Mobile OS Architecture Trends

The design of Mobile OS has experienced a three-phase evolution in the past decade: from the PC-based operating system to an embedded operating system to the current smart phone-oriented operating system. The Mobile OS architecture has gone from simple to complex to something in-between, while this entire evolution process. This evolution process is driven naturally by the technology advancements in the internet, as well as in software and hardware because of the advancement in the custom software development companies.

The technological advancements by web development companies have resulted in a variety of different competing mobile operating system solutions on the market driven by different actors. Few of these actors include Bada by Samsung, iOS of Apple, Android by Google, RIM’s BlackBerry OS, Symbian of Nokia, Windows Phone by Microsoft, webOS by HP and few embedded Linux distributions such as MeeGo and Maemo to mention few of them.

Some of the most popular mobile operating systems are described below:

Android OS

As of 2011, Android has the largest installed base of any mobile OS and its devices also sell more than Windows, iOS and Mac OS devices combined as of 2013 (Mahapatra, 2013). As of July 2013 the Google Play store has had over 1 million Android apps published, and over 50 billion apps downloaded (PHONEARENA, 2014). One of the developer survey conducted between April and May 2013 found that 71% of mobile developers develop for Android (DEVECO, 2013).

The layers of Android platform are as follows :

• Linux Kernel: Android relies on Linux for core system services such as process management, security, memory management, and many more.

• Android Runtime: it provides a set of core libraries which supports most of the functionality in the core Java libraries. Android Virtual Machine known as Dalvik VM relies on the Linux kernel for some underlying functionality.

• Libraries: Android includes a set of C/C++ libraries which are exposed to developers through the Android application framework including surface manager, media libraries, system C libraries, 3D libraries etc.

• Application Framework: it provides an access layer to the framework APIs used by the core applications and allows components to be used by the developers

iOS

• iOS(previously iPhone OS) is a mobile operating system developed by Apple Inc. and  is exclusively distributed for Apple hardware. iOS is the operating system that powers iPod Touch, iPad, Apple TV and iPhone. It promoted a new style of user interaction for limited input devices, small screen, specifically, direct manipulation. On-screen interface elements, and to perform interface operations are controlled by touch-based gestures like tap and hold, tap, swipe, and pinch. iOS is derived from Mac OS X.

iOS is made up of following  abstraction layers:

• Core OS: The kernel of the operating system including basic low-level features: system support—DNS, threads, math, sockets, memory—general security services— private/public keys, certificates, encryption— Bluetooth, sound and image processing, and external hardware management.

• Core Services: Fundamental system-services, which are subdivided in different frameworks and based on C and Objective C. IT include basic application services including SQLite, calendar events, XML support, accounts, location data management, contacts, networking,  and store purchasing. 

• Media Layer: Considers the high-level frameworks that are responsible for using graphics both 2d and 3d, video- and audio technologies.

• Cocoa Touch: The UIKIT, which is an Objective- C based framework and provides a number of functionalities that are necessary for the development of an iOS Application like the User Interface Management. Also APIs for building applications— multitasking, notifications, interface views, access to device data and touch input are included. 

Windows Phone

Windows Phone is a proprietary smart phone operating system developed by Microsoft. It is the successor to Windows Mobile, though it is incompatible with the earlier platform. Windows Phone was launched in 2010 under the name Windows Phone 7. Large number of hardware manufacturers including HTC, Samsung, LG, and Nokia are developing Windows Phone devices. Both Nokia and Microsoft announced in February 2011 that Windows Phone 7 would be the primary OS for all future Nokia smart phones. Windows Phone 7 received a major upgrade (7.5 Mango) in February 2011, adding features that had been missing in the original release. The Second generation Windows Phone 8 was released in October 2012 (NCSU, 2014).

Windows Phone 7’s architecture required a hardware layer that meets Microsoft’s minimum system requirements: a multi-touch capacitive display, 256MB RAM, a DirectX 9-capable GPU, an accelerometer, 8GB of flash memory, a compass, a 5-megapixel camera, proximity and light sensors, an A-GPS, an ARM7 CPU and six physical buttons: back, start, and search; camera, volume, and power/sleep(Windows, 2011). Windows Phone kernel handles low-level device driver access as well as basic storage, security and networking.Three libraries: a UI model for user-interface management, an App Model for application management, and a Cloud Integration module for web search via push notifications, location services ,Bing, and so on sit above the kernel (NCSU, 2014). The application-facing APIs include XNA, Silverlight, HTML/JavaScript and the Common Language Runtime (CLR) that supports C# or VB .Net applications. Kernel itself is a proprietary Windows OS design for embedded devices that combines Windows Embedded CE 6.0 R3 and Windows Embedded Compact 77. Windows Phone 8 replaced the Windows CE kernel with one based on Windows NT and this is meant in part to mimic the Windows 8 desktop OS, which allows for easier porting of applications between the two operating systems, usually carried out in many application development companies.

Author Signature - Sanika Taori

Marketing a Custom Software

Custom software is specially developed for some specific Custom Software Development company or other user with specific needs. As such, it can be contrasted with the use of software packages developed for the mass market, such as commercial off-the-shelf (COTS) software, or existing free software.

Custom software development is often considered expensive compared to off-the-shelf solutions or products. This can be true if one is speaking of typical challenges and typical solutions. However, it is not always true; custom software development by a reputable supplier is often a matter of building a house upon a solid foundation and, if managed properly, it is possible to do this quickly and to a high standard. In many cases, COTS software requires customization to correctly support the buyer's operations. The cost and delay of COTS customization frequently adds up to the expense of developing custom software.

