CSI Communications | June 2014 | 1
www.csi-india.org
ISSN 0970-647X | Volume No. 38 | Issue No. 3 | June 2014 | ₹ 50/-
Cover Story: What, Why and How of Software Security 7
Cover Story: Developing Secure Software 9
Technical Trends: Application Layer Security Solution for Java Based Web Applications 13
On the Shelf!: Book Review of Code Halos: How the Digital Lives of People, Things, and Organizations are Changing the Rules of Business 40
Security Corner: A Case Study of SureSwift Software 35
Article: Reaping ROI from Big Data 28
COER School of Management, College of Engineering Roorkee (COER)
in association with
Computer Society of India (CSI) (Division IV-Communications)
Announce International Conference on Advances in Computing, Communications & Informatics (November 28-30, 2014)
Call for Papers: Original papers are invited on the following Tracks:
TRACK 1: ADVANCED COMPUTING
TRACK 2: COMMUNICATIONS
TRACK 3: INFORMATION TECHNOLOGY & INFORMATICS
TRACK 4: DATA MINING & SOFTWARE ENGINEERING
TRACK 5: E-BUSINESS & GREEN CONVERGENCE SERVICES
Paper Submission Guidelines: Abstract of around 250 words may be submitted to [email protected] and the full paper should be in IEEE format. All the accepted full papers will be published in a peer reviewed Journal/Book which will be published by a National Publisher with ISBN No. For more details download the brochure from www.coer.ac.in
Awards and Certificates
Best PhD Thesis Award: The winner of the contest will be provided a Memento, Certificate and a Cash Prize of Rs 5000.
Best Research Paper Award: The best paper award winners of each track of the contest will be provided a Memento, Certificate and a Cash Prize of Rs 1100.
Important Dates
Abstract submission: July 15, 2014
Acceptance of the Abstract Notification: July 30, 2014
Last date for full length selected papers and payment of registration fee: August 30, 2014
Conference date: November 28-30, 2014
Registration Fee
Students: Rs. 2000/-
Research Scholars: Rs. 2500/-
Academicians: Rs. 3000/-
Corporate Delegates: Rs. 5000/-
International Delegates: $ 200
Residential Delegates*: Rs. 2000/- per day per person on twin sharing basis
Contacts
Dr. Shuchita Sharma, Conference Secretary, HOD MCA, COER SM, Mob: +919675408077
Dr. V. K. Jain, Conference Chairman, Director, COER SM, Mob: +919997692191
Dr. Vishal Singhal, Conference Convener, Astt. Professor, COER SM, Mob: +919412023365
The conference series ICISS (International Conference on Information Systems Security), held annually, provides a forum
for disseminating the latest research results in information and systems security. ICISS-2014, the 10th edition of this annual
conference, will be held at Institute for Development & Research in Banking Technology (IDRBT), Hyderabad, India during
16-20 December 2014. This conference is co-sponsored by CSI Division IV and CSI SIG-IS.
ICISS-2014 encourages submissions from the academia, industry and government addressing theoretical and practical problems
in information and systems security and related areas. ICISS is interested in all aspects of information systems security.
All the previous proceedings of this conference series are indexed by DBLP. The acceptance ratio of the last nine conferences
has averaged less than 30%, and the proceedings have been published as part of the Springer Verlag series of Lecture Notes in
Computer Science.
Manuscript Submission (Full Paper): 14 Jul 2014
Notification of Acceptance: 25 Aug 2014
Camera-ready Manuscript Due: 14 Sep 2014
Further, ICISS-2014 invites papers for the Doctoral Consortium, short talks, and tutorials by 31 August 2014.
For further details, please visit http://www.idrbt.ac.in/ICISS_2014/
Contents
CSI Communications, Volume No. 38 • Issue No. 3 • June 2014
Please note:
CSI Communications is published by Computer
Society of India, a non-profit organization.
Views and opinions expressed in the CSI
Communications are those of individual authors,
contributors and advertisers and they may
differ from policies and official statements of
CSI. These should not be construed as legal or
professional advice. The CSI, the publisher, the
editors and the contributors are not responsible
for any decisions taken by readers on the basis of
these views and opinions.
Although every care is being taken to ensure
genuineness of the writings in this publication,
CSI Communications does not attest to the
originality of the respective authors’ content.
© 2012 CSI. All rights reserved.
Instructors are permitted to photocopy isolated
articles for non-commercial classroom use
without fee. For any other copying, reprint or
republication, permission must be obtained
in writing from the Society. Copying for other
than personal use or internal reference, or of
articles or columns not owned by the Society
without explicit permission of the Society or the
copyright owner is strictly prohibited.
Published by Suchit Gogwekar for Computer Society of India at Unit No. 3, 4th Floor, Samruddhi Venture Park, MIDC, Andheri (E), Mumbai-400 093.
Tel. : 022-2926 1700 • Fax : 022-2830 2133 • Email : [email protected] Printed at GP Offset Pvt. Ltd., Mumbai 400 059.
Editorial Board
Chief Editor: Dr. R M Sonar
Editors: Dr. Debasish Jana, Dr. Achuthsankar Nair
Resident Editor: Mrs. Jayshree Dhere
Published by: Executive Secretary Mr. Suchit Gogwekar, for Computer Society of India
Design, Print and Dispatch by: CyberMedia Services Limited
PLUS
Brain Teaser, Dr. Debasish Jana 37
Ask an Expert, Dr. Debasish Jana 38
Happenings@ICT, H R Mohan 39
On the Shelf!, Mrs. Jayshree A Dhere 40
CSI Report 43
CSI Reports 44
CSI News 45
Cover Story
7 What, Why and How of Software Security
Satish K Sreenivasaiah and Mohan Jayaramappa
9 Developing Secure Software
Sandeep Godbole
11 Security in Software Development
Sunil Bakshi
Technical Trends
13 Application Layer Security Solution for
Java Based Web Applications
Vijay Gulati and Venkata Swamy Bathina
15 Nuts and Bolts of Code Coverage Testing
Abhinav Vaid
Research Front
19 Template Matching Tool for Remote
Sensing Images
Ashish Joshi, Ankit Kumar, Anil Kumar and Ankush Mittal
22 Digital Image Steganography
Anurag Jagetiya and Dr. C Rama Krishna
Articles
26 SQL Injection – Anatomy and Risk
Mitigation
Navdeep Kaur and Parminder Kaur
28 Reaping ROI from Big Data
Binesh Nair
Practitioner Workbench
30 Programming.Tips() »
Fun with ‘C’ programs
Wallace Jacob
Programming.Learn(“R”) »
31 Basic Statistics Using R
Umesh P and Silpa Bhaskaran
Security Corner
32 Information Security »
A Quick Look at Hadoop Security
Paresh Suvarna and Prashant Wate
35 Case Studies in IT Governance, IT Risk and Information Security »
A Case Study of SureSwift Software
Dr. Vishnu Kanhere
Important Contact Details » For queries, correspondence regarding Membership, contact [email protected]
Know Your CSI
Executive Committee (2013-14/15) »
President: Mr. H R Mohan, [email protected]
Vice-President: Prof. Bipin V Mehta, [email protected]
Hon. Secretary: Mr. Sanjay [email protected]
Hon. Treasurer: Mr. Ranga Rajagopal, [email protected]
Immd. Past President: Prof. S V [email protected]
Nomination Committee (2014-2015): Prof. P. Kalyanaraman, Mr. Sanjeev Kumar, Mr. Subimal Kundu
Regional Vice-Presidents »
Region - I: Mr. R K Vyas (Delhi, Punjab, Haryana, Himachal Pradesh, Jammu & Kashmir, Uttar Pradesh, Uttaranchal and other areas in Northern India), [email protected]
Region - II: Mr. Devaprasanna Sinha (Assam, Bihar, West Bengal, North Eastern States and other areas in East & North East India), [email protected]
Region - III: Prof. R P Soni (Gujarat, Madhya Pradesh, Rajasthan and other areas in Western India), [email protected]
Region - IV: Mr. Hari Shankar Mishra (Jharkhand, Chattisgarh, Orissa and other areas in Central & South Eastern India), [email protected]
Region - V: Mr. Raju L Kanchibhotla (Karnataka and Andhra Pradesh), [email protected]
Region - VI: Dr. Shirish S Sane (Maharashtra and Goa), [email protected]
Region - VII: Mr. S P Soman (Tamil Nadu, Pondicherry, Andaman and Nicobar, Kerala, Lakshadweep)
Division Chairpersons »
Division-I: Hardware (2013-15): Prof. M N Hoda, [email protected]
Division-II: Software (2014-16): Dr. R Nadarajan, [email protected]
Division-III: Applications (2013-15): Dr. A K Nayak, [email protected]
Division-IV: Communications (2014-16): Dr. Durgesh Kumar Mishra, [email protected]
Division-V: Education and Research (2013-15): Dr. Anirban Basu, [email protected]
Important links on CSI website »
About CSI: http://www.csi-india.org/about-csi
Structure and Organisation: http://www.csi-india.org/web/guest/structureandorganisation
Executive Committee: http://www.csi-india.org/executive-committee
Nomination Committee: http://www.csi-india.org/web/guest/nominations-committee
Statutory Committees: http://www.csi-india.org/web/guest/statutory-committees
Who's Who: http://www.csi-india.org/web/guest/who-s-who
CSI Fellows: http://www.csi-india.org/web/guest/csi-fellows
National, Regional & State Student Coordinators: http://www.csi-india.org/web/guest/104
Collaborations: http://www.csi-india.org/web/guest/collaborations
Distinguished Speakers: http://www.csi-india.org/distinguished-speakers
Divisions: http://www.csi-india.org/web/guest/divisions
Regions: http://www.csi-india.org/web/guest/regions1
Chapters: http://www.csi-india.org/web/guest/chapters
Policy Guidelines: http://www.csi-india.org/web/guest/policy-guidelines
Student Branches: http://www.csi-india.org/web/guest/student-branches
Membership Services: http://www.csi-india.org/web/guest/membership-service
Upcoming Events: http://www.csi-india.org/web/guest/upcoming-events
Publications: http://www.csi-india.org/web/guest/publications
Student's Corner: http://www.csi-india.org/web/education-directorate/student-s-corner
CSI Awards: http://www.csi-india.org/web/guest/csi-awards
CSI Certification: http://www.csi-india.org/web/guest/csi-certification
Upcoming Webinars: http://www.csi-india.org/web/guest/upcoming-webinars
About Membership: http://www.csi-india.org/web/guest/about-membership
Why Join CSI: http://www.csi-india.org/why-join-csi
Membership Benefits: http://www.csi-india.org/membership-benefits
BABA Scheme: http://www.csi-india.org/membership-schemes-baba-scheme
Special Interest Groups: http://www.csi-india.org/special-interest-groups
Membership Subscription Fees: http://www.csi-india.org/fee-structure
Membership and Grades: http://www.csi-india.org/web/guest/174
Institutional Membership: http://www.csi-india.org/web/guest/institiutional-membership
Become a member: http://www.csi-india.org/web/guest/become-a-member
Upgrading and Renewing Membership: http://www.csi-india.org/web/guest/183
Download Forms: http://www.csi-india.org/web/guest/downloadforms
Membership Eligibility: http://www.csi-india.org/web/guest/membership-eligibility
Code of Ethics: http://www.csi-india.org/web/guest/code-of-ethics
From the President Desk: http://www.csi-india.org/web/guest/president-s-desk
CSI Communications (PDF Version): http://www.csi-india.org/web/guest/csi-communications
CSI Communications (HTML Version): http://www.csi-india.org/web/guest/csi-communications-html-version
CSI Journal of Computing: http://www.csi-india.org/web/guest/journal
CSI eNewsletter: http://www.csi-india.org/web/guest/enewsletter
CSIC Chapters SBs News: http://www.csi-india.org/csic-chapters-sbs-news
Education Directorate: http://www.csi-india.org/web/education-directorate/home
National Students Coordinator: http://www.csi-india.org/web/national-students-coordinators/home
Awards and Honors: http://www.csi-india.org/web/guest/251
eGovernance Awards: http://www.csi-india.org/web/guest/e-governanceawards
IT Excellence Awards: http://www.csi-india.org/web/guest/csiitexcellenceawards
YITP Awards: http://www.csi-india.org/web/guest/csiyitp-awards
CSI Service Awards: http://www.csi-india.org/web/guest/csi-service-awards
Academic Excellence Awards: http://www.csi-india.org/web/guest/academic-excellence-awards
Contact us: http://www.csi-india.org/web/guest/contact-us
President's Message: H R Mohan
From: President's Desk, [email protected]
Subject: President's Message
Date: 1st June, 2014

Dear Members,

Let us all congratulate, on behalf of Computer Society of India, Sri. Narendra Modi, who has recently been sworn in as the 15th Prime Minister of India. It is a known fact that he is widely acknowledged as a champion of India's competency in technology, innovation, e-governance, use of technology in education, and turning India into a global hub of technology. CSI was proud and privileged to confer upon Sri Narendra Modi the "CSI e-RATNA" Award in recognition of his services to State and citizens at large through e-Governance and ICT projects, on the occasion of the e-Governance Knowledge Summit and International Conference on e-Governance in Oct 2011. Sri Modi, while addressing the IT professionals at the Nasscom India Leadership Forum, had stated that the use of IT can put India on the road to fast and inclusive growth. He further envisages the role of IT as a change agent which will empower, connect and bind isolated parts of India, create harmony, join people with governments, bridge the gap between demand and supply, and bring all closer to knowledge. He had also coined the popular phrase: IT + IT = IT (Indian Talent + Information Technology = India Tomorrow). Modi's vision is to create a 'Digital India', a knowledge-based society and economy using IT as the growth engine. He also believes that E-governance, with increased use of technology to bring empowerment, equity and efficiency to the economy, will be a great problem solver for people in India and emphasizes that "E-governance can bring minimum government and maximum governance." All the above has set a high expectation for the Indian IT Industry to look forward to the next phase of growth in IT in the country, which will be beneficial to all of us.

As the demand for electronics and hardware gadgets is set to increase from $55 billion in 2014 to $400 billion by 2020, and in order to conserve foreign exchange, an ambitious electronics manufacturing policy focusing on information access devices and value added products such as wearable computers and devices is expected by the industry. Further, industry sources believe that distributed smart manufacturing using 3D printing technology will become the mainstream in the near future. Further, the IT-BPO sector expects its market size to grow to $300 billion by 2020 from the current $110 billion. These initiatives are likely to create millions of new jobs, and societies like CSI have a major role in developing the manpower to meet these requirements.

In the EXCO meeting of SEARCC (in which CSI is a member) held in Apr 2014 at Kuala Lumpur, Malaysia, Prof. Dong Yoon Kim from South Korea presented the plans for the IFIP World Computer Congress WCC-2015 in Daejong, South Korea and requested SEARCC to consider hosting the SEARCC Conference or a workshop at WCC-2015. While it was debated whether the SEARCC conference could be held in a non-member country, considering IFIP's WCC being held in South Korea and the possibility of interacting with the other country apex computer bodies from Japan, China, Singapore, New Zealand, Hong Kong and Myanmar on their joining SEARCC, it was in principle agreed by EXCO to host SEARCC-2015 in South Korea instead of having it in India as confirmed in the earlier EXCO. However, the final decision will be made in the next EXCO being planned at SEARCC-2014 at Kuala Lumpur, Malaysia. As decided earlier, CSI India will host the SEARCC International School Software Contest for the year 2014 in India. The CSI Education Directorate (CSI ED) has already planned the related activities. In the EXCO, it was also decided to cross-promote the events organized by the SEARCC members to facilitate wider participation. International Young ICT Professionals Group (InterYIT), a part of IFIP which has objectives such as being the umbrella organisation for all Young ICT professionals around the world, fostering communication between Young IT Groups and promoting representation of young professionals in the computer societies as well as within IFIP, desires SEARCC members to participate in this initiative. It was informed to EXCO that the YITP Awards, which we at CSI have annually, have similar objectives and CSI can work with the InterYIT group.

Considering the reported information that a significant percentage of Indian authors indulge in plagiarism, to sensitize our researchers and academic community on the risks of plagiarism, including losing their jobs, a one-day workshop was held in May 2014 at Chennai with resource persons drawn from the IEEE CS Editorial Board, IIT Madras and a professional author. It was well attended with over 95 participants. The participants, while providing excellent feedback, desired workshops in Research Methodologies and Communication Skills to be organized to help them further. The chapters interested in organizing the workshop on plagiarism in other parts of the country may please get in touch with CSI ED.

I am happy to report that the open page article "An opportunity seized but not fulfilled" by Dr. S. Ramani, our past president, published in The Hindu, which can be accessed at http://bit.ly/1gV6OKI, has attracted a considerable amount of feedback and initiated a debate. We look forward to similar thought-provoking writings from others to brainstorm and progress further.

After training about 300 special educators in software packages for the Integrated Assessment, Evaluation and Programming of Mentally Challenged Children by partnering with Media Lab Asia and Centre for Development of Advanced Computing (CDAC), CSI ED has taken up a pilot initiative in training Mentally Challenged children / student trainees in the basic operations of computers and introducing them to productivity software such as MS Office; training in the basics of accounting and packages such as Tally, which would be of use to them in pursuing a career, is also provided. A brief report that appeared in The Hindu at http://bit.ly/1kyltXj has received queries from entrepreneurs on scaling up this initiative and from a few organizations seeking trained people for potential employment. Our appreciation to the CSI ED staff for their effort.

CSI ED has proposed to organize the "Golden Tech-Bridge" Programme in Aug 2014 as an intervention of the organization, aimed at introducing computers and their advantages to the unexposed sections of society at 50 locations across the country with the support of our student branches. We look forward to its success.

The CSI Bangalore chapter is gearing up for the first Golden Jubilee Celebration meeting in the year 2014-15. The meeting scheduled on 14th June 2014 is expected to have most of the 16 Fellows (inclusive of four presidents) of CSI at Bangalore participate and share their impressions of the growth of CSI in the past and brainstorm on the future of CSI.

CSI has a scheme through which financial grants to the extent of Rs. 25,000/- are being made available for international travel by research students to present their papers. In a year, eight such grants will be provided. Those interested in availing this grant may get in touch with the research committee chaired by Dr. Anirban Basu, who is also the chairman of Division V.

A number of events on topics of current interest which are either organized or supported by CSI are listed in the calendar of events, and I am sure that our members will make use of the opportunity in presenting papers and participating in them.

More in the next month's message.

With best regards,
H R Mohan
President, Computer Society of India
Editorial
Rajendra M Sonar, Achuthsankar S Nair, Debasish Jana and Jayshree Dhere
Editors

Dear Fellow CSI Members,
Gone are the days when a piece of software used to be monolithic,
having all the logical components: business logic, data services and
presentation services implemented together in the same piece of
software code. There were not many security implications then,
since access to software was limited to a few users - mostly internal
employees - through interfaces provided by the software. As of
today, however, distributed computing, client/server computing,
n-tier software applications, cloud-computing, multiple types
of accesses to software through various delivery channels such
as ATMs, client software such as internet browsers and mobile
devices such as phones, tablets etc. have enabled complex
applications and created greater scope for vulnerabilities. Our
dependence on software is also increasing day by day.
Each software application, its various software components and
interconnected devices participating in the application execution
need to be robust. If one of the components or access points has
a security loophole, it can create issues and vulnerabilities that can be
exploited to cause a security incident. In most of the early systems,
software professionals did not feel the need to worry about software
security aspects during the initial stages of software development,
and these were usually addressed during the coding phase. However,
security professionals today are realising that if security aspects are
thought of, identified, analysed and taken care of during the early phases
of the software development life cycle, it can be of great help. Hence,
in this issue we cover Security in Software Development as the theme.
We have three articles under cover story that cover aspects such as
the need for software security, its building blocks, the security environment,
what needs to be secured, why and how it can be done, what the
solutions are and so on. The first article in the cover story section is
What, Why and How of Software Security by Satish K Sreenivasaiah
and Mohan Jayaramappa of Tata Consultancy Services, Bangalore.
The second article in the cover story section is Developing Secure Software by Sandeep Godbole, Member of ISACA India Task
Force. The third article under the cover story section is by Sunil Bakshi,
Free-lance Consultant and Trainer, IT governance and Information
Security, and it is about Security in Software Development.
In the Technical Trends section, we have two articles, the first one
on Application Layer Security Solution for Java Based Web Applications by Vijay Gulati and Venkata Swamy Bathina, Research
& Innovation group of IGATE. The second article is titled Nuts and Bolts of Code Coverage Testing by Abhinav Vaid, an IT Practitioner.
In Research Front section, we have two research based articles –
one titled Template Matching Tool for Remote Sensing Images by
Ashish Joshi, Ankit Kumar, Anil Kumar and Ankush Mittal and the
other titled Digital Image Steganography: Seeing is always NOT believing by Anurag Jagetiya and Dr. C Rama Krishna of Department
of CSE, NITTTR, Chandigarh.
In the Article section, we have two articles. The first one is by Navdeep
Kaur and Parminder Kaur of Guru Nanak Dev University, Amritsar
on SQL Injection – Anatomy and Risk Mitigation, wherein the authors
suggest measures to be taken during different phases of the software
development cycle for mitigating the risk of SQL injection. Another
article titled Reaping ROI from Big Data is by Binesh Nair of
Vidyalankar School of Information Technology, Mumbai, wherein
author provides inputs on how an organization can reap ROI from
Big Data by building analytics culture in the organization.
In the Practitioner Workbench section under Programming.Tips() we
have an article Fun with ‘C’ Programs by Prof. Wallace Jacob, where
he provides an interesting example of an array being passed to a
function that changes the values of array elements. We have a regular
article on “R” under Programming.Learn(“R”) by Umesh P and
Silpa Bhaskaran of Department of Computational Biology and
Bioinformatics, University of Kerala; this time they are covering
Basic Statistics Using R.
In Security Corner column under Information Security section
we have an article titled A Quick Look at Hadoop Security by
Paresh Suvarna and Prashant Wate, IGATE. In the other section
which covers a series of ‘Case Studies in IT Governance, IT Risk
and Information Security’ by Dr. Vishnu Kanhere, Convener SIG
– Humane Computing of CSI, we have a case study of SureSwift Software, in which he elaborates the concept of security in software
development with an example.
In our regular section of Brain Teaser we have crossword puzzle by
Dr. Debasish Jana, Editor, CSI Communications. This time he tests
the readers’ knowledge on “Security in Software Development”. In
the section titled ‘Your Question, Our Answer’, Dr. Jana answers
readers’ questions. Briefs of various ICT news of May 2014 are
compiled and brought to CSIC readers by Mr. H R Mohan, President,
CSI, AVP (Systems), The Hindu, Chennai under ‘Happenings@ICT’.
In the book review section called ‘On the Shelf!’ Mrs. Jayshree
A. Dhere, Resident Editor, CSI Communications reviews recently
received book “Code Halos: How the Digital Lives of People, Things, and Organizations are Changing the Rules of Business” authored by.
We have other regular features like CSI Announcements, CSI
Reports and Chapter and Student Branch, Call for Papers and
so on. Please feel free to send your inputs and feedback to
[email protected] as your views are important to us and for making
the CSIC magazine a two-way communication.
With warm regards,
Rajendra M Sonar, Achuthsankar S Nair,
Debasish Jana and Jayshree Dhere
Editors
Security in software development as a
concept is both vast and deep, making it
not so easy for a beginner to gain a strong
foothold at the pace that is expected. An
attempt has been made here to cover the three
fundamental questions about Security
in Software development and to answer
them briefly. The idea is to provide
insights at a high level for someone
who is about to embark on getting his
application/product security compliant.
The three fundamental questions
being - What, Why and How of security in
software development.
What Part?
Let us begin with the What part first.
Security as a discipline in Software
development is essential in ensuring
that each and every component in the
application/ product stack adheres to
a certain set of principles or guidelines
in the context of various phases of
SDLC viz., Requirements gathering,
Architecture Definition, Design,
Development, Testing, Go-live and
Support/maintenance. The objective of
these measures is to reduce the number
of vulnerabilities in the application/
product and thereby mitigate the risk
of threats that originate from internal
(disgruntled employees) or external
sources (hackers, a mischievous net
user etc.).
Keeping in line with the context of
security in software development, the
focus of discussion is limited to the details
of the first five phases from requirements
to testing as stated above.
From a layered technology stack
perspective, security aspects span across
the presentation layer, business logic and
the database layers. Any kind of interface,
be it batch or real-time, with third party /
internal systems in the enterprise needs to
adhere to security guidelines. To quickly
summarize, Security is one of the key
ingredients of the non-functional aspects
of an application/product by which its
trustworthiness is ascertained.
Why Security and Why Now?
Day in day out, the online security breach
incidents across the globe have mandated
software security as a non-negotiable
requirement for any application / product
that intends to get it right in the
market place. Given the digital age and
time in which we live today, it wouldn’t
be an exaggeration to say that Security as
a discipline is gaining unprecedented
importance in the life cycle of Software
development. The recent resignation of the
CEO of one of the large retailers in North
America due to an online data breach and
theft of customers’ credit card/personal
information details is an eye-opener and
just the tip of the iceberg of how high the
stakes are, as any kind of customer data
breach affects both the reputation and
profitability of the companies impacted.
A decade ago or earlier, software
application development teams
emphasized getting the functional
features right, and the implementation
of non-functional aspects (read it as
Security) of an application took a distant
second/third place (after its other non-
functional cousin, performance).
This can be attributed primarily to a
lack of awareness of software security,
a shortage of skills and the non-availability of
the right tools to evaluate security as a
metric across the various phases of the SDLC.
Lately, there has been an increased
interest in the area of Security, a surge in
the availability of security testing tools,
both open source and licensed software,
and knowledge bases on vulnerabilities
made available by industry bodies like
OWASP[1] (Open Web Application Security
Project), CWE (Common Weakness
Enumeration), the Web Application Security
Consortium (www.webappsec.org) etc.
Having understood the What and
Why parts, the further sections briefly
describe the How part of Security in
software development.
How Part?
Security Requirements: The process
of collecting security requirements
is different from gathering functional
requirements, as most of the functional
use cases are provided by business
users. But when it comes to defining
security requirements, the business
users are less aware and probably even
care less, as most of the requirements
don’t relate to business functionality and
their presence / absence does not visibly
impact the end user/consumer. This
is truer for non-banking/
non-financial applications (ex., media
sites, and retail branding portals). More
often than not, security requirements go
unstated but are at the same time expected
to be a part of the application/product
implicitly. Hence, the situation calls
for an architect/security lead to work
closely with the business team, ensure he
understands the business requirements
and correspondingly draft the appropriate
use cases for security. It
is recommended to have a requirements
tracking tool to ensure all of them are
captured and are being tracked across
the SDLC phases for traceability.
A few key factors that help in
determining the level of security
requirements are: the type of online
application (transactional / non-
transactional), the kind of data it stores or
shares (sensitive, personal, confidential
or public data), the hosting network
(internet, intranet, extranet), the regulatory
compliance needs of the business
domain, and external or internal interfaces
with third party tools as a part of the
application / product.
Below is an indicative list of key
security requirements from the OWASP
ASVS[2] (Application Security Verification
Standard) that an online application needs
to comply with:
• Authentication & Authorization
• Session Management
• Input Validation
• Output Encoding
• Cryptography – provided the
application uses any sensitive data
(credit cards, SSN etc)
• Error Handling and Logging
• Data Protection
• Communication Security
• HTTP Security and
• Security configuration
Cover Story: Security in Software Development
What, Why and How of Software Security
Satish K Sreenivasaiah* and Mohan Jayaramappa**
* Consultant, Tata Consultancy Services, Bangalore
** Senior Consultant, Tata Consultancy Services, Bangalore
Again, each of the above requirements needs to be verified against the type of business the application/product is catering to.
Security Architecture and Design: Once the security requirements are drafted and being tracked in the tool, the next step is to focus on security architecture and design. As per the OWASP ASVS, the security review is to be planned so as to certify an application at one of four different levels, Level 1 to Level 4. ASVS covers reviewing an application/product through automated review, manual review, design review and an end-to-end review of the application, third-party software code base, libraries, frameworks etc.
As referred to in OWASP, during the design phase, threat modeling[3] (a technique for security analysis) is to be adopted as an effective way of identifying threats and vulnerabilities for an application/product. Identifying the risks early in the game and devising strategies to mitigate them avoids a lot of rework later across the SDLC phases.
Also, key design principles like defense in depth, secure by default, minimizing the attack surface etc. need to be discussed and finalized during the security architecture and design phase. This process goes through a couple of iterations before being finalized. For example, an intranet application hosted on a LAN (local area network) might be tempted to adopt fewer security features because it is already protected by LAN security. However, the design principle of defense in depth recommends that security be enabled across the layers and not only at the periphery, as threats do not always originate from outside the LAN and can originate from internal employees as well. Similarly, each design principle needs to be carefully evaluated based on the business domain the application/product is addressing.
Based on the above security requirements verification and architecture review, an application/product is rated at the corresponding maturity level (from Level 1 to Level 4).
Security Coding Guidelines: After the design phase, the security coding guidelines are to be followed and a stringent code review process put in place to ensure the right implementation. OWASP provides secure coding guidelines for most of the known vulnerabilities that exist in the industry today. Below is an indicative list of vulnerabilities (the Top 10) stated by OWASP[4] that need effective handling during the coding phase.
A1 Injection – SQL Injection/XPath etc.
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
OWASP has developer cheat sheets for each of the vulnerabilities stated above, so that development teams can implement the corresponding protections in code.
Security testing: This is divided into two different areas, static and dynamic testing, of the application code base and of the application at run time respectively.
SAST – Static Application Security Testing – This phase tests the code base as and when it is ready for release into UAT/production environments. There are various tools, both open source from OWASP and licensed software, for SAST that scan through the code and generate a report detailing the vulnerabilities at code level. Since the automated report contains some false positives, the security team needs to work with the application team to ensure that only the genuine SAST defects are taken forward for fixing.
DAST – Dynamic Application Security Testing – This is the final phase of testing, wherein the application is tested at runtime after it is functionally and non-functionally ready, that is, with the security requirements, design and code in place and the agreed-upon SAST defects fixed. The DAST test is executed and its report provides details of the vulnerabilities and recommendations for fixing them.
Conclusion
With the above process of adhering to security in software development, an application/product will have a high level of trustworthiness, and will avoid the negative publicity, loss of reputation and the related downward spiral that get associated with security flaws.
Although the whole process looks tedious and highly involved, it is good to remind ourselves that the quality/reliability of an application/product is not an accident; it comes by choice and rigorous execution.
References
[1] www.owasp.org (Open Web Application Security Project).
[2] https://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf (Page no. 16) – Material taken under the Creative Commons Attribution ShareAlike 3.0 License[5]; Authors: Mike Boberski (Booz Allen Hamilton), Jeff Williams (Aspect Security), Dave Wichers (Aspect Security); Title: OWASP Application Security Verification Standard 2009 – Web Application Standard.
[3] https://www.owasp.org/index.php/Category:Threat_Modeling – Material taken under the Creative Commons 3.0 License[5]; Title: Category: Threat Modeling.
[4] https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013 – Material taken under the Creative Commons 3.0 License[5]; Title: Category: Top 10 OWASP Project, Tab 2 Title: OWASP Top 10 for 2013.
[5] Creative Commons 3.0 License link – http://creativecommons.org/licenses/by-sa/3.0/
About the Authors
Satish K Sreenivasaiah is a consultant in Tata Consultancy Services based out of Bangalore. He is part of the Product Trustworthy Centre of Excellence that is responsible for ensuring software security and performance. He has overall experience of 15+ years in the IT industry and has held various positions of Solutions Architect, Lead Architect, Practice Manager and Relationship Manager across geographies.
Mohan Jayaramappa is a senior consultant in Tata Consultancy Services based out of Bangalore. He heads the Product Trustworthy Centre of Excellence that is responsible for ensuring software security and performance. He has overall experience of 25 years in the IT industry and has worked in various positions in web, desktop and mainframe technologies.
Background
With technology impacting all spheres of our lives, secure technology has become an inherent and non-negotiable attribute for all users and stakeholders. Almost all technologies of the day rely on software in some measure or the other, as a component, driver, enabler or the product itself. Needless to say, the security of a technology product or service is closely linked to the security of the underlying software.
Introductory texts on computers often begin with a differentiation between the concepts of hardware and software. While the concepts of hardware and software are probably well understood by almost all users, what is less understood is the primacy of software in making things work. Even those functions that are considered functions of hardware or infrastructure are finally dependent on the underlying software. For example, functions driven by hardware components such as switches and routers owe their existence to the software that runs them. The software in such devices could be in the form of firmware that is burnt into the hardware; nevertheless, it is still software. Since software is omnipresent, the security of software, and the security enabled by software, is very important for the effective functioning of systems, devices and infrastructure. Vulnerable software can lead to serious consequences.
Security Devices: Not a Solution for all Ills
It is very important that the software be robust and free of vulnerabilities. If the software is weak, insecure or infested with security vulnerabilities, it is very unlikely that an external solution would compensate for the inherent defects. For example, if the software has serious vulnerabilities related to authentication, it is highly improbable that an external device or solution can compensate for or protect against this vulnerability. Traditional security devices like firewalls do not operate at the application layer of the TCP/IP stack, and thus are not ‘application aware’. It is therefore not possible to compensate for weak and vulnerable software operating at the application layer with an external ‘add-on’ that operates at lower layers. None of the traditional firewalls can protect vulnerable software or applications that are inherently insecure. This limitation does not negate the importance of essential security controls like firewalls; they are necessary. However, it is important to understand their functions and boundaries. The best approach to secure software is to ensure that it is built using the right approach, methodology and tools. The inherent strength and capability of the software is thus of prime importance for ensuring security.
Security: The Building Blocks
Let us determine what is required to develop such ‘secure software’ and identify the associated building blocks. Secure software development should be viewed as a process-driven approach, enabled with appropriate tools in a secure environment. Secure software development is not a ‘bolt-on’ solution, but a process that needs to be ingrained as an integral part of software development. Factors that are necessary for secure software can be classified into two major buckets:
a) Enabling Factors
b) Direct Factors
Enabling Factors are those that ensure the software development process and associated environment enable and support the development of secure software that is free from vulnerabilities. Enabling factors may not guarantee or generate secure software; however, they are essential in structuring an environment for Direct Factors to be effective. Direct Factors are components that should be included when developing secure and robust software. These are directly associated with the software development process: Direct Factors are much closer to the software development activities and touch the software code directly.
Enabling Factors
Secure Environment
As with all mature environments, a robust and controlled software development environment is a prerequisite. An uncontrolled or vulnerable environment may lead to unauthorized modifications and changes. Lack of a secure change management process would result in a significant risk. A robust and controlled development environment is an essential hygiene factor in any software development process.
Mature Software Development Process
A commonly accepted principle of software development is that any modification that is unplanned or that happens late in the software development process requires rework and is expensive. The corollary of this statement is that security needs to be built in early as part of the development process. The software development methodology, be it traditional SDLC or ‘Agile’, ought to consider the security requirements early in the development process and not as an afterthought. The security requirements should be defined based on the risk assessment. Results of a risk assessment are important in determining the security to be implemented. The impact of a risk is best understood by the risk management professionals, system owners and users rather than the programmers. It is thus important that the role of all stakeholders be recognized and their participation ensured as part of secure software development when identifying the security requirements of the software.
Security needs to be addressed across all phases of development. A security requirement that remains undefined and is discovered during implementation is challenging and expensive to fix. Such unpleasant discoveries can lead to significant time and cost overruns. Further, corrective actions tend to be a ‘patchwork’ and not an integrated solution. It is therefore important that security be addressed across all phases when developing software. Adequate traceability for security requirements across the requirement, design, development and implementation phases should be ensured. This provides a structured process to ascertain and verify the security implemented in the software.
Project Management
The project management practices should incorporate security as part of software project management. Organizations that define and implement security as a part of project management effectively institutionalize security. This helps the organization in ensuring that security is effectively addressed across multiple software projects in the organization.
Developing Secure Software
Cover Story
Sandeep Godbole, Member, ISACA India Task Force
Direct Factors
Secure Coding
Secure coding practices are key to ensuring that vulnerabilities are not introduced when developing software. All features, facilities or functionality in any software are deployed as code. A vulnerable service or feature points to weaknesses in the corresponding code. A programming or coding error can cause damage and prove to be extremely costly. It is important that no coding flaws, and therefore no vulnerabilities, be introduced due to poor coding practices. Many organizations have standardized and defined secure coding practices. These coding practices serve as a guide to developers in ensuring that appropriate constructs and functions are used and that common errors are avoided. Developing standard libraries and web services for commonly used functionality is an approach deployed by many organizations. Not only does it ensure modularity and avoid duplicate effort, it also ensures that security is built into the code. Organizations like OWASP have shared knowledge bases and tools to support the development of secure software. Programmers can enhance their skill levels by updating themselves on the numerous inputs like these that are available.
Validations
Malformed inputs are one of the most widely deployed attack vectors against applications. It is therefore important that all inputs be validated from the functional perspective as well as from the security perspective. Many attacks, including buffer overflows, injection attacks and cross-site scripting (XSS) attacks, occur because user inputs are not validated. When defining validations, it is important to weed out malformed inputs that can severely impact security. Inputs refer to information sought from the users and also all other data elements that come from the user or client end. This includes content like cookies and URL parameters too.
Security Assessment
A wide variety of tools are available to support secure software development. While some of them are commercial tools, others are available free of cost. These include tools like code scanners that parse the code and identify constructs that seem to introduce vulnerabilities. This approach, which parses code to identify vulnerabilities, is referred to as static code analysis. Many tools specific to the technology used for development are available for use.
While static code analysis is helpful, the other approach, referred to as dynamic testing, is often deployed to test software for vulnerabilities. Unlike static code analysis, dynamic scanners scan the ‘live’ application for vulnerabilities. While static analysis identifies potential vulnerabilities, dynamic assessment actually demonstrates the existence of vulnerabilities. This makes dynamic testing a preferred approach.
Both these approaches, however, do tend to flag false positives: vulnerabilities identified erroneously, even though they are absent. It is here that professional skills and manual effort play a role in identifying such false positives. The tools, complemented by professional ability, are an effective means to implement quality assurance, oversight and testing processes. All software should undergo such testing prior to implementation or delivery. This phase is not a substitute for building security across the software development process. Rather, it is an assurance mechanism and a part of the chain to assure adequate security.
Secure Software: A P-D-C-A Approach
A closer examination of the discussion above shows that the activities related to secure software development map closely to the P-D-C-A cycle. Definition and implementation of security standards, a secure environment and security requirement definition comprise the ‘Plan’ phase. Implementing the secure coding standards is a part of the ‘Do’ phase. Security assessment, oversight and other quality assurance activities associated with traceability, static and dynamic assessments form the ‘Check’ phase. Learning from the results and taking corrective actions where warranted is the ‘Act’ phase.
Conclusion
An important aspect of secure software development is that it requires the participation and contribution of multiple stakeholders. Sponsors, users, developers, IT support staff and security professionals all play a very important part in building security. From the organizational perspective, this highlights the need to educate all stakeholders and define activities related to security across multiple organizational roles.
Security is an essential and non-negotiable aspect of any software. Applications and software differ in their functionality, usage and technology. However, the high-level approach to building security remains the same. No software would be considered to be effective or even functional if security is not incorporated as a key property or attribute. Building security is neither difficult nor very expensive if it is done the correct way. With a disciplined approach, sincere efforts and a mindset that recognizes the importance of security in software development, secure software is well within reach.
References
[1] www.owasp.org: There is a rich collection of resources available at OWASP. This includes tools, applications and publications.
[2] OWASP Testing Guide, https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
[3] OWASP Secure Coding Practices Quick Reference Guide, https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
[4] Secure Coding Guidelines, Microsoft, http://msdn.microsoft.com/en-us/library/d55zzx87(v=vs.90).aspx
[5] FxCop Tool from Microsoft, http://msdn.microsoft.com/en-us/library/bb429476.aspx
[6] Paros Tool, http://sourceforge.net/projects/paros/
[7] Burp Tool, http://portswigger.net/burp/
About the Author
Sandeep Godbole works as Dy. General Manager for Information Security at Syntel. He has rich experience spanning 20 years in IT Security, IT Assurance and Governance. He holds multiple certifications and qualifications in these areas. Sandeep volunteers on the ISACA India Task Force. He is presently the President of the ISACA Pune Chapter. He can be reached at [email protected]
Background
The proliferation of information technology has been shifting trends over a period of time. Today we cannot think of any organization without IT. However, threats and vulnerabilities are responsible for creating challenges in the security of information. Changing technology and threat scenarios are also affecting the way organizations manage their information security.
Apart from changes in technology, customer expectations are also driving business in changing the approach to delivering services using IT. Today the business is focused on using technology for delivering services to customers. Applications are the vehicles that take services to customers using network (internet) highways. Organizations use multiple channels to deliver services; for example, banking services are available to customers through the internet (internet banking), mobile banking through mobile apps, ATMs, any-branch banking, fund transfers (for example National Electronic Fund Transfer (NEFT) and Real-time Gross Settlement (RTGS) of RBI) and so on. In order to ensure these services are delivered securely, organizations ensure that security is built around the infrastructure, which includes the network (firewall, IDS/IPS), anti-virus, website authentication and user authentication with multi-factor access controls; however, incidents of fraud and information leakage are on the rise.
There are two weak links in the process: humans (users) and applications. Weakness in humans can be addressed using awareness training; however, application security must be part of the application and needs to be addressed while developing it.
Threats and Vulnerabilities Associated with Applications (OWASP Top Ten)
With the use of internet-based technologies and clouds, organizations have hosted applications that can be accessed from the internet and/or intranet. These applications might contain vulnerabilities which, if exploited, can compromise the security of information. Attackers try to exploit these vulnerabilities to launch attacks like SQL injection and cross-site scripting. OWASP (Open Web Application Security Project) identifies the top ten security threats every year. Threats identified in 2013 are listed below. (Source: www.owasp.org)
• Injection (SQL Injection): Attacker can access and modify databases.
• Broken Authentication and Session Management: Attackers can assume users’ identity.
• Cross-Site Scripting (XSS): Allows attackers to hijack user sessions.
• Insecure Direct Object References: Attackers can access data.
• Security Misconfiguration: Attacker can use gaps in configuration to attack.
• Sensitive Data Exposure: Attackers may steal or modify sensitive data.
• Missing Function Level Access Control: Attackers will be able to access functionality.
• Cross-Site Request Forgery (CSRF): Allows the attacker to control the victim’s browser.
• Using Components with Known Vulnerabilities: Attacker exploits components that run with full privileges.
• Unvalidated Redirects and Forwards: Attackers redirect victims to phishing or malware sites.
Detecting Problems in Applications
Many organizations direct their application security efforts at automated detective and/or corrective solutions such as application scans, penetration testing, grey-box/white-box testing and web application firewalls, rather than preventing the defects from occurring in the first place. Security defects are subsequently fixed based on the reports; however, this approach requires a lot of rework and high cost.
These detective controls many times cannot detect the absence of a security control mechanism within an application; for example, the absence of session management cannot be identified by automated tools. This sort of logic flaw is identified by manual source-code review and/or manual penetration testing. However, these techniques suffer from poor scalability and the high cost associated with testing and thereafter fixing the problem. Also, very few organizations can afford to perform the level of manual testing required for their entire application portfolio. The problem is further escalated by bugs such as insufficient authorization, which can be detected only by human expertise. While the security community and security tool developers already have a strong understanding of insufficient authorization, there is simply no practical method of detecting such a vulnerability using a completely automated mechanism.
Solutions
1. Do not expect security from users
Application developers cannot depend upon the user for security. For example, if the application is developed using web-based technologies and users are expected to access it using different browsers (like Internet Explorer, Google Chrome etc.), the application may not depend upon users to secure their browsers, but must embed security within the application. If the application is hosted on the internet, it is subject to various application-level attacks that need to be closed by adopting secure development and coding practices. Another example is access from mobile devices, where the user may or may not have secured the device from which they are accessing the data.
2. Secure SDLC
Until recently, security was an afterthought in the software development life cycle (SDLC); normally developers used to check the security-related aspects of an application through penetration testing, which would result in a huge amount of rework. For example, if a security-related vulnerability, bug or flaw is detected after development, then correcting it will require re-examining all the aspects from requirements to coding. This entire exercise increases the cost and effort of the project. To overcome this issue, recent research studies suggest that security should be incorporated right from the beginning of the SDLC.
Information security trends indicate that embedding security within application development helps in addressing various issues that may arise subsequently. For example, when multiple users are expected to access an application hosted at a central location from different nodes, the application should be able to provide access depending upon the function the specific user has to perform. This requires developers to design role definitions and provide functionality for assigning these roles to different users.
Security in Software Development
Cover Story
Sunil Bakshi, Free-lance Consultant and Trainer, IT Governance and Information Security
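The role-definition point above (and the “Missing Function Level Access Control” and least-privilege items listed elsewhere in this issue), as an added example that is not from the article: a deny-by-default, function-level authorization check in Python, where roles and the functions they permit are data and every handler enforces the check itself rather than relying on which links the user is shown. All users, roles and function names are constructed.

```python
"""Function-level access control with explicit role definitions.

Added example (not from the article): a central, deny-by-default
authorization check so that what a user can do depends on the function
assigned to them, not on which URL they happen to request.
All user names, roles and function names below are constructed.
"""
from functools import wraps

# Role definitions: each role names the functions it is allowed to call.
# Anything not listed is denied (least privilege, deny by default).
ROLE_PERMISSIONS = {
    "teller": {"view_account", "post_deposit"},
    "branch_manager": {"view_account", "post_deposit", "approve_loan"},
    "auditor": {"view_account", "view_audit_log"},
}

# Role assignment is data, kept separate from the code that enforces it.
USER_ROLES = {
    "alice": {"teller"},
    "bob": {"branch_manager"},
    "carol": {"auditor"},
}


class AccessDenied(Exception):
    """Raised when a caller lacks a role that grants the requested function."""


def is_permitted(user, function_name):
    """True only if some role assigned to `user` grants `function_name`.

    Unknown users and unknown roles yield an empty set, so they are denied.
    """
    roles = USER_ROLES.get(user, set())
    return any(function_name in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def requires_function(function_name):
    """Decorator: enforce the check inside the handler, not only in the UI."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not is_permitted(user, function_name):
                raise AccessDenied(f"{user} may not call {function_name}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@requires_function("approve_loan")
def approve_loan(user, loan_id):
    # Business logic is simulated; only the authorization path matters here.
    return f"loan {loan_id} approved by {user}"


@requires_function("view_audit_log")
def view_audit_log(user):
    return f"audit log shown to {user}"


def try_call(handler, user, *args):
    """Run a handler and report ('allowed', result) or ('denied', reason)."""
    try:
        return ("allowed", handler(user, *args))
    except AccessDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # 'mallory' has no role assigned at all and must be denied everywhere.
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, try_call(approve_loan, user, 42))
        print(user, try_call(view_audit_log, user))
```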
The table below (Table: Security steps in various phases of SDLC) describes the additional steps that need to be added to the traditional SDLC phases to make it a Secure SDLC.
3. Standard coding practices
Organizations must adopt standard coding practices that can prevent security flaws from being introduced within applications. For example, input validation can prevent 80% of security vulnerabilities from being introduced. Avoiding open-ended loops and complex if statements reduces the possibility of errors/bugs, and writing code for error handling helps in preventing abrupt termination of the application during operation. It may be noted here that errors must be handled appropriately so as not to reveal more than sufficient information that can provide clues to an attacker.
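The input validation and error handling points above, together with the earlier “Validations” section’s note that cookies and URL parameters are inputs too, as an added example that is not code from either article: a Python request handler that allow-lists every query parameter and cookie, rejects anything unexpected, and on failure logs the full reason server-side while returning only a generic message to the client. The field names, limits and sample requests are constructed.

```python
"""Input validation and non-leaking error handling for a web request.

Added example, not code from either article. Every client-supplied value,
including URL parameters and cookies, is checked against an explicit rule
before use; failures are logged in full server-side and the client gets
only a generic message. Field names, limits and samples are constructed.
"""
import logging
import re
from decimal import Decimal, InvalidOperation

log = logging.getLogger("app")

# Allow-list patterns: anything that does not match is rejected outright.
ACCOUNT_RE = re.compile(r"[0-9]{10,16}")
SESSION_RE = re.compile(r"[A-Za-z0-9_-]{32,64}")


def account_number(raw):
    if not ACCOUNT_RE.fullmatch(raw):
        raise ValueError("account_number: must be 10-16 digits")
    return raw


def amount(raw):
    try:
        value = Decimal(raw)
    except InvalidOperation:
        raise ValueError("amount: not a decimal number") from None
    # NaN/Infinity parse as Decimals, so check finiteness before the range.
    if not value.is_finite() or not Decimal("0.01") <= value <= Decimal("100000.00"):
        raise ValueError("amount: out of range")
    return value


def session_id(raw):
    if not SESSION_RE.fullmatch(raw):
        raise ValueError("session: malformed cookie")
    return raw


# name -> (where it comes from, validator). Fields not listed here are
# rejected, so a client cannot smuggle in unexpected parameters.
RULES = {
    "account_number": ("query", account_number),
    "amount": ("query", amount),
    "session": ("cookie", session_id),
}


class ValidationError(Exception):
    """Carries the detailed reason for the log; never sent to the client."""


def validate(request):
    """Return only validated values; reject missing, extra or malformed input."""
    sources = {"query": request.get("query", {}), "cookie": request.get("cookies", {})}
    for source, supplied in sources.items():
        expected = {n for n, (s, _) in RULES.items() if s == source}
        extra = set(supplied) - expected
        if extra:
            raise ValidationError(f"unexpected {source} field(s): {sorted(extra)}")
    clean = {}
    for name, (source, check) in RULES.items():
        raw = sources[source].get(name)
        if not isinstance(raw, str):
            raise ValidationError(f"{name}: missing or not a string in {source}")
        try:
            clean[name] = check(raw)
        except ValueError as exc:
            raise ValidationError(str(exc)) from None
    return clean


def handle_transfer(request):
    """Behave like a web handler: return (status, body) with generic errors."""
    try:
        clean = validate(request)
    except ValidationError as exc:
        log.warning("rejected request: %s", exc)  # full detail, server side only
        return 400, {"error": "Invalid request"}
    try:
        # The real transfer logic would go here; simulated for the example.
        return 200, {"account": clean["account_number"], "amount": str(clean["amount"])}
    except Exception:
        log.exception("transfer failed")  # stack trace goes to the log, not the client
        return 500, {"error": "Internal error"}


# Constructed sample requests (not captured traffic).
GOOD = {"query": {"account_number": "1234567890", "amount": "250.00"},
        "cookies": {"session": "a" * 40}}
BAD_AMOUNT = {"query": {"account_number": "1234567890", "amount": "1e9"},
              "cookies": {"session": "a" * 40}}
BAD_COOKIE = {"query": {"account_number": "1234567890", "amount": "250.00"},
              "cookies": {"session": "not a session id!"}}
```

Calling handle_transfer(GOOD) returns a 200 with the validated values, while BAD_AMOUNT and BAD_COOKIE both return the same 400 body; the differing reasons appear only in the server log.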
4. Developer Education
Developer education is a preventive technique that seeks to empower developers with the knowledge to write secure code. Research has shown that education and awareness improve the quality and security of applications. A single training class is a point-in-time activity, and the value of the education diminishes over time unless the developers are continuously in touch with the material and are updated on new and emerging techniques. Moreover, given the pressures of building software under strict deadlines, software developers could forget about specific security defects due to cognitive burden. Thus, developer education is important but not sufficient for preventing application security defects.
Table: Security steps in various phases of SDLC
SDLC Phase: Security Steps
Requirement Definition:
• To identify security requirements, including compliance for privacy and data loss.
• To determine risks associated with security and prepare a mitigation plan.
• To train users on identification and fixing of security bugs.
Design Phase:
• To ensure security requirements are considered during the design phase, e.g. access controls for privacy-sensitive data.
• To identify possible attacks and design controls, e.g. implementing the least privilege principle for sensitive data, and applying the layered principle for modules.
Development Phase:
• To develop and implement secure coding practices such as input data validation and avoiding complex coding.
• To train developers on secure coding practices.
Testing Phase:
• To review code for compliance with secure coding practices.
• To develop test cases for security requirement testing.
• To ensure security requirements are tested during testing.
• To test the application for identified attacks.
Implementation Phase:
• To analyze that all functions and interfaces are secured.
• To perform a security scan of the application after implementation.
Maintenance Phase:
• To monitor for vulnerabilities on a continuous basis.
• To issue patches for fixing the reported vulnerabilities accordingly.
• To evaluate the effectiveness of countermeasures periodically.
Conclusions
Detective techniques are inefficient when compared to preventive techniques as a result of the extremely high remediation costs in the software development life cycle (SDLC). It was established long back that it is most cost-effective to plan for and prevent defects upfront rather than finding and fixing them later.
End Notes
[1] www.owasp.org
[2] http://www.sans.org/reading-room/whitepapers/securecode/software-engineering-security-process-sdlc-1846
[3] https://www.microsoft.com/security/sdl/default.aspx?mstLocPickShow=True
[4] http://www.veracode.com/security/software-development-lifecycle
[5] www.isaca.org
About the Author
Sunil Bakshi, MCA, AMIIB, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CEH, ISO27001 LA, ISO14001 LA, ISO9001 LA, COBIT Foundation. Member, ISACA India Task Force and CRISC Certification Committee. Past chairman and chapter patron for CSI Pune Chapter. Has 36 years of experience in IT with the public and private sector. Currently a free-lance consultant and trainer in the IT Governance, Security and Audit field.
Current Industry Challenges
Currently, web applications leverage multiple application security libraries/frameworks for building secure web applications. There definitely is a need for a centralized security framework, which can act as a security layer at the application level and provide value addition for web application developers, so that they don’t need to worry about integrating multiple libraries/frameworks to protect web applications from the top vulnerabilities.
Also, many people are ignorant of the fact that there are so many vulnerabilities that one needs to be cognizant of while ensuring the security of web applications at the application layer.
Following are some of the top vulnerabilities:
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
• Improper Error Handling
One more challenge that the industry is facing is that there are a lot of duplicate configuration settings, or duplicate efforts one has to undertake, in order to build/configure a security framework or even to customize one. We are addressing that issue also, so that we can save effort and eliminate the redundant work that is carried out while implementing security frameworks for each web application.
Web Application Security Frameworks in the Market Place
There are plenty of frameworks in the market right now, such as Apache Shiro, Spring Security Framework, OWASP ESAPI, JAAS, Hibernate Validator, Apache Commons Validator and so on. The reason why it is essential to build a custom security framework is that none of the above-listed frameworks provides an all-in-one solution, and the implementation of some of them is also very complicated.
So our solution addresses these issues by having a unified framework. It simplifies the customization and makes it easy to consume the web application security framework.
Web Application Security Framework: Proposed Solution
In order to address these challenges, IGATE’s unified Web Application Security Framework secures web applications from the top security threats, providing clear value addition to the development team, which can use the framework to address all the top vulnerabilities with ease.
Instead of re-inventing the wheel, IGATE’s Web Application Security Framework solution leverages the security frameworks already available in the open source market. These open source APIs are integrated together to provide a pluggable, centralized framework, with easy configuration settings, that takes care of the top security needs at the application layer.
The Web Application Security Framework also eliminates the duplicate configuration that one has to go through in each application if the security frameworks available in the market place were configured independently.
Other features of the Web Application Security Framework are: (a) it should be highly configurable, (b) it should be easily extendable, (c) it should be readily integrated into any existing Java-based web application in production or a new web application that we are building from scratch.
Application Layer Security Solution for Java Based Web Applications
Technical Trends
Vijay Gulati* and Venkata Swamy Bathina**
*Senior Principal Architect, Research & Innovation group of IGATE
**Senior Technical Architect, Research & Innovation group of IGATE
Abstract— In the era of Web 2.0, where every organization is extensively using the internet to do their business and provide services to
their customers, they tend to forget one most essential thing - that is, “SECURITY”, until some negative impact happens due to breach
of it. In addition, as we are opening doors to multiple channels such as conventional web, mobile, Voice Response Unit, phone rep, and
so on, it is becoming increasingly important to secure our applications from various attacks.
Most e-business applications have standard security features such as fi rewalls, SSL, etc. already in place. But these are not suffi cient
to protect applications from various vulnerabilities. Any web application, which is hosted for public access, needs to have an application
layer security in place apart from the network layer security, or transport layer security, etc.
The Web Application Security Framework described in this paper will protect web applications from various vulnerabilities such
as Cross Site Scripting, Penetration, Injections, Custom Attacks such as CSRF, and so on. Also, as each application is diff erent from
the other, their security needs are also diff erent. Hence it is important to have a framework that is highly confi gurable as per
application needs.
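Two of the protections named above, anti-CSRF tokens and encoding of the response to stop XSS, as a worked example in plain Java. This is an added illustration, not IGATE's framework code and not taken from any of the libraries it wraps; the class and method names (AppLayerGuards, CsrfTokenService, encodeForHtml) and the sample session id and payload are assumptions made for the example.

```java
// Added example (not IGATE's framework code): two application-layer protections
// a unified framework typically wraps, written against the JDK only.
// Class/method names are illustrative assumptions.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class AppLayerGuards {

    /** Anti-CSRF tokens bound to the server-side session via HMAC-SHA256. */
    public static final class CsrfTokenService {
        private final byte[] serverKey;
        private final SecureRandom random = new SecureRandom();

        public CsrfTokenService(byte[] serverKey) {
            if (serverKey == null || serverKey.length < 32) {
                throw new IllegalArgumentException("key must be at least 256 bits");
            }
            this.serverKey = serverKey.clone();
        }

        /** Issues "nonce.mac": a fresh random nonce plus its MAC over (sessionId, nonce). */
        public String issue(String sessionId) {
            byte[] nonce = new byte[16];
            random.nextBytes(nonce);
            String nonceB64 = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
            return nonceB64 + "." + mac(sessionId, nonceB64);
        }

        /** Verifies a token submitted with a state-changing request for this session. */
        public boolean verify(String sessionId, String token) {
            if (sessionId == null || token == null) return false;
            int dot = token.indexOf('.');
            if (dot <= 0 || dot == token.length() - 1) return false;
            String nonceB64 = token.substring(0, dot);
            String givenMac = token.substring(dot + 1);
            // Constant-time comparison: MessageDigest.isEqual does not short-circuit.
            return MessageDigest.isEqual(
                    givenMac.getBytes(StandardCharsets.US_ASCII),
                    mac(sessionId, nonceB64).getBytes(StandardCharsets.US_ASCII));
        }

        private String mac(String sessionId, String nonceB64) {
            try {
                Mac hmac = Mac.getInstance("HmacSHA256");
                hmac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
                hmac.update(sessionId.getBytes(StandardCharsets.UTF_8));
                hmac.update((byte) 0); // separator so (sessionId, nonce) pairs cannot collide
                hmac.update(nonceB64.getBytes(StandardCharsets.UTF_8));
                return Base64.getUrlEncoder().withoutPadding().encodeToString(hmac.doFinal());
            } catch (java.security.GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /** Output encoding for untrusted data placed in HTML element content or attribute values. */
    public static String encodeForHtml(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);                 // per-deployment secret
        CsrfTokenService csrf = new CsrfTokenService(key);

        String session = "JSESSIONID-example";             // constructed sample session id
        String token = csrf.issue(session);
        System.out.println("valid token accepted:   " + csrf.verify(session, token));
        System.out.println("other session rejected: " + csrf.verify("another-session", token));
        System.out.println("tampered rejected:      " + csrf.verify(session, token + "x"));

        String payload = "<script>alert('xss')</script>"; // constructed hostile input
        System.out.println("encoded: " + encodeForHtml(payload));
    }
}
```

The token carries no server-side state: the nonce is random, the MAC ties it to the session id, and a token replayed in another session or altered in transit fails verification. In a servlet filter this is the check to run on every POST/PUT/DELETE before the request reaches the application, and encodeForHtml is what the view layer applies to any user-supplied value before writing it into the page.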
CSI Communications | June 2014 | 14 www.csi-india.org

The Web Application Security Framework proposed solution offers the following features:
• Secure input validation (core and custom, for all forms and user supplied input) in a configurable manner
• Preventing various injections and vulnerabilities such as XSS, SQL injection, etc.
• Preventing sensitive data exposure - encoding of the response, with the format configurable as per application needs
• Support to prevent custom attacks such as CSRF by generating anti-CSRF tokens
• Cryptography - configurable cryptographic algorithm, database encryption, etc.
• Application security configurations
• Validation of redirects and forwards
• Session management - session creation, configurable session timeout, etc.
• Authentication
• Authorization
• Function level access control
• Protection against insecure direct object references
• Proper error handling mechanisms

High Level Architecture

Integration Steps
As the Web Application Security Framework is based on a pluggable, component-based architecture, it should be easy to integrate into applications that are already in production or applications built from scratch, by following the integration steps below:
• Configure the client component
• Configure the external configuration settings
• Suppress or activate any module; for example, if somebody wants to use a different authentication mechanism, they should be free to do so
• Override internal configurations
• Extend or override a module implementation

Conclusion
In conclusion, it is essential to have a centralized web application security framework which is easily configurable and adopts best practices in implementing a security framework.
Our Web Application Security Framework solution provides the following benefits:
• Saves a lot of time and effort
• Wraps the top security features for web application security
• Deals with the top security threats listed above in a single framework
• Eliminates the need to integrate multiple framework libraries, so developers do not need to study and understand different libraries/frameworks
• Enables painless customization, as most of the parameters are configurable
• Integrates well with any J2EE environment
• Allows any module to be activated or de-activated
• Adopts industry best practices in securing web applications
• Simplifies maintenance and production support of web applications
• Eliminates a lot of redundant code and redundant configurations
• Tackles the top security threats and prevents various vulnerabilities at the application layer
With these benefits, this solution can be a key differentiator in securing Java based web applications.

Acronyms
Acronym - Expansion
VRU - Voice Response Unit
XSS - Cross Site Scripting
CSRF - Cross Site Request Forgery
SSL - Secure Socket Layer
JAAS - Java Authentication and Authorization Service
OWASP ESAPI - The Open Web Application Security Project Enterprise Security API
API - Application Programming Interface
SQL - Structured Query Language

References
[1] https://www.owasp.org
[2] http://commons.apache.org/proper/commons-validator/
[3] http://projects.spring.io/spring-security/
[4] http://hibernate.org/validator/
[5] http://shiro.apache.org/
About the Authors
Vijay Gulati is a Senior Principal Architect in the Research & Innovation group of IGATE. He has vast experience in Information Technology with strong expertise in Java-based technologies, and extensive experience in architecting and designing large business applications, especially in the financial services vertical.
Venkata Swamy Bathina is a Senior Technical Architect in the Research & Innovation group of IGATE, with over 16 years of total experience in software engineering, including enterprise architecture, solution architecture, application design and development, delivery management and technology solutions. He has extensive experience in enterprise web applications, enterprise integration projects and business intelligence frameworks, and has been involved in enterprise-level architecture, solution architecture and application architecture, design, development and deployment using Java/J2EE technologies. As part of technology strategy, he played an instrumental role in defining SOA strategy, reference architecture and integration strategy using the Sun JCAPS SOA Suite. He has architected multi-tiered applications and business application systems for customers in the USA, Europe, the Middle East and APAC regions.
CSI Communications | June 2014 | 15
Technical Trends

Nuts and Bolts of Code Coverage Testing
Abhinav Vaid, IT Practitioner
Abstract— Software testing has evolved and matured over the past few years on all fronts, be it process or technical. When it comes to code coverage testing, debates remain, with novices and professionals alike each claiming their own definition of code coverage. The most widely accepted myth is that 100% code coverage guarantees exceptional quality. The books and material available on the subject are not wrong, but lack the clarity needed for actual implementation. The current paper is an attempt to tailor the entire subject into one crisp document, hence the title "Nuts and Bolts of Code Coverage Testing". The paper starts by defining code coverage and clearing out the myths about it. It demonstrates a real-time example of a code coverage implementation, and shows how and where other testing activities are involved and their relation to code coverage. It presents a methodical way to implement code coverage (highlighting best practices along with pitfalls to watch out for). It also presents a real-time case study of one of the heaviest products in the industry, which had reached a point where testing had become almost untrackable, and shows how implementing code coverage helped bring the testing activity back on track.
What is Code Coverage?
Code coverage is one of the measurement criteria used to quantify the test coverage of the application under test. It is typically used to publish numbers to management and stakeholders so that they can make more informed decisions before releasing a product.
Code coverage is measured to know how much of the application code is exercised during testing, regardless of whether that testing is black box, white box or grey box.
The term is often confused with static code analysis, which is a completely different activity, typically done by developers and development leads, whose most common techniques include code inspections, walkthroughs, etc. Static analysis examines the code without executing it; code coverage is only measured while the code runs.
Why Code Coverage?
Over the past few years, software development tools have evolved in maturity (simplicity from the development perspective, but at the cost of increasing internal complexity). Most development tools are wizard driven and feature rich, but they come with a lot of overhead. The codebase of the application includes not only its own code, but also that of the OS and of support/3rd party libraries. This makes testing a daunting task, as the codebase associated with the product remains complex and bulky. The development team does have unit test cases, but their scope is limited. The final gate always remains the testing team, and no matter how hard the team tries, there will always be areas where the code runs many times over and, on the other side, areas where the application code is never tested.
Historical data shows that it is practically impossible to release bug-free products; some defects only surface when the product goes live. The manual test team cannot be blamed, as their job is to execute the tests based on the test cases generated from the functional requirements documentation. At the same time, automated regression tests cannot be blamed, as their scope is limited to ensuring that nothing is broken, where the inputs are again in black and white (0s and 1s). The same applies to system, integration, grey box and performance testing.
Code coverage is the test execution performed on the product with the internal binaries hooked to a coverage tool, so that an accurate analysis can be drawn of how much code was actually exercised during test execution. It yields a measurement of the untested code of the application.
What Code Coverage Testing is not?
It is never intended to replace:
a. Manual Testing
b. Automated Testing
c. Grey Box Testing
d. Unit Testing
e. Static Analysis - which includes code walkthroughs, reviews, etc.
Implementing Code Coverage
Following are the high level objectives that should be thoroughly studied and put together in order to implement effective code coverage testing.
1. Draw the right expectations - It is always important to set expectations clearly so that there is no scope for ambiguity later. Following are the key expectations to be considered:
a. Objective indicator of test coverage of the application code
b. Links to uncovered packages / classes / methods / branches
c. Links to uncovered folders / files / lines
d. Drill-down support right from the namespace to the individual line of code
e. Early detection of gaps in test coverage, to avoid later investments (which grow many times over as the project progresses)
f. Removing redundancy (the same code being exercised in multiple tests) in testing
g. Increased confidence for releases
2. Selecting the tool - There are many factors to consider when selecting a code coverage tool. The most important ones are listed in Table 1.
3. Code Coverage Strategy (Short Term and Long Term)
4. Execution and Reporting - This is one of the most critical parts, and is often neglected by engineering teams. The product owners and stakeholders need this information. It needs to be not only accurate, but also crisp (with meaningful data) and presentable.
A Real Time Implementation
For the purpose of demonstration, let us do a real-time implementation and see how code coverage testing differs from other types of testing.
Application Under Test: Consider a web or UI form (as displayed in Fig. 1) with only 3 controls, User ID, Password and Login, and with options to minimize, maximize and close.
Black Box Testing: Enter a legitimate User ID and Password and click the submit button. The expected outcome is reaching the home page.
Grey Box Testing: Would include going to the database and validating that the User ID and Password are authentic. The expected outcome is that the stored credentials match those entered.
Load/Performance Testing: Would include multiple users logging in to the form (with some ramp-up pattern) using their respective credentials, followed by constant load and finally ramp-down. The expected outcome is conformance to SLAs (be it response time, CPU/memory utilization, etc.).
Automated Testing: A script reads user IDs from an external file and then hits the submit button in unattended mode. The expectation is an execution report marking the result as pass.
Code Coverage Testing: Code coverage can be generated for each of the tests mentioned above. The expectation is to publish the results and add tests to increase coverage. A typical code coverage report looks like Fig. 2 and Fig. 3 below.
Code coverage has its own jargon, with terms like branch coverage, sequence point coverage and so on. It is not as hard as it sounds at first. The key terms are explained after Table 1 and the figures.
Deciding factors for tool selection, and what to look for in the code coverage tool:
1. Uncovering untested areas - the lines/nodes that remain untested
2. Execution modes - for example, support for debug/run mode
3. Identifying repeatedly tested areas
4. Quality of test reporting metrics - should be intuitive/meaningful
5. Capacity to drill down from the top-most module to pinpoint the code/function
6. Accuracy of results during evaluation of the tool, before making a recommendation
7. User friendliness - should be intuitive/meaningful
8. Logging levels - for example, basic, verbose, etc.
9. Coverage extensibility
10. Merging of results - merging can be done manually as well as automated; popular tools support both modes
Table 1
Fig. 1: Application Under Test
Fig. 2: Code Coverage Report
Fig. 3: Code Coverage Report 2
Line Coverage - Line coverage captures the number of lines that were executed during the testing activity. The number is then compared with the total number of executable lines (the codebase of the application under test). The downside of line coverage is that it measures physical lines rather than logical statements. For example, it is possible to format a program on a single line and achieve 100% line coverage with only one test.
Statement/Branch Coverage - Statement and branch testing are relatively stronger than line coverage, but have the weakness that interactions between decision outcomes can mask errors during testing: every outcome may be taken at least once without the faulty combination of outcomes ever being exercised.
Decision/Basis Path Coverage - By requiring the decision outcomes to be exercised independently during testing (one test per linearly independent path through the code), basis path testing can expose additional errors.
For example, consider the following function:

    func() {
        if (condition1)
            a = a + 1;
        if (condition2)
            a = a - 1;
    }

If the expectation from the function is that the value of variable "a" is unchanged under all circumstances, testing it is a challenging task: a is only unchanged when both conditions are false or both are true. Now let us consider all the tests for this piece of code.
1. Branch Testing - Branch testing can be accomplished by executing two tests that do not detect the error. The tests would be:
a. The first test makes both decision outcomes false, in which case the value of "a" is not affected.
b. The second test makes both decision outcomes true, in which case the increment and the decrement cancel out.
2. Statement Testing - Statement testing can be accomplished by the second test alone, which executes every statement.
3. Basis Path Testing - From the above example it can be concluded that neither statement nor branch testing is sufficient to detect the error. Basis path testing requires one test per independent path (the cyclomatic complexity of the function is 3), so it cannot avoid a test in which exactly one condition is true, and that test detects the error.
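The example below is added here and is not from the article: it is the function above written in Java and instrumented to record which decision outcomes each test takes, so that the branch-coverage percentage and the defect detection of the branch, statement and basis path test sets can be compared side by side. The class and method names (BranchVsPath, runTest, evaluate) and the starting value 10 are assumptions made for the example.

```java
// Added example (not from the article): the if/if function from the text,
// instrumented to record decision outcomes so that branch coverage and
// defect detection can be compared across test sets. Names are assumed.
import java.util.LinkedHashSet;
import java.util.Set;

public final class BranchVsPath {

    /** Outcomes observed so far: "c1=true", "c1=false", "c2=true", "c2=false". */
    private final Set<String> outcomes = new LinkedHashSet<>();

    /** The function under test: a is expected to be unchanged for every input. */
    int func(int a, boolean condition1, boolean condition2) {
        outcomes.add("c1=" + condition1);
        if (condition1) a = a + 1;
        outcomes.add("c2=" + condition2);
        if (condition2) a = a - 1;
        return a;
    }

    /** Runs one test; returns true when the defect shows (a changed). */
    boolean runTest(boolean c1, boolean c2) {
        int before = 10;                      // arbitrary starting value
        return func(before, c1, c2) != before;
    }

    /** Branch coverage achieved by the tests run so far: 4 outcomes exist in total. */
    int branchCoveragePercent() {
        return outcomes.size() * 100 / 4;
    }

    /** Summarises a test set: coverage reached and whether any test detected the defect. */
    static String evaluate(String name, boolean[][] tests) {
        BranchVsPath run = new BranchVsPath();
        boolean detected = false;
        for (boolean[] t : tests) {
            detected |= run.runTest(t[0], t[1]);
        }
        return name + ": branch coverage " + run.branchCoveragePercent()
                + "%, defect detected = " + detected;
    }

    public static void main(String[] args) {
        // Branch testing as described in the text: both false, then both true.
        boolean[][] branchSet = { {false, false}, {true, true} };
        // Statement testing: the single test that executes every statement.
        boolean[][] statementSet = { {true, true} };
        // Basis path set: cyclomatic complexity is 3, so three independent paths.
        boolean[][] basisPathSet = { {false, false}, {true, false}, {false, true} };

        System.out.println(evaluate("branch set    ", branchSet));
        System.out.println(evaluate("statement set ", statementSet));
        System.out.println(evaluate("basis path set", basisPathSet));
    }
}
```

Running main reports 100% branch coverage with no detection for the two-test branch set, 50% for the single statement test, and 100% with detection for the basis path set. The coverage figure alone does not distinguish the first and third sets, which is exactly the limitation the text describes.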
Code coverage is measured as the percentage of application code executed during the testing activities. It can be measured at various levels: in terms of programming language constructs like namespaces, classes, methods and branches, or in terms of physical units like folders, files and lines. The idea is simple: generate coverage, add tests to increase coverage, and repeat until you reach the targeted coverage.
Note: 100% code coverage can never claim that the product is bug free. It only shows that every line or branch was executed at least once during testing; whether the right assertions were made on the results is a separate matter.
Case Study
A Case Study of Code Coverage Implementation for Testing an Application
Summary/Challenge: The codebase of the application was growing from one version to the next. This was primarily because it had to support backward compatibility (for legacy versions) as well as add new features and do patch/SP releases. The increasing complexity and bulkiness of the product made testing a challenge as well as an expensive task. It needed around 8-9 months of effort just to run the regression suites manually (with a team of 70 engineers). In order to control the situation, the test suites were automated on an as-is basis, and the execution time was reduced to 7 days of unattended test execution. The team could then spend quality time enhancing the existing automation suites and testing new feature/patch/bug fix releases.
Later it was discovered that there was no actual criterion for understanding how much of the application code was actually tested. There were high probabilities of:
1. Cases where the code was hitting the same sequence hundreds of times (maybe more)
2. Cases where the code was never reached during testing
Solution
A couple of popular code coverage tools were evaluated and the application was tested after configuring code coverage. The test results of the various tools were compared. The code coverage results were alarming but accurate. The best-fit code coverage tool was recommended, and a code coverage strategy was put together, highlighting the current as well as future targets.
Table 2 was put together and shared on a common dashboard. The high level objectives included:
1. Highlighting and publishing the current state of the product
2. Using the numbers as a benchmark to set the targets for subsequent releases
3. Bringing back clarity in testing, with a continuous focus on improvement
4. Bringing clarity to the test organization as well as the product management team
Table 2 uses 10% (an arbitrary number) as the targeted increase in coverage for subsequent releases.
Columns: Release | Functional/Manual Testing | Automated Test Execution | Performance and Load Testing | Total % of Code Coverage Achieved

Release X (baseline coverage)
  Functional/Manual Testing: A% (benchmark)
  Automated Test Execution: B% (benchmark)
  Performance and Load Testing: C% (benchmark)
Release Y
  Targeted coverage: Functional/Manual A% + 10%; Automated B% + 10%; Performance and Load: targets are normally set for application stability rather than for increased coverage
  Actual coverage: (to be recorded)
Release Z
  Targeted coverage: (to be set)
  Actual coverage: (to be recorded)
Table 2: Code Coverage Dashboard Metrics
Recommended Best Practices of Code Coverage Testing
1. Ensure all application paths/workflows are covered, in terms of the decision trees in the code.
2. Ensure all data values are covered - this can be done with patterns over different sets of data, and avoids fat in the form of redundant tests.
3. The code coverage tool should determine where the controls/sequences are being tested or not, which can save a lot of redundant tests in the automated suites. It can cover classes, methods and branches, but not the business logic.
4. Give a graphical representation of the results in terms of real-time charts and metrics.
5. Education - ensure that the stakeholders are aware of the shortcomings and the benefits of implementing code coverage, so that expectations are clearly set and visible.
6. Testing is proportional to complexity. A widely cited rule of thumb is that 80% of the bugs are found in 20% of the code. Identification, planning and execution of an effective strategy can make a huge difference and bring value to the organization.
Analysis
Some important points to recap:
1. Code coverage can never replace any other form of testing.
2. Testing activity is always proportional to the complexity of the application.
3. Testing efforts should be focused on the error-prone software and/or error-prone components.
4. Making informed decisions, whether taking calculated risks or gaining confidence in application stability. A couple of examples include:
a. Facilitating quicker release cycles
b. Shrinking the execution time
c. Knowing the percentage of untested code in the application
d. Knowing how code coverage has moved from release X to release Y, and what target benchmark is set for the forthcoming release
Take Away/Where to go from Here: Code coverage is typically done by the development team. This paper is an attempt to help manual/functional/automation testers get started on code coverage testing. I strongly recommend starting with a real-time implementation, taking the sample project above for getting started. But before running any tests, download a couple of code coverage tools and learn how to hook on to the binaries of the application under test. Aim for the tool that works best for your product and justifies the business needs. Go through the internals of the application under test (an area which is always a black box for a tester). This should be followed by going through the tools to narrow down the selection. Once a tool is selected and basic tests and some benchmarking are done, you are good to go. There is enough information available on websites, in books and in journals to help you make a baseline and create a long term strategy that makes a significant impact on the whole testing lifecycle and eventually on the product.
About the Author
Abhinav Vaid is an IT practitioner with 15 years of experience in various blue chip companies including Motorola, McAfee and Lotus. He has authored work on building automated test systems and is a regular writer in various technical and research journals. He is also a Foundation Member of the Indian ISTQB Certification Board.
Research Front

Template Matching Tool for Remote Sensing Images
Ashish Joshi*, Ankit Kumar**, Anil Kumar*** and Ankush Mittal****
*Assist. Professor, THDC-IHET, New Tehri
**Assist. Professor, DBIT Dehradun
***Scientist/Engineer, IIRS (ISRO), Dehradun
****Director Research, G.E.U, Dehradun

Abstract—Images are a tremendous source of information and are widely used for information extraction; the largest application areas are remote sensing, medical science and so on. Template matching provides basic and advanced functionality for image processing, for example object recognition, motion estimation and feature based template matching, across a variety of images such as medical images and remotely sensed images. A variety of algorithms exist for comparing images and for making the template matching process fast and reliable. This comparative study, with an implementation approach, focuses on the core basics of template matching in multispectral remote sensing images, aiming to detect and observe objects and their motion in registered and plain multispectral images. The implementation also shows how SAD is advantageous over SSD.
General Terms: Algorithms, Performance, Design, Experimentation, Programming.
Keywords: Template Matching, Single Band-Multi Spectral Images, Correlation, Image Registration.

Introduction
Template matching has proven to be a promising technology in the field of image processing for the different applications related to remote sensing, medical imaging and other areas. A template based approach applies known digital image processing concepts to the extraction and detection of features in portions of an image, providing the required information from those specific image portions. A large variety of applications use image registration to gather information from the physical aspects of the image. Template matching, at its most basic, is matching specific objects in the source image using a template image.
General approaches used in object recognition are broadly classified into 2 categories:
1. Area based methods
2. Feature based methods
Area based methods, sometimes called correlation methods, deal with the images without attempting to detect salient objects; a window of preferred size, the search window, is used for estimating the location of objects. Feature based methods, in contrast, focus on features of the image such as contrast, colour, hue, saturation, etc.

Literature Review
Template matching is the process of identifying an object in the main image (better called the source image) using a template, which is a small portion of it or a different image. It can be achieved through a variety of methods such as SAD (Sum of Absolute Differences) and NCC (Normalized Cross-Correlation) [1][2][3], each with a different computational measure for processing the source image and the template image. Feng et al. [4] showed how the basic template matching process can be sped up by decomposing the template into basic Haar-like features, which makes it more suitable for multi-scale template matching and replaces the element-by-element floating point multiplications with a few additions, significantly improving the speed. Neal et al. proposed an algorithm, GENetic Imagery Exploitation (GENIE), for image feature extraction and classification. Jyoti et al. [5] present a comparative view of the widely used area based search techniques, covering classic and recent methods, and classify area based search into further categories:
a. Cross-correlation based
b. Fourier based
c. Mutual Information based
d. Optimization methods (simulated annealing), etc.
The degree of similarity between two images represented as vectors A = (x1, y1) and B = (x2, y2) is given in the form of the dot product AB = x1 x2 + y1 y2 in general images. Coarsening is defined as:
[5,6]
…………eq(1)
where X, Y define the block location in the source image and D is the disparity parameter. It computes the "tie points" of the images and the results are then displayed. It is used by robots for exploring their environment, as in the work proposed by Levine et al. [6], through matching sub-regions in the image.
Traditional matching algorithms consist of the conventional methods that recent studies have shown to be computationally intensive and time consuming; examples include SAD and NCC, given as equation (2) and equation (3):
[7]…….…eq (2)
Ideally the SAD score must be 0 if the template is taken from the same image itself; but if the template is taken from another registered image of the same area, from a different image, or is available on its own, we have to find the minimum score over the search region of the source image.
NCC is given as:
[7]…………….eq(3)
Recent studies show that SAD and NCC based matching methods are comparatively slow for our requirement. Shou-Der Wei et al. [7] in their study achieved faster results with multilevel partitions, using a winner update strategy applied in conjunction with an upper bound for cross correlation derived from the Cauchy-Schwarz inequality, given as equation 4:
[7]……………………eq(4)
The summation of the cross correlation is done at different levels, with the partition order determined by the gradient energies of the partitioned regions in the template image. Thus, this winner update scheme in conjunction with the upper bound for NCC can be employed to skip unnecessary calculation. Similar work by Stefano et al. [8] shows the matching process with enhanced Bounded Correlation, which again reduces the number of computations used by NCC while producing the same results. Fedwa et al. [9] in their paper showed a matching process using
the fourth central moment, which forms an estimator in higher order statistics theory; it lowers the impact of the Gaussian noise that may be introduced in transmission, producing the desired results quickly. They also use BDM and SSD, which are shown in equations 2, 5 and 6.
eq (5)
where dx,y = f(x+k,y+l) – g(k,l), and f(x+k,y+l), g(k,l) denote the luminance or other real features
[9]………eq(6)
Considering the various types of images in our research focus, most generally we deal with single band, multispectral and hyperspectral images in remote sensing. Work by Taejung Kim et al. [10] shows how the centre of a road can be tracked by a least squares correlation matching method around a user-given input. Similar work by Mohamed Ali et al. [11] uses the Canny edge detection algorithm for feature extraction and enhancement of remote sensing images, achieving a very high level of enhancement. Mihai Datcu et al. [12] showed the Bayesian way of thinking and introduced a pragmatic approach to extract structural information from RS images by selecting, from a library of a priori models, those which best explain the structures within an image. Michael Schroder et al. [13] presented Gibbs-Markov random fields (GMRF) as a descriptor of the spatial information in remote sensing data.
Dealing with such images, certain problems may arise. Firstly, the images comprise different bands carrying different information, such as spectral, radiometric, textural, geometric and contextual information. Secondly, the image will most probably be a false colour composite, in which it is not an easy task to identify and detect certain objects. The above mentioned strategies (SAD and correlation) are applied in our approach to images in generic binary format, and the comparative results with conclusions are shown under the following headings.
Study Area
For our research we have taken an image of San Francisco from the WorldView-2 satellite, in raw form. WorldView-2 is DigitalGlobe's second next-generation satellite, built by Ball Aerospace, with advanced technologies and sensing capabilities. The image used in our research work covers one of the famous places of San Francisco, the Oakland Bay Bridge.
Proposed Work
A SAD and SSD based approach has been implemented in our system. We have tried to match a specified template image, extracted from the source image itself, against that single source image. We took Java as the platform for our implementation, developing a tool which is able to match images using these algorithms. We extracted a few template images from the source image and then tried to match them using the mentioned algorithms so as to get the nearest match. An algorithmic description of the applied process follows:
Step 0: Initialise the values in the system. Set the search window to the size of the template image itself.
Step 1: Load the source image and the template images in single-band format; we chose a grey-scale image for this. If the source image is multispectral, convert it using any tool or extract the values of a single band; if several bands are to be combined, assign a weight to each band and perform a weighted conversion. Our tool is capable of reading and displaying multispectral, hyperspectral and single-band images in generic binary format.
Step 2: Compute the SAD by moving the template image over the source image, using equation 2.
Step 3: The SAD evaluates to 0 at the true position, since the template image was taken from the same source image.
Step 4: If a match is found, return the pixel position in the source image at which that SAD value was first obtained.
Step 5: If no match is found, first check whether the search window has covered the whole source image; if it has, report that no match was found. In our case this is the least likely outcome, because the template is cut from the source itself.
Step 6: If correlation is selected, compute the variables mth and sq, where sq is the sum of the squares of every pixel in the template image, and mth is the sum, over the search window, of each source pixel value multiplied by the overlapping template value. If mth and sq are found to be equal, return the initial pixel position in the source image.
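The steps above, as an added worked example in Python (this is not the authors' Java tool): the band weighting of Step 1, a full-search SAD/SSD match covering Steps 2 to 5, and the mth == sq correlation test of Step 6, run on a small constructed 6x6 grey image from which the template is cut, as in the article. The image values and the function names (match_template, correlation_positions) are assumptions of this example.

```python
"""Template matching by SAD, SSD and the article's correlation test.

Added example in Python, not the authors' Java tool. Images are lists of rows
of integer grey values; the 6x6 SOURCE below is constructed for the demo and
TEMPLATE is cut from it at row 1, column 2, as the article does.
"""

# Constructed 6x6 single-band source image (all values distinct).
SOURCE = [
    [10, 20, 30, 40, 50, 60],
    [70, 80, 90, 100, 110, 120],
    [130, 140, 150, 160, 170, 180],
    [190, 200, 210, 220, 230, 240],
    [250, 255, 245, 235, 225, 215],
    [205, 195, 185, 175, 165, 155],
]
TEMPLATE = [row[2:4] for row in SOURCE[1:3]]   # [[90, 100], [150, 160]]
FOREIGN = [[1, 2], [3, 4]]                      # a template not present in SOURCE


def to_single_band(bands, weights):
    """Step 1: collapse a multispectral image (one 2-D array per band) to a
    single grey band by a weighted sum at each pixel."""
    rows, cols = len(bands[0]), len(bands[0][0])
    return [[round(sum(w * b[r][c] for w, b in zip(weights, bands)))
             for c in range(cols)] for r in range(rows)]


def window_score(source, template, row, col, kind):
    """Step 2: SAD (sum of |s - t|) or SSD (sum of (s - t)^2) for one placement
    of the template with its top-left corner at (row, col) of the source."""
    total = 0
    for j, trow in enumerate(template):
        for i, t in enumerate(trow):
            d = source[row + j][col + i] - t
            total += abs(d) if kind == "sad" else d * d
    return total


def match_template(source, template, kind="sad"):
    """Steps 2 to 5: full search over every valid placement. Returns
    (best_score, (row, col)); a template cut from the source scores 0 (Step 3).
    Raises ValueError when the template does not fit inside the source."""
    if kind not in ("sad", "ssd"):
        raise ValueError("kind must be 'sad' or 'ssd'")
    sh, sw = len(source), len(source[0])
    th, tw = len(template), len(template[0])
    if th > sh or tw > sw:
        raise ValueError("template larger than source")
    best = None
    for row in range(sh - th + 1):
        for col in range(sw - tw + 1):
            score = window_score(source, template, row, col, kind)
            if best is None or score < best[0]:
                best = (score, (row, col))
            if score == 0:          # Step 4: exact match, stop at first hit
                return best
    return best                     # Step 5: whole image searched, best > 0


def correlation_positions(source, template):
    """Step 6: sq = sum of squared template pixels; mth = sum of source times
    template over the window. Every placement where mth == sq is returned.
    The test is necessary for an exact match but not sufficient, so callers
    should confirm candidates with SAD or SSD."""
    sq = sum(t * t for trow in template for t in trow)
    sh, sw = len(source), len(source[0])
    th, tw = len(template), len(template[0])
    hits = []
    for row in range(sh - th + 1):
        for col in range(sw - tw + 1):
            mth = sum(source[row + j][col + i] * template[j][i]
                      for j in range(th) for i in range(tw))
            if mth == sq:
                hits.append((row, col))
    return hits


if __name__ == "__main__":
    print("SAD:", match_template(SOURCE, TEMPLATE, "sad"))
    print("SSD:", match_template(SOURCE, TEMPLATE, "ssd"))
    print("correlation:", correlation_positions(SOURCE, TEMPLATE))
    print("foreign template, SAD:", match_template(SOURCE, FOREIGN, "sad"))
```

Both SAD and SSD return score 0 at (1, 2), where the template was cut out, and the correlation test fires only there; for the foreign template the search finishes with a non-zero best score and the correlation test fires nowhere, which is the "no match" branch of Step 5. On real imagery the mth == sq equality is fragile (any brightness scaling breaks it), which is why the normalized cross-correlation of the works cited in the article is preferred in practice.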
Results and Discussions
With our experimental setup we are able to perform template matching using SAD and SSD for object analysis in remote sensing images. The remotely sensed image taken for our implementation is a multiband image. For processing we therefore either have to extract the values of each band and match them against the template (if the template is also in multiband format), which is a tedious and complex task, or take a grey-scale version of the same multispectral image in generic binary format, as we did in our implementation. The values here may exceed the normal display range, so we implemented some mechanisms to make it work. The outcomes shown in the following figures illustrate how the SAD and SSD mechanisms behave with the images we have taken.
Our tool, implemented in Java, with functionality for multispectral image reading and template matching.
Part of the image we took as the source image for the implementation.
The template images we took for our research were of small size, in the range of 32x32 pixels, as shown below.
CSI Communications | June 2014 | 22 www.csi-india.org
The template image
Result after applying the SAD algorithm
Result after applying the SSD algorithm
Experimental results show that the match found by both methods is the same.
Acknowledgements
We are highly thankful to DigitalGlobe for providing the images; the satellite used in our research is WorldView-2.
Conclusion
In our research we showed how a template matching mechanism can be implemented on remotely sensed images using SAD and the correlation-based SSD. Existing template matching techniques proved to be inadequate for multiband images and also computationally intensive.
The algorithmic mechanisms stated above may find application in remote sensing fields such as harbour monitoring, and can be of much benefit in semi-automatic image registration, where geographic information has to be matched even when latitude-longitude coordinates are not available at the moment. Besides these, they may find application in medical imaging, where they can help in the detection of tumours.
About the Authors
Ashish Joshi received his M. Tech. degree from Graphic Era University and is a member of CSI. Currently he is working as an Assistant Professor at THDC-IHET. He has published and presented papers in IEEE and Springer venues. His areas of interest include Image Processing, Network Security and Data Mining.
Ankit Kumar received MCA and M. Tech. degrees from Graphic Era University, Dehradun. He is currently working with Dev Bhoomi Institute of Technology, Dehradun, as Assistant Professor. He is an Oracle Certified Professional from Oracle University. His areas of interest are Big Data, Image Preprocessing, Soft Computing and Data Mining.
Dr. Anil Kumar received B. Tech., M.E. and Ph.D. degrees in Photogrammetry and Remote Sensing Engineering from IIT Roorkee. He is presently working at the Indian Institute of Remote Sensing (ISRO, Dept. of Space, Govt. of India), Dehradun, India, as Scientist/Engineer 'SF'. His areas of interest are Soft Computing Applications for Images, Digital Image Processing, Digital Photogrammetry, LiDAR and GPS.
Dr. Ankush Mittal is Director Research at Graphic Era University, Dehradun. He has published several books and research publications. His areas of interest include Computer Networks, Operating Systems and Image Processing.
Imagine hiding your secret information in a digital medium without scrambling its original contents. This property of hiding information is highly desirable for military, corporate and private applications in order to secure secret communication. This philosophy is in contrast with the popular science of cryptography, where the message is encrypted with a secret key. In many situations, detection of an encrypted message by an intruder may lead to an attack on the transmission source, that is, an attack on availability. For instance, in a war-like scenario the detection of an encrypted signal may cause the enemy to jam it. Therefore it is good practice to hide the secret message in an innocuous carrier before transmission. This information-hiding practice is popularly known as steganography: the science of hiding or embedding secret information in routine message exchange between two parties in a way that is undetectable and irremovable by an adversary[1][2].
The word steganography comes from the Greek steganos (covered) and graphein (writing), i.e. concealed writing. In steganography the original contents are not scrambled, hence the adversary does not suspect the existence of a secret hidden inside a simple message. Even ancient history bears the footprints of steganography and illustrates various ingenious methods of it. An old but famous approach was to write secret messages with lemon juice as ink: the message remains invisible until the paper is heated. The past is filled with many such exciting instances of hiding secrets[3]. Around 1985, the arrival of digital technology introduced innovative ways of applying steganography, including one of the most fascinating: hiding information in digital images.
Fig. 1 depicts the principle of steganography. The secret information to be concealed in the cover object is termed the payload. The cover object may be text, image, audio or video; any medium with a large amount of redundancy is a good choice. Redundancy refers to the number of bits in the cover that can be overwritten without any significant loss in its quality. Digital images, even after compression, have a high degree of redundancy, which is why they are the most commonly used cover objects in steganography. The combination of the payload embedded in the cover object is referred to as the stego object. The embedding algorithm is the method used to hide the secret in the cover; it is not fixed and remains an open area of research[4]. Readers should not confuse watermarking with steganography: the latter is hidden point-to-point communication, whereas watermarking is open to all and broadcast in nature, i.e. everybody can see the presence of the watermark on the document but finds it very difficult to remove or reproduce. The purpose of a watermark is not to hide the document but to preserve its integrity and prove ownership[5].
Relevance with Cryptography
Cryptography scrambles a message with a secret key to make it unreadable by the adversary, while steganography hides the message within a cover object. A scrambled message might attract suspicion, whereas an "invisible" message crafted with a steganographic method is likely to be passed over by adversaries without a second thought. Just as the essence of cryptography lies in the secrecy of its key, steganography is useless once the hiding technique is disclosed. In fact, many steganography tools also offer to encrypt the secret message before embedding it, so that a detected payload still remains unreadable.
In cryptography, if the adversary cannot remove the encryption she can easily modify or destroy the file, making it unreadable or useless to the intended recipient. In contrast, steganography provides a means of communication where the secret message cannot be removed without a considerable change to the cover object. The embedded message remains secret unless the adversary can find a way to detect it. To be successful, steganography techniques must satisfy the following requirements:
• The integrity of the secret information should remain intact after it has been embedded inside the cover object, i.e. the changes made to produce the stego object must not corrupt the secret information.
• The stego object must appear the same as the cover object to the senses of the adversary; otherwise the adversary may suspect the presence of a secret and try to extract or destroy it.
Digital Image Steganography: "Seeing is always NOT believing"
Anurag Jagetiya* and Dr. C Rama Krishna**
*M. E. (CSE) student, **Associate Professor, Department of CSE, NITTTR, Chandigarh
Fig. 1: Principle of Steganography
Strong steganography techniques fulfil both of the above criteria, whereas weak techniques may alter the secret information during embedding and defeat the whole purpose[6]. To date, various steganography techniques have been invented, namely substitution, transform domain, spread spectrum, statistical methods, distortion, cover generation, etc.[7]. This article is confined to the substitution technique in order to demonstrate the concept of steganography.
In the substitution technique, the redundant part of the cover object is replaced with the secret payload. Least Significant Bit (LSB) insertion is a popular substitution technique used with image files. Generally this method does not increase the file size of the stego object, although with some tools the size may increase noticeably if the secret message is large. Many substitution-based tools refuse to hide secret files larger than a fixed ratio between the sizes of the secret and cover images.
Steganography in Digital Images
A digital image is a finite collection of picture elements called pixels, each having a particular location and value; hence the colours and intensities of light differ across the areas of an image. The colour at every pixel is determined by the mixture of the three primary colour components Red, Green and Blue (RGB). This colour value can be represented in binary, hexadecimal or decimal form. The number of bits used to represent the RGB components determines the colour quality of an image. Some image file formats use only 8 bits per pixel, i.e. 2 to 3 bits per colour component (or an index into a 256-colour palette). It is found that 24 bits per pixel gives much better image quality at the cost of a larger file, so such images consume more storage and take noticeable time to download. Therefore, to reduce the size of images, two types of file compression are in general use, namely lossy and lossless. GIF (Graphics Interchange Format), which uses lossless LZW compression, and BMP (bitmap file), which is usually stored uncompressed, preserve the original pixel values and are the generally recommended media types since both give high-quality images[12]. The popular JPEG (Joint Photographic Experts Group) format, on the other hand, is an example of lossy compression. Its advantage is that it saves much more space than BMP or GIF, but it loses its originality because the compression removes those parts of the digital media that cannot be perceived by human vision. Figure 2 (A) illustrates a 24-bit BMP image of size 768 KB which shrinks to only 41 KB when transformed into JPEG. This clearly shows the great amount of redundant data in BMP images and makes them a good choice as cover images in steganography. The difference between the BMP and JPEG images is undetectable to the human eye, but their histograms, i.e. plots of the number of pixels against colour value, show some differences.
The basic principle of image steganography rests on a limitation of the human visual system: it cannot distinguish between very similar colours. To see this, Figure 3 (A) shows a box filled with the colour of hexadecimal value FF3232 (decimal 255, 50, 50) and Fig. 3 (B) another whose colour values are slightly changed to FE3030 (254, 48, 48). The difference between the two is obviously imperceptible. Variations in the colours of an image are obtained by combining Red, Green and Blue on each pixel. A 24-bit BMP image has 8 bits for each of the Red, Green and Blue (RGB) components, so 2^8 = 256 different values are possible for every colour, and as Fig. 3 shows, the difference between 11111111 (255) and 11111110 (254) in the red intensity is likely to go undetected by human eyes. This gives the clue that picture quality will not be degraded significantly if the secret message is stored in the least significant bit of the pixel values. In this way the whole secret message is embedded in the cover image. This approach is known as the Least Significant Bit (LSB) substitution method of steganography. Experimental results of image steganography obtained with a tool named Stegomagic are shown in Fig. 4. In this demonstration, a secret image of 84 KB is embedded into an original 24-bit BMP image of dimensions 512 x 512. The size of the BMP can be calculated as (512 * 512 * 3) / 1024 = 768 KB. The resulting stego object in Fig. 4 (C) shows no perceptible difference from the original cover image. Moreover, the size of the stego object also remained the same as that of the original cover image.
Fig. 3: Similar-looking colours
Fig. 4: Generating the stego object
Fig. 2: BMP and JPEG images and their histograms, generated in Scilab
For further clarification of image steganography, suppose a secret character 'B' is to be hidden in an 8-bit (grey-scale) cover image. The ASCII value of 'B' is 01000010, and suppose the 8 consecutive pixels from the top-left corner of the cover image are:
00100101 11100001 11001000 00100101 11001010 11101000 11001001 00101111
In this approach the bits of the secret character are copied one by one, in left-to-right order, into the LSB position of successive pixel values of the cover image. The result is:
00100100 11100001 11001000 00100100 11001010 11101000 11001001 00101110
Only the three pixels whose LSB differed from the payload bit have changed, each by exactly one; on average LSB embedding alters about half of the pixels it touches.
Larger images can certainly store more secret information with ease, but at the same time they may arouse suspicion and consume more bandwidth on the Internet. One application of steganography can be seen in today's colour laser printers from HP and Xerox, which add tiny yellow dots to each page[8]. These dots are barely visible and encode date and time stamps as well as the printer serial number. On the other side, the adversary may attempt steganalysis to identify the presence of a secret message. The aims of steganalysis include detecting and extracting the hidden message, destroying it so that it cannot be extracted later, and finally replacing the actual hidden message with a different or modified one. Fig. 4 shows that the changes in the stego object are undetectable to the human eye, but the histograms of the original image and the stego object in Fig. 5 show some changes in the peaks.
There are various other methods of steganalysis, such as carefully comparing the hex dump of the image file with copies of the same file available on the Internet. A hex dump of the Lena cover image and of the stego object is shown in Fig. 6. Many software tools exist for this purpose, e.g. stegdetect[9] and stegsecret[10].
Although steganography hides the existence of the secret information embedded in the message, it has limitations. The amount of secret data that can effectively be embedded depends on the size of the cover itself. In the case of image steganography, the experimental results shown in Table 1 indicate that the cover should be at least 8 to 10 times the size of the secret object in order to create the stego object; this is consistent with the raw LSB capacity of one payload bit per cover byte, i.e. one eighth of the cover size. Another limitation of steganography is the same as that of symmetric-key cryptography: the sender and receiver have to agree privately on a secret way of exchanging information. Steganography may prove dangerous if used by people with wrong intentions; in fact, it is believed that terrorists used steganography to hide secret messages in digital photographs on the web while planning the 9/11 attack on the World Trade Center[11]. Both steganography and steganalysis are emerging areas of research because of their applications in forensics, intelligence, the military, etc. So far, more than 725 digital steganography applications have been identified by the Steganography Analysis and Research Center[12].
Fig. 5: Histogram comparison of cover image (A) and stego object (B)
Fig. 6: Hex dump of cover image (A) and stego object (B) with some of the changes highlighted
Table 1: Fit ratio between cover and secret image (results obtained with the Stegomagic software)

Cover image (KB)   Secret image (KB)   Fits   Ratio (cover/secret)
768                384                 No     2
768                208                 No     3.69
768                109                 No     7.05
768                 84                 Yes    9.14
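The LSB substitution worked through above with the character 'B', the capacity limit behind Table 1, and the histogram-based steganalysis of Fig. 5, as one added example in Python (this is not code from Stegomagic or from the article): embed and extract payload bits in the LSBs of a flat list of 8-bit pixels, compute the raw capacity of a cover, and run the classic pairs-of-values chi-square test that a steganalyst applies to the histogram. The 8-pixel cover is the article's own sequence; the 100-pixel flat cover and the function names are assumptions of this example.

```python
"""LSB substitution on an 8-bit grey image: embed, extract, capacity check and a
pairs-of-values chi-square detector.

Added example, not code from the Stegomagic tool in the article. A cover is a
flat list of pixel values 0..255; the 8-pixel cover below is the one from the
article's 'B' example (constructed data).
"""

# The article's eight cover pixels, top-left corner of an 8-bit image.
ARTICLE_COVER = [0b00100101, 0b11100001, 0b11001000, 0b00100101,
                 0b11001010, 0b11101000, 0b11001001, 0b00101111]


def lsb_capacity_bytes(cover_bytes):
    """Raw capacity of one payload bit per cover byte: cover size // 8."""
    return cover_bytes // 8


def embed_lsb(cover, payload):
    """Write the payload bits, most significant bit first, into the LSB of
    consecutive cover pixels. Raises ValueError if the cover is too small."""
    bits = [(byte >> k) & 1 for byte in payload for k in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover has {len(cover)} pixels, payload needs {len(bits)}")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit    # clear the LSB, then set it
    return stego


def extract_lsb(stego, nbytes):
    """Recover nbytes payload bytes from the LSBs, in the same bit order."""
    out = bytearray()
    for k in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[8 * k + i] & 1)
        out.append(byte)
    return bytes(out)


def changed_pixels(cover, stego):
    """How many pixels the embedding actually altered (about half on average)."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


def pov_chi_square(pixels):
    """Pairs-of-values statistic (the chi-square attack of Westfeld and
    Pfitzmann): LSB embedding pushes the counts of each value pair (2k, 2k+1)
    towards equality, so the statistic drops sharply after embedding.
    Pairs that never occur in the image are skipped."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected
            chi += (odd - expected) ** 2 / expected
    return chi


if __name__ == "__main__":
    stego = embed_lsb(ARTICLE_COVER, b"B")
    print([f"{p:08b}" for p in stego], extract_lsb(stego, 1))
    print("512x512x3 BMP holds", lsb_capacity_bytes(512 * 512 * 3) // 1024, "KB")
    flat = [10] * 100                      # constructed cover: one grey level only
    print("chi before:", pov_chi_square(flat),
          "after:", pov_chi_square(embed_lsb(flat, b"\x55" * 12)))
```

Embedding 'B' in the article's eight pixels reproduces its result exactly, with three pixels changed. The 768 KB cover of Table 1 has a raw capacity of 98304 bytes (96 KB), which is why the 84 KB secret fits and the 109 KB one does not; the "8 to 10 times" rule is this one-bit-per-byte limit plus whatever the tool stores alongside the payload. The chi-square value collapses once a payload fills the LSB plane, which is the statistical footprint that histogram-based steganalysis looks for.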
References
[1] H. Wu, H. Wang, C. Tsai and C. Wang, "Reversible image steganography scheme via predictive coding", 1 (2010), ISSN 0141-9382, pp. 35-43.
[2] James C. Judge, "Steganography: Past, Present, Future", SANS Institute, 2001.
[3] Herodotus, The Histories, Penguin Classics, reprint edition, September 1, 1996.
[4] N. Johnson, "Survey of Steganography Software", Technical Report, January 2002.
[5] Dr. Natarajan Meghanathan, "Basics of Digital Watermarking, Steganography vs. Watermarking", course notes, Jackson State University, Jackson MS 39217.
[6] Shashikala Channalli, Ajay Jadhav, "Steganography An Art of Hiding Data", Sinhgad College of Engineering, Pune, International Journal on Computer Science and Engineering, Vol. 1(3), 2009, pp. 137-141.
[7] Neil F. Johnson, Stefan C. Katzenbeisser, "A survey of steganographic techniques", Chapter 3 in Stefan Katzenbeisser (ed.), Fabien A. P. Petitcolas (ed.), Information Hiding Techniques for Steganography and Digital Watermarking, Artech House Books, 2000.
[8] Seth Schoen, "Secret Code in Color Printers Lets Government Track You", Electronic Frontier Foundation, press release, October 16, 2005, url: www.eff.org/press/archives/2005/10/16
[9] Niels Provos and Peter Honeyman, "Hide and Seek: An Introduction to Steganography", IEEE Computer Society, 1540-7993/03, May/June 2003.
[10] Alfonso Muñoz, Stegsecret application, url: www.stegsecret.sourceforge.net
[11] Federal Plan for Cyber Security and Information Assurance Research and Development, National Science and Technology Council, April 2006.
[12] S. ShyamalaDevi, M. Anandbabu, "Hiding of information in multimedia files", International Journal of Computer Application and Engineering Technology, Volume 1, Issue 4, October 2012, pp. 95-108.
About the Authors
Mr. Anurag Jagetiya is an Assistant Professor at MLV Government Textile & Engineering College, Bhilwara (Rajasthan). He is pursuing an M.E. in Computer Science & Engineering at NITTTR, Chandigarh. He has more than 7 years of academic experience. His research interests are Computer Networks and Cyber Security. E-mail: [email protected]
Dr. Rama Krishna Challa is an Associate Professor at NITTTR, Chandigarh. He obtained his Ph.D. from IIT Kharagpur, M.Tech. from CUSAT, Cochin, and B. Tech. from JNTU, Hyderabad. He has 18 years of teaching and research experience and more than 50 papers to his credit in international and national journals and conferences. His research interests are Wireless Networks, Distributed Computing, Cryptography and Network Security.
SQL Injection - Anatomy and Risk Mitigation
Navdeep Kaur* and Parminder Kaur**
*Master's Degree, M. Tech. in Software Systems, Guru Nanak Dev University, Amritsar
**Assistant Professor, Department of Computer Science & Engineering, Guru Nanak Dev University, Amritsar
SQL Injection (or insertion) is still one of the top vulnerabilities according to the OWASP Top 10 of 2013. Reports of SQL Injection keep growing day by day and the term has become a buzzword. But what made this happen? It is the lack of security awareness during the development of web applications. Developers are mandated to deliver functionality on time and on budget, but not to develop secure applications, and the result is vulnerable web applications. Inaccurate security requirements, poor design, configuration mistakes, insecure or bad coding techniques, complexity, unvalidated user input and password management flaws are the major causes that make SQL Injection possible. To prevent or mitigate the risk of SQL Injection, security needs to be integrated into the development of the web application.
What is SQL Injection?
"SQL Injection" refers to an attack in which malicious users inject SQL commands into an SQL statement via the input fields of web forms. The injected SQL alters the statement and gives unauthorized access to the database, thereby compromising the security of the web application. SQL Injection happens mainly because of input validation weaknesses. The common weaknesses that make SQL Injection possible in a web application are:
• No or improper validation of user input.
• Constructing dynamic SQL queries by simple string concatenation.
• Configuring the application with an over-privileged database login.
• Improper exception and error handling.
To stop SQL Injection, these weaknesses should be removed during the development of the web application.
SQL Injection Anatomy
Figure 1 illustrates a tautology-based attack and shows how SQL Injection happens. The attacker attempts to insert SQL commands that extract data from the database. As shown in Fig. 1, the attacker enters a tautology (a condition such as ' OR '1'='1 that is always true) in a text box; it is concatenated into the SQL query at the back end and executed by the database. The database then reveals confidential data to the attacker at the front end. In this way a simple SQL statement is used to compromise the whole database.
What SQL Injection Can Do?
SQL Injection is a kind of attack that is very difficult to stop, because it rides on the normal functioning of the web application. It can bypass the authentication and authorization of the web application, and it passes straight through network-level protection (firewalls and intrusion detection systems) and operating system security, since it arrives as ordinary application traffic.
A web application with SQL Injection vulnerabilities is exposed to all the types of threat described by STRIDE, the threat categorization model introduced by Microsoft. The acronym STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) maps onto SQL Injection as follows:
S - Bypass authentication and authorization
T - Steal and modify data
R - Void or delete transactions and drop tables
I - Disclosure of sensitive data
D - Destroy data and make it unavailable
E - Obtain and use administrator credentials
This shows that SQL Injection is a powerful attack that can destroy a database or be used to steal large sums of money from banks, leading to a crisis in the organization. So there is a need to stop SQL Injection before it stops you.
SQL Injection Mitigation
It is clear that SQL Injection vulnerability is due to a flaw in web application development; it is not a database or web server problem. When we talk about security, there are three ways to secure a web application:
1. Penetrate and patch
2. Operational environment
3. Secure software engineering
The dominant idea, secure software engineering, means addressing security during development; it offers a reduction in future expenditure and time as well as more in-depth defensive layers. So there is a need for a holistic approach: security should be woven in throughout the complete software development lifecycle, from the requirements phase to the testing phase. While designing a secure web application that is free from SQL Injection vulnerabilities, three rules of thumb should be kept in mind:
1. All input is evil
2. Defence in depth
3. Think from the attacker's perspective
The different activities that should be performed during development to mitigate SQL Injection are shown in Fig. 2. As applications are rarely static and need to be enhanced and adapted to suit changing business requirements, vulnerabilities should be removed in their respective phase as the application evolves. Some measures to be taken in each phase to mitigate SQL Injection are explained below, phase by phase.
Fig. 1: How SQL Injection Happens
Fig. 2: SQL Injection Mitigation in the SDLC
Requirement Phase
Developing secure web applications that can withstand malicious SQL Injection attacks requires a careful injection of security considerations into the early stages of the development lifecycle. Decisions taken in this phase help in implementing security in the design and coding phases. The following tasks are necessary for SQL Injection mitigation:
• Incorporate security modelling (misuse cases, attack trees, vulnerability cause graphs). Security modelling is a collective term for modelling techniques for security concepts such as threats, attacks and vulnerabilities; it identifies potential vulnerabilities, threats and countermeasures, and reduces the knowledge gap between developers and security experts. Techniques such as vulnerability cause graphs (VCG), attack trees and misuse cases are used to elicit security requirements for the mitigation of SQL Injection. Their main roles are:
  VCG - shows the causes of a vulnerability in graphical form.
  Attack tree - shows how the system is threatened and exploited by attackers.
  Misuse case - an "inverse use case" which shows the threats the system is exposed to and the countermeasures that mitigate the vulnerability.
• Elicit accurate security requirements from the security modelling. If security modelling is done properly, it is much easier for designers and developers to implement the security that mitigates SQL Injection.
Design Phase
Now the system needs to be designed in such a way that all the security considerations are taken into account. At design time SQL Injection is prevented by:
• Proper design review or audit
• Incorporating threat modelling
• Data flow diagram (DFD) and architecture diagram analysis
• Examining entry and exit points
Coding Phase
During coding, a lot of vulnerabilities are introduced by less skilled or unaware developers; SQL Injection vulnerability in particular is introduced by bad coding practices. The following coding techniques help prevent SQL Injection:
• Validate user input (whitelisting is preferable to blacklisting).
• Never build SQL queries by string concatenation.
• Use parameterized commands (prepared statements) for every query that takes user data.
• Stored procedures are a good option, provided they do not themselves assemble dynamic SQL from their arguments.
• Apply the principle of least privilege to the database login.
• Store all sensitive and confidential information in protected form; passwords in particular as salted hashes, never in clear text.
• Implement strong server-side validation for all user inputs; client-side validation is only a usability aid, since the attacker controls the client.
• Use regular expressions to validate and limit the input data.
• Implement error handling and do not show raw database error messages to the user.
• Use a quoting function such as Quoteblock where a value cannot be parameterized.
• Keep untrusted data separate from back-end commands and queries.
• Escape, filter or sanitize special characters in user input.
• Use exception handling to catch all possible exceptions.
• Set length limits and ranges on input data in form fields, and validate data for content length and format.
• Use non-default, unique schema and table names.
• Avoid building web pages from query strings.
• Audit the code to find vulnerabilities.
Testing Phase
Security testing focuses on finding potential security bugs that might be exploited by attackers. Its goal is to ensure that the software under test is robust and continues to function acceptably even in the presence of malicious attacks. During testing, SQL Injection is mitigated by:
• Ethical hacking
• Penetration tests
• Static and dynamic testing, code walkthroughs and inspection
• Fuzz testing (provide random, unexpected inputs to the input fields that are connected to the database and observe the outputs and error messages generated for the wrong inputs)
• Static code analysis or reviews
GreenSQL
GreenSQL is a unified software solution that provides database security, dynamic data masking and database activity monitoring in one product. It is open-source software implemented as a proxy server (a database firewall) placed between the web server and the database server, and includes a graphical user interface for configuring and monitoring the firewall. It supports Microsoft SQL Azure, SQL Server (all versions) and MySQL. The software automatically checks queries for security and forwards them only after review. The logic is based on evaluating SQL commands with a risk scoring matrix as well as blocking known database administrative commands (DROP, CREATE, etc.). How it helps us:
• Blocks SQL Injection attacks
• Secures data
• Prevents unauthorized database access
• Masks sensitive data
Conclusions
SQL Injection vulnerabilities have been known for more than a decade, and they are still among the most prevalent vulnerabilities in web applications. Today a wide variety of automated tools are available that make it easy to detect and exploit SQL Injection (SQLi) vulnerabilities. SQLi vulnerabilities have high damage potential and can completely compromise the web application. Raising awareness and following a few simple best practices during the development of web applications goes a long way toward preventing SQLi vulnerabilities.
References
[1] OWASP Top 10 list 2013: https://www.owasp.org/index.php/Top_10_2013-Top_10
[2] GreenSQL: http://www.greensql.com/
[3] Threat Modeling Process: http://msdn.microsoft.com/en-us/library/ff648644.aspx
[4] SeaMonster - Providing tool support for security modelling: http://www.shieldsproject.eu/files/docs/seamonster_nisk2008.pdf
[5] G. Sindre and A.L. Opdahl, "Eliciting security requirements with misuse cases", Requirements Eng (2005) 10: 34-44, DOI 10.1007/s00766-004-0194-4
About the Authors
Navdeep Kaur obtained her bachelor's degree, B. Tech. in Computer Science & Engineering, from Punjab Technical University and is currently pursuing a Master's degree, M. Tech. in Software Systems, at Guru Nanak Dev University, Amritsar. She has published 3 research papers in international journals and 1 research paper at a national conference. Her research area is software security (web application vulnerabilities).
Parminder Kaur is working as Assistant Professor in the Department of Computer Science & Engineering, Guru Nanak Dev University, Amritsar. She has published around 45 research papers in international and national journals and conferences. Her research areas include component-based software engineering, open source systems, web engineering and software security.
CSI Communications | June 2014 | 29
A Gartner report that came out in September 2013 made the not so surprising revelation that most companies are still not generating a positive ROI on Big Data. As per the report, big data investments currently earn 50 cents for every dollar invested.
Fig. 1: Big Data ROI [Source: Wikibon Research, 2013]
A big reason for this underperformance is that companies simply follow the herd without understanding the true purpose of Big Data. As the Gartner report points out, enterprises which had no clue about Big Data are actually running Big Data projects.
A survey conducted by Gartner revealed determining how to get value from Big Data, defining a strategy, and obtaining the skills and capabilities to be the three most compelling challenges faced by adopters of Big Data technology.
Fig. 2: Top Big Data challenges [Source: Gartner, September 2013]
Although the above statistics and reports invite an immediate temptation to call Big Data hype rather than a practical business reality, one must also study the case studies of enterprises which have used and are using Big Data successfully; Amazon, T-Mobile and eBay are a few well known examples.
While there are many case studies in business reviews, blogs, articles and practitioners' opinions touting the success of Big Data technology, there are hundreds of smaller players who are tumbling, fumbling and looking confused over the implementation of Big Data and its expected ROI.
After analyzing some of the successful implementations of Big Data Analytics, I believe the following points should be kept in mind while contemplating the integration of Big Data Analytics into enterprise decision making.
Why you need Big Data?
As per the recent Gartner report, more than 60% of the respondents do not even have a clue what to do with Big Data. This is in line with the findings shown in Fig. 2, which lists 'determining how to get value from big data' and 'defining strategy' as the two biggest challenges in Big Data implementations.
Amassing a huge volume of data is one thing (perhaps easier with the plunge in storage costs), analyzing that data is another, and finally integrating the insights into decision making is a totally different thing!
Any enterprise must begin by identifying a business problem. What is it that you are trying to achieve? Are you planning to expand your market? Or are you concerned about high customer attrition rates? Each of these requires a different analysis on different datasets. Merely amassing huge volumes of data from multiple sources is not profitable without knowing the business problem, and analyzing data just because there is a lot of it, without a clear goal, makes reaping ROI all the more difficult. Thus, asking the right business questions is critical: it gives a business context to the Big Data technology and clarity on WHAT data is to be analyzed and HOW it should be analyzed.
Finally, it is equally important to have a positive culture within the enterprise for data-driven decision making, so that the insights drawn from voluminous data using complex statistical packages are not pushovers. Big Data Analytics must be integrated with the decision making process.
Thus, aligning Big Data Analytics with the enterprise's core business strategy is the most critical ingredient in reaping the maximum ROI.
ERP is not One of the Options but the Only Option!
For drawing insights which can influence critical decision making, the complex analysis must be made on data which is of high quality and highly consistent. Otherwise the scenario would resemble 'Garbage In, Garbage Out'!
Collecting data that is both high quality and highly consistent requires an enterprise-wide system which integrates all the business processes of the enterprise. Without it, each process runs in an independent 'silo' (system), and extracting and organizing data in such an environment is intensely complex and prohibitively expensive.
Although the adoption of ERP systems in India is on the rise, SMBs are finding the path more thorns than roses, and the reasons seem genuine. The first deterrent is cost, with most ERP solutions priced exorbitantly. But the advent of SaaS based ERP solutions has given mid-market companies a great opportunity to leverage ERP systems to stay competitive. Gartner estimates SaaS ERP in India to grow at a CAGR of 28 per cent, and the survey concludes that adoption has been higher in the SMB segment than among large enterprises.
The second deterrent is customization. Every enterprise has a unique set of business processes, and finding a single suite which meets every requirement is impossible. Customization can also be a complicated and expensive activity which may even compromise the 'best practices' embedded in the system.
Article
Reaping ROI from Big Data
Binesh Nair, Lecturer and Core-Member, R&D Cell, Vidyalankar School of Information Technology, Mumbai
Abstract: The current dramatic underperformance of Big Data with respect to the hype in the air is due to limited knowledge of Big Data and a lack of alignment of Big Data Analytics with the strategic objectives of the organization. The mid-market segment also needs to introspect and ask the right questions before implementing Big Data. Finally, breeding an analytics culture and having data scientists who can see the big picture will decide the swing of ROI in any enterprise.
However, despite the challenges, it becomes imperative for enterprises in this highly competitive market to have an enterprise-wide system, so that they can increase the value of data by providing for analysis data which is correct, complete, current, consistent and in context.
Small is Beautiful
The American Marketing Association's first conference of the year, held in the first quarter of 2013, threw up a startling story: very few are actually working with anything approaching Big Data! In fact, a survey by Tom H.C. Anderson coined a new term for it, 'MID DATA'.
Fig. 3: ROI versus size of Data [Source: Tom H.C. Anderson, March 2013 Edition]
As can be seen in the figure, the Mid Data sample size lies between 100,000 and 10,000,000, which by the way is huge. The research output in the figure also shows that as the size of the underlying data sample reaches the Big Data horizon, the ROI as well as the practicality of the implementation start dropping.
On reflection this makes sense. For example, if an enterprise wants to understand the purchase patterns of its customers, it can do so by focusing on the customer data extracted from POS, social media etc. It would make less sense to club this data with accounting or purchase data, and it may make little sense to compare customers in the US with customers in India.
Thus, by focusing hard on the 'WHAT', it becomes clear 'WHICH' smaller datasets (MID DATA) should be considered for mining. By focusing on relevant datasets instead of being carried away by the idea of building a BIG data source, the enterprise not only makes the implementation practical but also reaps a higher ROI.
Build an Analytics Culture
Analytics is not just stats, quants or statistical tools; it boils down to how an enterprise integrates it into everyday decision making. For this, leaders must lead from the front to foster a culture of analytics in the organization.
Leaders in the C-suite must have a passion for collecting objective data and basing everyday decisions on it; they must set an example for the rest of the enterprise. Top-level management must translate this culture to mid-level managers because, ultimately, data-driven decision making needs not just the C-suite executives but every staff member incorporating analytics into their everyday work.
One widely adopted practice is to have an internal or external analytics team of data scientists who work cross-functionally in the enterprise. They collect data, determine the quality of data required for building predictive models, build statistical models and present the insights with effective data visualizations to key business stakeholders. However, to produce any critical impact on the business, it is important not to make them a 'silo' but to integrate them with the rest of the business units of the enterprise.
See the Big Picture
Analytics is all about solving business problems using knowledge discovered from massive amounts of data (terabytes or even petabytes) using statistics, data mining, machine learning etc. Thus, it becomes pivotal to align analytics to the business.
Organizations often face the challenge that employees who are quantitatively strong lack business knowledge, while those with good business know-how may not be good with numbers. The attempt must be to close the gap.
Analytics is an inter-disciplinary data science and demands a unique blend of business and quantitative knowledge. Working on data without understanding the underlying business will produce misleading results which will certainly hurt the business. For example, a statistician building predictive models for marketing campaigns must understand that all media behave differently and one medium may even influence another: a potential customer who sees an advertisement frequently on television may relate more easily to the hoarding along the highway.
Thus, an enterprise requires people who are not just statisticians but who also have a holistic view of the business, so that they can distinguish relevant from irrelevant patterns. Insights are not the obvious; they are something unknown in the past that prompts decision makers to change how business is done!
Conclusion
Reaping a positive ROI from Big Data may be a slow process, but a definite one! Organizations that do not have an analytical culture may face a steep learning curve, but I believe the above five points are critical for reaping success with Big Data.
References
[1] Tom H.C. Anderson, 'Forget Big Data, Think Mid Data', Anderson Analytics, March 7, 2013.
[2] 'Survey Analysis: Big Data Adoption in 2013 Shows Substance Behind the Hype', September 12, 2013.
[3] Matt Asay, 'Gartner on Big Data: Everyone's Doing It, No One Knows Why', Enterprise, September 18, 2013.
[4] 'ERP Implementation in the Mid Market Segment', PricewaterhouseCoopers, pp. 5-7, 2013.
[5] Jeff Kelly, 'Enterprises Struggling to Derive Maximum Value from Big Data', wikibon.org, September 19, 2013.
[6] Ada Wong and Harry Scarbrough, 'Critical Failure Factors in ERP Implementation', Pacific Asia Conference on Information Systems 2005, Sections 1-8, National Sun Yat-sen University, Bangkok, Thailand, pp. 492-505.
About the Author
Binesh Nair is currently a Lecturer and a core member of the R&D Cell at Vidyalankar School of Information Technology, Mumbai. His areas of interest are Data Mining and Analytics. He has published several papers at the international level. Contact: +91 900 4282 394 Email: [email protected]
Programming.Tips() »
Fun with ‘C’ programs
Practitioner Workbench
Wallace JacobSenior Assistant Professor, Tolani Maritime Institute
If an array is passed to a function and the values of the array are changed in the called function, those changes are reflected in the calling function. This is because what is actually passed is a pointer to the first element of the array, not a copy of the array. The program below and its output testify to this:
Program listing one

#include <stdio.h>
#define SIZE 10

void arraypassex(int *);

int main(void)
{
    int num[SIZE];
    int i;

    for (i = 0; i < SIZE; i++)
        num[i] = i;
    printf("\nBefore calling arraypassex(int *)");
    for (i = 0; i < SIZE; i++)
        printf("\nnum[%d]=%d", i, num[i]);
    arraypassex(num);
    printf("\nAfter calling arraypassex(int *)");
    for (i = 0; i < SIZE; i++)
        printf("\nnum[%d]=%d", i, num[i]);
    return 0;
}

/* x points at the caller's array, so every write lands in the caller's storage */
void arraypassex(int *x)
{
    int j;
    for (j = 0; j < SIZE; j++)
        x[j] += j;
    return;
}
Output of the above program:

Before calling arraypassex(int *)
num[0]=0
num[1]=1
num[2]=2
num[3]=3
num[4]=4
num[5]=5
num[6]=6
num[7]=7
num[8]=8
num[9]=9
After calling arraypassex(int *)
num[0]=0
num[1]=2
num[2]=4
num[3]=6
num[4]=8
num[5]=10
num[6]=12
num[7]=14
num[8]=16
num[9]=18
Is it possible to ensure that the array elements remain immutable in the called function? It is, with the help of the keyword const: declaring the parameter as const int * makes any write through that pointer a compile-time error, as the program below illustrates. Two caveats are worth remembering. First, const is enforced by the compiler only; a cast can discard it, so it documents intent rather than protecting the data. Second, in neither version does the callee learn the array's length; both rely on the shared SIZE macro. When the callee cannot trust its caller, pass the length explicitly and check it before indexing.
Program listing two

#include <stdio.h>
#define SIZE 10

void arraypassex(const int *);

int main(void)
{
    int num[SIZE];
    int i;

    for (i = 0; i < SIZE; i++)
        num[i] = i;
    printf("\nBefore calling arraypassex(int *)");
    for (i = 0; i < SIZE; i++)
        printf("\nnum[%d]=%d", i, num[i]);
    arraypassex(num);
    printf("\nAfter calling arraypassex(int *)");
    for (i = 0; i < SIZE; i++)
        printf("\nnum[%d]=%d", i, num[i]);
    return 0;
}

void arraypassex(const int *x)
{
    int j;
    for (j = 0; j < SIZE; j++)
        x[j] += j;   /* error: assignment of read-only location */
    return;
}
About the Author
Wallace Jacob is a Senior Assistant Professor at Tolani Maritime Institute, Induri, Talegaon-Chakan Road,
Talegaon Dabhade, Pune, Maharashtra. He has contributed articles to CSI Communications especially in the
Programming.Tips section under Practitioner Workbench.
E-mail: [email protected]
Offi ce Contact No: 02114 242121
“Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is
fun to program.”
- Linus Torvalds, Software Engineer behind development of the Linux Kernel
Programming.Learn("R") »
Basic Statistics Using R
As we have mentioned in previous issues, R is developed for statistical applications. It provides built-in functions for various statistical operations based on probability distributions, statistical tests, regression models, classification models, machine learning, time series analysis, resampling etc. We shall look at some of them in a nutshell in each of the coming issues. In the current issue, let us discuss how R supports basic statistical operations such as mean, median, maxima, minima, standard deviation etc.
Mean
The arithmetic mean of a set of data values is calculated simply using the function mean( ). For example,
> dataset<-c(21,22,23,24,25,26,27,28,29,30)
> M<-mean(dataset)
> M
[1] 25.5
Median
The median, which is the ordinal measure of the central location of the data values, is calculated using the function median( ).
Example:
> median(dataset)
[1] 25.5
Range
The function range( ) gives the range of all the values given as input, that is, the minimum and maximum values in the dataset. The example below gives the range of the values in the vector dataset.
Example:
> range(dataset)
[1] 21 30
Minima and maxima
The functions min( ) and max( ) return the minimum and maximum values of a set of input values.
Example:
> max(dataset)
[1] 30
> min(dataset)
[1] 21
Quantile
Quantiles split the input data values into equal-sized groups. By default the function quantile( ) reports the quartiles: the first quartile is the value below which the first 25% of the data set lies, the second quartile (the median) cuts the first 50%, the third quartile the first 75%, and the 0% and 100% points are the minimum and maximum. Other cut points can be requested through the function's probs argument.
Example:
> quantile(dataset)
0% 25% 50% 75% 100%
21.00 23.25 25.50 27.75 30.00
Variance
The function var( ) calculates the (sample) variance of the input values.
Example:
> var(dataset)
[1] 9.166667
Standard Deviation
The standard deviation is the square root of the variance. It is calculated using the function sd( ).
Example:
> sd(dataset)
[1] 3.02765
Correlation Coefficient
The correlation coefficient measures how strongly two variables are related. Its value ranges from -1 to +1. The function cor( ) computes the correlation between two vectors.
Example:
> dataset1<-c(21,22,23,24,25,26,27,28,29,30)
> dataset2<-c(0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.1)
> cor(dataset1,dataset2)
[1] 0.9964518
Covariance
Covariance tells how two variables vary together. The function cov( ) finds the covariance in R.
Example:
> cov(dataset1,dataset2)
[1] 0.9666667
In addition to these specific statistical functions, the function summary( ) provides the most basic statistical properties at once. See the example below:
> summary(dataset)
Min. 1st Qu. Median Mean 3rd Qu. Max.
21.00 23.25 25.50 25.50 27.75 30.00
Practitioner Workbench
Umesh P and Silpa BhaskaranDepartment of Computational Biology and Bioinformatics, University of Kerala
R is an implementation of the S programming language combined with lexical scoping semantics. R was created by Ross Ihaka and Robert
Gentleman. R is named partly after the fi rst names of the fi rst two R authors and partly as a play on the name of S.
- Wikipedia
Information Security »
A Quick Look at Hadoop Security
Security Corner
Paresh Suvarna* and Prashant Wate**
*Technical Specialist, IGATE; **Technical Architect, IGATE
Introduction
In this era of Big Data, with cheap data storage and cheap processing power becoming available, organizations are collecting massive volumes of data with the intent of deriving insights and making decisions. While most of the focus is on collecting data, having all the data in one place increases the risk to data security, and any data breach can lead to negative publicity and a loss of customer confidence.
Hadoop is one of the main technologies powering Big Data implementations. In this article, we cover some of the ways in which data security can be ensured while implementing Big Data solutions using Hadoop.
Evolution of Hadoop Security
During the initial development of Hadoop, security was not a prime focus area. In most cases the Hadoop platform was being developed against data sets where security was not a concern because the data was publicly available. As Hadoop has become mainstream, however, organizations are putting data from varied sources onto a Hadoop cluster, creating a potential data security problem. The Hadoop community has realized that more robust security controls are needed, has decided to focus on security, and new security features are being developed.
While the basic features provided by Hadoop itself are important, organizations cannot be parochial; they must take a holistic approach to securing Hadoop. Hadoop security is a very vast area and is ever evolving to cater to the growing market. A high level overview is given in the following sections.
Big Data Security - A Three-Tier Approach
Hadoop security can be considered a multi-layered approach. Each layer has a different set of security approaches and techniques, as depicted in Fig. 1.
Fig. 1: Three-Tier Security Approach for Hadoop
Data Transfer & Integration Layer
The first layer of security is at the integration cusp between the different source systems and the Hadoop ecosystem. For data ingestion into and dissemination out of Hadoop, there are different methods and techniques which transfer data back and forth from source systems. Security aspects of some of the tools and techniques for data transfer are listed below:
• Apache Flume - Flume can be used for collecting, aggregating and moving large amounts of data from multiple sources into the Hadoop Distributed File System (HDFS). If multiple users need to transfer data to HDFS through a Flume agent, proxy users can be created and mapped to a single principal; alternatively, a Kerberos principal can be used to access Hadoop directly.
• Apache Sqoop - Sqoop can be used to transfer data between relational databases and Hadoop. It provides role-based access and execution restrictions using 'Admin' and 'Operator' roles, which restrict activities such as import and export of data by end users.
• External Tools - Extract, Transform and Load (ETL) tools or custom built applications can connect to Hadoop data stores such as HBase or Hive. These data stores support Kerberos, Lightweight Directory Access Protocol (LDAP) and custom pluggable authentication. External applications can access Hadoop as themselves or by impersonating the connected user through proxy privileges configured in Hadoop; keep the hosts and groups a proxy user is allowed to impersonate as narrow as the integration needs.
• File Transfer - The SSH File Transfer Protocol (SFTP) is a good option for data transfer, since credentials and data are encrypted in transit. Plain FTP carries both in cleartext; if an FTP server must be used, restrict it to a single dedicated user or use proxy user credentials with only the required permissions.
OS Layer - Authorization & Authentication
The Hadoop file system is similar to a Portable Operating System Interface (POSIX) file system and gives administrators and users the ability to apply file permissions and control read and write access. The interconnect between the base Operating System (OS) and the Hadoop cluster is another layer which has to be secured. Big Data applications are typically deployed on Hadoop infrastructure that resides on top of the OS, so OS users, group policies and file permissions at the OS layer must be considered while securing the Hadoop cluster.
To address the OS related concerns, Hadoop should run under a dedicated user id which is neither root nor a member of the root group. This user acts as the super-user for the Hadoop NameNode and has the rights to start and stop Hadoop processes. In a Hadoop ecosystem, several users, namely 'hdfs', 'mapred' and 'yarn', are created during installation, and typically a common Unix group is created to provide access to these internal Hadoop users. End users who need to access HDFS are better served through proxy users than by membership of that group. To further strengthen the cluster, the security features integral to Hadoop must be fully utilized in addition to OS users and file permissions.
Hadoop Integral Security Layer
Hadoop provides several security control features, and subsequent releases are expected to provide enhanced ones. The essential security features available in Hadoop are:
• Authentication
  - Remote Procedure Call (RPC) connections: to mutually authenticate users and services, Kerberos is implemented on RPC connections through the Simple Authentication and Security Layer / Generic Security Services Application Programming Interface (SASL/GSSAPI).
  - Hypertext Transfer Protocol (HTTP) web consoles: a pluggable HTTP user authentication mechanism allows deploying organizations to configure their own browser based authentication for the JobTracker web user interface, for example HTTP Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) authentication.
  - Delegation tokens: initial authentication to the NameNode is done with Kerberos credentials. Thereafter the user obtains a delegation token for subsequent authentication to the NameNode without going back to the Kerberos key distribution center.
• Authorization
  - HDFS file permissions: the NameNode enforces access control to HDFS files based on file permissions and Access Control Lists (ACLs) of users and groups.
  - Task authorization - job tokens: job tokens are created by the JobTracker and shared with its associated TaskTrackers. This ensures that a TaskTracker performs only tasks assigned by its own JobTracker.
  - Data block control - block access tokens: when a user requests file access, the NameNode checks the file permissions and issues a block access token, protected with a Hash Based Message Authentication Code (HMAC-SHA1), which the client presents to the DataNode with its block access requests. This ties HDFS permissions to access to the data blocks themselves, so a DataNode never has to trust a client's claim about what the NameNode allowed.
• Encryption
  - RPC encryption: RPC connections in Hadoop use SASL, which supports encryption.
  - Data Transfer Protocol: data transfer between clients and Hadoop services can be configured for encryption.
  - HTTP Secure (HTTPS) encryption: data transferred over HTTP is encrypted by using Secure Sockets Layer (SSL), i.e. HTTPS. SSL can be configured to authenticate the server as well as the client.
  - Shuffle encryption: shuffle is the data movement between mappers and reducers over HTTP. HTTPS can be enabled for shuffle traffic by configuring the required parameters.
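Every feature in the list above is off until a site file switches it on, so a useful first check on a cluster is to read the effective settings rather than trust the feature list. The Python script below is an added example, not code from the article or from the Hadoop project: it parses Hadoop-style site files and reports each feature that is still off. The property names are the real Hadoop 2.x keys in core-site.xml, hdfs-site.xml and mapred-site.xml, and the defaults assumed for unset properties are Hadoop's documented ones; the two configurations are constructed for the example, one left close to a fresh install and one with all the features enabled.

```python
import xml.etree.ElementTree as ET

# property -> (Hadoop default when unset, accepted values, the feature it enables)
# Real Hadoop 2.x keys; comparisons are case-insensitive.
CHECKS = {
    "hadoop.security.authentication": ("simple", {"kerberos"},
                                       "Kerberos (SASL/GSSAPI) RPC authentication"),
    "hadoop.security.authorization": ("false", {"true"},
                                      "service-level authorization"),
    "hadoop.rpc.protection": ("authentication", {"privacy"},
                              "RPC encryption (SASL quality of protection)"),
    "dfs.permissions.enabled": ("true", {"true"},
                                "HDFS file permission enforcement"),
    "dfs.encrypt.data.transfer": ("false", {"true"},
                                  "Data Transfer Protocol encryption"),
    "dfs.http.policy": ("http_only", {"https_only"},
                        "HTTPS for web consoles and WebHDFS"),
    "mapreduce.shuffle.ssl.enabled": ("false", {"true"},
                                      "shuffle encryption"),
}


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(text)
    if root.tag != "configuration":
        raise ValueError("not a Hadoop configuration file")
    props = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name:
            props[name] = value
    return props


def audit(*xml_docs):
    """Merge the given site files (later files override earlier ones) and return
    [(property, effective value, feature)] for every check that is not satisfied.
    An unset property is judged by its Hadoop default, which is the weak value
    for every check except dfs.permissions.enabled."""
    props = {}
    for doc in xml_docs:
        props.update(parse_hadoop_xml(doc))
    findings = []
    for name, (default, accepted, feature) in CHECKS.items():
        effective = props.get(name, default).lower()
        if effective not in accepted:
            findings.append((name, effective, feature))
    return findings


# Constructed sample: a cluster where only a few values were ever touched.
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.rpc.protection</name><value>authentication</value></property>
</configuration>"""
WEAK_HDFS_SITE = """<configuration>
  <property><name>dfs.encrypt.data.transfer</name><value>false</value></property>
</configuration>"""

# Constructed sample: the same cluster with every feature in the list switched on.
HARDENED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
</configuration>"""
HARDENED_HDFS_SITE = """<configuration>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
</configuration>"""
HARDENED_MAPRED_SITE = """<configuration>
  <property><name>mapreduce.shuffle.ssl.enabled</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, docs in (("weak", (WEAK_CORE_SITE, WEAK_HDFS_SITE)),
                        ("hardened", (HARDENED_CORE_SITE, HARDENED_HDFS_SITE,
                                      HARDENED_MAPRED_SITE))):
        findings = audit(*docs)
        print(f"{label}: {len(findings)} finding(s)")
        for name, value, feature in findings:
            print(f"  {name}={value!r} leaves {feature} off")
```

Run it against the real files from $HADOOP_CONF_DIR by reading them into strings; a property set to a secure value in one file and overridden in a later one is reported with the value that wins, which is the one the daemons actually use.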
Third-Party Hadoop Security Solutions
Although Hadoop incorporates many security features, gaps still exist. This has given other vendors the opportunity to come up with security solutions for Hadoop. Some of these are:
Open-source solutions
Some of the open source security solutions for Hadoop are:
• Apache Sentry - delivers fine-grained authorization to data
• Apache Knox Gateway - provides perimeter security which integrates easily into existing security infrastructure
• Intel's Project Rhino - aims to enhance the existing data protection capabilities of the Hadoop ecosystem
Commercial solutions
Some of the commercial Hadoop security solutions are:
• Dataguise for Hadoop - provides discovery, data masking and encryption for sensitive data
• IBM InfoSphere Data Privacy for Hadoop - provides data masking, monitoring and auditing
• Zettaset Orchestrator - provides encryption for data-at-rest and data-in-motion, and fine-grained, role-based access
• Protegrity Big Data Protector - enables data protection and access control
Conclusion
During the initial days of Big Data implementations using Hadoop, the prime motivation was to get data into the Hadoop cluster and perform analytics on it. As organizations have matured in their understanding of Big Data, the data security and privacy policies of such implementations are being questioned. Though Hadoop lacks a robust security and privacy framework, the increasing interest in this area is ensuring that appropriate solutions are developed. While security and privacy issues can be addressed to an extent using existing Hadoop mechanisms, more robust tools and techniques are needed.
References
[1] Merv Adrian, 'Data Security for Hadoop - Add-on Choices Proliferating', Gartner, 2014. http://blogs.gartner.com/merv-adrian/2014/02/23/data-security-for-hadoop-add-on-choices-proliferating/
[2] Michael Steinhart, 'Hadoop security: A jungle of options', AllAnalytics.com, 2014. http://www.allanalytics.com/document.asp?doc_id=272302&page_number=2
[3] Vinay Shukla, 'Wire encryption in Hadoop', Hortonworks, 2013. http://hortonworks.com/blog/wire-encryption-hadoop/
[4] Kevin T. Smith, 'Big Data Security: The Evolution of Hadoop's Security Model', InfoQ, 2013. http://www.infoq.com/articles/HadoopSecurityModel
[5] Kathleen Ting (Customer Operations Engineer, Cloudera), 'Apache Sqoop: Highlights of Sqoop 2', January 2012. https://blogs.apache.org/sqoop/entry/apache_sqoop_highlights_of_sqoop
[6] Owen O'Malley et al., 'Hadoop Security Design', Yahoo, 2009. https://issues.apache.org/jira/secure/attachment/12428537/security-design.pdf
About the Authors
Paresh Suvarna, Technical Specialist, IGATE- Paresh has 14 years of experience in Information Technology and is part
of the Technology Center of Excellence (CoE) of Research & Innovation group at IGATE. He has rich experience in
architecting and implementing database solutions including data modeling, data migration, database performance &
optimization, etc. in Big Data, NoSQL & RDBMS realm. Email – [email protected]
Prashant Wate, Technical Architect, IGATE - Prashant has 14 years of experience in IT and is currently part of the
Technology Center of Excellence (CoE) of Research & Innovation group, IGATE. He has extensive experience in
architecting and implementing database solutions including Big Data, NoSQL databases, Analytics, data modeling,
data migration and database optimization. Email - [email protected]
Kind Attention: Prospective Contributors of CSI Communications -
Please note that cover themes of future issues of CSI Communications are planned as follows -
• July 2014 - Business Analytics
• August 2014 - Software Engineering
• September 2014 - IT History
Articles and contributions may be submitted in the categories such as: Cover Story, Research Front, Technical Trends and Article.
Please send your contributions before 20th of a month for consideration in subsequent month’s issue.
For detailed instructions regarding submission of articles, please refer to CSI Communications March 2014 issue, where Call for Contributions is published on page 37.
[Issued on behalf of Editors of CSI Communications]
Security in Software Development: Software Development has come a long way from the early days of programming, when almost
all programmers used assembly-language. From FORTRAN and COBOL in the 1950s, through BASIC, PASCAL and C in 1960-80s, to
PYTHON, JAVA, PHP in the 1990s programming has come a long way. The current thinking in software development has also moved
from Procedural in the 1960s, Object-Oriented in the 1990s to Agile Alliance in 2000s. On the other hand software project cost and
price are still largely estimated using a top of the mind approach. Even software development methodologies and tools take over 15 to
20 years to percolate down to programmers and become popular enough to be regularly used.
It is no surprise that software security has been a neglected area over the years. Security is considered an add-on, to be
provided if the client or customer wants it, or if there are incidents and you have no choice but to provide a fix. Security even today is
considered and incorporated in software at a much later stage in the software development process. But as with other add-ons and elements
introduced later in the life cycle, such add-ons seldom provide really secure solutions.
The reasons for this are varied, ranging from cost and time constraints on one hand to an attitude or
culture issue with the developers on the other. Quite often, for developers, the concept of building in security from the beginning is
anathema. This could be due to a number of factors. For one, it means that the number of iterations goes up. It is always easier for
the final code to be cleared for security bugs and issues only once. It also requires that developers learn, understand and use security
concepts and tools, something which they consider out of their scope.
Given this background the current Case in Information Systems is being presented. Although every case may cover multiple
aspects it will have a predominant focus on some aspect which it aims to highlight.
A case study cannot and does not have one right answer. In fact, an answer given with enough understanding and application of mind
can seldom be wrong. The case gives a situation, often a problem, and seeks responses from the reader. The approach is to study the
case, develop the situation, fill in the facts and suggest a solution. Depending on the approach and perspective the solutions will differ,
but they all lead to a likely feasible solution. Ideally a case study solution is left to the imagination of the reader, as the possibilities
are immense. Readers’ inputs and solutions on the case are invited and may be shared. A possible solution from the author’s personal
viewpoint is also presented.
Case Studies in IT Governance, IT Risk and Information Security »
Security Corner Dr. Vishnu Kanhere
Convener SIG – Humane Computing of CSI (Former Chairman of CSI Mumbai Chapter)
SureSwift Software is an upcoming startup
that is well on its way to being successful.
The entire team is young enthusiastic and
charged up to perform and achieve. The
development team is headed by Rohit the
team leader, who is chairing the Saturday
review meeting as usual.
Dhanesh, the experienced
programmer that he was, looked at the
agenda, noted that there were just 4 items
and started making plans for an afternoon
movie. The first three items covering
review of ongoing projects passed off in a
few minutes.
The last point was about Security
issues in Software. “Let us give it to the
Infosec team, it is their baby”- rang out
the chorus. Rohit looked at Dhanesh.
Dhanesh echoed the sentiment. Security
was handled by the infosec team and
after the coding was complete and the
software ready, just prior to its release
it was handed over to the security team.
The security consultants did a code
review and carried out tests, came up with
bugs which were then resolved and the
software was released. This had become
a bit of a pain as it entailed reworking
to get rid of the bugs and develop fixes,
increased the costs and delayed the
release dates. Most of the programmers
were unhappy about this. Their argument
was that “no software was 100% secure
and security vulnerabilities were bound
to be discovered post release and would
get fixed anyway.” In fact they had
postponed the ISO 27001 certification
exercise claiming that it was really
necessary for the IT department and
the Data Centre rather than for the
development team.
Rohit pointed out that they had
received a strong letter from their key client
– the Millionaire Bank. They were unhappy
with the software as their IT Audit had
discovered some critical security flaws in
the software. They wanted to know what
steps SureSwift was planning to take to
avoid such incidents in the future.
Priyanka raised her hand and voiced
a fundamental query. She was quick to
point out that the Bank like others must be
mandatorily deploying firewalls and using
SSL (Secure Sockets Layer) encryption
which should really restrict and protect
the application access. If these had been
compromised there was precious little
they could do.
Dhanesh suggested looking at the
RFQ (Request for Quotation) and the
evaluation matrix used by Millionaire
Bank for the software project in question.
It was a long laundry list covering – Ease
of Use, Maintainability, Complexity,
Completeness, Volatility, Reusability,
Documentation, Resource usage,
Correctness, Architecture, Portability, and
Integrity.
Pramila chipped in – how can they
hold us responsible if security is not on the
list anyway?
Rohit seemed visibly upset and
elaborated that – “there is something
called warranties and software being
fit for use, and an application for a bank
simply had to be secure.”
Tea was served and after a quick
consensus it was decided to call in Amar
the security consultant to help them
work out a strategy. Amar joined in and
suggested a way forward.
A Case Study of SureSwift Software
Solution
The situation: The events and details of the case seem to
indicate that in general there is a very low
level of awareness regarding information
security in software applications. The
Software Development process itself
appears to look at security as an add-on to
be checked and deployed towards the end
of the development cycle.
Given the mindset of most
programmers ‘Security’ is an obstacle
to quick development and rapid
deployment. It often makes the
program heavy and slow. With the
looming deadlines and tight budgets
implementing security is viewed as
a handicap. In fact most developers
seldom study the subject and have only
a vague idea about information security.
The main priority for developers when
creating an application is making the
application work and security is the last
thing that they are worrying about.
The consequences: Applications with poor security are a
potential for severe brand damage, loss of
reputation and image, privacy issues and
financial loss from client and third party
claims. They may also result in escalating
costs with the substantial modifications
and fixes needed to the software pre- and
post-release, even after deployment.
The Strategy:
(1) The strategy needs to focus on
integrating security in the software
development life cycle itself. It is true
that developers are not security experts
and security consultants are not good
at software development. Educating the
developers in information security and
having security consultants as a part of the
team to collaborate with the developers
when developing an application is a good
beginning.
(2) A security review and assessment
identifying potential threat scenarios
and building abuse cases before the
actual development starts will help
identify issues based on needs and
expectations of interested parties. For
too long software products have been
developed to suit the convenience of the
developer. They need to be built keeping
in mind by whom, for what and how they
are going to be used.
(3) During the design stage a risk analysis
exercise followed by an external review
needs to be undertaken.
(4) The testing process should
incorporate risk based security tests.
(5) Post code review the application
should undergo penetration testing.
(6) Finally the field feedback and user
trials should incorporate security aspects.
There are many classification systems
available for threat analysis. STRIDE
classifies threats as Spoofing, Tampering,
Repudiation, Information Disclosure, Denial
of Service, and Elevation (of Privilege). It primarily looks
at the application from the perspective of
the attacker. The other method, DREAD,
rates risks according to Damage
Potential, Reproducibility, Exploitability,
Affected Users and Discoverability.
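The paragraph names the STRIDE categories and the five DREAD factors but does not show how a team would actually rank the threats it has identified. The program below is an added example, not part of the case study or the author's solution: it tags each threat with its STRIDE category, rates it on the five DREAD factors, and sorts the list so remediation starts with the highest-scoring item. The 1-to-3 rating scale, the averaging rule, the priority bands and the three sample threats are all constructed for this example; the text specifies none of them.

```cpp
#include <algorithm>
#include <cmath>
#include <initializer_list>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// STRIDE categories as listed in the text.
enum class Stride {
    Spoofing, Tampering, Repudiation, InformationDisclosure, DenialOfService, ElevationOfPrivilege
};

// One rating per DREAD factor. Assumption for this example: a 1..3 scale
// (1 = low, 3 = high); the text names the factors but gives no scale.
struct Dread {
    int damage;
    int reproducibility;
    int exploitability;
    int affectedUsers;
    int discoverability;
};

struct Threat {
    std::string description;
    Stride category;
    Dread rating;
};

constexpr int kMin = 1;
constexpr int kMax = 3;

// Reject out-of-scale ratings so a typo cannot silently push a threat up or down the list.
void validate(const Dread& d) {
    for (int v : {d.damage, d.reproducibility, d.exploitability, d.affectedUsers, d.discoverability}) {
        if (v < kMin || v > kMax) throw std::invalid_argument("DREAD rating out of range");
    }
}

// DREAD score as the average of the five factors (a common convention; an assumption here).
double dreadScore(const Dread& d) {
    validate(d);
    return (d.damage + d.reproducibility + d.exploitability + d.affectedUsers + d.discoverability) / 5.0;
}

// Priority band on the 1..3 scale; thresholds are this example's choice.
std::string priorityBand(double score) {
    if (score >= 2.5) return "High";
    if (score >= 1.5) return "Medium";
    return "Low";
}

// Highest score first, so the remediation queue is the list order.
std::vector<Threat> prioritise(std::vector<Threat> threats) {
    std::stable_sort(threats.begin(), threats.end(), [](const Threat& a, const Threat& b) {
        return dreadScore(a.rating) > dreadScore(b.rating);
    });
    return threats;
}

// Constructed sample threats for a banking application like the one in the case.
std::vector<Threat> sampleThreats() {
    return {
        {"Unauthenticated access to statement download", Stride::InformationDisclosure, {3, 3, 3, 3, 2}},
        {"Audit log entries can be deleted by user", Stride::Repudiation, {2, 2, 1, 1, 1}},
        {"Session token predictable", Stride::Spoofing, {3, 2, 2, 3, 2}},
    };
}

int main() {
    for (const Threat& t : prioritise(sampleThreats())) {
        double s = dreadScore(t.rating);
        std::cout << priorityBand(s) << " (" << s << "): " << t.description << '\n';
    }
    return 0;
}
```

The ranking is only as good as the inputs: the validation step matters because the ratings usually come from a spreadsheet filled in by several people, and an accidental 0 or 30 would otherwise reorder the whole list without anyone noticing.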
Abuse cases need an external and
user perspective to design them and
adequate external inputs need to be
taken. It is like taking a blind person on
board to design a mobile phone intended
to be used by the blind. Without this
input it will rarely be user friendly and
feature rich. The same is true if software
development is to be secure. You need
to think like a hacker if not actually get
help from one.
The immediate benefit that would
be realized is that the development
process itself will become more secure.
It can avoid wasted time and effort of
addressing application security flaws
close to launch of the software as it
happens in the traditional development
models and will help prevent the
complexities of repeating the test phase
later in the development cycle or after
the application is deployed.
A vulnerability management
program based on the above will
make the applications more secure. It
would cover system discovery, asset
classification, vulnerability testing,
prioritization, remediation, root cause
analysis, and improvement.
Software applications using this
integrated approach cannot claim to
be free of security issues or 100%
secure. No application can ever aim to
be fool proof. It will nevertheless assist
in detecting and fixing security flaws
both efficiently and effectively, thereby
reducing costs, time and achieving the
stated objectives.
It is clear that one cannot expect
an application to be secure by treating
security as an add-on and only
considering it at much later stages in
the development. Integrating security
throughout the development life cycle
will be the appropriate strategy to adopt.
Any software development
process depends on people, process
and technology. While the suggested
methodologies will ensure safe, secure
technologies and robust processes the
human element is equally important.
To achieve this it is necessary to
create awareness about information
security in the software development
fraternity, to educate them in the
three principles of confidentiality,
integrity and availability (CIA), and
then go on to develop a cascade of
policies, procedures, best practices
and guidelines.
Emergence of Industry standards
on secure development will eventually
lead to a wide spread adoption of these
principles making secure software
development the norm rather than the
exception that it currently is.
An effective solution is generally
expected to proceed on these lines.
About the Author
Dr. Vishnu Kanhere is an expert in taxation, fraud examination, information systems security and system audit
and has done his PhD in Software Valuation. He is a practicing Chartered Accountant, a qualified Cost Accountant and a Certified
Fraud Examiner. He has over 30 years of experience in consulting, assurance and taxation for listed companies, leading players
from industry and authorities, multinational and private organizations. A renowned faculty at several management institutes,
government academies and corporate training programs, he has been a key speaker at national and international conferences and
seminars on a wide range of topics and has several books and publications to his credit. He has also contributed to the National
Standards Development on Software Systems as a member of the Sectional Committee LITD17 on Information Security and
Biometrics of the Bureau of Indian Standards, GOI. He is former Chairman of CSI, Mumbai Chapter and has been a member of
Balanced Score Card focus group and CGEIT- QAT of ISACA, USA. He is currently Convener of SIG on Humane Computing of CSI
and Topic Leader – Cyber Crime of ISACA(USA). He can be contacted at email id [email protected]
Solution to May 2014 crossword
Brain Teaser Dr. Debasish Jana
Editor, CSI Communications
Crossword » Test your Knowledge on Security in Software Development
Solution to the crossword with name of first all correct solution provider(s) will appear in the next issue. Send your answers to CSI
Communications at email address [email protected] with subject: Crossword Solution - CSIC June 2014
CLUES
ACROSS
1. A process of converting data having many possible representations
into a standard form (16)
5. A software that controls the incoming and outgoing network traffic (8)
7. The degree of resistance to, or protection from, harm (8)
8. The art of writing or solving secret codes (12)
11. Provides pluggable dynamic authentication for applications and
services (3)
16. The act of confirming the truth of an attribute of an entity (14)
17. A type of network security attack where the attacker takes control of
a communication (9)
19. A character encoding standard (7)
20. A list of software weaknesses (3)
22. Parses the code and identifies constructs that seem to introduce
threats (4, 7)
23. A weakness that makes a threat possible (13)
25. An open-source web application security project (5)
26. An operating system (4)
27. Cross-Site Scripting (3)
DOWN
2. Authentication, authorization and accounting (3)
3. A possible danger that may act to breach security (6)
4. An attempt to acquire sensitive information by redirecting to a false
site (8)
6. A list of known good inputs (9)
7. Static application security testing (4)
9. Provides remote access to a targeted computer system (6)
10. Used by attackers to gain unauthorized access to systems or data (6, 8)
12. An action taken to harm an asset (6)
13. A safeguard that addresses a threat and mitigates risk (14)
14. A method of bypassing normal authentication (8)
15. A technique used to attack data driven applications through code
injection (3, 9)
18. Process of creating computer software (6)
21. Dynamic application Security testing (4)
22. Cross-Site Request Forgery (4)
23. A malware program (5)
24. An open-standard application protocol for directory access (4)
Did you hear about Code Injection Attack?
Code injection attack could be disastrous as attackers may inject harmful code that can change the desired course of execution.
(More details can be found in https://www.owasp.org/index.php/Command_Injection)
We are overwhelmed by the responses and solutions received from our enthusiastic readers.
Congratulations for ALL correct answers to the May 2014 crossword received from the
following readers:
Dr. Madhu S Nair (Dept of Computer Science, University of Kerala, Kariavattom,
Thiruvananthapuram, Kerala), Jestin Joy (Dept of Computer Applications,
Cochin University of Science and Technology, Kerala) and Kamala Kannan K
(Dept of Computer Science & Engineering, Anna University, Chennai)
Ask an Expert Dr. Debasish Jana
Editor, CSI Communications
Your Question, Our Answer
“The more you like yourself, the less you are like anyone else, which makes you unique.”
~ Walt Disney
On C++ Multiple Inheritance and Virtual Base Class
From: Ansuman Mahanty, Dr. B. C. Roy Engineering College, Durgapur, West Bengal
I am getting a few compilation errors for the following program. It gives an error where I am using multiple inheritance with a virtual base class. What went wrong in compilation, and why?
1. #include<iostream>
2. using namespace std;
3. class Base
4. {
5. public:
6.   Base(int i) {
7.     cout << "Parameterized Base constr called\n";
8.   }
9. };
10. class Derived1: public virtual Base
11. {
12. public:
13.   Derived1() : Base(0) {
14.     cout << "Default Derived1 constr called\n";
15.   }
16. };
17. class Derived2: virtual public Base
18. {
19. public:
20.   Derived2() : Base(0) {
21.     cout << "Default Derived2 constr called\n";
22.   }
23. };
24. class Grand_child : public Derived1,
25.                     public Derived2
26. {
27. public:
28.   Grand_child() {
29.     cout << "Default Grand_child constr called\n";
30.   }
31. };
32. int main()
33. {
34.   Grand_child d;
35.   return 0;
36. }
The compilation errors are:
main.cpp: In constructor ‘Grand_child::Grand_child()’:
main.cpp:28:17: error: no matching function for call to ‘Base::Base()’
   Grand_child() {
                 ^
main.cpp:28:17: note: candidates are:
main.cpp:6:2: note: Base::Base(int)
   Base(int i) {
   ^
main.cpp:6:2: note: candidate expects 1 argument, 0 provided
main.cpp:3:7: note: constexpr Base::Base(const Base&)
 class Base
       ^
main.cpp:3:7: note: candidate expects 1 argument, 0 provided
main.cpp:3:7: note: constexpr Base::Base(Base&&)
main.cpp:3:7: note: candidate expects 1 argument, 0 provided
A In virtual inheritance, in this particular example, the default Base constructor (constructor that does not take any argument) is being called from Grand_child constructor. Normally a derived class’s constructor calls the super or base class constructor either explicitly or implicitly. For example, in your example, Derived1 default constructor is explicitly calling Base constructor with integer argument as it is written as:
Derived1() : Base(0) {
However, if you would have written as below:
Derived1() {
Then, Derived1 default constructor would have implicitly called Base constructor without any argument, i.e. Base’s default constructor. In Grand_child constructor, it’s written as:
Grand_child() {
This is equivalent to:
Grand_child(): Derived1(), Derived2(), Base() {
That is an implicit default constructor call of Base as well as implicit default constructor calls of Derived1 and Derived2; the order is Base, Derived1, Derived2 constructors. Because of virtual inheritance, the Grand_child constructor will call Derived1 and Derived2 constructors but in turn, Derived1 constructor cannot call Base constructor. Similarly for Derived2 constructor when called by its derived class, i.e. Grand_child constructor. So, the solution is that you require a default constructor in Base as:
Base() { cout << "Default Base constr called\n"; }
So, the corrected program is as below:
#include<iostream>
using namespace std;
class Base
{
public:
  // Default constructor: this is the one the most-derived class (Grand_child) invokes
  Base() {
    cout << "Default Base constr called\n";
  }
  Base(int i) {
    cout << "Parameterized Base constr called\n";
  }
};
class Derived1: public virtual Base
{
public:
  Derived1() : Base(0) {
    cout << "Default Derived1 constr called\n";
  }
};
class Derived2: virtual public Base
{
public:
  Derived2() : Base(0) {
    cout << "Default Derived2 constr called\n";
  }
};
class Grand_child : public Derived1,
                    public Derived2
{
public:
  Grand_child() {
    cout << "Default Grand_child constr called\n";
  }
};
int main()
{
  Grand_child d;
  return 0;
}
And, now, it compiles and runs fine.
The output is as below:
Default Base constr called
Default Derived1 constr called
Default Derived2 constr called
Default Grand_child constr called
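The rule behind the output above is that a virtual base subobject is constructed exactly once, by the constructor of the most-derived class, before any other base; the `Base(0)` initialisers in `Derived1` and `Derived2` are only honoured when one of those classes is itself the most-derived object. The following program is an added example, not part of the question or the answer: it records the constructor call order in a vector instead of printing it, stores the value the virtual `Base` received, and adds a hypothetical `Grand_child_explicit` class (not in the original) whose initialiser list names `Base(42)` to show that the most-derived class can pass an argument to the virtual base directly.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed trace: every constructor appends its name so the call order
// can be checked programmatically rather than read off the console.
static std::vector<std::string> g_trace;

class Base {
public:
    int value;
    Base() : value(-1) { g_trace.push_back("Base()"); }
    explicit Base(int i) : value(i) { g_trace.push_back("Base(int)"); }
};

class Derived1 : public virtual Base {
public:
    // Base(0) here is used only when a Derived1 is the most-derived object.
    Derived1() : Base(0) { g_trace.push_back("Derived1()"); }
};

class Derived2 : virtual public Base {
public:
    Derived2() : Base(0) { g_trace.push_back("Derived2()"); }
};

// Same shape as the corrected program: Base is initialised implicitly by the
// most-derived class, so its default constructor runs first.
class Grand_child : public Derived1, public Derived2 {
public:
    Grand_child() { g_trace.push_back("Grand_child()"); }
};

// Hypothetical variant: the most-derived class names the virtual base itself,
// so Base(int) runs and the Base(0) initialisers in Derived1/Derived2 are ignored.
class Grand_child_explicit : public Derived1, public Derived2 {
public:
    Grand_child_explicit() : Base(42) { g_trace.push_back("Grand_child_explicit()"); }
};

// Construct a T and return the order in which the constructors ran.
template <typename T>
std::vector<std::string> construct_and_trace() {
    g_trace.clear();
    T obj;
    (void)obj;
    return g_trace;
}

// Value held by the single, shared virtual Base subobject of a T.
template <typename T>
int base_value_of() {
    T obj;
    return obj.value;  // unambiguous: virtual inheritance gives exactly one Base
}

int main() {
    for (const std::string& s : construct_and_trace<Grand_child>()) std::cout << s << '\n';
    std::cout << "Grand_child Base::value = " << base_value_of<Grand_child>() << '\n';
    for (const std::string& s : construct_and_trace<Grand_child_explicit>()) std::cout << s << '\n';
    std::cout << "Grand_child_explicit Base::value = " << base_value_of<Grand_child_explicit>() << '\n';
    return 0;
}
```

Constructing a bare `Derived1` yields the trace `Base(int)`, `Derived1()` and a `value` of 0, because in that case `Derived1` is the most-derived class and its own initialiser is the one that counts.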
Do you have something to ask? Send your questions to CSI Communications with subject line ‘Ask an Expert’ at email address [email protected]
Happenings@ICT H R Mohan
President, CSI, AVP (Systems), The Hindu, Chennai
Email: [email protected]
ICT News Briefs in May 2014
The following are the ICT news and headlines of interest in May 2014. They have been compiled from various news & Internet sources including the dailies - The Hindu, Business Line, and Economic Times.
Voices & Views
• About 70% of the global offshoring capability is centered around India – Cap Gemini.
• With many subscribers holding multi-SIMs, the company sees an opportunity as the total number of Indian mobile users will not be more than 500-550 million – Idea Cellular MD.
• The tele-shopping market in India is estimated to be worth Rs. 2,000 crore and has been growing at more than 40% over the last four-five years.
• IT infra market will touch $1.9 b this year and will touch $2.35 billion by 2017 – Gartner.
• The global IT services opportunity by 2017 will be $752 billion and that for APJC is forecast to be $159 billion with $11.9 billion as Indian share having a CAGR of 10.2% - IDC.
• There are over 350,000 telecom towers in the country and a substantial number of them are still not connected to the power grid.
• At least 20 per cent of the villages in the North-East do not have mobile connectivity - TRAI.
• The Indian analytics market is set to be $1.15 billion by 2015 from the current $ 375 million with over 500 companies operating in this segment.
• India today has a little over 2,630 MW of solar and about 20,000 MW of wind power capacity. The growth in both has been far below potential.
• Flipkart.com, acquiring fashion e-retailer Myntra.com is seen as an early phase of consolidation in the Rs. 62,000-crore e-commerce market.
• Oracle’s victory over Google on API copyright may impact software development.
• The digital payment industry is expected to grow at 40% to touch Rs. 120,120 crore by end 2014. Out of around 800 million online transactions in 2013, nearly 53 per cent were done through credit (21%) and debit (32%) cards.
• Cisco estimates that about 50 billion devices will be connected to the Internet by 2020.
• India is aiming for a big chunk of China’s domestic IT-BPO business, which is estimated to grow to $84 billion in the next six years.
Govt, Policy, Telecom, Compliance
• IPR: US does not blacklist India.
• The DoT is planning to set up an application development center to provide testing facilities, support for launch and commercial run and storage capacities to selected entrepreneurs, with an outlay of Rs. 1,000 crore over a three-year period.
• The National Telecom Policy 2012 targets 175 million broadband subscribers by 2017 and 600 million by 2020. Rural telecom penetration in India is targeted to be 70% by 2017 and 100% by 2020.
• DoT seeks infra sector tax breaks for tower firm.
• BSNL exploring ways to improve Internet connectivity in north-eastern States
• The National Cyber Safety and Security Standards will release a comprehensive set of guidelines for private and public sector companies to secure their online data.
• Telecom user-base rises to 933 million in March. The country’s overall wireless tele-density rose to 72.94.
• Rs. 5,000-cr project to improve mobile connectivity in North-East through Universal Service Obligation Fund.
• The Kerala cell of Telecom Enforcement Resource and Monitoring (TERM), under Telecom Dept., has given clean chit for mobile towers in the State in respect of compliance to radiation norms.
• DIPP Secretary discusses FDI in e-commerce with industry.
• Nasscom expects Modi to make India fully digital.
• As Narendra Modi took charge of the BJP’s Parliamentary Committee, the twitter handle @PMOIndia was renamed @PMOIndiaArchive.
IT Manpower, Staffing & Top Moves
• BPO firm EXL may hire 6,000 this fiscal.
• Cognizant ended the March quarter with around 178,600 employees of which 167,300 were service delivery.
• Low-skilled IT jobs ‘grounded’ as firms look for ‘cloud’ professionals.
• US war veterans are increasingly hired by Indian BPO firms.
• 5,000 workers at Nokia Chennai plant opt for voluntary retirement scheme.
• The analytics professionals in India obtain a 250% hike in their salaries from entry level analysts to manager.
• Infosys stops giving loans and advances for employees for car, home, personal computer, telephone, medical, marriage, education and personal loans, salary advances, and loans for rental deposits, ranging from one month to eight years. It has $41 million in these kinds of loans and advances.
• Nandan Nilekani is the top choice of Infosys employees for the new CEO’s job.
• Infosys received 9.11 lakh job applications in 2013-14 while touching the record 14.23 lakh in 2005-06.
• Infosys President BG Srinivas resigns.
Company News: Tie-ups, Joint Ventures, New Initiatives
• Ericsson in India now has the largest number of employees (18,000), making it the largest operation for the telecom equipment maker in the world.
• Technopark–based Seaview Support
Systems is introducing MobScan, a
computer mouse with in-built scan
technology.
• India is the hub of innovation and delivery
for Cap Gemini, and its headcount in
India crossed 50,000 recently making it
the largest employee base in the world.
It employs a total of 1.34 lakh personnel
across 44 countries.
• Autodesk to sell software under monthly
installment scheme. Its entire software
portfolio free of charge for students
across India.
• Happiest Minds is creating a platform
that will help the company bag deals in
the Internet of Things (IoT) or machine-
to-machine solutions.
• Out of 60,000 student innovators, a team
from Hyderabad wins Microsoft Imagine
Cup.
• Brands are earmarking about 10-20% of
their total advertising spend on digital
marketing, of which selfie campaigns are
becoming a major part.
• Cognizant is betting on Code Halo – the
information flowing between computing
devices – to drive its consulting business.
• Infotech Enterprises renamed as Cyient,
targets $1-billion revenue.
• ItzCash eyes 60% growth in pre-paid
consumer cards.
• Hannover Milano Fairs, will hold the
world’s largest IT trade exhibition, CeBIT,
for the first time in India during Nov 12-14
at Bangalore.
• Viom Networks, Japan’s NEDO tie up to
cut diesel use in towers.
• LED TV maker Vu Technologies goes
online to sell more and cheaper too.
• IBS Software tooling up Gatwick airport
operations.
• Lean Start up is a methodology that asks
entrepreneurs to vet their ideas with
stakeholders, get feedback and fine-tune
the idea before going ahead with product
development.
• Election results drive data usage for
telecom firms.
• IIIT Hyderabad to handhold start-ups with
early-stage funding, mentoring.
• Samsung’s new series of printers
with near-field communication (NFC)
capability, which will allow printing from
smartphones.
• Microsoft launches a new initiative -
ThinkNext partnering with iSPIRT and TiE.
• Ojus ATM employs a range of modern
and traditional global health practices,
such as AYUSH (ayurveda, yoga, unani,
siddha and homeopathy), acupuncture
and energy medicine.
• Microsoft unveils Skype Translator
On the Shelf!
Book Review »
Code Halos: How the Digital Lives of People, Things, and Organizations are Changing the Rules of Business
Book Title : CODE HALOS
Author : Malcolm Frank, Paul Roehrig and Ben Pring
ISBN : 978-81-265-4860-6
Price : Rs. 599/-
Publisher : Wiley India Pvt. Ltd., New Delhi.
Mrs. Jayshree A Dhere
Resident Editor, CSI Communications
We welcome the arrival of a book titled Code Halos from Wiley India and present here a brief review of this thought-provoking book for all those who are concerned with the new age economy, the changing nature of business and survival in the new world created by the digital disruption happening all around us. The book is described as a Playbook for Managers. It is written by three authors, Malcolm Frank, Paul Roehrig and Ben Pring, who are the men behind Cognizant’s Center for the Future of Work. Based on the insight they have gathered through years of experience of engaging with various clients to help them create business advantage with the available new technologies, they see a significant pattern emerge, which they name Code Halo Solutions, and present in this book a framework that is useful for all types of businesses and people who intend to start and win their digital journey in the years to come.
The term Code Halo is defined as the field of information that surrounds any noun – any person, place or thing. The authors describe the word “halo” as referring to the data that accumulates around people, devices and organizations, data that is robust, powerful and continually growing in richness and complexity. There is “code” contained in these halos, and the authors go about explaining how companies, brands, employers and partners can use it to understand people and objects more deeply, since it is not easy to decode the information within this invisible field. The authors write about how commercially viable new business models can be created out of the knowledge gained, and state that this simply cannot happen automatically.
The book has three parts – the first part is all about Digits over Widgets. In this part it is explained how a handful of companies – like Amazon, Apple, Facebook, Google, Netflix and Pandora – collectively generated $1 trillion of market value during the past decade by leveraging consumer technologies in new ways. They transformed customer expectations, established new operating models and violently disrupted about a dozen mature industries – such as Nokia, Motorola, Borders, Barnes & Noble, AOL, Blockbuster, HMV and so on – which lost on average more than 90% of their 2003 enterprise value. The authors attribute the success of the trillion-dollar club to the common denominator at the heart of the business models of these new age companies, and that is: the creation and management of Code Halos.
Next they go on to introduce the SMAC Stack, which is the foundation that makes the creation of Code Halos possible. The SMAC Stack has four components, viz. Social, Mobile, Analytics and Cloud, which provide the infrastructure for the Code Halo economy. While explaining the importance of the rich customer experience created by new age companies, the authors give an example of a local bank where you might have been a customer for 15 years and, upon inserting your ATM bank card, the first thing you see is Press 1 for English, Press 2 for … etc. The sophisticated financial institution which claims to be your partner does not know what language you speak. They help you carry out your financial transactions and would have a record of all of their details, but do not know what language you speak. They know only what is in their system of records rather than what is in your Code Halo. It feels that they don’t know you and your real financial life. This is an example of how traditional business is unaware of the Code Halos surrounding people. This is but natural, because mere deployment of the SMAC Stack of technologies is not sufficient. Creating Code Halos and deriving meaning out of them requires their integration into well-codified and well-understood business processes – such as sales, customer service, research & development or supply-chain management.
In the light of this, the authors describe five business code halos, viz. Customer, Product, Employee, Partner and, last but not least, the Enterprise itself. The Customer Code Halo is important for relationship building, while Product Code Halos help shift value from Widgets to Digits, which is becoming richer due to the Internet of Things. Employee Code Halos provide new ways for team members to connect and solve problems, while Partner Code Halos are weavers of webs. The Enterprise Code Halo is an aggregate of the four other code halos and hence a Brand aggregator. Creating winning Code Halo Solutions is far more than just deploying one or two elements of SMAC Stack technologies, and hence the authors devote a complete chapter to discussing the anatomy of a winning code halo solution. They state that 5 elements are essential for such a solution, viz. – Amplifier, Application Interface, Algorithm, Data and Business model. The authors provide numerous examples based on trillion-dollar club organizations to explain in detail the meaning of these five elements. In the process they provide four anatomy lessons and also explain what should not be done, providing examples of failure as well, such as Microsoft Zune.
While explaining the key importance of SMAC Stack, authors compare it with steam power, steel and electricity which fueled the
industrial corporate model, and inform that the new technology stack is providing the foundation for the knowledge corporate model. In the coming five years, they suggest, organizations of all sizes will need to develop mastery of SMAC technologies, which is easier said than done. They address the problem of making sense of this new wave of technology to seize competitive advantage by providing a historical perspective of corporate computing to see where and how the SMAC model fits today; by providing an overview of current SMAC technologies and their pervasiveness; and by describing how this model is already upending several established industries. So far as the historical perspective is concerned, they place the SMAC stack in the fifth wave of corporate IT – mainframe (1960-76), minicomputer (1976-92), client/server (1992-2002) and Internet PC (2002-12) being the first four waves. Each wave had a “killer” technology application, such as general ledger with the mainframe, ERP with client/server and eCommerce with the Internet PC. Each wave is represented as an “S” curve, since the business productivity which these technology models created in the form of cost savings, revenue generation, or productivity gains would form an S shape over time. One key message the authors give is that these technologies need to be deployed in an integrated manner in order to create the technology architecture for the new age business, since the SMAC stack’s power and value only come when these technologies work in harmony. They are not simply glued onto the traditional corporate model but in many cases are creating entirely new business models. The authors provide the examples of Wikipedia over Encyclopedia Britannica and Craigslist over newspaper ads to elaborate the impact of appropriate implementation of the SMAC stack.
While explaining how and where Code Halo solution concepts apply to an organization, and where it can find a starting point, the authors offer the Crossroads Model, which they developed from their research findings and their consulting work with many leading companies. For any organization starting on the digital journey, external factors such as the nature of its products and/or services, the industry structure and the demographics of its customer base affect the next steps to be taken, but so do internal factors: the organization’s culture (does it support change?), its IT team (is it strong, with the right capabilities?) and its execution capability. The authors explain the five stages of the Crossroads model for winning with Code Halos, among them Ionization (a fertile context for innovation), the Spark (where Code Halos emerge in an industry), Enrichment (when Code Halo solutions scale) and the Crossroads (where markets flip), and give examples of the model across multiple industries.
The last chapter of the first part of the book is devoted to the Code Halo Economy, where the economics of information is explained. Although one might be excited about bringing Code Halos to the organization, the important questions to ask are what it is going to cost and what financial returns the organization can expect. To understand Code Halo economics, the authors collaborated with Oxford Economics and the futurist Thornton May to survey 300 Global 2000 corporations, and conducted interviews with leading companies in insurance, banking and financial services, healthcare, life sciences, technology, consumer goods/retail, manufacturing and communications/media across the US, UK, Germany and France. They found that, among the participants, investment in business analytics yielded an average 8.4% increase in revenues and an average 8.15% improvement in cost reductions in the last financial year, amounting to $766 billion in economic benefit over the previous year. This indicates how meaning makers are winning based on code. The authors therefore predict that separating “signal” from “noise” will be the killer business skill over the next decade, and the chapter explains how to make meaningful returns.
While people and organizations are still drawing the map for the way forward, the authors claim that they already know a lot about what works and what does not, and offer some critical rules to follow so that the chances of success increase significantly. Part II of the book has four chapters explaining four principles of success in the Code Halo Economy: delivering beautiful products and experiences; not being evil (earning and keeping trust in a transparent world); managing your career based on code (winning in the Wierarchy); and finally making IT your Halo Heroes (in short, transforming your technology organization). The chapter on “Not being Evil” is especially important for all those who are frightened by the sudden threat to data privacy and by the various vulnerabilities of the virtual world, which apparently make it fragile. The chapter puts the dark side of the digitized world into context with the example of the automobile: over the past century we have come to a point of equilibrium with cars, balancing the benefits against the inherent risks. As awful as car-associated crime is, we have accepted a certain level of carjackings, drive-by shootings, smuggling, drunk-driving accidents, road rage and basic car theft as part of the downside of personal transportation. We do not live in fear of our cars because we have learnt how to manage the risks. In the same manner, the authors argue, we need not be afraid of the reducing level of privacy and the many threats of the virtual world, but should learn to balance the risks against the benefits of the digital revolution. The chapter also discusses how the meaning of privacy is evolving in the new age and why the law will never be able to catch up with the changing world. It offers advice on how to act so as to avoid evil, and on what organizations can do to build trust with their customers.
The changing structure of organizations in the digital world is termed the Wierarchy, as against the Hierarchy, and the authors offer advice on how to manage one’s career in this new flattened structure. Finally they give advice on aligning IT along three horizons: extending and defending core businesses, building emerging businesses and creating viable options. In addition to aligning IT, two more critical suggestions are made for IT departments: to fund their own transition, and to tear down the wall between IT and the business.
The third part of the book provides more tactical detail on the Crossroads model and how to apply it to an organization’s challenges and opportunities. There is a chapter on how to seize advantage during ionization by sensing, innovating and preparing to pilot. Next comes a chapter on creating a spark by piloting the best Code Halo solution, another on enriching and scaling at Internet speed, which helps turn a spark into a blaze, and finally a chapter that provides insight on winning in the new code rush. Each chapter gives detailed instructions on how to go about achieving this. In the conclusion, the authors say that by 2020 much will have changed, and that ultimate success will require an open mind, perseverance and courage. They make a strong argument that the very existence of an organization’s business can become difficult if the organization does not venture to adopt data and analytics. With this book the authors have provided clues on how to ride the new wave of digital disruption confidently and affirmatively.
The book is a must-read for a variety of readers, ranging from those in business to those who intend to manage their careers in the new-age economy, as it is all about understanding the future of business being shaped by ever-growing digitization. It provides food for thought and for debate on a variety of topics, such as how best to deploy the new-age technologies, the new meaning of data privacy, the transformation of IT organizations, the need for new-age regulation and so on.
Application for Travel Grants to Researchers
The Research Committee of Computer Society of India has decided to fund CSI Life Members and CSI Student Members to the extent of Rs. 25000/- for travelling abroad to present research papers at conferences.
CSI Life Members/CSI Student Members who have been invited to present papers abroad and have received partial or no funding are eligible to apply. In the case of multiple authors of a research paper, only one author is eligible to apply.
Applications should be sent by email to [email protected] with the Subject : Travel Grants with the following details.
1. Name of the Applicant, Organization Details and Bio Data of Applicant
2. CSI Life Membership/ CSI Student Membership Number
3. Name of the International Conference with details of the organizers
4. Venue and Date of the Conference
5. Copy of the Research Paper
6. Copy of the Invitation Letter received from the organizers
7. Details of funding received from/ applied to, any other agency
8. Justification for requesting support (in 100 words)
9. Two References (including one from head of the organization/institution)
Interested members have to apply by July 31, 2014 for conferences held before October 2014.
Please note that CSI intends to make it an ongoing process and provide travel grants every six months.
Dr Anirban Basu, Chairman, CSI Research Committee and Division V (Education and Research)
CSI History – Update & Appeal
As Computer Society of India (CSI) will be turning 50 in 2015, a series of Golden Jubilee events/activities are planned in the coming two years. In this context, a compilation on “CSI History”, highlighting the significant milestones of CSI from its inception, is being brought out.
To facilitate the compilation, inputs are requested from CSI Chapters, CSI members and all who have been associated with CSI in various capacities at the chapter, regional, national and international levels. Kindly provide us with all possible information relevant to this compilation as write-ups, documents, publications, photographs and in all other forms at your earliest.
Until now, the response to our requests has not been very significant. We have received inputs from a limited number of people and chapters. You may see all the inputs received and stored in a shared folder at http://goo.gl/ou0zJ
We value your contributions and involvement in shaping the CSI and promoting its objectives over the years. Inputs on significant events, happenings, initiatives and activities during your long and fruitful association with CSI will be very useful in creating the CSI History. The successful compilation of CSI History, highlighting the significant milestones of CSI from its inception, depends on the quantum and quality of inputs we receive from you all.
In this context, once again we request you to provide us with all information relevant to the proposed History of CSI as brief write-ups, documents, publications, photographs and in all other forms at your earliest. We will use your contributions in the primer with due acknowledgement.
While soft copies of the inputs can be sent by email to [email protected], the hard copies (documents/publications/photos) may please be sent to:
Director - Education, Computer Society of India, Education Directorate, CIT Campus, IV Cross Road, Taramani, Chennai - 600113.
Ph: +91-44-22541102 / 1103 / 2874.
After use, they will be returned to you if you desire. The inputs provided will be used with suitable acknowledgement.
We request your valuable inputs and support in this activity of creating a comprehensive History of CSI.
CSI Report
Interventions in Integration – Promoting Digital Inclusiveness: The Initiatives of Computer Society of India
Computer Society of India (CSI) has been in the service of the nation for the last 50 years. In this special Jubilee year, CSI has embarked on initiatives of social relevance and human virtue in reciprocation of the support and encouragement showered upon the organization.
The special child has long been a challenge for educationists, sociologists and, certainly, for parents and families. CSI has launched a few simple initiatives aimed at alleviating the issues surrounding the special child, who is normally destined to seclusion and segregation.
The CSI “Interventions in Integration” deploys technology as the basic platform of operation. The challenge is to utilize the features and advantages of computers to lessen the daily hardships and transform the special child to a contributing member of the mainstream society.
CSI envisions imparting simple knowledge and basic computer skills to special children, primarily to awaken an interest in and affinity for the technology. Quite often the mentally challenged child, particularly in the mild categories, possesses residual abilities and cognition in specific domains, say numbers, arithmetic, basic science or geography. These may not be high-level skills, but they are still remarkable, with potential and practical value. At times the skills are obscured by deficiencies in expression or speech, but they do exist and can be detected and developed systematically.
The challenge to the trainers is to explore the abilities and to create plans for comprehensive growth. Technology acts as the enabling medium facilitating the transition of the special child.
CSI has recently launched a special training programme to teach basic computer familiarity to a pilot group of mentally challenged children. They volunteered for the programme and were found to be enthusiastic, with clear objectives and aspirations. The children have become keen students of computers, considering vocations in accounting, office work and other options requiring basic computer familiarity. The group consisted of four children: Kishorekumar, Chittesh, Pavithran and Anupriya.
The group has displayed a good grasp of the material. In spite of difficulties of expression and speech, their understanding of the subject is encouraging. The students appear excited and motivated after their initial induction to technology; they are getting impatient to study more and work on the systems, and even to quickly take up jobs!
The CSI programme trains the mentally challenged children in the fundamental operations of computers and introduces them to frequently used software products such as MS Office. In addition, the basics of accounting are proposed, as being of use to them in pursuing a career; in this case, skills in the accounting software Tally are being imparted. The programme is scheduled for 15 to 20 days and is customized to the learning pace of the students; it is flexible enough for its content and delivery to be modified to suit the learning abilities and performance pattern of every individual student.
In this pilot attempt, four children (three boys and one girl) are being trained at the CSI Education Directorate at Taramani. Parents of the children are also involved in the training process, which is handled by ED staff Ms. Sri Vidya and Ms. Miraclin, computer trainers with good exposure to the packages. After completion of the training and a review, CSI plans to design technical courses for special children to give them access to the benefits of technology, the vehicle for transformation. CSI fervently hopes that these technology initiatives will transport special children into a world of opportunity and participation and help them lead meaningful lives.
CSI has also trained nearly 300 Special Educators in software packages for the Integrated Assessment, Evaluation and Programming of Mentally Challenged Children partnering with Media Lab Asia and Centre for Development of Advanced Computing (CDAC).
This software accepts inputs from the interdisciplinary team of special educators to create individualized training plans. The system integrates the three major RCI-approved evaluation and assessment methodologies, FACP (including FACP-PMR), MDPS and BASIC-MR. Its algorithms have been drawn from the manual processes currently followed. Based on these algorithms, the strengths and needs of each individual are suggested, and areas of achieved independence, areas requiring strengthening and problem areas are identified for each person. From this analysis, an optimal long-term goal and short-term objectives are identified and a suitable lesson plan is recommended for each. A grouping algorithm incorporated in the tool helps to create homogeneous groups for group teaching of the special children.
The system has an inbuilt facility for periodic assessment and evaluation. It also helps special educators arrive at a comprehensive picture of an individual’s performance level in adaptive behaviour. The system follows the principle that assessment is the first necessary step in programme planning, followed by the design of an Individualized Programme Plan. It also provides a platform for the quarterly evaluation that determines the effectiveness of the programme; new goals and objectives can be set if needed. The software is equipped to manage the programming of the special child from three to eighteen years of age.
The system enhances uniformity in evaluation, reducing the subjectivity factor. Graphical representation of the development pattern of the special child is a major advantage for parents and teachers. The system reduces cumbersome manual tasks, and consequently the special educators get more time to take care of the real developmental needs of the special child. The system, created through a technical partnership between the research laboratories of CDAC Trivandrum and Media Lab Asia, has already been deployed at several special schools.
In keeping with these lofty objectives, CSI looks forward to more opportunities to serve the country. CSI hopes to promote Digital Inclusiveness through these initiatives and interventions, taking technology to all segments of society to ensure that its advantages benefit everyone, including the last and the least. CSI shall endeavour to make this transformation possible in its Golden Year of service to the nation.
CSI ED trainers Ms. Miraclin and Ms. Sri Vidya training the MR children along with their parents
CSI President Mr. H.R. Mohan with the MR children, their parents and ED staff
CSI Reports
From CSI SIGs / Divisions / Regions and Other News »Please check detailed reports and news at:
http://www.csi-india.org/web/guest/csic-reports
ELECTRONICS AND COMMUNICATION SCIENCES UNIT, INDIAN STATISTICAL INSTITUTE WITH CSI KOLKATA CHAPTER AND DIVISION II-SOFTWARE, IEEE CSI COUNCIL, IFIP
Speakers: Prof KS Ray, Prof Bimal Kumar Roy, Prof D Dutta Majumder, Prof Greg Adamson, Prof TV Gopal, Dr MGPL Narayana, Prof B Chanda, Mr FC Kohli, Prof Aditya Bagchi, Dr Arundhati Bhattacharya, Dr Supriya Kummamuru, Dr Pinakpani Pal, and Dr Swagatam Das
“Information is information, not matter or energy.” (Norbert Wiener, Cybernetics: Or Control and Communication in the Animal and the Machine)
7 March 2014: Seminar on “Norbert Wiener, Cybernetics, Humanity & Technology”
Prof Ray gave a presentation on the life and works of Norbert Wiener. Prof Majumder spoke on his association with Prof Wiener during Wiener’s visit to ISI in 1955-56. Prof Greg Adamson of the University of Melbourne, Australia delivered an illuminating lecture on Norbert Wiener via Skype, covering not only Wiener’s life and work but also his stay in India and his views about India, and drawing out close resemblances between Prasanta Chandra Mahalanobis and Norbert Wiener on various counts. Dr Narayana spoke on the genesis of the Cybernetics Centre at Hyderabad. Mr Kohli, a student of Norbert Wiener, dwelt on a Cybernetic Approach for Business Solution Design, discussing terms such as the Cybernetics Influence Diagram (CID) in the context of today’s application of cybernetics by business solution providers. Dr Arundhati gave a presentation on “Cybernetics and Science of Military Command and Control”, emphasizing the need for training and methodologies in Command and Control 2W and the relevance of cybernetics in this area, and presented a case study on the Indian BMD (Ballistic Missile Defence). Dr Kummamuru gave a presentation on “Evolution of a Cybernetic Model: Outcome of TCS Consulting Practice”, using several diagrams to show the use of cybernetics in the emerging area of consulting practice. Prof Gopal’s presentation, “What impacts the Progress of Cybernetics?”, raised many further posers, particularly on the future of cybernetics, and introduced several terms for studying and understanding the future of cybernetics and the new cybernetics emerging in a multiplicity of fields.
CSI UDAIPUR CHAPTER, SIG-WNS, THE INSTITUTION OF ENGINEERS (INDIA) UDAIPUR LOCAL CENTER
RS Vyas, Prince Komal Boonlia, Dr Dharm Singh, Dr BR Ranwah, AS Choondawat and Dr Navneet Agarwal
Guests, organizers and participants
17 May 2014: World Telecommunication and Information Society Day
(WTISD) 2014
Chief Guest Vyas congratulated the organizers on celebrating this day and on drafting policies, which is the need of the hour. Mr Boonlia discussed the various threats arising from the increasing use of the Internet and suggested remedies for them. Dr Dharm Singh talked about the various broadband protocols in use and the generation gap in Internet technologies and devices, from traditional to modern ones. Dr BR Ranwah spoke about activities to be organized in the near future. Mr Choondawat spoke about key areas of telecommunications. An essay competition was organized on 12 May as part of the WTISD celebration, on the theme “Broadband for Sustainable Development”.
Dear CSI Member -
Your hard copy of CSI Communications magazine is sent to the address, which you have provided to CSI. Please ensure that this
address is correct and up-to-date.
In case you need any help from CSI, please write an email to [email protected] for assistance.
You may send your feedback and comments on the contents of CSI Communications - Knowledge Digest for the IT Community to
- On behalf of editors of CSI Communications.
CSI News
From CSI Chapters »Please check detailed news at:
http://www.csi-india.org/web/guest/csic-chapters-sbs-news
CHENNAI (REGION VII)
Speakers: HR Mohan, Prof. CR Muthukrishnan, Prof. S Karmalkar, Prof. San Murugesan, Prof. LS Ganesh, Prof. Feroz Ali Khader and Prof. Gopalaswamy Ramesh
3 May 2014: Workshop on “Avoiding the Risks of Plagiarism in Research Publication”
Mr. Mohan spoke on the importance of avoiding plagiarism and informed the audience that this programme would be repeated in different parts of the country in clusters of educational institutions. Prof. Muthukrishnan delivered the keynote address, highlighting plagiarism, its potential dangers and tips to avoid it. The other sessions were: Research writing and plagiarism: an introduction, by Prof. Karmalkar; Why you should prevent plagiarism, by Prof. Murugesan; Issues in research writing in social science and management, by Prof. Ganesh; Copyright and copyright infringement in publication, by Prof. Khader; and Special considerations in writing for publication in computer science and software engineering, by Prof. Ramesh.
Prof. Karmalkar, HR Mohan, Prof. CR Muthukrishnan, Prof. San Murugesan & Prof. Gopalaswamy Ramesh on the stage
Speakers: Dr. Robin Jeffrey, Visiting Research Professor at National University of Singapore & Author of the Book “Cell Phone Nation”, Dr. Ashok Jhunjhunwala, Mr. HR Mohan and Mr. VK Cherian
5 May 2014: A lecture session on “Cell phone nation: How mobile phones changed India”
The lecture was organized with IEEE, IEEE CS, IEEE COMSOC, COAI & TCOE. Mr. Mohan spoke on the impact of growth in cellular communications. The speaker showcased the importance and the critical part played by mobile phones and the entire communication system in our day-to-day life, drawing on his book “Cell Phone Nation”, which probes the mobile phone universe in India, from the contests of great capitalists and governments to control radio frequency spectrum to the ways ordinary people build a troublesome, addictive device into their daily lives. He elaborated on this first comprehensive study of the communication revolution and its impact on Indian society, and highlighted the positive impact the mobile telecom industry has had in improving people’s livelihoods. He briefly touched on the negative coverage arising from rumours about the effects of EMF radiation from mobile phones and mobile towers.
Dr. Robin Jeffrey, Visiting Research Professor, Institute of South Asian Studies, National University of Singapore & Author of the Book “Cell Phone Nation”
COIMBATORE (REGION VII)
Speakers: Dr. A Selvakumar, N Valliappan, Dr. R Nadarajan, Dr. M Sundaresan, L Venkatesan and Prof. Dr. E Balagurusamy
30 April 2014: Installation of office bearers 2014–15 and Speech on “e-Governance”
Mr. Valliappan presented the Annual Report for 2013-2014, which was followed by an introduction of the incoming team by Dr. Nadarajan. Dr. Sundaresan briefed the audience about new projects planned for the year. Chief guest Prof. Balagurusamy pointed out the lack of responsibility, accountability, objectivity and transparency in e-governance and suggested that CSI should come forward to solve issues in e-governance. He asked academicians, industrialists and software experts to encourage young minds to show their skills in creativity and innovation.
Standing L-R: L Venkatesh, C Ravi, E Chandra Blessie, Dr. Elijah Blessing, Vinoth Rajsingh, Subramani P, S Arumugam, Shankar Dhandapani, Dr. NK Karthikeyan, R Ravikumar, V Sivaramasamy, A Sivabalan; Sitting L-R: N Valliappan, Dr. A Selvakumar, Dr. E Balagurusamy, Dr. M Sunderasan, R Murali
TRIVANDRUM (REGION VII)
Speaker: Mr. John T. George
3 May 2014: Dr. A.K. Pujari Memorial Speech on “Genesis of CSI-Trivandrum Chapter”
Mr. George spoke about the history of the MINSK computer, which was installed under his leadership in 1965 at ISRO, Trivandrum. He recounted that his association with SR Thakur of PRL, Ahmedabad, a founder member of CSI, and the National Conference of CSI held at Trivandrum in 1968 culminated in the formation of the CSI Trivandrum Chapter in 1976. His presentation included old photographs, paper tape outputs, plots, illustrations, parts such as core memory planes, and sample CSI Communications issues and newsletters of those days. His talk covered the activities of the chapter in those days as well as computer usage in R&D activities at ISRO. He also spoke about the stiff resistance to computerization in local industries, which feared loss of employment opportunities, and about the present IT scenario in the state.
Mr. John T. George delivering Dr. A K Pujari Memorial Speech
Office bearers M Jayalakshmy, Prof K Babu, Vishnukumar S, Dr. M Sasikumar & Mr Rajesh Prabhakaran Nair and Ph.D. thesis award winner Dr. Sreelekshmi
3 May 2014: Award Ceremony during Annual General Body Meeting 2014 (AGM38-2014)
Office bearers spoke about chapter activities at AGM38-2014. Mr. Sreekanth P Krishnan announced the various awards instituted by the chapter for the year 2014: 1) the Dr. Venkitakrishnan Memorial award (Ms. Dia Nainika Nair, T.K.M. College of Engineering, Kollam) and 2) the Prof. Krishnankutty Memorial award (Ms. Priyanka Suresh M.S., T.K.M. College of Engineering, Kollam). Best Project awards went to B.Tech students from Engineering Colleges affiliated to this chapter: the first prize was shared between the projects “Implementation of Efficient Shortest Path Algorithm” and “Web Application for Crowd Funding”, and the second prize went to “Education Portal & Admission System”. Dr. Sreelakshmi, third prize winner of the CSI India Ph.D. thesis award, was felicitated on this occasion. Accepting the award, Dr. Sreelakshmi spoke about her thesis on steganalysis.
Mr Sathish Babu handing over the memento to Dr. Sreelakshmi
From Student Branches »
(REGION-I)
III UTTARAKHAND STATE STUDENT CONVENTION AT BIRLA INSTITUTE OF APPLIED SCIENCES, BHIMTAL
12th Apr 14: Prof. Dhami, Vice Chancellor, Kumaun University, with Prof. Bisht, Director, Birla Inst., Bhimtal, inaugurating the Student Convention
RAJ KUMAR GOEL INSTITUTE OF TECHNOLOGY, GHAZIABAD
30th April 2014: Ghaziabad Chairman Mr. Saurabh, Director Prof. S C Gupta, Director D. R. Somashekar, Mr. Anil Ji, Principal Kavita Saxena with the prize winner in the quiz contest
(REGION - II)
GOVT. COLLEGE OF ENGINEERING & CERAMIC TECHNOLOGY, KOLKATA
WORKSHOP ON “BIG DATA”, 22.02.2014: Mr. Sumit Misra during his deliberation
GOVT. COLLEGE OF ENGINEERING & CERAMIC TECHNOLOGY, KOLKATA
WORKSHOP ON “ANDROID APPLICATIONS AND DEVELOPMENT”, 25.04.2014: Dr. Debasish Jana during his deliberation
(REGION-III) MODI INSTITUTE OF MANAGEMENT & TECHNOLOGY, KOTA (RAJ.)
11.04.2014: Guest Lecture on Usability Engineering by Dr. Mrs. Maya Ingle, Professor, DAVV, Indore
(REGION-V) SRINIVAS INSTITUTE OF TECHNOLOGY, MANGALORE
17-03-14: “Basics of NS-2” by Dr. Mohit P. Tahaliani
(REGION-V) CSI STUDENT BRANCH OF GUDLAVALLERU ENGINEERING COLLEGE, GUDLAVALLERU
Dr. Naveensivadasan delivering a guest lecture on Big Data computing on 26th April 2014
(REGION-VI) DEOGIRI INSTITUTE OF ENGINEERING AND MANAGEMENT STUDIES, AURANGABAD
During the one-day Rural Reach Program on “Science and Technology Meet” on 7th March 2014, a CSI student member demonstrating the use of a tablet to school students
(REGION-VI) MITSOM COLLEGE CSI STUDENT BRANCH, PUNE
21st & 22nd March, 2014: “Understanding the Technology of Cloud Computing” with Dr. C.M. Joshi, Prof. Sadanand Borse, Mr. Sanjay Suryadevra, Mr. Amol Jadhav and Brig. Harinder Singh
INSTITUTE OF BUSINESS MANAGEMENT AND RESEARCH (IBMR), PUNE
Shekhar Sahasrabudhe, Prof. Asheesh Dixit, Dr. K. Nirmala, Dr. Sandeep Pachpande, Swapnil Shukla & Mayur Tendulkar during the inauguration of a new student branch
(REGION-VII) AVS ENGINEERING COLLEGE, SALEM
02.05.2014: Workshop by Dr. G. Tholkappia Arasu, Principal, AVS Engineering College
EINSTEIN COLLEGE OF ENGINEERING, TIRUNELVELI
7th Apr 2014: Dr. R. Velayutham, Prof. A. Ezhilvanan, Dr. K. Ramar, Prof. M. Suresh & Ms. C. Kanthimathi at the Code Debugging and C Programming event
RAJAGIRI COLLEGE OF SOCIAL SCIENCES, KOCHI
20th March 2014: One-day Android Workshop inaugurated by Mr. Biju M G, Chairman, CSI Cochin Chapter
AMRITA SCHOOL OF ARTS AND SCIENCES, KOCHI
Two-day hands-on workshop on Agile Software Development on 22nd March 2014 by Sri. Abhilash Chandran
JAMAL MOHAMED COLLEGE, TIRUCHIRAPPALLI
Winners of the overall Champion trophy in the Inter-Collegiate Technical Symposium SWAP 2K13
Repeating instruction for your Information -
Please send your student branch news to Education Director at [email protected]. News sent to any other email id will not be considered. Low-resolution photos and news without gist will not be published. Please send only 1 photo per event, not more.
Marking the 50th year of Service, Computer Society of India (CSI) Launches
The CSI Golden Tech-Bridge Programme
In this Golden Jubilee Year, CSI launches the “Golden Tech-Bridge” Programme as an intervention to introduce computers and their advantages to unexposed sections of society. The one-day Programme will be conducted on 9 August 2014 at 50 Student Branches across the country, with 50 participants each, to mark the 50th year of CSI’s service; it is co-ordinated by the CSI Education Directorate.
Despite the rapid developments, there are still segments of the population yet to adopt and benefit from technological advances. The group is fairly extensive, comprising housewives, elders, the destitute, the economically disadvantaged and others. As the nation aspires to digitally inclusive growth, it is important to assure technology to all citizens. CSI attempts to reach them and teach them, including the last and the least, through this initiative.
The Programme, an initiation to computers, the technology, its applications and its potential, consists of lectures on the basics of computers, common applications and so on, supported by demonstrations and a visit to a factory or laboratory to witness the practical deployment of technology at first hand. The digital divide needs to be demolished and all citizens integrated into the mainstream technology society to reap the benefits of the advancements and improve their quality of life. This is a modest attempt at the inclusive digital development of the country, indeed a tribute from CSI to a great Nation!
All details of the programme are given in the website - http://www.csi-india.org/golden-tech-bridge-programme . The CSI Education Directorate,
Chennai co-ordinates and implements the Programme. Please contact Mr. Sekar, CSI-ED for information and guidance on 98403-41902 or by eMail
admn.offi [email protected] .
CSI Membership = 360° Knowledge
Your membership in CSI provides instant access to key career / business building resources: Knowledge, Networking, Opportunities.
CSI provides you with 360° coverage for your Technology goals.
Learn more at www.csi-india.org
WE INVITE YOU TO JOIN Computer Society of India, India's largest technical professional association. Join us and become a member.
I am interested in the work of CSI . Please send me information on how to become an individual/institutional* member
Name ______________________________________ Position held_______________________
Address______________________________________________________________________
______________________________________________________________________
City ____________Postal Code _____________
Telephone: _______________ Mobile:_______________ Fax:_______________ Email:_______________________
*[Delete whichever is not applicable]
Interested in joining CSI? Please send your details in the above format on the following email address. [email protected]
ADVERTISING TARIFF (Rates effective from April 2014)
Computer Society of India, Unit No. 3, 4th Floor, Samruddhi Venture Park, MIDC, Andheri (E), Mumbai-400 093
Tel. 91-22-2926 1700 • Fax: 91-22-2830 2133
Email: [email protected]
CSI Communications - COLOUR
Colour artwork (soft copy format) or positives are required for colour advertisements.
Back Cover: Rs. 50,000/-
Inside Covers: Rs. 40,000/-
Full Page: Rs. 35,000/-
Double Spread: Rs. 65,000/-
Centre Spread: Rs. 70,000/-
(Additional 10% for bleed advertisement)
MECHANICAL DATA
Full page with Bleed: 28.6 cms x 22.1 cms
Full Page: 24.5 cms x 18.5 cms
Double Spread with Bleed: 28.6 cms x 43.6 cms
Double Spread: 24.5 cms x 40 cms
Special incentive to any Individual/Organisation for getting sponsorship: 15% of the advertisement value
Special discount for any confirmed advertisement for 6 months: 10%
Special discount for any confirmed advertisement for 12 months: 15%
All incentive payments will be made by cheque within 30 days of receipt of payment for the advertisement.
All advertisements are subject to acceptance by the editorial team.
Material in the form of artwork or positives should reach us by the 20th of the month for insertion in the following month.
All bookings should be addressed to:
Executive Secretary
Computer Society of India™
Unit No. 3, 4th Floor, Samruddhi Venture Park, MIDC, Andheri (E), Mumbai-400 093
Tel. 91-22-2926 1700 • Fax: 91-22-2830 2133 Email: [email protected]
Dear Member,
CSI Digital Magazine - DigiMag
Now you can access your daily digest of knowledge, CSI Communications, in just one click. Keeping in mind our members'
convenience, CSI has launched the new CSI Digital Magazine - DigiMag. Visit www.csi-india.org to access the Magazine.
CSI's first app - "CSI Communications"
Technology brings new tools to us every minute. One such tool is the world of apps. They are easy, handy and fun to experience.
The Computer Society of India, being the oldest and one of the most renowned societies in the IT industry, is spreading its wings to reach out to
its members and serve them better with the help of these tools. With this aim we bring to you our very own, all new and very
first app, "CSI Communications".
Go to the Play Store and search for "CSI Communications" to download it on your Android phone. Kindly register to access this app.
The registration link is available on the login screen.
Happy Reading!
CSI Calendar 2014
Prof. Bipin V Mehta
Vice President, CSI & Chairman, Conf. Committee. Email: [email protected]
Each entry lists: Date | Event Details & Organizers | Contact Information

July 2014 events
2-5 Jul 2014 | National Workshop on Parallel and Heterogeneous Computing (NWPHC 2014) with focus on "Big Data Analytics and Machine Learning". Organized by the Student Branch CSI and NVIDIA CUDA Teaching Center at CV Raman College of Engg., IT Dept., in association with CSI Div IV. | Mr. A K Sahoo, Dr. Rachita Misra
4-5 Jul 2014 | ICIS-14: International Conference on Information Science. At Cochin. Organized by the Dept. of CSE, College of Engineering Cherthala in association with CSI Cochin Chapter & Div III, IV & V and sponsored by Technical Education Quality Improvement Programme (TEQIP II). http://www.iciscec.in/ | Ms. Sony P

August 2014 events
8-9 Aug 2014 | ICICSE: II International Conference on Innovations in Computer Science and Engineering. At Hyderabad. Organized by Guru Nanak Institutions, Ibrahimpatnam, Hyderabad in association with CSI Div IV. | Dr. H S Saini, Dr. D D Sarma
20 Aug 2014 | Workshop on "Ethernet LAN Construction using Crossover and Patch Cable". At Hyderabad. Organized by CSI SB and Dept. of IT, Nalla Malla Reddy Engineering College, Hyderabad. | Mr. K C Arun
22-24 Aug 2014 | BiDA2014: National Workshop on Big Data Analytics. At Hyderabad. Organised by CR Rao Advanced Institute of Mathematics, Statistics & Computer Science. Supported by CSI Div III. Website: http://www.crraoaimscs.res.in/bida | Dr. Saumyadipta Pyne
25-27 Aug 2014 | NITC 2014: ICT For Inclusive Development. Organised by The Computer Society of Sri Lanka (CSSL). At Colombo, Sri Lanka. For CFP and other details, please visit http://www.nitc.lk/ | [email protected] / [email protected]
28-30 Aug 2014 | International Contest on Programming & Systems Development (ICPSD'14). www.icpsd.gibsbd.org | Dr. Anirban Basu

November 2014 events
28-30 Nov 2014 | International Conference on Advances in Computing, Communications & Informatics | Dr. Vishal Singhal, Convener

December 2014 events
12-14 Dec 2014 | 49th Annual Convention. Organised by Computer Society of India, Hyderabad Chapter in association with JNTU-Hyderabad & DRDO. Theme: Emerging ICT for Bridging Future. Venue: JNTUH, Kukatpally, Hyderabad. http://www.csihyderabad.org/csi-2014 | Sri. J A Chowdary, Sri. Gautam Mahapatra
16-20 Dec 2014 | ICISS-2014: International Conference on Information Systems Security. At Institute for Development & Research in Banking Technology (IDRBT), Hyderabad, India. Co-sponsored by CSI Division IV and CSI SIG-IS. Website: http://www.idrbt.ac.in/ICISS_2014/ |
19-21 Dec 2014 | EAIT-2014: Fourth International Conference on Emerging Applications of Information Technology. At Kolkata. Organized by CSI Kolkata at Indian Statistical Institute, Kolkata. https://sites.google.com/site/csieait/ For paper submission visit https://cmt.research.microsoft.com/EAIT2014 | Prof. Aditya Bagchi, Dr. Debasish Jana, Prof. Pinakpani Pal, Prof. R T Goswami
Registered with Registrar of Newspapers for India - RNI 31668/78. Regd. No. MH/MR/N/222/MBI/12-14. Posted at Patrika Channel Mumbai-I. Posting Date: 10 & 11 every month. Date of Publication: 10 & 11 every month.
If undelivered return to: Samruddhi Venture Park, Unit No. 3, 4th floor, MIDC, Andheri (E), Mumbai-400 093
ICRITO'2014
3rd International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)
October 8-10, 2014 at Noida, India
Organized by Amity Institute of Information Technology, Amity University Uttar Pradesh, Noida, India
In Association with Computer Society of India (CSI) Division IV-Communication
Technically Sponsored by: IEEE UP Section (India)
Knowledge Partner: Project Management Institute (PMI)
In this globally competitive environment, scientific analysis of the system under study is the key issue in attaining market leadership.
This competitive advantage through quality processes, products and services in the marketplace is possible through the development of
knowledge bases and easy access to structured databases on systems, processes and technology based on quantitative study. Further,
due to ever-emerging new trends of fashion and taste as well as technology, predicting the future with certainty is a daydream.
This theme is most appropriate in the current context as well as for the future. The Conference will not only take stock of trends and
developments in the globally competitive environment, but will also provide future directions to young researchers and practitioners.
Besides, it will help in the sharing of experience and exchange of ideas, which will foster national and international collaboration. The Conference
would be of immense benefit to management, researchers, academicians, industry and participants from technical institutes, R & D
organizations and students working in the field of IT.
Original papers are invited from research scholars, academicians, students and industrialists. The topics of the Conference include,
but are not restricted to: Quality Assurance, Reliable and Secure Communications, Software Reliability and Testing, Infocom Systems
Reliability, Power Systems Reliability, Reliability and Maintenance Models, Fault Tolerance in Hardware and Software Systems, Free
and Open Source Software, Natural Language Processing, Cloud Computing, Computer Architecture and Embedded Systems, Artificial
Intelligence and Expert Systems, Data Mining & Data Warehousing, Network Technologies, Convergence Technologies, Human-Computer
Interface, Information and Network Security, Mobile Computing, Software Engineering, Advances on Computing Mechanisms, Software
and Web Engineering, ICT Act and Cyber Laws, Rural Applications of IT, E-Governance, Soft Computing, Financial Optimization, Inventory
Management, Fuzzy Systems, Knowledge Management, Supply Chain Management, Stochastic Petri Nets, Risk Analysis, Infrastructure
Systems Safety and Risk, Probabilistic Fracture Mechanics and Fatigue Analysis, Probabilistic Safety Assessment, Project Management,
Risk Management, Change Management, IT Projects Delivery.
Submissions: Submissions must be original contributions and should not have been presented or published anywhere. Authors of
accepted papers must guarantee that at least one of the authors will attend the conference and present the paper. Papers should not
exceed 10 pages in the IEEE format.
Important Dates:
Last date for receiving full paper: July 10, 2014
E-mail notification of paper acceptance: July 30, 2014
Last date for receiving camera-ready paper with modifications: August 10, 2014
For additional details, please contact: Prof. Sunil Kumar Khatri, General Chair, ICRITO'2014 at [email protected]
Phone: 0120-4392276-77 (O), 8130977443 (M)
Website: www.amity.edu/aiit/icrito2014