Purpose of

Watermark is not to hide the document

but preserve its integrity and prove the

ownership[5].

Relevance with CryptographyCryptography scrambles a message

with a secret key to make it unreadable

by the adversary, while, Steganography

hides the message within a cover object.

A scrambled message might attract

suspicion; while an “invisible” message

crafted with Steganography method is

likely to be bypassed by the adversaries

without any doubt. As the essence of

cryptography lies in the secrecy of its key,

similarly, Steganography is useless once

the hiding technique is disclosed. In fact,

many Steganography tools also provide

option to encrypt the embedded message

after hiding secret information in it.

In cryptography, if adversary cannot

remove the encryption she can easily

modify or destroy the fi le, making it

unreadable or useless to the intended

recipient. In contrast, Steganography

provides a means of communication

where secret message cannot be removed

without much change in cover object.

The embedded message will remain

secret unless an adversary can fi nd a way

to detect it. In order to be successful,

Steganography techniques must satisfy

following requirements:

• The integrity of the secret

information should remain intact after

it has been embedded inside the cover

object i.e. any change in Stego object must

not compromise the originality of secret

information.

• The Stego object must appear same

as cover object to the senses of adversary.

Otherwise, adversary may doubt the

presence of secret and try to extract or

destroy it.

Strong Steganography techniques

fulfi ll both the above stated criteria; where

as weak techniques may change the

secret information during Steganography

and defeat the whole purpose[6]. Till date,

various Steganography techniques are

invented namely substitution, transform

Digital Image Steganography “Seeing is always NOT believing”

Anurag Jagetiya*and Dr. C Rama Krishna***M. E. (CSE) student **Associate Professor, Department of CSE, NITTTR, Chandigarh

Fig. 1: Principle of Steganography

ResearchFront

CSI Communications | June 2014 | 24 www.csi-india.org

domain, spread spectrum, statistical

methods, distortion, cover generation,

etc[7]. But this article is confi ned to

the discussion of only substitution

technique to demonstrate the concept of

Steganography.

In substitution technique redundant

part of cover object is replaced with the

secret payload message. Least Signifi cant

Bit (LSB) insertion is a popular substitution

technique used with image fi les. Generally,

this method does not increase the fi le

size of Stego object however size may

noticeably increase if the size of secret

message is large. Many substitution

techniques based software often reject to

hide secret fi les larger than a fi xed ratio of

size between secret and cover images.

Steganography in Digital ImagesA digital image is fi nite collection of

picture elements called pixels; each of

pixels is having a particular location and

value. Hence, colors and intensities of light

on diverse areas of an image found to be

diff erent. Color at every pixel is determined

by the mixture of all three components

of primary colors namely: Red, Green

and Blue (RGB). This color value can be

represented in binary, hexadecimal or

decimal format. The number of bits used

to represent RGB component determines

the color quality of an image. Many image

fi le formats takes 8-bits to represent single

pixel i.e. 2-3 bits per color component.

However, it is found that 24-bits per

pixel give much better image quality but

increased fi le size. Consequently, images

will consume more storage capacity

and take noticeable time to download.

Therefore, to minimize the size of images,

two types of fi le compression techniques

are in general practice, namely, lossy and

lossless. GIF (graphic interchange format)

and BMP (bitmap fi le) are examples of

lossless compression which is in general

recommended media type since both of

these preserve their originality and gives

high quality images[12]. While, popularly

used JPEG (joint photographic experts

group) is an example of lossy compression

technique. Its advantage is that it saves

more space than BMP or GIF, but loses

its originality because the compression

techniques remove the parts of digital

media which cannot be perceived by

human visual perception. Figure 2 (A)

illustrates a 24-bit BMP image of size 768

KB and its size shrink to only 41 KB when

transformed into JPEG. It clearly depicts the

availability of great amount of redundant

data in BMP images and makes it a good

choice as cover image in Steganography.

The diff erence in the originality of BMP

and JPEG images is undetectable to human

eyes but their histograms i.e., plot between

number of pixels and color values indicate

some diff erences.

The basic principal of image

Steganography is based upon the

limitations of human visual perception

system that cannot

distinguish the

diff erence between

similar like colors.

To understand the

instance, a box is

shown in fi gure 3(A)

which is fi lled with a

color of hexadecimal

value FF3232 (decimal

equivalent: 255, 50, 50) and another one

whose color values are a bit changed to

FE3030 (254, 48, 48) is shown in Fig. 3 (B).

It’s obvious that the diff erence between

both of them is imperceptible. Variations

in colors of an image are obtained by

combinations of Red, Green, and Blue

colors on a pixel. A 24-bit BMP image

have 8-bits for each color component

i.e. Red, Green, and Blue (RGB) so there

are total 28 diff erent values possible of

every color. And, as shown in Fig. 3 the

diff erence between 11111111 (255) and

11111110 (254) in the value of red intensity

is likely to be undetected by human eyes.

This leads to the clue that quality of

picture will not be degraded signifi cantly

if secret message is stored in the least

signifi cant bit of pixel values. In this way,

whole secret message is embedded in the

cover image. This approach is known as

Least Signifi cant Bit (LSB) Substitution

method of Steganography. Experimental

result of image Steganography obtained

by a tool named Stegomagic is shown

in Fig. 4. In this demonstration, a secret

image of 84 KBytes is embedded into an

original 24 bit BMP image of dimensions

512 * 512. Size of BMP can be calculated

as: (512*512*3)/ 1024=768 Kbytes.

Resultant, Stego object in Fig. 4 (C)

indicates no perceptible diff erence with

original cover image. Moreover, size

Fig. 3: Similar like colors

Fig. 4: Genera ng stego objectFig. 2: BMP, JPEG images and their histograms generated in Scilab

CSI Communications | June 2014 | 25

of stego object also remained same as

original cover image.

For further clarifi cation of image

Steganography, suppose a secret

character value ‘B’ is to be hidden in an 8

bit cover image. ASCII value of alphabet B

is 01000010; and supposes 8 consecutive

pixels from the top left corner of the cover

image are as follows: 00100101 11100001

11001000 00100101 11001010 11101000

11001001 00101111.

In this approach, secret character’s

binary value will be copied bit-by-bit and

in left-to-right order at LSB position of

every pixel value of cover image in same

order. The result may look like:

00100100 11100001 11001000

00100100 11001010 11101000 11001001

00101110

Defi nitely, large images can store

more secret information with ease but, at

the same time, it may arouse doubt and

consume more bandwidth on Internet.

One of the applications of Steganography

can be seen in today’s color laser

printers of HP and

Xerox brand that add

tiny yellow dots to each

page[8]. These dots are

barely visible and contain

date and time stamps as well as encoded

printer serial numbers. On the contrary to

this, adversary may attempt Steganalysis

to identify the presence of secret message.

The basic principle of Steganalysis

includes the extraction of secret image,

destruction of hidden message to avoid

later extraction, and fi nally instead of

actual hidden message, a diff erent or

modifi ed message is to be embedded.

It is seen in the Fig. 4 that the changes

in the stego object are undetectable to

human eyes, but histograms of original

image and stego object depicted

in Fig. 5 indicate some changes on

the peaks.

There are various other methods for

Steganalysis viz. to carefully compare the

hex code of image fi le with the same fi les

available on Internet. Hex code snap shot

of Lena cover and Stego object is shown

in Fig. 6. There are many software to be

used for this purpose e.g. stegdetect[9],

stegsecret[10] etc.

Although Steganography hides the

existence of secret information embedded

inside the message. The limitation of

Steganography is that the amount of secret

data to be eff ectively embedded into the

cover depends upon the size of the cover

itself. In case of image Steganography, it

is found by experimental results as shown

in Table 1 that the size of cover should be

at least 8 to 10 times of secret object in

order to create Stego object. Another

limitation of Steganography is same as

of Symmetric Key Cryptography, in which

the sender and receiver have to privately

agree upon a secret way of information

exchange. Steganography may prove as

dangerous if used by the people with

wrong intentions, In fact, it is believed

that terrorists used Steganography

techniques to hide their secret messages

in digital photographs on the web to plan

the 9/11 attack on world trade center[11].

Both Steganography and Steganalysis

are emerging area of research due to its

applications in forensics, intelligence,

military etc. Till now more than 725 digital

Steganography applications have been

identifi ed by Steganography Analysis and

Research Center[12].

Fig. 5: Histogram comparison of cover image (A) and Stego object (B)

Fig. 6: Hex code snap shot of cover image (A) and Stego object (B) with some of the highlighted changes

Table 1: Indicating fi t ratio between Cover and Secret image. Results obtained by software stegomagic.

Cover Image(Size in KB)

Secret Image(Size in KB) Fit Ratio

768 384 Νο 2

768 208 Νο 3.69

768 109 Νο 7.05

768 84 Yes 9.14

CSI Communications | June 2014 | 26 www.csi-india.org

References[1] H Wu, H Wang, C Tsai and C Wang,

“Reversible image Steganography scheme

via predictive coding”, 1 (2010), ISSN:

01419382, 35-43.

[2] James C Judge, “Steganography: Past,

Present, Future”, SANS Institute, 2001.

[3] Herodotus, The Histories, Penguin Classics;

Reprint edition, September 1, 1996.

[4] N Johnson, “Survey of Steganography

Software”, Technical Report, January,

2002.

[5] Dr. Natarajan Meghanathan, “Basics of

Digital Watermarking, Steganography

vs. Watermarking”, course notes, Jackson

State University, Jackson MS 39217.

[6] Shashikala Channalli, Ajay Jadhav,

“Steganography An Art of Hiding Data”,

Sinhgad College of Engineering, Pune,

Shashikala Channalli et al /International

Journal on Computer Science and

Engineering Vol.1(3), 2009, 137-141.

[7] Neil F Johnson, Stefan C. Katzenbeisser, “a

survey of stenographic techniques”, Chapter

3 in Stefan Katzenbeisser (ed.), Fabien A P

Petitcolas (ed.) Information Hiding Techniques

for Steganography and Digital Watermarking,

Artech House Books, 2000.

[8] Seth Schoen, “Secret Code in Color

Printers Lets Government Track You”,

Electronic Frontier Foundation, Press

Release, October 16, 2005, url: www.eff .

org/press/archives/2005/10/16

[9] Niels Provos and Peter Honeyman,

“Hide and Seek: An Introduction to

Steganography”, IEEE Computer Society,

1540-7993/03, May/ June 2003.

[10] Alfonso Muñoz, Stegsecret application,

url: www.stegsecret.sourceforge.net

[11] Federal Plan for Cyber Security and

Information Assurance, Research and

Development, National Science and

Technology Council, April 2006.

[12] S ShyamalaDevi, M Anandbabu,

“Hiding of information in multimedia

fi les”, International Journal of Computer

Application and Engineering Technology,

Volume 1-Issue 4, October 2012.

PP.95-108

n

Abo

ut th

e A

utho

rs

Mr. Anurag Jagetiya is an Assistant Professor at MLV Government Textile & Engineering College, Bhilwara

(Rajasthan). He is pursuing M.E. in Computer Science & Engineering from NITTTR, Chandigarh. He is having

more than 7 years of academic experience. His research interests are Computer Network and Cyber Security.

E-mail: anurag.mlvtec@gmail.com

Dr. Rama Krishna Challa is an Associate Professor at NITTTR, Chandigarh. He has done his Ph.D. from IIT Khargpur,

M.Tech. from CUSAT, Cochin and B. Tech from JNTU, Hyderabad. He has 18 years of teaching and research

experience. He has more than 50 papers to his credit in many international and national journals and conferences.

His research interests are Wireless Networks, Distributed Computing, Cryptography and Network Security.

CSI Communications | June 2014 | 27

ArticleNavdeep Kaur* and Parminder Kaur** *Master’s Degree, M. Tech. in Software Systems, Guru Nanak Dev University, Amritsar**Assistant Professor, Department of Computer Science & Engineering, Guru Nanak Dev University, Amritsar

SQL Injection – Anatomy and Risk MitigationSQL Injection or Insertion is still one of the

top vulnerabilities according to OWASP

Top10-2013. SQL Injection is consistently

growing day by day and hence has become a

buzz word. But what made this happen? It is

due to the lack of security awareness during

development of web applications. Developers

are mandated to deliver functionality on time

and on budget but not to develop secure

applications, which results in development

of vulnerable web applications. Inaccurate

Security Requirements, Poor Design,

Confi guration Mistakes, Insecure or bad

Coding Techniques, Complexity, Invalidated

User Input, Password Management Flaws

are major causes which make SQL Injection

possible. To prevent or mitigate the risk of

SQL Injection, there is a need to integrate

security during development of web

application.

What is SQL Injection?“SQL Injection” refers to an attack where

malicious users can inject SQL commands

into an SQL statement, via input fi elds

of web forms. Injected SQL commands

can alter SQL statement and have an

unauthorized access to the Database,

there by compromising the security

of a web application. SQL Injection

attack mainly happens due to Input

validation vulnerabilities. The common

vulnerabilities that make SQL Injection

possible in web application are:

• No or Improper user input validations.

• Constructing dynamic SQL queries

using simple string concatenation.

• Confi guring an application with an

over privileged database login.

• Improper exception and error

handling.

• To stop SQL Injection these

vulnerabilities should be removed

during development of web

application.

SQL Injection AnatomyFigure 1 illustrates an example for Tautology

based attack, showing how SQL Injection

happens. The attacker is attempting to

put SQL commands to extract data from a

database. As shown in Fig. 1, attacker enters

a tautology statement in textbox which is

concatenated with the SQL Query at the

backend and executed by the database.

Database reveals the confi dential data at front end to the attacker. In this way, a simple SQL statement is used to compromise the whole database.

What SQL Injection Can Do? SQL Injection is a kind of attack which is very diffi cult to stop, because it happens as a normal functioning of web application. SQL Injection even bypasses the Authentication and Authorization of Web Application. It crosses the Network level (Firewalls and Intrusion detection System) and Operating system security.

Web Application having SQL Injection Vulnerabilities is exposed to all types of threats as explained by STRIDE. STRIDE is a threat categorization model introduced by Microsoft. The acronym STRIDE (spoofi ng, tampering, repudiation, information disclosure, denial of service, elevation of privilege) for threat categorization of SQL Injection is explained as below-S- Bypass Authentication and

AuthorizationT-Steal and Modify DataR- Void or Delete Transactions and

Drop TablesI-Disclosure of Sensitive DataD-Destroy Data and make it UnavailableE-Get and use Administrator credentials

It shows that SQL Injection is powerful attack which destroys the database and steals the billions of money from banks which leads to crisis in Organization. So, there is a need to stop SQL Injection before they stop you.