Business processes are an important intellectual property for any software development organization. Fine-tuning and enforcing your processes through smart, fully-automated applications can help set your company apart from your competitors. Most custom software companies in India don't market their product correctly. Marketing should focus not on products but on customers. If marketing were supposed to focus the product, it would be called “producting.”But it's not is it? It's called “marketing,” which means that marketing is supposed to focus on the marketplace—and the marketplace is made up of people: customers and prospects. This focus on marketplace instead of product must form the basis of your strategic and tactical marketing—when you lose this focus your marketing loses its meaning. Start off by segmenting your market.

There are some option for creating marketing strategies. Try company size and industry sector as variables. i.e. you are looking for medium sized companies in the financial services sector. The company size and industry sector would be dependent on the previous experience of your team. Speaking of that, have you got case studies on your previous engagements? Client testimonials are also good. Your revenue comes from services. Your revenue does not come from custom software development in isolation. Position yourself to as a services firm that provides solution. Your solutions should solve business problems. What problems do your solutions solve? What problems do your clients/prospects have? Do you provide customization of 'boxed product'? Do you improve system performance or functionality? Do your solutions provide benefit to the technical side or the end-user side? What does your service methodology provide that other service providers don't? Who benefits the most from your solutions and how? The answer to these questions will build your value proposition and create a compelling story that clients will want to hear!

Identify your niche by analysing your past project successes. And ask some questions to yourself. like:

• What technologies were used?
• What business department did you serve?
• What business process or function did you improve?
• Did you save your client money?
• Did you improve a process?
• What industry did you serve?

Break these criteria down into a basis and you will start to see where your company has been successful - then you can begin to replicate that success.

According to those criteria plan strategy for marketing your custom software.

Some common marketing methods are as follows :

• Continuous Search Engine Optimization
• Affiliates marketing
• Write newsletters and press releases
• Get involved in online forums and blogs

Thus, the custom software development companies in India should use these strategies and points while marketing the custom software.

Introduction to Information Rights Management

Information Rights management

There is only one technology that fully secures access to the data regardless of where it travels. The solution is to build the classification metadata, the access controls, and the information about which rights are allowed to individual users’ right in to the data itself. This solution is known as Information Rights Management (IRM). The software development companies use this as a solution to protect the data. 

IRM is essentially a combination of encryption and access controls that are built into document creation and viewing software applications, so that encrypted content can be decrypted and viewed based on access rights.We examine the history of rights management technologies that began with the digital entertainment industry and led to today’s IRM solutions that apply similar controls to any unstructured data.

IRM shrinks the security perimeter to the information itself. With IRM, you are not protecting the location where the information lives, nor the network it lives on. Instead, you are applying access control, encryption, and auditing to the information itself. That way, regardless of which disk the information resides on, which networks it travels across, or which database it may be resident in, IRM is able to provide a persistent level of security to the information wherever it goes.

IRM provides security protections not only for data at rest and data in transit, but also for data in use—which, is hard to accomplish. IRM technologies are able to prevent things like data being copied to a clipboard and pasted into another application. IRM can allow authorized users to open content while also limiting their ability to edit that content or make printed copies of it. With this level of control for data in use also comes auditing of all access to the information, even after it has left the perimeters of your network. These controls are basically impossible to implement with any other technology. 

With its fine-grained data-in-use features, the most valuable thing that IRM brings to the security landscape is the ability to control access to information, every time it is accessed, from any place it is copied to, and for every single copy, anywhere—along with the ability to revoke that access at any time. Imagine the scenario where your custom software development company has shared millions of e-mails, images, spreadsheets, documents, presentations, and so on with your business partners, customers, potential acquisitions, and employees (both current and long gone). Now imagine being able to revoke access to all that information and ensure that, as your business relationships and trusts change, you can maintain appropriate access to information even when it has long left the confines of your file servers, content management systems, and networks. The security of the data is persistent. Unlike nearly every other data security technology, the information is never given to the application or end user in an uncontrolled manner.

IRM technology extends the reach of information access control to well beyond places where you can typically deploy identity and access control technology. However, as with any technology, IRM has pros and cons.

Thus, every software development organization take into account IRM for data protection. IRM is not a replacement for existing security solutions, but it is an excellent tool to complement them. IRM represents a powerful tool for reducing risk of data loss.

Author Signature - Venu Majumdar

Industrial Safety Products

Security is among the very most typical goals of a business. This expands not only to software  development companies but to workers and patrons too. This resulted in the creation of industrial security merchandises to be used by various sectors. Under these kinds of industrial goods, distinct classes might even be discovered.

The general types for industrial security products are chemicals, arc flash protection and janitorial supply, cutlery, emergency response, facility upkeep, fall protection, female care goods, flooring, fire fighting and carpet attention and heat stress supplies. Equipment for hand, head, eyes and hearing protection is, in addition, discovered on the list. To develop a fuller comprehension of all of these matters, learn about special kinds below the general classes.

Hand, hearing and head protection

Head the hand and ears are widely used to be able to create a worker work readily. Hands are used in a number of the very most essential elements of creation while the head is likewise essential in managing some manufacturing procedures. Hearing is in taking up company directions also important. These motives are enough for firms to supply industrial products for protection of the hand, head and ears.

The most typical examples of hand protection are a wide range of hand gloves, glove accessories and glove dispensers. Hand gloves contain chemical resistant gloves, cotton gloves, inspector gloves and finger cots. In regards to head protection, goods including speciality hard hats, warm weather and cold protection, hard hat replacing and suspensions are accessible. For hearing protection functions, earplugs, earmuffs and accompanying accessories are likewise being offered in a record of industrial security products.

