Handling Security Issues in SDLC

ASP.NET software companies in India must take special care while developing internal web applications that are accessed from outside with the help of world wide web. Moreover the increase in personally-owned mobile devices (e.g., watch gear, smartphones, tablets, and laptops) as well as the vast variety of vulnerable mobile apps results into a higher risk of revealing highly confidential and business-related information in the workplace. This is possible when such information is stored on personally-owned devices. Cyber-attacks often exploit such vulnerabilities inherent in applications and operating systems. Hence The software code must be developed following a secure coding guidelines and frequent updates and patches to software are necessary.

Security is unquestionably mandatory and no-one can overlook that. It may take longer and including security into SDLC may result into a more complicated practice.  Nevertheless, the alternatives are not that satisfactory as there are always hackers only too eager to disrupt into systems.

The consequences of not including security within the SDLC process can be catastrophic and could cause distressing concerns for companies' status and earnings. By safeguarding SDLC, unnecessary& un-planned costs can be evaded and security matters can be tackled as there is no need to wait for threats to emerge and then having to spend money in fitting current or probable matters that could have been dodged.

Software companies in India use secure-SDLC thatfocuses on enforcing security into the Software Development Life Cycle. Every phase of SDLC will emphasize the enforcement of security – over and above the present set of events. Incorporating S-SDLC into an organization’s structure has many benefits that guarantees a secure product.

The focus of asp .net software companies in India, with respect to security domain,ison phases of SDLC such as design, implementation, delivery, operation, maintenance, and retirement. Information security and privacy experts must be involved in all phases of SDLC so that the overall effectiveness of security controls with respect to privacy concerns are taken care of. 

The subsequent list recognizes key security guidelines at each stage in the development life cycle for asp .net software companies in India:

• System feasibility: Pinpoint security requirements, including governing requirements, in-house policies and standards that must be looked at. 
• Software plans and requirements: Recognize the vulnerabilities, threats, and risks to software. Outline the desired level of protection. Conduct a cost-benefit analysis. 
• Product design: Proposefor the security criteria in product design (e.g., access controls or encryption). 
• Detailed design: Determine business requirements and legal obligations within the design of security controls in a product or system. 
• Coding: Develop the security-related software code, comments and citations. 
• Integration product: Investigate security measures and make alterations. 
• Implementation: Implement any additional safetydealings prior to go-live. 
• Operations and maintenance: Observe the software and system for variations in security controls. Assess current controls against newly-discovered threats and vulnerabilities. Implement proper updates and patches, when essential. Certify the complete effectiveness of application and system security.
• Product retirement: Safeguard information that was used and warehoused (i.e., archived), relocated to another database or system, or sterilized (i.e., erased) from the system.

Thus asp .net software companies in India can identify, reduce, mitigate and eliminate various security threats and adverse impacts that could be present in each stage of SDLC. It ultimately results into reduction in overall cost, efforts and time of delivering the final product or service in IT industry.

Conception among ASP.NET haters

While asp.net software companies are growing day-by-day, rare platforms appeal the same amount of rage as ASP.NET (or .NET in general) appeals from the development community. While there are surely valid criticisms of the platform, the majority of negativity derives from those who haven’t spent any time with .NET. Those developers stereotypically rely on misunderstandings or speak out disgust to base their opinion, and they do a damage to others looking to learn a novel technology and to the platform itself.

Here are the most common misconceptions  ASP.NET haters carry among with their selves.

Misconception: It’s Made by Microsoft, hence it’s only for profits

This is probably the #1 reason for all ASP.NET hate. Microsoft is a gigantic software corporation, and similar to all other corporations, they’re in business to generate cash. This is fascinating because the other key technology companies, such as Google and Apple, are there to make money, but the admirers of those other companies stereotypically turn a blind eye (or are in denial). Normal people don't really care who creates a product as long as that product serves the purpose. The developers (and nerds) treat technology, and/or the company that creates it, as a belief. In order for somebody to actually dislike something, that person has to attempt it.

Misconception: It's Expensive

What is costly for private use can be measured cheap in a business atmosphere. In business, there are numerous factors that make up the “price” of a product. The primary expense noticeably needs to be considered, but the benefit of the product is also factored into the whole total.