SQL Injection MitigationIt is clear that, SQL Injection vulnerability is due to a fl aw in Web Application Development. It is not a Database or Web Server Problem. When we talk about

security, there are three ways to secure a

web application –

1. Penetrate and Patch

2. Operational Environment

3. Secure Software Engineering

The dominating idea i.e. secure

software engineering means addressing

security during development, off ers

reduction in future expenditures , time as

well as more in-depth defensive layers. So

there is a need to take a holistic approach.

Security should be weave in throughout the

complete software development lifecycle

starting from Requirements Phase to Testing

phase. While designing a secure Web

Application which is free from SQL Injection

vulnerability, the three thumb rules, which

should keep in mind are -

1. All Input is Evil

2. Defense In Depth

3. Think from Attackers

Perspective

To mitigate SQL Injection, Diff erent

activities which should be performed

during development are shown in Fig. 2.

As applications are rarely static and

need to be enhanced and adapted to

suit changing business requirements,

so vulnerabilities should be removed in

their respective phase as the application

evolves. Some measures to be taken in

each phase to mitigate SQL Injection are

explained below phase by phase –

Requirement Phase

Developing secure web applications that

can withstand malicious SQL Injection

Fig. 1: How SQL Injec on Happens

Fig. 2: SQL Injec on Mi ga on in SDLC

CSI Communications | June 2014 | 28 www.csi-india.org

attacks requires a careful injection of security considerations into early stages of development lifecycle. Decisions taken in this phase will help us in implementing security in Design and coding phase. Following are some tasks which are necessary to perform for SQL Injection mitigation- • Incorporate Security Modelling

(Misuse Case, Attack trees, Vulnerability Cause Graph) - Security modelling is a collective term for modelling techniques of security concepts such as threats, attacks and vulnerabilities. The security modelling identifi es potential vulnerabilities, threats and countermeasures. Security Modelling is done to reduce the knowledge gap between Developers and Security Experts. The modelling techniques like vulnerability cause graphs (VCG), Attack trees and Misuse cases are used to elicit Security requirements for the mitigation of SQL Injection Vulnerability. The main role of these modelling techniques are-VCG- shows the causes of vulnerability in graphical formAttack Tree- shows how the system is threatened and exploited by attackersMisuse Case- is “Inverse Use Case” which shows the threats a vulnerability is exposed to and countermeasures to mitigate vulnerability.

• Elicit Accurate Security Requirements by using Security ModellingIf Security modelling is properly done, then it is very easy for designers and developers to implement security to mitigate SQL Injection.

Design PhaseNow the system needs to be designed in such a way that all the security considerations have been taken into account. At Design time SQL Injection is prevented by – • Proper Design review or audit • Incorporate Threat Modeling. • Data Flow diagram (DFD) and

Architecture diagram Analysis • Examine Entry and Exit points

Coding phaseDuring Coding, lot of vulnerabilities are introduced due to less skilled or unaware developers. SQL Injection vulnerability is introduced due to bad coding practices.

To prevent SQL Injection following coding techniques should help:- • Validate the user input (whitelisting /

blacklisting) • Never use Dynamic  SQL  queries by

string concatenations. • Use Parameterized commands with

dynamic SQL queries. • Stored Procedure is the best option to

prevent attack. • Implement the principle of Least

privilege. • All sensitive and confi dential

information like passwords should be stored in encrypted form.

• Implement strong client side as well as server side validation for all user inputs

• Use Regular expression to validate and limit the input data.

• Implement error handling, don’t show error messages to the user.

• Use Quoteblock function • Keeping untrusted data separate from

backend commands and queries. • Escape or fi lter or sanitize the special

characters in user inputs. • Use Exception handling to catch all

possible exceptions. • Set length limits, range on input data

in form fi elds and validate data for content length and format.

• Make schema, table names unique. • Try to avoid query strings for building

Web pages. • Audit the code to fi nd vulnerabilities.

Testing phaseSecurity testing focuses on the testing potential security bugs that might be exploited by the hackers. Security testing goal is to ensure that the software being tested is robust and continues to function in an acceptable way even in existence of malicious attacks. During testing SQL Injection is mitigated as:– • Ethical Hacking • Perform penetration tests. • Implement static and dynamic

testing for code walkthroughs and inspection.

• Perform Fuzz Testing (Provide random unexpected inputs in input fi elds which are connected to a database and observe the outputs and error messages generated for the

wrong inputs). • Perform static code analysis or reviews

GreenSQLGreenSQL is unifi ed software solution provides Database Security, Dynamic Data Masking, and Database Activity Monitoring in one product. GreenSQL is an open source software as a proxy server (communication interface) or database  fi rewall  between the database server and web server is implemented.  It includes a graphical user interface for confi guring and monitoring a fi rewall. This supports  Microsoft SQL Azure  ,  SQL Server  (all versions),  MySQL  .The  software  automatically checks queries on security and forwards them only after review.  The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known database administrative commands (DROP, CREATE, etc).How it helps us – • Blocks SQL Injection attacks • Secures data • Prevents Unauthorized Database

Access • Masks Sensitive Data

ConclusionsSQL Injection vulnerabilities are known for more than a decade, and they are still one of the most prevalent vulnerabilities in web applications. Today, wide variety of automated detection tools are available in the market which made easy to detect and exploit SQL Injection(SQLI) vulnerabilities. SQLI vulnerabilities have high damage potential and can completely compromise the web application. So by raising the awareness and following few simple best practices during development of web applications will help completely preventing SQLI vulnerabilities.

References[1] OWASP Top 10 list 2013: https://www.

owasp.org/index.php/Top_10_2013-Top_10

[2] GREENSQL: http://www.greensql.com/

[3] Threat Modeling Process: http://msdn.

microsoft.com/en-us/library/ff648644.

aspx

[4] SeaMonster-Providing tool

support for security modelling:

http://www.shieldsproject.eu/files/docs/

seamonster_nisk2008.pdf

[5] G. Sindre and A.L. Opdahl , “Eliciting

security requirements with misuse cases”,

Requirements Eng (2005) 10: 34–44,DOI

10.1007/s00766-004-0194-4 n

Abo

ut th

e A

utho

rs Navdeep Kaur obtained her bachelor’s degree, B. Tech. in Computer Science & Engineering from Punjab Technical University and currently pursuing

Master’s Degree, M. Tech. in Software Systems at Guru Nanak Dev University, Amritsar. She has published 3 research papers in International journals

and 1 research paper in National Conference. Her research area includes Software Security (web application vulnerabilities).

Parminder Kaur, is working as Assistant Professor in the department of Computer Science & Engineering, Guru Nanak Dev University, Amritsar. She has

published around 45 research papers in International/National journals as well as Conferences. Her research area includes Component-based Software

Engineering, Open Source Systems, Web Engineering and Software Security.

CSI Communications | June 2014 | 29

A recent Gartner report that came out September this year made a not so surprising revelation that, most companies are still not generating positive ROI on Big Data. As per the report, big data investments currently

earn 50 cents for every dollar invested.

Fig. 1: Big Data ROI [Source: Wikibon Research, 2013]

A big reason for this underperformance is that, companies just want to follow the herd without understanding its true purpose. As Gartner report points out, enterprises which had no clue about Big Data are actually running Big Data projects.

A survey conducted by Gartner revealed that, determining how to get value from Big Data, defining a strategy and obtaining skills and capabilities to be three most compelling challenges faced by the adopters of the Big Data

technology.

Fig. 2: Top Big Data challenges [Source: Gartner, September 2013]

Although from the above statistics

and reports, there would be an immediate

temptation to term Big Data a hype than

a practical business reality; one must try

to study case studies of those enterprises

which have used and are using Big Data

successfully. Examples include, Amazon,

T-Mobile, eBay etc. to name few known

biggies.

While, there are lots of case studies

appearing in business reviews, blogs,

articles, practitioners opinions etc. touting

the success of Big Data technology; there

are hundreds of smaller players who are

tumbling, fumbling and looking confused

over the implementation of Big Data and

its expected ROI.

After analyzing some of the successful

implementations of Big Data Analytics; I

believe, following are some of the points that

can be kept in mind while contemplating

on the integration of Big Data Analytics to

enterprise decision making.

Why you need Big Data?As per the recent Gartner report, more

than 60% of the respondents do not even

have a clue on what to do with Big Data.

This is in parallel with the fi ndings shown

in Fig. 2, which enlists ‘determining how

to get value from big data’ and ‘defi ning

strategy’ to be the biggest two challenges

in Big Data implementations.

Amassing huge volume of data is

one thing (perhaps, easier with the plunge

in storage costs), analyzing those data

is another thing and fi nally, integrating

the insights into the decision making is a

totally diff erent thing!

Any enterprise must begin by

identifying a business problem! What

is it that you are trying to achieve? Are

you planning to expand your business

market? Or are you concerned about

the high customer attrition rates? Both

of these require different analysis on

different datasets. Just amassing huge

volumes of data from multiple sources

is not profitable, without having or

knowing a business problem. Also,

analyzing data just because, there is

huge data without a clear goal will

make reaping ROI all the more difficult.

Thus, asking right business questions is

critical in giving a business context to

the Big Data technology, in giving clarity

on WHAT data is to be analyzed and

HOW it should be analyzed.

Finally, it is equally important to have

a positive culture within the enterprise for

data-driven decision making so that, the

insights drawn from voluminous data using

diff erent complex statistical packages are

not pushovers. It is important that the

BIG Data Analytics is integrated with the

decision making process.

Thus, aligning Big Data Analytics with

the enterprise’s core business strategies is

the most critical ingredient in reaping the

maximum ROI.

ERP is not One of the Options but, the Only Option!For drawing insights which can infl uence

critical decision making, the complex

analysis must be made on data which

is of high quality and highly consistent.

Otherwise, the scenario would resemble,

‘Garbage In Garbage Out’!

For collecting data which is of high

quality and is highly consistent at the same

time, it becomes necessary to adopt an

enterprise-wide system which integrates

all the business processes of the enterprise.

Without which, it would be independent

‘silos’ (systems) for each process and

extracting and organizing data in such an

environment is intensely complex and the

cost would be prohibitively high.

Although the adoption of ERP systems

in India is on the rise, the SMB’s are fi nding

the path more of thorns than roses! But,

the reasons seem genuine. Firstly, the most

deterrent factor is the cost with most of the

ERP solutions being priced exorbitantly. But,

the advent of SaaS based ERP solutions has

provided the mid-market companies with a

great opportunity to leverage ERP systems

to stay competitive. Gartner estimates

SaaS ERP in India to grow at a CAGR of 28

per cent. Also, the survey concludes that

the adoption has been more in the SMB

segment than the large enterprises.

The second deterrent factor is the

customization. Every enterprise has a unique

set of business processes and fi nding a

single suite which meets every requirement

is impossible. Also, customization can be a

complicated and expensive activity which

may even result in making compromises in

the ‘best practices’ embedded system.

Binesh NairLecturer and Core-Member, R&D Cell, Vidyalankar School of Information Technology, MumbaiArticle

Reaping ROI from Big Data Abstract—The current dramatic underperformance of Big Data with respect to the hype that is in the air is due to less knowledge of

Big Data and lack of alignment of the Big Data Analytics to the Strategic objectives of the organization. Also, Mid-Market segment

needs to introspect and ask right questions before implementing Big Data. Finally, breeding an Analytics Culture and having Data

Scientists who can see the Big Picture will decide the swing of ROI in any enterprise.

CSI Communications | June 2014 | 30 www.csi-india.org

However, despite the challenges, it

becomes imperative for enterprises in

this highly competitive market to have an

enterprise-wide system so that, they can

increase the value of data by providing for

analysis data which is correct, complete,

current, consistent and is in context.

Small is BeautifulThe American Marketing Association’s

fi rst conference which happened in the fi rst

quarter of this year, thrown a startling story

that, very few are actually working with

anything approaching Big Data! In fact, a

survey by Tom H.C. Anderson coined a new

terminology of what is a ‘MID DATA’.

Fig. 3: ROI versus size of Data [Source: Tom H.C Anderson, March 2013 Edi on]

As can be seen in the fi gure, the size

of Mid Data sample is between 100,000

to 10,000,000 which by the way is huge.

Also, as the research output in the fi gure

exemplifi es that, as the size of the underlying

data sample reaches the Big Data horizon,

the ROI as well as the practicality of the

implementation starts dropping.

If one thinks, this does make sense,

for example, if an enterprise wants to

understand the purchase patterns of the

customers, it can achieve so by focusing

on the customer data extracted of POS,

social media etc. It would be make less

sense to club this data with accounting

data or purchase data! Also, it may make

little sense to compare customers in US

with customers of India.

Thus, by focusing hard on ‘WHAT’, it

becomes clear about the ‘WHICH’ smaller

datasets (MID DATA) to be considered for

the mining process. Focusing on relevant

datasets instead of being carried away

by the idea of building a BIG data source;

the enterprise can, not just make the

implementation practical but, also allows

reaping a higher ROI.

Build an Analytics CultureAnalytics is not just Stats,Quants or

Statistical Tools; it defi nitely boils down you

how an enterprise integrates it into everyday

decision making. For this, the leaders must

be leading from the front to foster a culture

of analytics in the organization.

Leaders in the C-Suite must have a

passion for collecting objective data and

basing them for everyday decision making;

they must set an example for the rest of the

enterprise. The top-level management must

be able to translate this culture to the mid-

level managers because, ultimately, for data-

driven decision making, it not just enough

to have the C-suite executives but also,

every staff member must be incorporating

analytics in their every-day working.

One widely adopted practice is to

have an internal/external analytics team

consisting of Data Scientists who will

work cross-functionally in the enterprise.

They will do the job of collecting data,

determining the quality of data required

for building predictive models, building

statistical models and presenting the

insights with eff ective data visualizations

to key business stakeholders. However,

for producing any critical impact in the

business; it becomes important not be

make them a ‘silo’ and integrate them with

rest of the business units of the enterprise.

See the Big PictureAnalytics is all about solving business

problems using knowledge discovered

from massive amounts of data (in

terabytes or even petabytes) using various

statistics, data mining, machine learning

etc. Thus, it becomes pivotal to align

analytics to business.

Organizations often have this

challenge wherein, employees who are good

quantitatively lack business knowledge; and

those who have good business know-how

may not be good with numbers. The attempt

must be to close the gap.