Description of the several equipments is as follows :

Eye protection

Eye protection is now a crucial variable in regards to the topic of industrial security. With 21% of the absolute variety of workplace injuries per year associated with the eyes, the requirement for protective eye wear is now a sensitive issue for a lot of the individuals belonging to the sectors that are involved.

Head safety

Industrial safety helmets are extremely critical in such surroundings where an employee is exposed to some kind of risk. When they are useful :-

• Shields head, your face, neck, and shoulders against splashes, spills, and drips.
• Safety Helmets shield against impacts from debris or falling items, electrical shocks and burns, penetration and flammability
• The stiff shell of the safety helmet deflect and will resist an impact to the head.
• The suspension system will absorb shock which is found in the helmet.
• The suspension should suspend the shell 1 1/4″ for shock absorption and breathing

Industry safety gates

Industrial security gates are utilized in factories where there are lots of workers, or different individuals, doing lots of distinct jobs through the day; they’re additionally used in huge loading docks. There are several distinct occupations being done in factories, meaning there are plenty of folks running around and on buildings sites. This is why you may find many distinct, and why security is the most essential matter on sites of the nature, brilliantly coloured industrial security gates installed where they’re needed.

Fire protection

Fire is a serious threat to the physical safety and security of any workplace. Fire protection comes in many forms, from rescue and escape equipment to fire extinguishers and fire-fighter gear. The fire protection needs of your company will depend on the size and type of business you have, as well as the type of emergency response plan you employ.

Thus, all the organizations including the software development companies should consider the Industry safety standard and use of the safety equipments. 

Author Signature - Venu Majmudar

Risk Analysis

Introduction

The objective of a security program is to mitigate risks. Mitigating risks does not mean eliminating them; it means reducing them to an acceptable level. To make sure your security controls are effectively controlling the risks in your environment, you need to anticipate what kinds of incidents may occur. You also need to identify what you are trying to protect, and from whom. That’s where risk analysis, threat definition, and vulnerability analysis come in. What is being protected? What are the threats? And where are the weaknesses that may be exploited?

Threat Definition

Evaluating threats is an important part of risk analysis. By identifying threats, you can give your security strategy focus and reduce the chance of overlooking important areas of risk that might otherwise remain unprotected. Threats can take many forms, and in order to be successful, a security strategy must be comprehensive enough to manage the most significant threats.

How do you know you’re defending against the right threats?

For example, if an software development organization were to simply purchase and install a firewall (and do nothing else) without identifying and ranking the various threats to their most important assets, would they be secure? Probably not. These statistics are from Verizon’s 2010 Data Breach Investigations Report (DBIR), the result of a collaboration between Verizon and the U.S. Secret Service. This is a breakdown of “threat agents,” which are defined in the report as “entities that cause or contribute to an incident.” 

This particular study illustrates the point that insider threats should be an important consideration in any security program. Many people that haven’t seen real-world security breaches don’t know this, so they focus exclusively on external threats.

There are numerous other studies that show different results, including later DBIR reports (because different environments experience different threats, and the threat landscape always changes) but they all point to the insider threat as a serious concern. Security professionals know that many real-world threats come from inside the organization, which is why just building a wall around your trusted interior is not good enough. Regardless of the breakdown for your particular organization, you need to make sure your security controls focus on the right threats. To avoid overlooking important threat sources, you need to consider all types of threats.

This consideration should take into account the following aspects of threats:

• Threat vectors
• Threat sources and targets
• Types of attacks
• Malicious mobile code
• Advanced Persistent Threats (APTs)
• Manual attacks

Threat Vectors

A threat vector is a term used to describe where a threat originates and the path it takes to reach a target. An example of a threat vector is an e-mail message sent from outside the software development organization to an inside employee, containing an irresistible subject line along with an executable attachment that happens to be a Trojan program, which will compromise the recipient’s computer if opened.

A good way to identify potential threat vectors is to create a table containing a list of threats you are concerned about. It is important to understand threat vectors and consider them when designing security controls, to ensure that possible routes of attack for the various threats receive appropriate scrutiny. Understanding threat vectors is also important for explaining to others, such as management, how the protective mechanisms work and why they are important.

Risk Analysis

A risk analysis needs to be a part of every security effort. It should analyze and categorize the assets that need to be protected and the risks that need to be avoided, and it should facilitate the identification and prioritization of protective elements. It can also provide a means to measure the effectiveness of the overall security architecture, by tracking those risks and their associated mitigation over time to observe trends. How formal and extensive should your risk analysis be? That really depends on the needs of your organization and the audience for the information. In a larger, well structured environment, a more detailed risk analysis may be needed. 

A quantitative approach to risk analysis will take into account actual values—the estimated probability or likelihood of a problem occurring along with the actual cost of loss or compromise of the assets in question. One commonly used approach to assigning cost to risks is annualized loss expectancy (ALE). This is the cost of an undesired event—a single loss expectancy (SLE)—multiplied by the number of times you expect that event to occur in one year—the annualized rate of occurrence (ARO).

Annualized Loss (ALE) = Single Loss (SLE) * Annualized Rate (ARO).

But there are problems with the ALE approach. How can you assign ARO to every potential loss? For example, how many times a year will your car be involved in a fender bender? In reality, many years may go by in between accidents, but occasionally you may have two or three accidents in a single year. Thus, your ARO can be highly variable. Even defining SLE can be difficult. How much will a fender-bender cost? It could be anywhere from nothing to several thousand dollars. An analytical mind might be bothered by the variability and ambiguousness of the numbers. In fact, there is a lot of guesswork involved.