Analytics is an inter-disciplinary data

science and demands a unique blend of

business knowledge and quantitative

knowledge. Working on data without

understanding the underlying business will

reap misleading results which defi nitely

will impact the business. For example, a

statistician working on building predictive

models for marketing campaigns must

understand that, all media’s behave

diff erently and one media may even

infl uence the other, like, a potential

customer who sees an ad frequently in the

television may relate easily to the hoarding

along the highway.

Thus, an enterprise requires resources

who are not just statisticians but, those

who have a holistic view of the business

as well so that, they will be in a position

to distinguish relevant and irrelevant

patterns. Insights would not be obvious

but, something which was unknown in the

past and prompts the decision makers to

incorporate it in how business is done!

ConclusionReaping a positive ROI from Big Data

maybe a slow process but, a defi nite one!

The learning curve for the organizations

that do not have an analytical culture

may have a steep learning curve but, I

believe, the above fi ve points are critical

for reaping success wi th Big Data.

References[1] ‘Forget Big Data, Think Mid Data’,

Tom H C Anderson, Anderson

Analytics, March 7th, 2013.

[2] Survey Analysis: Big Data Adoption

in 2013 Shows Substance Behind the

Hype, 12th September, 2013.

[3] Matt Asay, ‘Gartner on Big Data:

Everyone’s Doing It, No One Knows

Why’, Enterprise, 18th September,

2013.

[4] ERP Implementation in the Mid Market

Segment, PriceWaterHouseCoopers,

Pages 5-7, 2013.

[5] Jeff Kelly, ‘Enterprises Struggling to

Derive Maximum Value from Big

Data’, wikibon.org, September 19th,

2013, 12:36 PM IST.

[6] Ada Wong, Harry Scarbrough,

‘Critical Failure Factors in ERP

Implementation’, Pacifi c Asia

Conference on Information Systems

2005, Sections 1-8, NATL SUN

YAT-SEN UNIV, Bangkok, Thailand,

PP.492-505. n

Binesh Nair, is currently a Lecturer and a core-member of the R&D Cell at Vidyalankar School of Information

Technology, Mumbai. His areas of interests are Data Mining and Analytics. He has published several papers at the

International level. Contact: +91 900 4282 394 Email: binesh.nair@vsit.edu.in

Abo

ut th

e A

utho

r

CSI Communications | June 2014 | 31

Programming.Tips() »

Fun with ‘C’ programs

Practitioner Workbench

Wallace JacobSenior Assistant Professor, Tolani Maritime Institute

If an array is passed to a function and the

values of the array are changed in the called

function, then those changes are refl ected

in the calling function. The program below

and its corresponding output testify the

aforementioned statement:

Program listing one

#include<stdio.h>

#defi ne SIZE 10

void arraypassex(int *);

main()

{

int num[SIZE];

int i;

for(i=0;i<SIZE;i++)

num[i]=i;

printf(“\nBefore calling arraypassex(int

*)”);

for(i=0;i<SIZE;i++)

printf(“\nnum[%d]=%d”,i, num[i]);

arraypassex(num);

printf(“\nAfter calling arraypassex(int

*)”);

for(i=0;i<SIZE;i++)

printf(“\nnum[%d]=%d”,i, num[i]);

return 0;

}

void arraypassex(int *x)

{

int j;

for(j=0;j<SIZE;j++)

x[j]+=j;

return;

}

Output of the above program:

Before calling arraypassex(int *)

num [0]=0

num [1]=1

num [2]=2

num [3]=3

num [4]=4

num [5]=5

num [6]=6

num [7]=7

num [8]=8

num [9]=9

After calling arraypassex(int *)

num [0]=0

num [1]=2

num [2]=4

num [3]=6

num [4]=8

num [5]=10

num [6]=12

num [7]=14

num [8]=16

num [9]=18

Is it possible to ensure that the array

elements remain immutable in the called

function? Well, it is possible with the help

of the keyword const. The program below

illustrates how this can be accomplished:

Program listing two

#include<stdio.h>

#defi ne SIZE 10

void arraypassex(const int *);

main()

{

int num[SIZE];

int i;

for(i=0;i<SIZE;i++)

num[i]=i;

printf(“\nBefore calling arraypassex(int

*)”);

for(i=0;i<SIZE;i++)

printf(“\nnum[%d]=%d”,i, num[i]);

arraypassex(num);

printf(“\nAfter calling arraypassex(int

*)”);

for(i=0;i<SIZE;i++)

printf(“\nnum[%d]=%d”,i, num[i]);

return 0;

}

void arraypassex(const int *x)

{

int j;

for(j=0;j<SIZE;j++)

x[j]+=j; /*error: assignment of read-

only location */

return;

}

n

Abo

ut th

e A

utho

r Wallace Jacob is a Senior Assistant Professor at Tolani Maritime Institute, Induri, Talegaon-Chakan Road,

Talegaon Dabhade, Pune, Maharashtra. He has contributed articles to CSI Communications especially in the

Programming.Tips section under Practitioner Workbench.

E-mail: wallace_jacob@yahoo.co.in

Offi ce Contact No: 02114 242121

“Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is

fun to program.”

- Linus Torvalds, Software Engineer behind development of the Linux Kernel

CSI Communications | June 2014 | 32 www.csi-india.org

Programming.Learn("R") »

Basic Statistics Using RAs we have mentioned in the previous issues, R package is developed

for statistical applications. It provides built-in functions for various

statistical operations based on probability distributions, statistical

tests, regression models, classifi cation models, machine learning,

time series analysis, resampling etc. We shall look into some of

them in a nutshell in each of the coming issues. In the current issue,

let us discuss how R supports basic statistical operations like mean,

median, maxima, minima, standard deviation etc.

MeanArithmetic mean of a set of data values can be calculated simply

using the function mean ( ). For example,

> dataset<-c(21,22,23,24, 25,26,27,28,29,30)

> M<-mean(dataset)

> M

[1] 25.5

MedianMedian, which is the ordinal measure of the central location of the

data values can be calculated using the function median ( ).

Example:

> median(dataset)

[1] 25.5

RangeThe function range ( ) gives the range of all the values given as

input. In other words, it gives the maximum and minimum values

in the given dataset. See the example given below which gives the

range of the values given in the vector dataset.

Example:

> range(dataset)

[1] 21 30

Minima and maximaThe functions min ( ) and max ( ) can be used to obtain the

minimum and maximum values of a set of input values.

Example:

> max(dataset)

[1] 30

> min(dataset)

[1] 21

QuantileQuantile split the input data values. There are basically four

quantiles for every input dataset. The fi rst quantile is the value

that cuts the fi rst 25% of the given data set while second quantile

cuts the fi rst 50%, third quantile, the fi rst 75% and fourth quantile,

100%. The function that achieves this is quntile( ).

Example:

> quantile(dataset)

0% 25% 50% 75% 100%

21.00 23.25 25.50 27.75 30.00

VarianceThe function var ( ) calculates the variance of the input values.

Example:

> var(dataset)

[1] 9.166667

Standard DeviationStandard Deviation is the square root of variance. It is calculated

using the function sd ( ).

Example:

> sd(dataset)

[1] 3.02765

Correlation Coeffi cientThis property measures how two variables are co-related. Its value

varies from -1 to +1. The function cor ( ) computes the correlation

between two values.

Example:

> dataset1<-c(21,22,23,24,25,26,27,28,29,30)

> dataset2<-c(0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.1)

> cor(dataset,dataset2)

[1] 0.9964518

CovarianceCovariance tells how two variables are varying together. The

function cov ( ) is used to fi nd out the covariance in R.

Example:

> cov(dataset1,dataset2)

[1] 0.9666667

In addition to all these specifi c statistical functions, the function

summary ( ) will provide us with all the most basic statistical

properties. See the example below:

> summary(dataset)

Min. 1st Qu. Median Mean 3rd Qu. Max.

21.00 23.25 25.50 25.50 27.75 30.00

n

Practitioner Workbench

Umesh P and Silpa BhaskaranDepartment of Computational Biology and Bioinformatics, University of Kerala

R is an implementation of the S programming language combined with lexical scoping semantics. R was created by Ross Ihaka and Robert

Gentleman. R is named partly after the fi rst names of the fi rst two R authors and partly as a play on the name of S.

- Wikipedia

CSI Communications | June 2014 | 33

Information Security »

A Quick Look at Hadoop Security

Security Corner Paresh Suvarna* and Prashant Wate**

*Technical Specialist, IGATE**Technical Architect, IGATE

IntroductionIn this era of Big Data, with cheap data

storage devices and cheap processing

power becoming available, organizations

are collecting massive volumes of data, with

the intent of deriving insights and making

decisions. While most of the focus is on

collecting data, having all data at one place

increases the risk of data security and any

kind of data breach can lead to negative

publicity and a loss of customer confi dence.

Hadoop is one of the main

technologies powering Big Data

implementations. In this article, we cover

some of the ways in which data security

can be ensured while implementing Big

Data solutions using Hadoop.

Evolution of Hadoop SecurityDuring the initial development of Hadoop,

security was not a prime focus area. In most

of the cases, the Hadoop platform was being

developed using data sets where security

was not a prime concern because the data

was publicly available. However, as Hadoop

has become mainstream, organizations are

putting a lot of data from varied sources

onto a Hadoop cluster, creating a possible

data security situation. The Hadoop

community has realized that more robust

security controls are needed and has

decided to focus on the security aspect and

new security features are being developed.

While the use of basic features

provided by Hadoop itself are of

importance, organizations cannot be

parochial, instead they must have a

holistic approach for securing Hadoop.

Hadoop security in itself is a very vast area

and ever evolving to cater to the growing

market. A high level overview of Hadoop

security is given in the following sections.

Big Data Security – A Three -Tier ApproachHadoop security can be considered to be

a multi-layered approach. Each layer has

diff erent set of security approaches and

techniques, as depicted in Fig. 1.

Data Transfer & Integration Layer

The first layer of security is at

the integration cusp between the

F ig. 1: Three- er Security Approach for Hadoop

CSI Communications | June 2014 | 34 www.csi-india.org

different source systems and Hadoop

ecosystem. For data ingestion into and

dissemination out of Hadoop, there are

different methods and techniques which

can transfer data back and forth from

source systems. Security aspects of

some of the tools/techniques for data

transfer are listed below:

• Apache Flume – Flume can be

used for collecting, aggregating,

and moving large amounts of data

from multiple sources into Hadoop

Distributed File System (HDFS). If

multiple users need to transfer the

data using Flume agent to HDFS,

proxy users can be created and

mapped to a single principal user.

Alternately, Kerberos principal can

be used to access Hadoop directly.

• Apache Sqoop – Apache Sqoop can

be used to transfer data to and from

relational databases to Hadoop.

It provides role-based access and

execution restrictions using ‘Admin’

and ‘Operator’ roles. This enforces

restrictions on execution of activities

like import and export of data by end

users.

• External Tools – Extract, Transform

and Load (ETL) tools or custom

built applications can connect to

Hadoop data stores like HBase or

Hive. These data stores support

Kerberos, Lightweight Directory

Access Protocol (LDAP) & custom

pluggable authentication. The

external applications can access

Hadoop as itself or by impersonating

the connected user using proxy

privileges which can be confi gured in

Hadoop.

• File Transfer – Secured File Transfer

Protocol (SFTP) is a good option for

data transfer. Also if an FTP server

is to be used, then it will be better to

use single user access of FTP server

or use proxy user credentials with

required permissions.

OS Layer - Authorization &

Authentication

The Hadoop file system is similar to a

Portable Operating System Interface

for uniX (POSIX) file system and gives

administrators and users the ability to

apply file permissions and control read

and write access. The interconnect of

the base Operating System (OS) and

Hadoop cluster is another layer which

has to be secured. Big Data applications

are typically deployed on Hadoop

infrastructure that resides on top of the

OS. It is important to consider OS users,

group policies and the file permissions

at the OS layer, while securing the

Hadoop cluster.

For overcoming the OS related

concerns, Hadoop should be configured

using a user id, which is not the root

user or is not part of the root users

group. This user can act as a super-user

for Hadoop Name Node and can have

the rights to start and stop Hadoop

processes. In a Hadoop ecosystem,

several users, namely ‘hdfs’, ‘mapred’,

‘yarn’ are created during installation.

Typically, a common Unix group is

created to provide access to these

Hadoop internal users. But, for end users

who need to access HDFS, it is best to

use proxy users for the same instead of

giving group access. In order to further

enhance the security of Hadoop cluster,

security features integral to Hadoop

must be fully utilized in addition to OS

users and file permissions.

Hadoop Integral Security Layer

Hadoop provides several security control

features. Subsequent releases of Hadoop

are expected to provide enhanced security

features. Following are some of the

essential security features available in

Hadoop:

• Authentication  •  Remote Procedure Calls (RPC)

Connections: To mutually

authenticate the users, Simple

Authentication & Security

Layer/Generic Security Services

Application Programming

Interface (SASL/GSSAPI) is used

for Kerberos implementation on

RPC connection

 •  Hypertext Transfer Protocol

(HTTP) Web Consoles:

A pluggable HTTP user

authentication mechanism

allows deploying organizations

to configure their own

browser based authentication

for JobTrackers Web User

Interface. This could include

HTTP Simple and Protected

GSSAPI Negotiation Mechanism

(SPNEGO) authentication

•  Delegation Tokens: Initial

authentication to NameNode is

done using Kerberos credentials.

Thereafter, the user obtains

delegation token for subsequent

authentication to namenode

without utilizing kerberos key

servers

• Authorization •  HDFS File Permissions: Namenode

enforces access control to HDFS

fi les based on fi le permissions -

Access Control Lists (ACLs) of

users and groups

•  Task Authorization – Job Tokens:

Job tokens are created by the

JobTracker and shared with its

associated TaskTrackers. This

ensures that the task tracker

performs tasks assigned by its

corresponding JobTracker only

•  Data Block Control – Block Access

Tokens: When users need fi le

accesses on NameNode, fi le

permissions are checked. The

namenode issues Block access

tokens using Hash Based Message

Authentication Code (HMAC-

SHA1) that could be sent to

the DataNode for block access

requests. This helps to establish

the connection between the HDFS

permissions and access to data

blocks

• Encryption •  RPC Encryption: RPC connections in

Hadoop use SASL which supports

encryption

•  Data Transfer Protocol: Data

Transfer between clients and

hadoop services can be confi gured

for encryption

•  HTTP Secure (HTTPS) Encryption:

Data transferred over HTTP

protocol is encrypted by using

Secure Sockets Layer (SSL) -

HTTPS. SSL can be confi gured to

authenticate the server as well as

the client

•  Shuffl e Encryption: Shuffl e is

the data movement between

Mappers and Reducers over

HTTP protocol. HTTPS can be

enabled for encrypting shuffl e

traffi c by confi guring the required

parameters

Third-Party Hadoop Security SolutionsAlthough, Hadoop incorporates many

security features, there still exist

CSI Communications | June 2014 | 35

gaps. This has given opportunity

to other vendors to come up with

security solutions for Hadoop. Some of

these are:

Open-source solutions

Some of the open source security solutions

for Hadoop are as follows:

• Sentry - Delivers fi ne-grained

authorization to data

• Knox Gateway- Provides perimeter

security which integrates easily into

existing security infrastructure

• Intel’s Project Rhino - aims to

enhance existing data protection

capabilities of Hadoop ecosystem

Commercial solutions

Some of the commercial hadoop security

solutions are as follows:

• Dataguise for Hadoop – Provides

Discovery, Data masking &

Encryption for sensitive data

• IBM’s InfoSphere Data Privacy for

Hadoop – Provides data masking,

monitoring & Auditing

• Zettaset Orchestrator – Provides

Encryption for data-at-rest and

data-in-motion, Fine-grained, role-

based access

• Protegrity Big Data Protector - Enables

data protection and access control

ConclusionDuring the initial days of Big Data

implementations using Hadoop, the

prime motivation was to get data into the

Hadoop cluster and perform analytics

on it. As organizations have matured

their understanding of Big Data, the data

security and privacy policies of such

implementations are being questioned.

Though Hadoop lacks a robust security

and privacy framework, the increasing

interest in this area is ensuring that

appropriate solutions are developed.

While security and privacy issues can

be addressed to an extent using existing

Hadoop mechanisms, more robust tools

and techniques are needed.

References[1] Data Security for Hadoop – Add-on

Choices Proliferating, Merv Adrian,

Gartner, 2014. http://blogs.gartner.

com/merv-adrian/2014/02/23/

data-security-for-hadoop-add-on-

choices-proliferating/

[2] Hadoop security: A jungle of options,

Michael Steinhart, AllAnalytics.

com, 2014. http://www.allanalytics.

c o m / d o c u m e n t . a s p ? d o c _

id=272302&page_number=2

[3] Wire encryption in Hadoop, Vinay

Shukla, Hortonworks, 2013. http://

h o r t o n wo r k s . c o m / b l o g /w i re -

encryption-hadoop/

[4] Big Data Security: The Evolution

of Hadoop’s Security Model, Kevin

T Smith, InfoQ, 2013. http://www.infoq.

com/articles/HadoopSecurityModel

[5] Apache Sqoop: Highlights of Sqoop 2,

Kathleen Ting- Customer Operations

Engineer, Cloudera, Jan 2012.

https://blogs.apache.org/sqoop/

entry/apache_sqoop_highlights_of_

sqoop

[6] Hadoop Security Design, Owen

O’Malley & team, Yahoo, 2009.

https://issues.apache.org /jira/

secure/attachment /12428537/

security-design.pdf

n

Abo

ut th

e A

utho

rs

Paresh Suvarna, Technical Specialist, IGATE- Paresh has 14 years of experience in Information Technology and is part

of the Technology Center of Excellence (CoE) of Research & Innovation group at IGATE. He has rich experience in

architecting and implementing database solutions including data modeling, data migration, database performance &

optimization, etc. in Big Data, NoSQL & RDBMS realm. Email – paresh.suvarna@igate.com

Prashant Wate, Technical Architect, IGATE - Prashant has 14 years of experience in IT and is currently part of the

Technology Center of Excellence (CoE) of Research & Innovation group, IGATE. He has extensive experience in

architecting and implementing database solutions including Big Data, NoSQL databases, Analytics, data modeling,

data migration and database optimization. Email - prashant.wate@igate.com

Kind Attention: Prospective Contributors of CSI Communications -

Please note that cover themes of future issues of CSI Communications are planned as follows -

• July 2014 - Business Analytics• August 2014 - Software Engineering • September 2014 - IT History

Articles and contributions may be submitted in the categories such as: Cover Story, Research Front, Technical Trends and Article.

Please send your contributions before 20th of a month for consideration in subsequent month’s issue.

For detailed instructions regarding submission of articles, please refer to CSI Communications March 2014 issue, where Call for Contributions is published on page 37.

[Issued on behalf of Editors of CSI Communications]

CSI Communications | June 2014 | 36 www.csi-india.org

Security in Software Development: Software Development has come a long way from the early days of programming, when almost

all programmers used assembly-language. From FORTRAN and COBOL in the 1950s, through BASIC, PASCAL and C in 1960-80s, to

PYTHON, JAVA, PHP in the 1990s programming has come a long way. The current thinking in software development has also moved

from Procedural in the 1960s, Object-Oriented in the 1990s to Agile Alliance in 2000s. On the other hand software project cost and

price are still largely estimated using a top of the mind approach. Even software development methodologies and tools take over 15 to

20 years to percolate down to programmers and become popular enough to be regularly used.

It is no surprise that software security has been a neglected area over the years. Security is considered as an add-on, to be

provided if the client / customer wants it or if there are incidents and you have no choice but to provide a fi x. Security even today is

considered and incorporated in software at a much later stage in the software development process. But as with add-ons and elements

introduced later in the life cycle, such add-ons seldom provide really secure solutions.

The reasons for this are varied ranging from cost and time constraints / considerations on one hand to an attitude /

culture issue with the developers on the other. Quite often for developers the concept of building in security from the beginning is

anathema. It could be due to a number of factors. For one it means that the iterations go up that much more. It is always easier for

the fi nal code to be cleared for security bugs / issues only once. It also requires that developers learn, understand and use security

concepts and tools, something which they consider out of their scope.

Given this background the current Case in Information Systems is being presented. Although every case may cover multiple

aspects it will have a predominant focus on some aspect which it aims to highlight.

A case study cannot and does not have one right answer. In fact answer given with enough understanding and application of mind

can seldom be wrong. The case gives a situation, often a problem and seeks responses from the reader. The approach is to study the

case, develop the situation, fi ll in the facts and suggest a solution. Depending on the approach and perspective the solutions will diff er

but they all lead to a likely feasible solution. Ideally a case study solution is left to the imagination of the reader, as the possibilities

are immense. Readers’ inputs and solutions on the case are invited and may be shared. A possible solution from the author’s personal

viewpoint is also presented.

Case Studies in IT Governance, IT Risk and Information Security »

Security Corner Dr. Vishnu Kanhere

Convener SIG – Humane Computing of CSI (Former Chairman of CSI Mumbai Chapter)

SureSwift Software is an upcoming startup

that is well on its way to being successful.

The entire team is young enthusiastic and

charged up to perform and achieve. The

development team is headed by Rohit the

team leader, who is chairing the Saturday

review meeting as usual.

Dhanesh the experienced

programmer that he was, looked at the

Agenda, noted that there were just 4 items

and started making plans for an afternoon

movie. The fi rst three items covering

review of ongoing projects passed off in a

few minutes.

The last point was about Security

issues in Software. “Let us give it to the

Infosec team, it is their baby”- rang out

the chorus. Rohit looked at Dhanesh.

Dhanesh echoed the sentiment. Security

was handled by the infosec team and

after the coding was complete and the

software ready, just prior to its release

it was handed over to the security team.

The security consultants did a code

review and carried out tests, came up with

bugs which were then resolved and the

software was released. This had become

a bit of a pain as it entailed reworking

to get rid of the bugs and develop fi xes,

increased the costs and delayed the

release dates. Most of the programmers

were unhappy about this. Their argument

was that “no software was 100% secure

and security vulnerabilities were bound

to be discovered post release and would

get fixed anyway.” In fact they had

postponed the ISO 27001 certification

exercise claiming that it was really

necessary for the IT department and

the Data Centre rather than for the

development team.

Rohit pointed out that they had

received a strong letter from their key client

– the Millionaire Bank. They were unhappy

with the software as their IT Audit had

discovered some critical security fl aws in

the software. They wanted to know what

steps SureSwift was planning to take to

avoid such incidents in the future.

Priyanka raised her hand and voiced

a fundamental query. She was quick to

point out that the Bank like others must be

mandatorily deploying fi rewalls and using

SSL (Secure Sockets Layer) encryption

which should really restrict and protect

the application access. If these had been

compromised there was precious little

they could do.

Dhanesh suggested looking at the

RFQ (Request for Quotation) and the

evaluation matrix used by Millionaire

Bank for the software project in question.

It was a long laundry list covering – Ease

of Use, Maintainability, Complexity,

Completeness, Volatility, Reusability,

Documentation, Resource usage,

Correctness, Architecture, Portability, and

Integrity.

Pramila chipped in – how can they

hold us responsible if security is not on the

list anyway?

Rohit seemed visibly upset and

elaborated that – “there is something

called warranties and software being

fi t for use, and an application for a bank

simply had to be secure.”

Tea was served and after a quick

consensus it was decided to call in Amar

the security consultant to help them

work out a strategy. Amar joined in and

suggested a way forward.

A Case Study of SureSwift Software

CSI Communications | June 2014 | 37

SolutionThe situation:The events and details of the case seem to

indicate that in general there is a very low

level of awareness regarding information

security in software applications. The

Software Development process itself

appears to look at security as an add-on to

be checked and deployed towards the end

of the development cycle.

Given the mindset of most

programmers ‘Security’ is an obstacle

to quick development and rapid

deployment. It often makes the

program heavy and slow. With the

looming deadlines and tight budgets

implementing security is viewed as

a handicap. In fact most developers

seldom study the subject and have only

a vague idea about information security.

The main priority for developers when

creating an application is making the

application work and security is the last

thing that they are worrying about.

The consequences:Applications with poor security are a

potential for severe brand damage, loss of

reputation and image, privacy issues and

fi nancial loss from client and third party

claims. They may also result in escalating

costs with the substantial modifi cations

and fi xes needed to the software pre- and

post- release even after deployment.

The Strategy:(1) The strategy needs to focus on

integrating security in the software

development life cycle itself. It is true

that developers are not security experts

and security consultants are not good

at software development. Educating the

developers in information security and

having security consultants as a part of the

team to collaborate with the developers

when developing an application is a good

beginning.

(2) A security review and assessment

identifying potential threat scenarios

and building abuse cases before the

actual development starts will help

identify issues based on needs and

expectations of interested parties. For

too long software products have been

developed to suit the convenience of the

developer. They need to be built keeping

in mind by whom, for what and how they

are going to be used.

(3) During the design stage a risk analysis

exercise followed by an external review

needs to be undertaken.

(4) The testing process should

incorporate risk based security tests.

(5) Post code review the application

should undergo penetration testing.

(6) Finally the fi eld feedback and user

trials should incorporate security aspects.

There are many classifi cation systems

available for threat analysis. STRIDE

focuses on threats as Spoofi ng, Tampering,

Repudiation, Information Disclosure, Denial

of Service, and Elevation. It primarily looks

at the application from the perspective of

the attacker. The other method DREAD,

classifi es risks according to Damage

Potential, Reproducibility, Exploitability,

Aff ected Users and Discoverability.

Abuse cases need an external and

user perspective to design them and

adequate external inputs need to be

taken. It is like taking a blind person on

board to design a mobile phone intended

to be used by the blind. Without this

input it will rarely be user friendly and

feature rich. The same is true if software

development is to be secure. You need

to think like a hacker if not actually get

help from one.

The immediate benefit that would

be realized is that the development

process itself will become more secure.

It can avoid wasted time and effort of

addressing application security flaws

close to launch of the software as it

happens in the traditional development

models and will help prevent the

complexities of repeating the test phase

later in the development cycle or after

the application is deployed.

A vulnerability management

program based on the above will

make the applications more secure. It

would cover system discovery, asset

classification, vulnerability testing,

prioritization, remediation, root cause

analysis, and improvement.

Software applications using this

integrated approach cannot claim to

be free of security issues or 100%

secure. No application can ever aim to

be fool proof. It will nevertheless assist

in detecting and fixing security flaws

both efficiently and effectively, thereby

reducing costs, time and achieving the

stated objectives.

It is clear that one cannot expect

an application to be secure by treating

security as an add-on and only

considering it at much later stages in

the development. Integrating security

throughout the development life cycle

will be the appropriate strategy to adopt.

Any software development

process depends on people, process

and technology. While the suggested

methodologies will ensure safe, secure

technologies and robust processes the

human element is equally important.

To achieve this it is necessary to

create awareness about information

security in the software development

fraternity, to educate them in the

three principles of confidentiality,

integrity and availability (CIA), and

then go on to develop a cascade of

policies, procedures, best practices

and guidelines.

Emergence of Industry standards

on secure development will eventually

lead to a wide spread adoption of these

principles making secure software

development the norm rather than the

exception that it currently is.

An effective solution is generally

expected to proceed on these lines. n

Abo

ut th

e A

utho

r

Dr. Vishnu Kanhere Dr. Vishnu Kanhere is an expert in taxation, fraud examination, information systems security and system audit

and has done his PhD in Software Valuation. He is a practicing Chartered Accountant, a qualifi ed Cost Accountant and a Certifi ed

Fraud Examiner. He has over 30 years of experience in consulting, assurance and taxation for listed companies, leading players

from industry and authorities, multinational and private organizations. A renowned faculty at several management institutes,

government academies and corporate training programs, he has been a key speaker at national and international conferences and

seminars on a wide range of topics and has several books and publications to his credit. He has also contributed to the National

Standards Development on Software Systems as a member of the Sectional Committee LITD17 on Information Security and

Biometrics of the Bureau of Indian Standards, GOI. He is former Chairman of CSI, Mumbai Chapter and has been a member of

Balanced Score Card focus group and CGEIT- QAT of ISACA, USA. He is currently Convener of SIG on Humane Computing of CSI

and Topic Leader – Cyber Crime of ISACA(USA). He can be contacted at email id vkanhere@gmail.com

CSI Communications | June 2014 | 38 www.csi-india.org

Solution to May 2014 crossword

Brain Teaser Dr. Debasish Jana

Editor, CSI Communications

Crossword »Test your Knowledge on Security in Software DevelopmentSolution to the crossword with name of fi rst all correct solution provider(s) will appear in the next issue. Send your answers to CSI

Communications at email address csic@csi-india.org with subject: Crossword Solution - CSIC June 2014

CLUESACROSS1. A process of converting data having many possible representations

into a standard form (16)

5. A software that controls the incoming and outgoing network traffi c (8)

7. The degree of resistance to, or protection from, harm (8)

8. The art of writing or solving secret codes (12)

11. Provides pluggable dynamic authentication for applications and

services (3)

16 The act of confi rming the truth of an attribute of an entity (14)

17. A type of network security attack where the attacker takes control of

a communication (9)

19. A character encoding standard (7)

20. A list of software weaknesses (3)

22. Parses the code and identify constructs that seem to introduce

threats.(4, 7)

23. A weakness that makes a threat possible (13)

25. An open-source web application security project (5)

26. An operating system (4)

27. Cross-Site Scripting (3)

DOWN2. Authentication, authorization and accounting (3)

3. A possible danger that may act to breach security (6)

4. An attempt to acquire sensitive information by redirecting to a false

site (8)

6. A list of known good inputs (9)

7. Static application security testing (4)

9. Provides remote access to a targeted computer system (6)

10. Used by attackers to gain unauthorized access to systems or data (6, 8)

12. An action taken to harm an asset (6)

13. A safeguard that addresses a threat and mitigates risk (14)

14. A method of bypassing normal authentication (8)

15. A technique used to attack data driven applications through code

injection (3, 9)

18. Process of creating computer software (6)

21. Dynamic application Security testing (4)

22. Cross-Site Request Forgery (4)

23. A malware program (5)

24. An open-standard application protocol for directory access (4)

Did you hear about Code Injection Attack?