Because the results of an ALE analysis are hard to defend, prove, support, and demonstrate, this approach is tending to fall out of favor. However, the basic principle of identifying threats, vulnerabilities, and risks remains valid. 

A qualitative approach to risk analysis, which may suffice in smaller environments or those with limited resources, can be just as effective. In an software development company, You can identify your assets (for example, a web server, a database containing confidential information, workstation computers, and a network). You can identify the threats to those assets (malware, hack attacks, bugs and glitches, power outages, and so forth). And you can assign a severity level to help you prioritize your remediation. If the severity is high enough, you will probably want antivirus capability on the endpoints as well as on the network, a high-quality stateful firewall, a timely patching program that includes testing, and uninterrupted power supplies (UPSs).

Thus, a proper risk analysis should be carried out to mitigate the risk occurring in an organization. 

Computer & Network Policies in Information Security : Part-2

Network Policies

This group of policies applies to the network infrastructure to which computer systems are attached and over which data travels in a software development organization. Policies relating to network traffic between computers can be the most variable of all, because an organization’s network is the most unique component of its computing infrastructure, and because organizations use their networks in different ways. These example policies may or may not apply to your particular network, but they may provide inspiration for policy topics you can consider. 

• Extranet Connection Access Control: All extranet connections (connections to and from other organizations’ networks outside of the organization, either originating from the external organization’s remote network into the internal network, or originating from the internal network going out to the external organization’s remote network) must limit external access to only those services authorized for the remote organization. This access control must be enforced by IP address and TCP/UDP port filtering on the network equipment used to establish the connection. 

• System Communication Ports: Systems communicating with other systems on the local network must be restricted only to authorized communication ports. Communication ports for services not in use by operational software must be blocked by firewalls or router filters. 

• Inbound Internet Communication Ports: Systems communicating from the Internet to internal systems must be restricted to use only authorized communication ports. Firewall filters must block communication ports for services not in use by operational system software. The default must be to block all ports, and to make exceptions to allow specific ports required by system software. 

• Outbound Internet Communication Ports: Systems communicating with the Internet must be restricted to use only authorized communication ports. Firewall filters must block communication ports for services not in use by operational system software. The default must be to block all ports, and to make exceptions to allow specific ports required by system software. 

• Unauthorized Internet Access Blocking: All users must be automatically blocked from accessing Internet sites identified as inappropriate for the organization’s use. This access restriction must be enforced by automated software that is updated frequently.

• Extra net Connection Network Segmentation: All extranet connections must be limited to separate network segments not directly connected to the corporate network.

• Virtual Private Network: All remote access to the corporate network is to be provided by virtual private network (VPN). Dial-up access into the corporate network is not allowed. 

• Virtual Private Network Authentication: All virtual private network connections into the corporate network in an IT software development company require token-based or biometric authentication.  Employee and contractor home systems may connect to the corporate network via a virtual private network only if they have been installed with a corporate-approved, standard operating system configuration with appropriate security patches as well as corporate-approved personal firewall software or a network firewall device.

Author Signature: Venu Majmudar

Computer & Network Policies in Information Security : Part-1

Computer Policies

This group of policies applies to computers and information systems in a software development company. Authentication policies often form the largest collection of policy statements in a computer environment because authentication systems and variations are so complex and because they tend to have the greatest impact on the average computer user. Password policies are often the largest subset of authentication policies. 

• Account/Password Authentication: A unique account and password combination must authenticate all users of information systems. The account name must be used only by a single individual, and the password must be a secret known only to that individual.

• New Account Requests: The manager responsible for a new end user must request access to corporate information systems via a new account. End users may not request their own accounts. The new account request must be recorded and logged for the record. When the account is no longer needed, the account must be disabled.

• Account Changes: The manager responsible for the end user must request changes in access privileges for corporate information systems for a system account. End users may not request access-privilege changes to their own accounts. The request must be recorded and logged for the record. 

• Two-Factor Authentication: All administrators of critical information servers must be authenticated via a token card and PIN code. The individual must be uniquely identified based on possession of the token card and knowledge of a secret PIN code known only to the individual user.

• Desktop Command Access: Access to operating system components and system administration commands on end-user workstations or desktop systems is restricted to system support staff only. End users will be granted access only to commands required to perform their job functions.

• Generic User Accounts: Generic system accounts for use by people are prohibited. Each system account must be traceable to a single specific individual who is responsible and accountable for its use. Passwords may not be shared with any other person. 

• Inactive Screen Lock: Computer systems that are left unattended must be configured to lock the screen with a password-protected screensaver after a period of inactivity. This screen locking must be configured on each computer system to ensure that unattended computer systems do not become a potential means to gain unauthorized access to the network. 

• Login Message: All computer systems that connect to the network must display a message before connecting the user to the network. The intent of the login message is to remind users that information stored on the organization’s information systems belongs to the organization and should not be considered private or personal. The message must also direct users to the corporate information system usage policy for more detailed information. The message must state that by logging on, the user agrees to abide by the terms of the usage policy. Continuing to use the system indicates the user’s agreement to adhere to the policy. 

• Failed Login Account Disabling: After ten successive failed login attempts, a system account must be automatically disabled to reduce the risk of unauthorized access. Any legitimate user whose account has been disabled in this manner may have it reactivated by providing both proof of identity and management approval for reactivation. 