Code injection attack could be disastrous as attackers may inject harmful code that can change the desired course of execution.

(More details can be found in https://www.owasp.org/index.php/Command_Injection)

We are overwhelmed by the responses and solutions received from our enthusiastic readers

Congratulations !for ALL correct answers to May 2014 month’s crossword received from the

following readers:.

Dr. Madhu S Nair (Dept of Computer Science, University of Kerala, Kariavattom,

Thiruvananthapuram, Kerala), Jestin Joy (Dept of Computer Applications,

Cochin University of Science and Technology, Kerala) and Kamala Kannan K

(Dept of Computer Science & Engineering, Anna University, Chennai)

1 2

3 4

5 6

7

8 9

10

11 12 13

14 15

16

17 18

19

20 21

22

23 24

25

26

27

CSI Communications | June 2014 | 39

Ask an Expert Dr. Debasish Jana

Editor, CSI Communications

Your Question, Our Answer“The more you like yourself, the less you are like anyone else, which makes you unique.”

~ Walt Disney

On C++ Multiple Inheritance and Virtual Base ClassFrom: Ansuman Mahanty, Dr. B. C. Roy Engineering College, Durgapur, West Bengal

I am getting few compilation errors for the following program. This is giving an error where I am using multiple inheritance using virtual base class. What and why it went wrong in compilation?

1. #include<iostream>2. using namespace std;3. class Base4. {5. public:6. Base(int i) {7. cout << “Parameterized Base constr called\n”;8. }9. };10. class Derived1: public virtual Base11. {12. public:13. Derived1() : Base(0) {14. cout << “Default Derived1 constr called\n”;15. }16. };17. class Derived2: virtual public Base18. {19. public:20. Derived2() : Base(0) {21. cout << “Default Derived2 constr called\n”;22. }23. };24. class Grand_child : public Derived1, 25. public Derived226. {27. public:28. Grand_child() {29. cout << “Default Grand_child constr called\n”;30. }31. };32. int main()33. {34. Grand_child d;35. return 0;36. }

The compilation errors are:

main.cpp: In constructor ‘Grand_child::Grand_child()’:main.cpp:28:17: error: no matching function for call to ‘Base::Base()’ Grand_child() { ^main.cpp:28:17: note: candidates are:main.cpp:6:2: note: Base::Base(int) Base(int i) { ^main.cpp:6:2: note: candidate expects 1 argument, 0 providedmain.cpp:3:7: note: constexpr Base::Base(const Base&) class Base ^main.cpp:3:7: note: candidate expects 1 argument, 0 providedmain.cpp:3:7: note: constexpr Base::Base(Base&&)main.cpp:3:7: note: candidate expects 1 argument, 0 provided

A In virtual inheritance, in this particular example, the default Base constructor (constructor that does not take any argument) is being called from Grand_child constructor. Normally a derived class’s constructor calls the super or base class constructor either explicitly or implicitly. For example, in your example, Derived1 default constructor is explicitly calling Base constructor with integer argument as it is written as:

Derived1() : Base(0) {

However, if you would have written as below:

Derived1() {

Then, Derived1 default constructor would have implicitly called Base constructor without any argument i.e. Base’s default constructor.In Grand_child constructor, it’s written as:Grand_child() {This is equivalent to:

Grand_child(): Derived1(), Derived2(), Base() {That is implicit default constructor call of Base as well as implicit default constructor call of Derived1 and Deribed2, order is Base, Derived1, Derived2 constructors . Because of virtual inheritance, the Grand_child constructor will call Derived1 and Derived2 constructor but in turn, Derived1constructor cannot call Base constructor. Similarly for Derived2 constructor when called by it’s derived class i.e. Grand_child constructor. So, the solution is that you require a default constructor in Base as:

Base() { cout << “Default Base constr called\n”; }

So, the corrected program is as below:

1. #include<iostream>2. using namespace std;3. class Base4. {5. public:6. Base() {7. cout << “Default Base constr called\n”;8. }9. Base(int i) {10. cout << “Parameterized Base constr called\n”;11. }12. };13. class Derived1: public virtual Base14. {15. public:16. Derived1() : Base(0) {17. cout << “Default Derived1 constr called\n”;18. }19. };20. class Derived2: virtual public Base21. {22. public:23. Derived2() : Base(0) {24. cout << “Default Derived2 constr called\n”;25. }26. };27. class Grand_child : public Derived1, 28. public Derived229. {30. public:31. Grand_child() {32. cout << “Default Grand_child constr called\n”;33. }34. };

35. int main()

36. {

37. Grand_child d;

38. return 0;

39. }

And, now, it compiles and runs fi ne.

The output is as below:

Default Base constr calledDefault Derived1 constr calledDefault Derived2 constr calledDefault Grand_child constr called

Do you have something to ask? Send your questions to CSI Communications with subject line ‘Ask an Expert’ at email address csic@csi-india.org

CSI Communications | June 2014 | 40 www.csi-india.org

Happenings@ICT H R Mohan

President, CSI, AVP (Systems), The Hindu, ChennaiEmail: hrmohan.csi@gmail.com

ICT News Briefs in May 2014The following are the ICT news and headlines of interest in May 2014. They have been compiled from various news & Internet sources including the dailies - The Hindu, Business Line, and Economic Times.

Voices & Views• About 70% of the global off shoring

capability is centered around India – Cap Gemini.

• With many subscribers holding multi-SIMs, the company sees an opportunity as the total number of Indian mobile users will not be more than 500-550 million – Idea Cellular MD.

• The tele-shopping market in India is estimated to be worth Rs. 2,000 crore and has been growing at more than 40% over the last four-fi ve years.

• IT infra market will touch $1.9 b this year and will touch $2.35 billion by 2017 – Gartner.

• The global IT services opportunity by 2017 will be $752 billion and that for APJC is forecast to be $159 billion with $11.9 billion as Indian share having a CAGR of 10.2% - IDC.

• There are over 350,000 telecom towers in the country and a substantial number of them are still not connected to the power grid.

• At least 20 per cent of the villages in the North-East do not have mobile connectivity - TRAI.

• The Indian analytics market is set to be $1.15 billion by 2015 from the current $ 375 million with over 500 companies operating in this segment.

• India today has a little over 2,630 MW of solar and about 20,000 MW of wind power capacity. The growth in both these major has been far below potential.

• Flipkart.com, acquiring fashion e-retailer Myntra.com is seen as an early phase of consolidation in the Rs. 62,000-crore e-commerce market.

• Oracle’s victory over Google on API copyright may impact software development.

• The digital payment industry is expected to grow at 40% to touch Rs. 120,120 crore by end 2014. Out of around 800 million online transactions in 2013, nearly 53 per cent were done through credit (21%) and debit (32%) cards.

• Cisco estimates that about 50 billion devices will be connected to the Internet by 2020.

• India is aiming for a big chunk of China’s domestic IT-BPO business, which is estimated to grow to $84 billion in the next six years.

Govt, Policy, Telecom, Compliance• IPR: US does not blacklist India.• The DoT is planning to set up an

application development center to provide testing facilities, support for launch and commercial run and storage capacities to

selected entrepreneurs, .with an outlay of Rs. 1,000 crore over a three-year period.

• The National Telecom Policy 2012 targets 175 million broadband subscribers by 2017 and 600 million by 2020. Rural telecom penetration in India is targeted to be 70% by 2017 and 100% by 2020.

• DoT seeks infra sector tax breaks for tower fi rm.

• BSNL exploring ways to improve Internet connectivity in north-eastern States

• The National Cyber Safety and Security Standards will release a comprehensive set of guidelines for private and public sector companies to secure their online data.

• Telecom user-base rises to 933 million in March. The country’s overall wireless tele-density rose to 72.94.

• Rs. 5,000-cr project to improve mobile connectivity in North-East through Universal Service Obligation Fund.

• The Kerala cell of Telecom Enforcement Resource and Monitoring (TERM), under Telecom Dept., has given clean chit for mobile towers in the State in respect of compliance to radiation norms.

• DIPP Secretary discusses FDI in e-commerce with industry.

• Nasscom expects Modi to make India fully digital.

• As Narendra Modi took charge of the BJP’s Parliamentary Committee, the twitter handle @PMOIndia was renamed @PMOIndiaArchive.

IT Manpower, Staffi ng & Top Moves• BPO fi rm EXL may hire 6,000 this fi scal.• Cognizant ended the March quarter with

around 178,600 employees of which 167,300 were service delivery.

• Low-skilled IT jobs ‘grounded’ as fi rms look for ‘cloud’ professionals.

• US war veterans are increasingly hired by Indian BPO fi rms.

• 5,000 workers at Nokia Chennai plant opt for voluntary retirement scheme.

• The analytics professionals in India obtain a 250% hike in their salaries from entry level analysts to manager.

• Infosys stops giving loans and advances for employees for car, home, personal computer, telephone, medical, marriage, education and personal loans, salary advances, and loans for rental deposits, ranging from one month to eight years. It has $41 million in these kinds of loans and advances.

• Nandan Nilekani is the top choice of Infosys employees for the new CEO’s job.

• Infosys received 9.11 lakh job applications in 2013-14 while touching the record 14.23 lakh in 2005-06.

• Infosys President BG Srinivas resigns.Company News: Tie-ups, Joint Ventures, New Initiatives• Ericsson in India now has the largest

number of employees (18,000) making it the largest operations for the telecom equipment maker in the world.

• Technopark–based Seaview Support

Systems is introducing MobScan, a

computer mouse with in-built scan

technology.

• India is the hub of innovation and delivery

for Cap Gemini, and its headcount in

India crossed 50,000 recently making it

the largest employee base in the world.

It employs a total of 1.34 lakh personnel

across 44 countries.

• Autodesk to sell software under monthly

installment scheme. Its entire software

portfolio free of charge for students

across India.

• Happiest Minds is creating a platform

that will help the company bag deals in

the Internet of Things (IoT) or machine-

to-machine solutions.

• Out of 60,000 student innovators, a team

from Hyderabad wins Microsoft Imagine

Cup.

• Brands are earmarking about 10-20% of

their total advertising spend on digital

marketing, of which selfi e campaigns are

becoming a major part.

• Cognizant is betting on Code Halo – the

information fl owing between computing

devices – to drive its consulting business.

• Infotech Enterprises renamed as Cyient,

targets $1-billion revenue.

• ItzCash eyes 60% growth in pre-paid

consumer cards.

• Hannover Milano Fairs, will hold the

world’s largest IT trade exhibition, CeBIT,

for the fi rst time in India during Nov 12-14

at Bangalore.

• Viom Networks, Japan’s NEDO tie up to

cut diesel use in towers.

• LED TV maker Vu Technologies goes

online to sell more and cheaper too.

• IBS Software tooling up Gatwick airport

operations.

• Lean Start up is a methodology that asks

entrepreneurs to vet their ideas with

stakeholders, get feedback and fi ne-tune

the idea before going ahead with product

development.

• Election results drive data usage for

telecom fi rms.

• IIIT Hyderabad to handhold start-ups with

early-stage funding, mentoring.

• Samsung’s new series of printers

with near-fi eld communication (NFC)

capability, which will allow printing from

smartphones.

• Microsoft launches a new initiative -

ThinkNext partnering with iSPIRT and TiE.

• Ojus ATM employs a range of modern

and traditional global health practices,

such as AYUSH (ayurveda, yoga, unani,

siddha and homeopathy), acupuncture

and energy medicine.

• Microsoft unveils Skype Translator n

CSI Communications | June 2014 | 41

On the Shelf!

Book Review »

Code HalosHow the Digital Lives of People, Things, and Organiza ons are Changing the Rules of Business

Book Title : CODE HALOS

Author : Malcolm Frank, Paul Roehrig and Ben Pring

ISBN : 978-81-265-4860-6

Price : Rs. 599/-

Publisher : Wiley India Pvt. Ltd., New Delhi.

Mrs. Jayshree A Dhere

Resident Editor, CSI Communications

We welcome the arrival of a book titled Code Halos from Wiley India and present here a brief review of this thought provoking book for all those who are concerned with the new age economy, changing nature of business and survival in the new world created by the digital disruption happening all around us. The book is described as a Playbook for Managers. It is written by three authors Malcolm Frank, Paul Roehrig and Ben Pring who are the men behind Cognizant’s Center for Future of Work. Based on the insight they have gathered through the years of their experience of engaging with various clients for helping them create business advantage with the available new technologies, they see a kind of signifi cant pattern emerge, which they name as Code Halo Solutions and present in this book a framework that is useful for all types of businesses and people who intend to start and win their digital journey in years to come.

The term Code Halo is defi ned as the fi eld of information that surrounds any noun – any person, place or thing. Authors describe the word “halo” as the one that refers to the data that accumulates around people, devices and organizations, to the data that is robust, powerful and continually growing in richness and complexity. There is “code” contained in these halos and authors go about explaining how companies, brands, employers and partners can use it for enhancing their understanding of people and objects more deeply, since it is not easy to decode the information within the invisible fi eld. Authors write about how new business models that are commercially viable can be created out of the knowledge gained and state that this simply cannot happen automatically.