• Password Construction: Account names must not be used in passwords in any form. Dictionary words and proper names must not be used in passwords in any form. Numbers that are common or unique to the user must not be used in passwords in any form. Passwords shorter than eight characters are not allowed. 

• Password Expiration: Passwords may only be used for a maximum of 3 months. Upon the expiration of this period, the system must require the user to change their password. The system authentication software must enforce this policy. 

• Password Privacy: Passwords that are written down must be concealed in a way that hides the fact that the written text is a password. When written, the passwords should appear as part of a meaningless or unimportant phrase or message, or be encoded in a phrase or message that means something to the password owner but to nobody else. Passwords sent via e-mail must use the same concealment and encoding as passwords that are written down, and in addition must be encrypted using strong encryption. 

• Password Reset: In the event that a new password must be selected to replace an old one outside of the normally scheduled password change period, such as when a user has forgotten their password or when an account has been disabled and is being reactivated, the new password may only be created by the end user, to protect the privacy of the password.

• Password Reuse: When the user changes a password, the last six previously used passwords may not be reused. The system authentication software must enforce this policy. 

• Employee Account Lifetime: Permanent employee system accounts will remain valid for a period of 12 months, unless otherwise requested by the employee’s manager. The maximum limit on the requested lifetime of the account is 24 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation. 

• Contractor Account Lifetime: Contractor system accounts will remain valid for a period of 12 months, unless otherwise requested by the contractor’s manager. The maximum limit on the requested lifetime of the account is 24 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation. 

• Business Partner Account Lifetime: Business partner system accounts will remain valid for a period of 3 months, unless otherwise requested by the manager responsible for the business relationship with the business partner. The maximum limit on the requested lifetime of the account is 12 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation. 

• Same Passwords: On separate computer systems, the same password may be used. Any password that is used on more than one system must adhere to the policy on password construction. 

• Generic Application Accounts: Generic system accounts for use by applications, databases, or operating systems are allowed when there is a business requirement for software to authenticate with other software. Extra precautions must be taken to protect the password for any generic account. Whenever any person no longer needs to know the password, it must be changed immediately. If the software is no longer in use, the account must be disabled. 

• Inactive Accounts: System accounts that have not been used for a period of 90 days will be automatically disabled to reduce the risk of unused accounts being exploited by unauthorized parties. Any legitimate user whose account has been disabled in this manner may have it reactivated by providing both proof of identity and management approval for reactivation. 

• Unattended Session Logoff: Login sessions that are left unattended must be automatically logged off after a period of inactivity. This automatic logoff must be configured on each server system to ensure that idle sessions do not become a potential means to gain unauthorized access to the network. 

• User-Constructed Passwords: Only the individual owner of each account may create passwords, to help ensure the privacy of each password. No support staff member, colleague, or computer program may generate passwords.

• User Separation: Each individual user must be blocked by the system architecture from accessing other users’ data. This separation must be enforced by all systems that store or access electronic information. Each user must have a well-defined set of information that can be located in a private area of the data storage system. 

• Multiple Simultaneous Logins: More than one login session at a time on any server is prohibited, with the exception of support staff. User accounts must be set up to automatically disallow multiple login sessions by default for all users. When exceptions are made for support staff, the accounts must be manually modified to allow multiple sessions.

All the software companies take into account the above mentioned points for the Computer Policies to ensure the Information Security in an organization or a firm for mitigating the risk against the unauthorized entity.

Author Signature - Venu Majmudar

Comparison between CRM Softwares

Customer Relationship Management (CRM) systems enable companies, including software development companies to track and manage all customer interactions across the customer lifecycle from lead to order to support in one master system of record.

CRM software suites typically provides:

1. Sales Force Automation (SFA) including contact, account, and opportunity management,
2. Marketing Automation features such as lead and campaign management,
3. Customer support features such as support case and knowledge management, and
4. a unifying database and platform for companies to manage all customer data and customer-facing applications.

Different CRM softwares are explained as follows :

1. Aplicor

Technology – Microsoft.Net,Sql server

Company – Private

Pros:-

• Workflow automation capabilities stand alone
• Strong Business Intelligence (BI) & analysis reporting
• Strong feature sets and functionality
• Private assembly model a unique alternative
• Excellent customer support and client satisfaction

Cons :-

• Company imposes 10 user minimum
• No modular pricing
• Slightly higher pricing than competitors
• Only supports MS IE browser
• Company needs to become more analyst friendly    

2. SAP

Technology :-HTML-5 , Webservices,  Sap mobile platform

Pros :-

• Backing by the largest application software vendor in the world backing by the largest application software vendor in the world
• Isolated tenancy hosted delivery model is a welcome change from most other hosted CRM vendors Isolated tenancy hosted delivery model is a welcome change from most other hosted CRM vendors

Cons :-

• The product is new, shallow and comparatively weak when compared to other hosted CRM vendors; however, offers much broader and powerful ERP capabilities.

3. Oracle OnDemand

Technology :- Java, Linux

Company :- Oracle

Pros :-

• CRM integrates to Oracle Financials
• Nice dashboard
• Good data warehousing (lacks flexibility, but good presentation)
• Strong sales force automation (SFA)

Cons :-

• Not as strong marketing automation or customer service
• Lacks deep functionality offered by some other hosted vendors
• Offline version is pretty bad
• Allegedly poor customer service and turnover

4. MS dynamics CRM

Technology :- .Net

Company :- Microsoft Corporation

Pros :-

• Good integration with Microsoft Office products
• Reasonable sales force automation (SFA)
• Strong technology foundation and architecture
• Strong partner delivery network

Cons :-

• Heavy browser architecture - fat client
• Not taken seriously in the SaaS market place
• Titan is Microsoft's first attempt at hosted CRM
• Weak marketing and customer support

5. NetSuit

Pros :-

• CRM integrates to back office accounting
• Good service level agreement
• Accounting is mature (company's original name was NetLedger reflecting it's accounting heritage)

Cons :- 

• Good accounting, not as strong CRM
• Primarily a small business system
• Signs of a lot of client turnover
• Allegedly poor customer support

The best CRM Software products are determined by customer satisfaction (based on user reviews) and scale (based on market share, vendor size, and social impact). Thus, the custom software development companies use all the above CRM software to satisfy customer and maintain the good relationship with the customers and thereby adding a value to an IT organization.

Incident Management process in IT Organizations

Security incident means any harmful activity which can lead to negative impact to company’s tangible or intangible assets. It is a compromise or violation of an organization’s security eg. it can be a software development company. An incident can range from anything outage such as a power or hardware failure to the incidents such as a violation of organizational policy by disgruntled employees or being hacked.

Incident management  is the activities of an IT organization to identify, analyse, and correct hazards to prevent a future re-occurrence of it. Incidents within an organization are normally dealt with by either an Incident Response Team (IRT), or an Incident Management Team (IMT). These team work to restore normal functions of the company.

When any incident occurs IRT take some basic steps and those steps are preplanned. They are;

1. Preparation

This phase  deals with the pro-actively preparing a team to be ready to handle an incident. The following should be performed :

• Response Plan/Strategy
• Communication
• Documentation
• Access Control
• Training

2. Identification

This phase deals with the detection and determination of whether there is a deviation from normal operations within an organization, and its scope assuming that the deviation is indeed an incident. This step includes one to gather events from various sources such as past reports, error messages, log files, and other resources, such intrusion detection systems and firewalls. That may produce evidence as to determine whether an event is an incident. If a particular event is determine to be an incident then it should be reported immediately in order to allow the team enough time to collect evidence and prepare for the preceding steps.

3. Containment

The purpose of this phase is to limit the damage happened and prevent any further damage from happening. Basically the focus of this step is to limit the damage as soon as possible and take actions which are corrective.

4.  Eradication

This phase deals with the removal and restoration of affected systems. Antivirus and other corrective software will be used.

5. Recovery

The purpose of this phase is to bring affected systems back into the production environment carefully ensuring that it will not lead another incident. The system is  tested, monitored, and validated that are being put back into production to verify that they are not being re-infected by malware or compromised by some other means.

It is not necessary in every incident there will be a disciplinary action which should be taken. It depends on what kind of breaches happened after the incident took place. How incident impacted the CIA of the information asset of the organization, and what is the criticality of incident, depending on that disciplinary actions should be taken.

Information security incident management process:

1) Corrective Action of the incident

2) Identification and reporting of the incident.

3) Classify the incident i.e critical, moderate, high or low

4) Identification of stakeholder who all should be involved for managing the incident

5) Root Cause Analysis of the incident

6) Preventive action of the incident to stop or minimize the re-occurrence of the incident

7) Learning communicated to either whole organization or to the stakeholders only

Thus, incident management is significant aspect for every organization including custom software development. Every organization should have proper planning to handle incidents.

Industry safety standards and its implications : Part-2

In most of the countries, standards can be regarded as voluntary whereas regulations are legally mandatory. However standards are usually used as the practical interpretation of the regulations. Therefore the worlds of standards and regulations are closely interlinked.

ISO (International Organization for Standardization)

ISO is a non-governmental organization comprised of the national standards bodies of most of the countries of the world (157 countries at the time of this printing). A Central Secretariat, located in Geneva, Switzerland, coordinates the system.

ISO standards can be identified by the three letters ISO.

The ISO machine standards are organized in the same fashion as the EN standards, three levels: Type A, B and C (see the later section on EN Harmonized European Standards).

IEC (International Electro technical Commission)

The IEC prepares and publishes international standards for electrical, electronic and related technologies. Through its members, the IEC promotes international cooperation on all questions of electro technical standardization and related matters, such as the assessment of conformity to electro technical standards.

EN Harmonized European Standards

These standards are common to all EEA countries and are produced by the European Standardization Organizations CEN and CENELEC. Their use is voluntary but designing and manufacturing equipment to them is the most direct way of demonstrating compliance with the EHSRs of the Machinery Directive.

They are divided into 3 types: A, B and C standards. 

Type A. STANDARDS: Cover aspects applicable to all types of machines. 

Type B. STANDARDS: Subdivided into 2 groups.

Type B1 STANDARDS: Cover particular safety and ergonomic aspects of machinery. 

Type B2 STANDARDS: Cover safety components and protective devices. 

Type C. STANDARDS: Cover specific types or groups of machines. 

It is important to note that complying with a C Standard gives automatic presumption of conformity with the EHSRs. In the absence of a suitable C Standard, A and B Standards can be used as part or full proof of EHSR conformity by pointing to compliance with relevant sections. 

ISO and EN Standards (Type A)

EN ISO 12100

Safety of machinery. Basic concepts, general principles for design. Pts 1 & 2

This is an A standard which outlines all the basic principles including risk assessment, guarding, interlocking, emergency stops, trip devices, safety distances, etc. It references to other standards that provide greater levels of detail. 

In the near future it is likely that EN ISO 12100 and EN ISO 14121 will be combined into one standard.