The book has three parts – fi rst part is all about Digits over Widgets. In this part it is explained how handful of companies - like Amazon, Apple, Facebook, Google, Netfl ix and Pandora – collectively generated $1 trillion of market value during the past decade by leveraging consumer technologies in new ways. They transformed customer expectations, established new operating models and violently disrupted about a dozen mature industries – such as Nokia, Motorola, Borders, Barnes & Noble, AOL, Blockbuster, HMV and so on – who lost on average more than 90% of their 2003 enterprise value. Authors assign the success of the trillion-dollar club to the common denominator that is at the heart of the business models of these

new age companies and that is : the creation and management of Code Halos.

Next they go onto introducing the SMAC Stack, which is the foundation that makes creation of Code Halos possible. The SMAC Stack has four components viz. Social, Mobile, Analytics and Cloudwhich provide the infrastructure for the Code Halo economy. While explaining the importance of the rich customer experience created by new age companies, authors give an example of a local bank where you might be a customer for 15 years and upon inserting your ATM bank card, the fi rst thing you see is Press 1 for English, Press 2 for … etc. The sophisticated fi nancial institution which claims to be your partner does not know what language you speak. They help you carry out your fi nancial transactions and would have record of all of their details but do not know what language you speak. They only know that what is in their system of records rather than what is in your Code Halo. It feels that they don’t know you and your real fi nancial life. This is an example of how traditional business is unaware of the Code Halos surrounding people. This is but natural because mere deployment of SMAC Stack of technologies is not suffi cient. Creating Code Halos and deriving meaning out of them requires their integration into well-codifi ed and well-understood business processes – such as sales, customer service, research & development or supply-chain management.

In the light of this, authors describe fi ve business code halos viz. Customer, Product, Employee, Partner and last but not the least Enterprise itself. Customer Code Halo is important for relationship building while Product Code halos help shift value from Widgets to

Digits which is becoming richer due to Internet of Things. Employee Code Halos provide new ways for team members to connect and solve problems, while Partner Code Halos are weavers of webs. The Enterprise Code Halo is an aggregate of four other code halos and hence a Brand aggregator. Creating winning Code Halo Solutions is far more than just deploying one or two elements

of SMAC Stack technologies and hence authors devote a complete chapter to discuss the anatomy of a winning code halo solution. They state that 5 elements are essential for such a solution viz. – Amplifi er, Application Interface, Algorithm, Data and Business model. Authors provide numerous examples based on trillion-dollar club organizations to explain in detail the meaning of these fi ve elements. In the process they provide four anatomy lessons and also explain what should not be done and provide examples of failure as well such as say Microsoft Zune.

While explaining the key importance of SMAC Stack, authors compare it with steam power, steel and electricity which fueled the

The term Code Halo is defi ned as the fi eld of information that surrounds any noun – any person, place or thing. Authors describe the word “halo” as the one that refers to the data that accumulates around people, devices and organizations, to the data that is robust, powerful and continually growing in richness and complexity.

CSI Communications | June 2014 | 42 www.csi-india.org

industrial corporate model, and inform that the new technology stack is providing the foundation for knowledge corporate model. In coming five years they suggest that organizations of all sizes will need to develop mastery of SMAC technologies, which is easier said than done. They address the problem of making sense of this new wave of technology to seize competitive advantage by providing historical perspective of corporate computing to see where and how the SMAC model fits today; by providing overview of current SMAC technologies and their pervasiveness and describing view of how this model is already upending several established industries. So far as historical perspective is concerned they place the SMAC stack in the fifth wave of corporate IT – mainframe (1960-76), minicomputer (1976-92), client/server (1992-2002) and Internet PC (2002-12) being the first four waves. Each wave had a “killer” technology application such as general ledger with mainframe, ERP with client/server and eCommerce with the Internet PC. Each wave is represented as “S” curve since business productivity which these technology models created in the form of cost savings, revenue generation, or productivity gains would form an S shape over time. One key message that authors give is that these technologies need to be deployed in an integrated manner in order to create the technology architecture for the new age business since SMAC stack’s power and value only comes when these technologies work in harmony. They are not simply glued onto traditional corporate model but in many cases they are creating entirely new business model. Authors provide examples of Wikipedia over Encyclopedia Britannica and Craiglist over newspaper ads to elaborate the impact of the power of appropriate implementation of SMAC stack.

While explaining how and where Code Halo solution concepts apply to an organization, and where they can fi nd a starting point, authors provide an answer in the form of Crossroads Model which they have developed based on their research fi ndings and their consulting work with many leading companies. For any organization starting on the digital journey, while external factors like nature of their products and/or services, industry structure, and customer base’s demographics do have an impact on next steps to be taken, the internal factors like organization culture (does it support change?), IT team (is it strong having right capabilities?) and organization’s execution capability also play a role. Authors explain the fi ve stages of the Crossroads model for winning with Code Halos viz. – Ionization (fertile context for innovation), the Spark (where Code Halos emerge in an industry), Enrichment (when the code Halo solutions scale) and the Crossroads (where markets fl ip). They provide examples to explain Crossroads model across multiple industries.

Last chapter in the fi rst part of the book is devoted to Code halo Economy where economics of information is explained. Although one might be excited about bringing Code halos to the organization, important questions to ask are what is it going to cost and what fi nancial returns can be expected for the organization. To understand Code Halo economics, authors collaborated with Oxford Economics and futurist Thornton May to survey 300 Global 2000 corporations and interviews were conducted with leading companies in insurance, banking and fi nancial services, healthcare, life sciences, technology, consumer goods/retail, manufacturing and communications/media across the US, UK, Germany and France. Authors found through this research that among those who participated in their research, investment in business analytics yielded an average 8.4% increase in revenues and an average of 8.15% improvement in cost reductions in last fi nancial year – resulting in $766 billion in economic benefi t over

the previous year. This indicates how meaning makers are winning based on code. Thus authors predict that separating ‘Signal’ from ‘Noise’ will be the killer business skill over the next decade. This chapter provides information on how to make meaningful returns.

While people and organizations are still creating map for the way forward, authors claim that they already know a lot about what works and what does not and provide advice on some critical rules to follow so that the chances of success signifi cantly increase. Part II of the book has four chapters explaining four principles of success in the Code Halo Economy. These are – Delivering beautiful products and experiences, Not being evil (Earning and keeping trust in the transparent world), Managing your career based on Code (Winning in the Wierarchy) and fi nally Making IT your Halo Heroes (in short Transforming your Technology Organization). Chapter on “Not being Evil” is especially important for all those people who are frightened by the sudden threat to privacy of data and various vulnerabilities of the virtual world, which apparently make it fragile. The chapter puts the dark side of the digitized world into a certain context by providing an example of automobiles - e.g. they discuss that over the past century we have come to a point of equilibrium with cars, balancing the benefi ts with the inherent risks. As awful as car-associated crime is, we accepted a certain level of carjackings, drive-by shootings, smuggling, drunk-driving accidents, road rage and basic car theft as part of downside of personal transportation. We don’t live in the fear of our cars as we have learnt how to manage the risks. In the same manner, we need not be afraid of the reducing level of privacy and many threats of the virtual world but we should learn to balance the risks and gain from the benefi ts of digital revolution. The chapter also talks about how the meaning of privacy is evolving in the new age and why the law will never be able to catch up with the changing world. The chapter provides advice on how action can be taken to avoid evil, and what organizations can to do build trust among their customers.

Changing structure of organization in the digital world is termed as Wierarchy as against Hierarchy and authors provide advice on how to manage one’s career in this new fl attened structure. Finally they provide advice for aligning IT along three horizons – extend and defend core businesses, build emerging businesses and third creating viable options. In addition to aligning IT, two more critical suggestions are provided for IT departments – one to fund their own transition and second to tear down the wall between the IT and the business.

The third part of the book provides more tactical details for the

Crossroads model and how to apply it to organization’s challenges and

opportunities. There is a chapter telling on how to seize advantage during

ionization by sensing, innovating and preparing to pilot. Next there is a

chapter which talks about creating a spark by piloting the best Code Halo

solution and another chapter on enriching and scaling at Internet speed

which helps turn a spark into a blaze and fi nally a chapter that provides

insight on winning in the new code rush. There are detailed instructions

in each chapter on how to go about achieving this. In the conclusion,

authors say that by 2020, much will change and ultimate success will

require open mind, perseverance and courage. They make a strong

argument that very existence of organization’s business can become

diffi cult if the organization does not venture to adopt data and analytics.

With this book authors have provided clues on how to ride the new wave

of digital disruption confi dently and affi rmatively.

The book is a must read for variety of readers ranging from those

in business as well as those who intend to manage their careers in the

new age economy as the book is all about understanding the Future

of Business which is being shaped by ever growing digitization. It

provides food for thought and for debates on a variety of topics like

how to deploy the new age technologies in the best possible manner,

new meaning of data privacy, transformation of IT organizations, need

of new age regulations and so on. n

The book is a must read for variety of readers ranging from those in business as well as those who intend to manage their careers in the new age economy as the book is all about understanding the Future of Business which is being shaped by ever growing digitization.

CSI Communications | June 2014 | 43

Application for Travel Grants to Researchers

Research Committee of Computer Society of India has decided to fund CSI Life Members and CSI Student Members to the extent of Rs. 25000/ for

travelling abroad to present research papers at Conferences.

CSI Life Members/ CSI Student Members who have been invited to present papers abroad and have received partial or no funding are eligible to apply

for the same. In case of multiple authors of a research paper, only one author is eligible to apply.

Applications should be sent by email to div-5@csi-india.org with the Subject : Travel Grants with the following details.

1. Name of the Applicant, Organization Details and Bio Data of Applicant

2. CSI Life Membership/ CSI Student Membership Number

3. Name of the International Conference with details of the organizers

4. Venue and Date of the Conference

5. Copy of the Research Paper

6. Copy of the Invitation Letter received from the organizers

7. Details of funding received from/ applied to, any other agency

8. Justifi cation for requesting support ( in 100 words)

9. Two References (including one from head of the organization/institution)

Interested members have to apply within July 31, 2014 for Conferences held before October, 2014.

Please note that CSI intends to make it an ongoing process and provide travel grants every six months.

Dr Anirban BasuChairman,

CSI Research Committee and Division V (Education and Research)

CSI History – Update & AppealAs Computer Society of India (CSI) will be turning 50 in 2015, a series of Golden Jubilee events/activities are planned in the coming

two years. In this context, a compilation on “CSI History” - highlighting the signifi cant milestones of CSI from its inception is being

brought out.

To facilitate the compilation, inputs are requested from CSI Chapters, CSI members and all who have been associated with CSI at

various capacities at the chapter, regional, national and international levels. Kindly provide us with all possible information relevant

to this compilation as write-ups, documents, publications, photographs and in all other forms at your earliest.

Until now, the response to our requests HAS NOT BEEN VERY SIGNIFICANT. We had received inputs from a limited no. of people

and chapters. You may see all the inputs received and stored in a shared folder at http://goo.gl/ou0zJ

We value your contributions and involvement in shaping the CSI and promoting its objectives over the years. Inputs on signifi cant events,

happenings, initiatives & activities during your long and fruitful association with CSI will be very useful in creating the CSI History.

The successful compilation of CSI History highlighting the signifi cant milestones of CSI from its inception depends on the quantum

and quality of inputs we receive from you all.

In this context, once again we request you to provide us with all information relevant to the proposed History of CSI as brief write-

ups, documents, publications, photographs and in all other forms at your earliest. We will use your contributions in the primer with

due acknowledgement.

While soft copies of the inputs can be sent by email to csi.history@gmail.com the hard copies (documents/publications/photos/)

may pl. be sent to:

Director - Education, Computer Society of India, Education Directorate, CIT Campus, IV Cross Road, Taramani, Chennai - 600113.

Ph: +91-44-22541102 / 1103 / 2874.

After use, they will be returned back to you if you desire. The inputs provided will be used with suitable acknowledgement.

We request your valuable inputs and support in this activity of creating a comprehensive History of CSI.

CSI Communications | June 2014 | 44 www.csi-india.org

CSI Report

Interventions in Integration – Promoting Digital Inclusiveness The Initiatives of Computer Society of IndiaComputer Society of India (CSI) has been in the service of the nation for the last 50 years. In this special year of its Jubilee, CSI has embarked initiatives of social relevance and human virtues in reciprocation to the support and encouragement showered upon the organization.

The Special Child has been a challenge for educationists, sociologists, and certainly to the parents and the family. CSI has launched few simple initiatives aimed at alleviating the issues surrounding the special child, normally destined to seclusion and segregation.

The CSI “Interventions in Integration” deploys technology as the basic platform of operation. The challenge is to utilize the features and advantages of computers to lessen the daily hardships and transform the special child to a contributing member of the mainstream society.

CSI envisions to impart simple knowledge and basic skills on computers to the special children, primarily awakening an interest and affi nity to the technology. Quite often, the Mentally Challenged Child, particularly the mild categories, possesses residual abilities and cognition in specifi c domains, say, numbers, arithmetic, basic science, geography, etc. These may not be high level skills, but still remarkable with potential and utilizational value. At times the skills are obscured by defi ciencies in expression or speech, but the skills do exist and can be detected and developed systematically.

The challenge to the trainers is to explore the abilities and to create plans for comprehensive growth. Technology acts as the enabling medium facilitating the transition of the special child.

CSI has recently launched a special training programme to teach the basic computer familiarity to a pilot group of Mentally Challenged Children. They volunteered for the programme, and were found to be enthusiastic, with clear objectives and aspirations. The children have become keen students of computers, considering vocations in accounting, offi ce activities, and other options requiring the

basic computer familiarity. The children were a group of four namely Kishorekumar, Chittesh, Pavithran and Anupriya.

The group has displayed good grasping abilities. In spite of the diffi culties of expression and speech, the understanding of the subject is encouraging. The students appear excited and motivated after their initial induction to technology, and they are even getting impatient to study more and work on the systems, and even to quickly grab some jobs!

The CSI Programme incorporates training the Mentally Challenged children in the fundamental operations of computers and introducing them to the frequently used software products such as MS Offi ce. In addition, the basics of accounting are also proposed to be of use to them in pursuing a career. In this case, the skills in the accounting software Tally are being imparted. This programme is scheduled to be of 15 to 20 days duration, and is customized to the learning pace of the students. The programme is fl exible enough to be modifi ed in contents and delivery to suit the learning abilities and the performance pattern of every individual student.