EN ISO 14121

Principles for risk assessment.

This principle outlines the fundamentals of assessing the risks during the life of the machinery. It summarizes methods for hazard analysis and risk estimation.

An ISO Technical Report: ISO/TR 14121-2 is also available. It gives practical guidance and examples of methods for risk assessment.

ISO and EN Standards (Type B)

EN ISO 11161

Safety of Integrated Manufacturing Systems — Basic Requirements.

This standard was published in its revised form in 2007. It was significantly updated making it very useful for contemporary integrated machinery.

EN ISO 13849-1:2008 

Safety related parts of control systems—Pt 1: General principles for design

This standard is the result of the significant revision of the old EN 954-1 (which is due for withdrawal at the end of 2011). It introduced many new aspects for Functional Safety of control systems. The term “PL” (Performance Level) is used to describe the level of integrity of a system or a subsystem. 

It is available as an alternative to IEC/EN 62061 (see later). Note that EN ISO 13849-1 covers all technologies of control system whereas IEC/EN 62061 only covers electrical technology. 

EN ISO 13849-2

Safety related parts of control systems—Pt 2: Validation

This standard provides details for validation of safety related parts of control systems. It has annexes that give details safety components, principles and fault exclusion.

EN ISO 13850

Emergency Stop devices, functional aspects—Principles for design.

Provides design principles and requirements.

ISO 13851 (EN 574)

Two-hand control devices—Functional aspects—Principles for design.

Provides requirements and guidance on the design and selection of two-hand control devices, including the prevention of defeat and the avoidance of faults. There are various standards which are followed in the software development companies like ISO, PCI DSS, various outsourcing policies, network security standards.

Author Signature - Venu Majmudar

Industry Safety Standards and its Implications : Part-1

General safety goals for industry

• Provide workers with a safe work environment.
• Conduct routine/regular workplace inspections.
• Provide Personal Protective Equipment. 
• Develop and implement safe work procedures and rules.
• Provide on-going safety training 
• Enforce safety rules and appropriate discipline.
• Provide on-going property conservation practices.

Safety Rules For industry

• All injuries must be reported as soon as possible.
• No horseplay, alcohol, or drugs allowed on premises. 
• No alcohol usage allowed during lunch break. 
• PPE must be worn as prescribed by management. 
• All tools/equipment must be maintained in good condition.
• Only appropriate tools shall be used for specific jobs. 
• All guards must be kept in place. 
• No spliced electrical cords/wiring allowed. 
• Only authorized personnel can operate forklift vehicles.
• Smoking allowed only in lunch room. 
• Seat belt use required of all drivers/passengers

Here is a list of some of the typical international and national standards that are relevant to industry safety including software development companies.This section should be read in conjunction with the Regulation section.

Most of the countries are working towards global harmonization of standards. This is especially evident in the area of machine safety. Global safety standards are governed by two organizations: ISO and IEC. Regional and country standards are still in existence and continue to support local requirements but in many countries there has been a move toward using the international standards produced by ISO and IEC. 

For example, the EN (European Norm) standards are used throughout the EEA countries. All new EN standards are aligned with, and in most cases have identical text with ISO and IEC standards.

IEC covers electro technical issues and ISO covers all other issues. Most industrialized countries are members of IEC and ISO. Machinery safety standards are written by working groups comprised of experts from many of the world’s industrialized counties. 

Author Signature - Venu Majmudar

Automated Software Testing and related Tools

Software testing is major part of software development life cycle in all the software development companies. There are so many methods for software testing. One method is automated software testing. The objective of automated testing is to simplify testing using minimum scripts. It uses automated software tools to run tests based on predetermined algorithms to compare the developing program’s expected outcome with the actual outcome. If both the outcomes are aligned the program is running properly otherwise there is need for improvement. If two programs are not aligned with each other you have to do changes in the code and test it again until the outcomes align.

Automated testing is best to use when you’re working on a large project, and when there are many system users. Advantages of automated testing, for the custom software development companies, are its relative quickness and effectiveness. You have to set up initial test then it’s an easy process to repeat tests, continuously fill out the same information and everything is done for you automatically.

Many open source automation testing tools are available for almost all types of testing such as functional, Web, UAT, regression, performance etc. There are several criteria’s based on which a custom software development company can select tool for doing automated testing. Those are:-

• Target Testing Team
• Application & Platform support
• Testing Types
• Programming ability
• Application Technology
• Test Data Sources
• Testing Tools Outputs
• Technical Support
• Pricing Policy

Some of the tools that can be used for doing the automated testing are:

1. Silenium

Selenium is the best option for automated testing of Websites today. It is becoming popular and it is the first choice of automation testers as well as custom software development organizations for automating the testing of Web-based applications for both the GUI as well as the functionality. It  can also be used as a unit testing tool for JavaScript. Silenium  is package of various test components.  Selenium has following three modes for executing the test cases and test suites: Record-Playback mode (Selenium IDE)‏, Selenium Remote Control (RC) Mode, Test Runner Mode.

2. Watir

Watir is a set of Ruby libraries for automating web browsers. It  allows to write tests that are easy to read and maintain. It drives browsers the same way people do and also checks results such as whether expected text appears on the page. It is open source.

3. Windmill

Windmill is web application testing tool.  It supports cross-browser test recorder, JavaScript integration and an interactive shell to automate web browsers. It is open source.

4. SoapUI

SoapUI is a tool for automation of web application testing. SoapUI is available as a free open source edition as well as a commercial Pro edition.

5. Tellurium

Tellurium is a web automation tool that allows you to design and write your automated tests using plain English without any scripting or programming experience. It has a full library of “Plain English” commands – plus the ability to create your own – Tellurium’s natural language makes it easy for everyone to read and write advanced automated tests. No programming experience is required.

6. QTP

HP QTP uses Visual Basic Scripting  for automating the applications. Scripting Engine is available as a part of the Windows OS thus it is not installed exclusively.

Thus, for doing automated testing, a custom software development company have to analyse each tool in detail and as per requirement you have to choose best tool which fulfils all the criteria.

            

 Author Signature - Venu Majmudar

Importance of Project Management in Software Development Companies

In software development companies, Project Management is the art and science of planning and controlling the software projects. Project management helps you control scope, time, quality, cost, human resource related all the detail plan. It streamlines the process of developing any project and provides effective way to conduct the implementation. Project management helps in setting the goals, the actions needed to achieve those goals, plans how these goals are achieved.

Projects are completed by teams of people who are specially chosen because of their skills, potential and knowledge to contribute to the final output. Unless there is a structured and scientific approach to the managing projects, custom software development company in India would find themselves not familiarize and hence would be unable to meet the challenges that the modern era throws at them.

Major reasons for project failure are lack of communication between stack holders, failure to establish control over requirements and scope, lack of risk management, poor quality implementation, schedule slippage, poor plan, under estimation of the complexity, changing requirements, etc. Denver airport baggage system Originally billed as the most advanced system in the world, the baggage handling system  become one of the biggest examples of project failure. Originally planned to automate the handling of baggage through the entire airport, the system proved to be so much complex than some had original believed. Implemented system never functioned properly and  the system was scrapped.  The $2M monthly cost to maintain the system was outweighing the value the remaining parts of the system offered and using a manual system actually cut costs. Major Issues were Underestimation of project complexity, schedule and budget, Dismissal of advice from experts ,Changes in requirements, Complex architecture  Failure to build in backup or recovery process to handle situations in which part of the system failed is major reason for project failure .If they had develop proper project management plan this situation could have been avoided.

There are so many examples of project success in the custom software development company in India due to proper project management. An example of project success due to project management, Hotel management system for Wahda master development located in Abu dhabi city in UAE. They implemented project using this method and ensured that project management and cost consultancy to the development of software involved in every element from the master planning of the development to the concept development and management of all the details related to hotel. EC Harris developed detailed and systematic procedures through a project management gateway approach, which involved design verification checks, employer sign-off at various phases, value engineering workshops, and risk management. They worked step by step according to the plan for making user friendly and employee friendly hotel management site using proper project management and they succeeded.

Thus, project management is about creating the structure and managing  project commitments and proper delivery. By using the methods of project management, custom software development company can seek to achieve control over the project environment and they ensure that the project deliverables are being managed. Thus in this competing environment every software development company should ensure that they make proper project management plan to implement projects successfully. Without using Project Management, the managers and organizations face an unpredictable situations on which they have little or no control. Thus, Project Management is both necessary and essential to the success of the project and the software development companies.

Author Signature

Venu Majmudar

Risk Management in Custom Software Development in India

Now a days, many software development companies in India use custom software for their critical business activities like inventory management, customer management, human resource management, financial management etc. Basically custom software development means developing software for particular client as per his specific needs his requirements. All the organizations have different working structure thus they have different needs, for satisfying this type of varying requirements trend of custom software development in India has come. These software are costlier compare to other normal software and risk involved in making it is also higher. As it is made for specific client if it dose not work properly it can not be used anywhere else.

For safety purpose and effective planning custom software development companies should include risk management process while making plan for developing custom software. Risk management  allows to identify your projects strengths, weaknesses, opportunities, threats. Risk management is basically an approach in which we explore identify, analyse and mitigate the risks that can affect our project. By planning for an unexpected event you can avoid it when it arises. As custom software are high on cost,  it is very beneficial to identify all their risks related to cost, time, quality ,changing requirements to avoid failure. By identifying, avoiding and dealing with potential risks in advance, you ensure that your employees can respond effectively when challenges emerge and require intervention.

Major problem in custom software development is that the scope is creep. As it is created as per requirements it can be changed during the project development phase and it is difficult to deal with changing requirements. If we have made proper risk management plan it includes all the unplanned situation which can be arise. The risks associated with custom software application development can be minimized by following time-tested and widely accepted software development methodologies like Incremental, Prototyping and Spiral. Prototyping allows the developers to create prototype and test run it to see whether it can deliver the desired result. It is best way to avoid risk related to unsuccessful implementation.

Some of the benefits of risk management are it validates and communicates project progress and risks, Evaluate and quantify project progress against benchmark, ensure project accountability and benchmark, clarify accuracy and relevance of project etc.

Microsec implements custom software development. Allday, a technology company needed one software for their daily activity recording. Allday Time Systems has specialized in the accurate recording of staff working hours since the very earliest days of mechanical clock machines, right up to today's SAAS options for Public Sector, Hospitality and Retail. Their proposed modern software solution - central to long-term strategy - was on the drawing board, and they needed the right type of custom development partner to help them build it out. Microsec provided them solution. Company included all the aspects of related risks and how o mitigate them. It implemented software successfully. The finished platform specified and delivered by Microsec was based on SQL Server 2008, and utilising Windows Forms, VB.NET, C#, TCP/IP, Microsoft Remoting, and HTTP which is as per clients needs.

Thus,all the custom software development companies should include best practice of risk management for successful project development.

Author Signature : Venu Majmudar