In this pilot attempt, four children (three boys and one girl) are getting trained at the CSI Education Directorate at Taramani. Parents of the children are also involved in the training process which is being handled by ED staff Ms. Sri Vidya and Ms. Miraclin as computer trainers with good exposure to packages. After completion of the training and review, CSI plans to design technical courses for the special children, to enable them to the benefi ts of technology, the vehicle for transformation. CSI fervently hopes to transport the special children to the world of opportunities and participation by these technology initiatives, which will help them to lead meaningful lives.

CSI has also trained nearly 300 Special Educators in software packages for the Integrated Assessment, Evaluation and Programming of Mentally Challenged Children partnering with Media Lab Asia and Centre for Development of Advanced Computing (CDAC).

This software accepts inputs from the interdisciplinary team of special educators to create individualized plans for training. The system integrates the three major RCI approved evaluation and assessment methodologies such as FACP, MDPS and BASIC-MR and FACP-PMR. Algorithms have been drawn from the currently followed

manual processes. Strength and needs of each individual are suggested based on these algorithms. Areas of achieved independence, areas required for strengthening and problem areas are identifi ed for each person. Based on this analysis, optimal long term goal and short term objectives are identifi ed and suitable lesson plan is recommended for each. A grouping algorithm incorporated in the tool helps to create homogenous groups for group teaching of the special children.

The system has inbuilt facility for periodic assessment and evaluations. It also helps the special educators to arrive at a comprehensive picture of an individual’s performance level in adaptive behaviour. The system follows the principle that the assessment is the fi rst necessary step in program planning, followed by the designing of Individualized Program Plan. It also provides a platform for the quarterly evaluation to determine the eff ectiveness of the program. New goals and objectives can be set, if needed. The software is equipped to manage the programming of the special child from three to eighteen years.

The system enhances the uniformity in evaluation, reducing the subjectivity factor. Graphical representation of the development pattern of the special child is a major advantage for parents and teachers. The system decrease the cumbersome manual tasks, and consequently, the special educators get more time to take care of the real developmental needs of the special child. The system, created by a technical partnership between the research laboratories of CDAC Trivandrum and Media Lab Asia, has already been deployed at several special schools.

In keeping with the lofty objectives, CSI looks forward to more opportunities in serving the country. CSI hopes to promote Digital Inclusiveness by these initiatives and interventions to take technology to all segments of society, to ensure that the advantages of technology benefi t everyone including the last and the least. CSI shall endeavour to make this transformation possible in the Golden Year of service to the nation. n

CSI ED trainers Ms.Miraclin and Ms. SriVidya training the MR Children along with their parents

CSI President Mr. H.R. Mohan with the MR Children, their parents and ED staff

CSI Communications | June 2014 | 45

CSI Reports

From CSI SIGs / Divisions / Regions and Other News »Please check detailed reports and news at:

 http://www.csi-india.org/web/guest/csic-reports

SPEAKER(S) TOPIC AND GISTELECTRONICS AND COMMUNICATION SCIENCES UNIT, INDIAN STATISTICAL INSTITUTE WITH CSI KOLKATA CHAPTER AND DIVISION II-SOFTWARE, IEEE CSI COUNCIL, IFIP

Prof KS Ray, Prof Bimal Kumar Roy, Prof D Dutta Majumder, Prof Greg Adamson, Prof TV Gopal, Dr MGPL Narayana, Prof B Chanda, Mr FC Kohli, Prof Aditya Bagchi, Dr Arundhati Bhattacharya, Dr Supriya Kummamuru, Dr Pinakpani Pal, and Dr Swagatam Das

Informa on is informa on, not ma er or energy.—Norbert Wiener, Cyberne cs: Or the Control and Communica on in the Animal and the Machine

7 March 2014: Seminar on “Norbert Wiener, Cybernetics, Humanity & Technology”

Prof Ray gave presentation on the life and works of Norbert Wiener.

Prof Majumder spoke on his association with Prof Wiener during his visit

at ISI in 1955-56. Prof Greg Adamson of University of Melbourne, Australia

delivered an illuminating lecture on Norbert Wiener through SKYPE.

He presented not only Norbert Wiener’s life and work but also about

his stay in India and his views about India. He made analyses of close

resemblances of Prasanta Chandra Mahalanabis and Norbert Wiener on

various scores. Dr Narayana spoke on genesis of formation of Cybernetics

Centre at Hyderabad. Mr Kohli, student of Norbert Weiner, dwelt on

Cybernetic Approach for Business Solution Design. He discussed several

terms like Cybernetics Infl uence Diagram (CID) in the context of today’s

application of cybernetics in business as solution providers. Dr Arundhati

gave presentation on “Cybernetics and Science of Military Command

and Control”. She emphasized the need of training and methodologies in

Command and Control 2W and the relevance of cybernetics in this area.

She presented a case study on Indian BMD – Ballistic Missile Defence.

Dr Kummamuru gave presentation on “Evolution of a Cybernetic Model :

Outcome of TCS Consulting Practice”. She made use of several diagrams to

show use of cybernetics in emerging area of consulting practice. Prof Gopal

started his presentation on “What impacts the Progress of Cybernetics?’.

In his presentation, he had many other posers, particularly in the arena of

future of cybernetics and introduced several terms for explaining study,

understanding future and new cybernetics, as emerging in a multiplicity

of fi elds.

CSI UDAIPUR CHAPTER, SIG-WNS, THE INSTITUTION OF ENGINEERS (INDIA) UDAIPUR LOCAL CENTER

RS Vyas, Prince Komal Boonlia, Dr Dharm Singh, Dr BR Ranwah, AS Choondawat and Dr Navneet Agarwal

Guests, organizers and par cipants

17 May 2014: World Telecommunication and Information Society Day

(WTISD) 2014

Chief Guest Vyas congratulated organizers for celebrating this day to draft

the policies which is need of the hour. Mr Boonlia discussed about various

threats due to increasing use of Internet and suggested various remedies

for the same. Dr Dharm Singh talked about various broadband protocols in

use, generation gap in Internet technologies and devices from traditional

to modern ones. Dr BR Ranwah spoke about activities to be organized in

near future. Mr Choondawat spoke about key areas of telecommunications.

Essay competition was organized on 12 May as part of celebration of WTISD

Day on the theme "Broadband for Sustainable Development".

Dear CSI Member -

Your hard copy of CSI Communications magazine is sent to the address, which you have provided to CSI. Please ensure that this

address is correct and up-to-date.

In case you need any help from CSI, please write an email to helpdesk@csi-india.org for assistance.

You may send your feedback and comments on the contents of CSI Communications - Knowledge Digest fo IT Community to

csic@csi-india.org.

- On behalf of editors of CSI Communications.

CSI Communications | June 2014 | 46 www.csi-india.org

CSI News

From CSI Chapters »Please check detailed news at:

 http://www.csi-india.org/web/guest/csic-chapters-sbs-news

SPEAKER(S) TOPIC AND GIST

CHENNAI (REGION VII)HR Mohan, Prof. CR Muthukrishnan, Prof. S Karmalkar,

Prof. San Murugesan, Prof. LS Ganesh, Prof. Feroz Ali

Khader and Prof. Gopalaswamy Ramesh

3 May 2014: Workshop on “Avoiding the Risks of Plagiarism in Research Publication”

Mr. Mohan briefed on the importance of avoiding plagiarism and informed

that this program would be repeated at diff erent parts of the country in

clusters of educational institutions. Prof. Muthukrishnan delivered keynote

address highlighting about plagiarism, potential dangers and tips to avoid.

Other sessions were - Research writing and plagiarism: An introduction by

Prof. Karmalkar, Why you should prevent plagiarism? by Prof. Murugesan,

Issues in research writing in social science and management by Prof. Ganesh.

Copyright and copyright infringement in publication by Prof. Khader, Special

considerations in writing for publications in computer science and software

engineering by Prof. Ramesh.

Prof. Karmalkar, HR Mohan, Prof. CR Muthukrishnan, Prof. San Murugesan & Prof. Gopalaswamy Ramesh on the stage

Dr. Robin Jeff rey, Visiting Research Professor at

National University of Singapore & Author of the

Book-"Cell Phone Nation", Dr. Ashok Jhunjhunwala,

Mr. HR Mohan and Mr. VK Cherian

5 May 2014: A lecture session on “Cell phone nation: How mobile phones changed India”

Lecture was organized with IEEE, IEEE CS, IEEE COMSOC, COAI & TCOE.

Mr. Mohan briefed on impact of growth in cellular communications.

The speaker showcased importance and critical part played by mobile

phones and entire communication systems in our day-to-day life tracing

references from his book "Cell Phone Nation", which probed mobile phone

universe in India - from contests of great capitalists and governments

to control Radio Frequency spectrum, to ways ordinary people build

troublesome, addictive device into their daily lives. He elaborated on first

comprehensive study about communication revolution and its impact on

Indian society and highlighted positive impact which mobile telecom

industry has created to improve livelihood of people. He briefly touched

on negative coverage which is appearing due to rumours spread about

effects of EMF radiations from mobile phones and mobile towers.

Dr. Robin Jeff rey, Visi ng Research Professor, Ins tute of South Asian Studies, Na onal University of Singapore & Author of the Book-"Cell Phone Na on"

COIMBATORE (REGION VII)Dr. A Selvakumar, N Valliappan, Dr. R Nadarajan,

Dr. M Sundaresan, L Venkatesan and Prof. Dr. E

Balagurusamy.

30 April 2014: Installation of offi ce bearers 2014–15 and Speech on

"e-Governance"

Mr. Valliappan presented Annual Report of the year 2013-2014 which

was followed by introduction of incoming team by Dr. Nadarajan.

Dr. Sundaresan briefed about new projects planned for the year. Chief

guest Prof. Balagurusamy pointed out lack of responsibility, accountability,

objectiveness and transparency in e-governance. He suggested that

CSI should come forward to solve issues in e-governance. He asked

academicians, industrialists and software experts to encourage young

minds to show their skills in creativity and innovations.

Standing L-R: L Venkatesh, C Ravi, E Chandra Blessie, Dr. Elijah Blessing, Vinoth Rajsingh, Subramani P, S Arumugam, Shankar Dhandapani, Dr. NK Karthikeyan, R Ravikumar, V Sivaramasamy, A Sivabalan, Si ng L-R: N Valliappan, Dr. A Selvakumar, Dr. E Balagurusamy, Dr. M Sunderasan, R Murali

CSI Communications | June 2014 | 47

TRIVANDRUM (REGION VII)Mr. John T. George 3 May 2014: Dr. A.K. Pujari Memorial Speech on “Genesis of CSI-

Trivandrum Chapter”

Mr. George spoke about history of MINSK Computer, which was installed

under his leadership in1965 in ISRO, Trivandrum. He informed that his

association with SR Thakur of PRL, Ahmedabad, founder member of CSI and

National conference of CSI held at Trivandrum in 1968 culminated in formation

CSI-Trivandrum Chapter in 1976. His presentation included old photographs,

paper tape outputs, plots, illustrations, parts like core memory planes and

sample CSI- Communications & newsletters of those days. His talk covered

activities of this chapter in those days as well as the computer usage in R &D

activities in ISRO. He also spoke about stiff resistance for computerization in

local industries, fearing loss of employment opportunities, and also about the

present IT scenario in the state.

Mr. John T. George delivering Dr. A K Pujari Memorial Speech

Offi ce bearers - M Jayalakshmy, Prof K Babu,

Vishnukumar S, Dr. M Sasikumar & Mr Rajesh

Prabhakaran Nair and Ph.D. thesis award winner

Dr. Sreelekshmi

3 May 2014: Award Ceremony during Annual General Body Meeting- 2014

(AGM38-2014)

Offi ce bearers spoke about chapter activities in AGM38-2014. Mr.

Sreekanth P Krishnan announced various awards instituted by the chapter

for the year 2014. 1) Dr. Venkitakrishnan Memorial award (Ms. Dia Nainika

Nair, T.K.M. College of Engineering, Kollam) and 2) Prof. Krihnankutty

Memorial award (Ms. Priyanka Suresh M.S., T.K.M. College of Engineering,

Kollam). Best Project awards to students of B.Tech Course from Engineering

Colleges affi liated to this chapter. First prize was shared for the projects

“Implementation of Effi cient Shortest Path Algorithm” and “Web Application

for crowd Funding” and the second prize for “Education Portal & Admission

System”. Dr. Sreelakshmi, the third prize winner of CSI- India for her Ph.D

thesis was felicitated on this occasion. In reply to the award, Dr. Sreelakshmi

spoke about her thesis on "Steg Analysis".

Mr Sathish Babu handing over the memento to Dr. Sreelakshmi

From Student Branches »(REGION-I)

III UTTRAKAND STATE STUDENT CONVENTION AT BIRLAINSTITUTE OF APPLIED SCIENCES, BHIMTAL�

12th Apr 14 : Prof. Dhami, Vice Chancellor – Kamaun Univeristy with

Prof. Bisht, Director, Birla Inst., Bhimtal inaugurating the Student

convention

30th April 2014 : Ghaziabad Chairman Mr. Saurabh , Director Prof. S C Gupta,

Director D. R. Somashekar, Mr. Anil Ji, Principal Kavita Saxena with prize

winner in quiz contest

RAJ KUMAR GOEL INSTITUTE OF TECHNOLOGY, GHAZIABAD

CSI Communications | June 2014 | 48 www.csi-india.org

(REGION - II)GOVT. COLLEGE OF ENGINEERING & CERAMIC TECHNOLOGY, KOLKATA GOVT. COLLEGE OF ENGINEERING & CERAMIC TECHNOLOGY, KOLKATA

WORKSHOP ON “BIG DATA” WORKSHOP ON “ANDROID APPLICATIONS AND DEVELOPMENT”

22.02.2014 : Mr. Sumit Misra during his deliberation 25.04.2014 : Dr. Debasish Jana during his deliberation

(REGION-III) (REGION-V) MODI INSTITUTE OF MANAGEMENT & TECHNOLOGY KOTA(RAJ.) SRINIVAS INSTITUTE OF TECHNOLOGY, MANGALORE

11.04.2014 : Guest Lecture on Usability Engineering Dr. Mrs. Maya

Ingle, Professor, DAVV, Indore“Basic of NS-2” on 17 – 03 – 14 by Dr. Mohit. P. Tahaliani

(REGION-V) (REGION-VI)CSI STUDENT BRANCH OF GUDLAVALLERU ENGINEERING DEOGIRI INSTITUTE OF ENGINEERING AND COLLEGE, GUDLAVALLERU MANAGEMENT STUDIES, AURANGABAD

Dr. Naveensivadasan delivering guest lecture on Big data computing

on 26th April 2014.

During One-day Rural Reach Program 0n “Science and Technology Meet”

on 7th March, 2014, csi student member demonstrating the use of a Tablet

to the school students

(REGION-VI)MITSOM COLLEGE CSI STUDENT BRANCH, PUNE INSTITUTE OF BUSINESS MANAGEMENT AND RESEARCH (IBMR), PUNE

21st & 22nd March, 2014 “ Understanding the Technology of

Cloud Computing” Dr. C.M.Joshi, Prof. Sadanand Borse, Mr. Sanjay

Suryadevra, Mr. Amol Jadhav , Brig. Harinder Singh

Shekhar Sahasrabudhe, Prof. Asheesh Dixit, Dr.K.Nirmala, Dr.Sandeep Pachpande, Swapnil Shukla & Mayur Tendulkar during the inauguration of a new student branch

CSI Communications | June 2014 | 49

(REGION-VII) AVS ENGINEERING COLLEGE, SALEM EINSTEIN COLLEGE OF ENGINEERING, TIRUNELVELI

02.05.2014: Workshop on by Dr. G.Tholkappia arasu, Principal,

AVS Engineering College

7th Apr 2014 : Dr. R.Velayutham, Prof. A Ezhilvanan, Dr. K Ramar, Prof. M

Suresh & Ms. C Kanthimathi in Code debugging and

C programming event.

RAJAGIRI COLLEGE OF SOCIAL SCIENCES - KOCHI AMRITA SCHOOL OF ARTS AND SCIENCES-KOCHI

20th March 2014: One day Android Workshop inaugurated by Mr.

Biju M G, Chairman, CSI, Cochin Chapter

Two Day Hands on workshop on Agile Software Development on 22nd March,

2014 by Sri. Abhilash Chandran

J AMAL MOHAMED COLLEGE, TIRUCHIRAPPALLI

Winners of overall Champion trophy in Inter-Collegiate Technical

Symposium – SWAP 2K13

Repeating instruction for your Information -

Please send your student branch news to Education Director at director.edu@csi-india.org. News sent to any other email id will not be considered. Low-resolution photos and news without gist will not be published. Please send only 1 photo per event, not more.

Please send your student branch news to Education Director at director.edu@csi-india.org. News sent to any other email id will not be considered. Low-

resolution photos and news without gist will not be published. Please send only 1 photo per event, not more.

CSI Communications | June 2014 | 50 www.csi-india.org

Marking the 50th year of Service, Computer Society of India (CSI) Launches

The CSI Golden Tech-Bridge Programme

In this Golden Jubilee Year, CSI launches the “Golden Tech-Bridge” Programme as an intervention of the organization, to introduce computers and

its advantages to the unexposed sections of society. The one day Programme will be conducted on 9 August 2014 at 50 Student Branches across

the country, with 50 participants each to mark the 50th year of CSI’s services, co-ordinated by the CSI Education Directorate.

Despite the rapid developments, there are still segments of population yet to adopt and get benefi ted from the technological advances. The group is

fairly extensive, comprising of housewives, elders, destitutes, economically disadvantaged, etc. As the nation aspires for digitally inclusive growth, it

is important to assure technology to all citizens. CSI attempts to reach them and teach them, including the last and the least, through this initiative.

The Programme, an initiation to computers, the technology, the applications and the potential consists of lectures on the basics of computers,

common applications, etc., supported by demonstrations and a visit to a factory or a laboratory to directly witness the practical deployment of

technology. The digital divide needs to be demolished and all citizens need to be integrated into the mainstream technology society to reap the

benefi ts of the advancements and to improve the quality of life. This is a modest attempt at the inclusive digital development of the country –

indeed, a tribute from CSI to a great Nation !

All details of the programme are given in the website -  http://www.csi-india.org/golden-tech-bridge-programme . The CSI Education Directorate,

Chennai co-ordinates and implements the Programme. Please contact Mr. Sekar, CSI-ED for information and guidance on 98403-41902 or by eMail

admn.offi cer@csi-india.org .

CSI Membership = 360° Knowledge

Your membership in CSI provides instant

access to key career / business building

resources - Knowledge, Networking,

Opportunities.

CSI provides you with 360° coverage for your Technology goals

Learn more at www.csi-india.org

WE INVITE YOU TO JOINComputer Society of India

India's largest technical

professional associationJoin usand

become a member

I am interested in the work of CSI . Please send me information on how to become an individual/institutional* member

Name ______________________________________ Position held_______________________

Address______________________________________________________________________

______________________________________________________________________

City ____________Postal Code _____________

Telephone: _______________ Mobile:_______________ Fax:_______________ Email:_______________________

*[Delete whichever is not applicable]

Interested in joining CSI? Please send your details in the above format on the following email address. helpdesk@csi-india.org

CSI Communications | June 2014 | 51

(ADVERTISING TARIFF)Rates eff ective from April, 2014

Computer Society of IndiaUnit No. 3, 4th Floor, Samruddhi Venture Park, MIDC, Andheri (E), Mumbai-400 093

Tel. 91-22-2926 1700 • Fax: 91-22-2830 2133

Email: hq@csi-india.org

CSI - CommunicationsCOLOUR

Colour Artwork (Soft copy format) or positives are required for colour advertisement

Back Cover ` 50,000/-

Inside Covers ` 40,000/-

Full Page ` 35,000/-

Double Spread ` 65,000/-

Centre Spread

(Additional 10% for bleed advertisement)

` 70,000/-

MECHANICAL DATA

Full page with Bleed 28.6 cms x 22.1 cms

Full Page 24.5 cms x 18.5 cms

Double Spread with Bleed 28.6 cms x 43.6 cms

Double Spread 24.5 cms x 40 cms

Special Incentive to any Individual/Organisation for getting sponsorship 15% of the advertisement valueSpecial Discount for any confi rmed advertisement for 6 months 10%Special Discount for any confi rmed advertisement for 12 months 15%

All incentive payments will be made by cheque within 30 days of receipt of payment for advertisement

All advertisements are subject to acceptance by the editorial team

Material in the form of Artwork or Positive should reach latest by 20th of the month for insertion in the following month.

All bookings should be addressed to :

Executive Secretary

Computer Society of IndiaTM

Unit No. 3, 4th Floor, Samruddhi Venture Park, MIDC, Andheri (E), Mumbai-400 093

Tel. 91-22-2926 1700 • Fax: 91-22-2830 2133 Email: hq@csi-india.org

Dear Member,

CSI Digital Magazine - DigiMag

Now you can access your daily digest of knowledge CSI – Communications on just one click. Keeping in my mind our members

convenience CSI has launched the new CSI Digital Magazine - DigiMag. Visit www.csi-india.org to access the Magazine

CSI fi rst app - "CSI Communications"Technology is bringing new tools every minute to us. One such tool is the world of Apps. They are easy, handy and fun to experience.

Computer Society of India being the oldest and one of the renowned societies in the IT industry is spreading its wings to reach out to

its members and serve them better with the help of these tools. With this aim we bring to you our very own, the all new and the very

fi rst app – "CSI Communications".

Go to Play store and search for “CSI Communications” to download the same on your android phone. Kindly register to access this app.

Registration link is available on login screen.

Happy Reading!

CSI Communications | June 2014 | 52 www.csi-india.org

CSI Calendar 2014

Prof. Bipin V Mehta

Vice President, CSI & Chairman, Conf. CommitteeEmail: bvmehta@aesics.ac.in

Date Event Details & Organizers Contact Information

July 2014 events

2-5 Jul 2014 National Workshop on Parallel and Hetrogeneous Computing (NWPHC 2014) with focus on "Big data Analytics and Machine Learning "Organized by the Student branch CSI and NVIDIA CUDA Teaching Center at CV Raman

College of Engg., IT dept., in association with CSI div IV.

Mr. A K Sahoo, Dr. Rachita Misra

nwphc2014@gmail.com

4-5 Jul 2014 ICIS-14: International Conference on Information ScienceAt Cochin. Organized by the Dept. of CSE, College of Engineering Cherthala in association

with CSI Cochin Chapter & Div III, IV & V and sponsored by Technical Education Quality

Improvement Programme (TEQIP II). http://www.iciscec.in/

Ms. Sony P

iciscec@gmail.com

August 2014 events

8–9 Aug 2014 ICICSE: II International Conference on Innovations in Computer Science and EngineeringAt Hyderabad. Organized by Guru Nanak Institutions, Ibrahimpatnam, Hyderabad in

association with CSI Div IV

Dr. H S Saini

hssaini@gmail.com

Dr D D Sarma

drddsarma@gmail.com

20 Aug 2014 Workshop on "Ethernet LAN Construction using Crossover and Patch Cable"At Hyderabad. Organized by CSI SB and Dept. of IT, Nalla Malla Reddy Engineering College,

Hyderabad

Mr. K C Arun

hodit@nmrec.edu.in

22-24 Aug 2014 BiDA2014: National Workshop on Big Data Analytics

At Hyderabad. Organised by CR Rao Advanced Institute of Mathematics, Statistics & Computer

Science. Supported by CSI Div III. Website: http://www.crraoaimscs.res.in/bida

Dr. Saumyadipta Pyne

spyne@broadinstitute.org

25-27 Aug 2014 NITC 2014 : ICT For Inclusive Development. Organised by The Computer Society of Sri Lanka (CSSL). At Colombo, Sri Lanka. For CFP and other details, pl. visit http://www.nitc.lk/

info@cssl.lk / events@cssl.lk

28–30 Aug 2014 International Contest on Programming & Systems Development (ICPSD’14)

www.icpsd.gibsbd.org

Dr. Anirban Basu

abasu@pqrsoftware.com

November 2014 events

28-30 Nov 2014 International Conference on Advance in Computing Communication and Informatics Dr. Vishal Singhal, Convener

December 2014 events

12-14 Dec 2014 49th Annual Convention ,Organised by Computer Society of India, Hyderabad Chapter In association with JNTU-Hyderabad & DRDO Theme: Emerging ICT for Bridging Future

At Venue: JNTUH, Kukatpally, Hyderabad

http://www.csihyderabad.org/csi-2014

Sri. J A Chowdary

Sri. GautamMahapatra

csi2014@csihyderabad.org

16-20 Dec 2014 ICISS-2014: International Conference on Information Systems Security.

At Institute for Development & Research in Banking Technology (IDRBT), Hyderabad, India.

Co-sponsored by CSI Division IV and CSI SIG-IS. Website:

http://www.idrbt.ac.in/ICISS_2014/

iciss2014@idrbt.ac.in

19-21 Dec 2014 EAIT-2014: Fourth International Conference on Emerging Applications of Information TechnologyAt Kolkata. Organized by CSI Kolkata at Indian Statistical Institute, Kolkata

https://sites.google.com/site/csieait/ For paper ssubmission visit

https://cmt.research.microsoft.com/EAIT2014

Prof. Aditya Bagchi

Dr. Debasish Jana

Prof. Pinakpani Pal

Prof. R T Goswami

csieait@gmail.com

Registered with Registrar of News Papers for India - RNI 31668/78 If undelivered return to : Regd. No. MH/MR/N/222/MBI/12-14 Samruddhi Venture Park, Unit No.3, Posting Date: 10 & 11 every month. Posted at Patrika Channel Mumbai-I 4th fl oor, MIDC, Andheri (E). Mumbai-400 093 Date of Publication: 10 & 11 every month

ICRITO’20143rd International Conference on Reliability, Infocom Technologies and Optimization

(Trends and Future Directions)October 8-10, 2014 at Noida, India

Organized byAmity Institute of Information Technology, Amity University Uttar Pradesh, Noida, India

In Association withComputer Society of India (CSI) Division IV-Communication

Technically Sponsored by Knowledge Partner IEEE UP Section (India) Project Management Institute (PMI)

In this globally competitive environment scientifi c analysis of system under study is the key issues in attaining market leadership.

This competitive advantage through quality process, product and services in the market place is possible through the development of

knowledge bases and easy access to structured databases on systems, processes and technology based on quantitative study. Further

due to ever emerging new trends of fashion and taste as well as technology, predicting future with certainty can be the daydream.

This theme is most appropriate in the current context as well as in the future. The Conference will not only take stock of trends and

developments at the globally competitive environment, but will also provide future directions to young researchers and practitioners.

Besides, it will help in sharing of experience and exchange of ideas, which will foster National/International collaboration. The Conference

would be of immense benefi t to Management, Researchers, Academicians, Industry and participants from Technical Institutes, R & D

Organizations and students working in the fi eld of IT.

Original papers are invited from research scholars, academicians, students and Industrialists. The topics of the Conference would include

but not restricted to: Quality Assurance, Reliable and Secure Communications, Software Reliability and Testing, Infocom Systems,

Reliability, Power Systems Reliability, Reliability and Maintenance Models, Fault Tolerance in Hardware and Software systems, Free

and Open Source Software, Natural Language Processing, Cloud Computing, Computer Architecture and Embedded Systems, Artifi cial

Intelligence and Expert Systems, Data Mining & Data Warehousing, Network Technologies, Convergence Technologies, Human-Computer

Interface, Information and Network Security, Mobile Computing, Software Engineering, Advances on Computing Mechanisms, Software

and Web Engineering, ICT Act and Cyber Laws, Rural Applications of IT, E-Governance, Soft Computing, Financial Optimization, Inventory

Management, Fuzzy Systems, Knowledge Management, Supply Chain Management, Stochastic Petrinets, Risk Analysis, Infrastructure

Systems Safety and Risk, Probabilistic Fracture Mechanism and Fatigue Analysis, Probabilistic Safety Assessment, Project Management,

Risk Management, Change Management, IT Projects Delivery.

Submissions: Submissions must be of original contributions and should not have been presented or published anywhere. Authors of

the accepted papers must guarantee that at least one of the authors will attend the conference and present the paper. Paper should not

exceed 10 pages following the IEEE format.

Important Dates:

Last date for receiving full paper : July-10-2014

E-mail notifi cation of paper acceptance : July-30-2014

Last date for receiving camera-ready paper with modifi cations : August-10-2014

For Additional Details, Pl. Contact:Prof. Sunil Kumar Khatri, General Chair, ICRITO’2014 at icrito2014@gmail.com

Phone: 0120-4392276-77(O), 8130977443(M)

Website: www.amity.edu/aiit/icrito2014