Misconception: It's Horrible for Small, Personal Websites

It’s really easy to get into the mentality that ASP.NET isn't appropriate for anything but large-scale establishments. Microsoft is a platform company, ultimately, and their products are largely dedicated towards business solutions. .NET isn’t really different in that context; it's massive in business environments, and its grip continues to mature as Microsoft magnifies novel and rejuvenated products like Azure (Microsoft’s Cloud platform) and Windows Phone, respectively.

Having a small business, one can always use the Web Pages, to develop it. But as business nurtures so does ASP.NET. ASP.NET lets one use MVC framework model. In which one can develop a web application, and ASP.NET allows developer to totally change the way the application is organized and used. One can edit Models, Controllers and Views to modify the content of the application, one can set ones’ own variables and so on.

Simplicity

Initially, Microsoft wants development on their platform, and they’ve acknowledged that it requires some (perhaps a lot of) simplification in order to produce. After all, PHP is as widespread as it is precisely because of its simplicity.

Misconception: It’s closed

Microsoft is a corporation that sells software, and they are certainly very defensive of their products’ source code. So, one might consider that ASP.NET (and .NET in general) is closed source, but that is not the situation. Microsoft brands the source code for the .NET Framework accessible for free, and one can step into the code while debugging ones’ individual apps. One can even construct ones’ private version of the .NET Framework. Microsoft also provides access to the source code of ASP.NET releases, giving the capability to test innovative features and provide opinion to the ASP.NET team.

Misconception: It's Not in Demand

Finally, it's often embraced that ASP.NET is not in demand, and that humbly is not true. Demand is somewhat subjective because different zones of the world and in the nation one has different job marketplaces. For all intentions and purposes, .NET has been the growth platform for Microsoft Windows environments (both for the desktop and the web) over the past few years.

ASP.NET comes up with one major feature that attracts clients to go for/ pay for the Microsoft functionality.

Security Features

ASP.NET is more secure than PHP. A novice will always make blunders in the code and will build an unsecure application. But, ASP.NET has few methods of its own that make is superior and secure. SQL Injection can be prohibited using the SQL Parameters that permit minimized injection.  ASP.NET has a security namespace that expresses all the methods that a company can use to safeguard its system.

Conclusion

The haters and cynics are probably having misconception, and ASP.NET is a technology that one should attempt and get to know. In the end, successful asp dot net software companies in India are adapters—able to write applications in several languages for different platforms.

Bibliography OF spring.net

SR NO	Web References
1	http://springframework.net/
2	https://github.com/spring-projects/spring-net
3	www.codeproject.com
4	www.tutorialspoint.com/spring/spring_dependency_injection.htm
5	martinfowler.com/articles/injection.html
6	http://tutorials.jenkov.com/dependency-injection/index.html
7	http://stackoverflow.com/questions/130794/what-is-dependency-injection
8	www.javatpoint.com/spring-aop-tutorial
9	www.tutorialspoint.com/spring/aop_with_spring.htm
10	hibernate.org/orm/what-is-an-orm/
11	http://sourceforge.net/projects/springnet/
12	sourceforge.net/projects/nhibernate/ http://www.ifourtechnolab.com/application-development.aspx

Spring.NET - Conclusion

At last using Spring.Net Software development companies can create decouple application which is useful for enterprise level. Spring.Net effectively uses dependency injection which is use for linking module at runtime. Thus it is used to make everything independent. AOP also use for keeping things separate from core logic so that we can keep core implementation and testing for QA separate for use.

Practical usage of spring.net

• Now to deal with data, Spring.NET provides NHibernate and ADO.NET support. 
• To NHibernate handles all things about database and work in the object world only.
• Now download Spring.Net source and find bin folder and load Spring.Core, Spring.Web,Spring,Spring.Data,Spring.Data.NHibernate12 and NHibernate from lib folder.

Let us take an example and understand the complete process. For hibernate i defined a table in the database named employee, create a new class named Employee and a NHibernate mapping file (Employee.hbm.xml). Reference: Custom software development company:

Employee Class

using System;

namespaceMyProject.DAO

{

public class Employee : ICodeEntity

{

private long idno;

private string fname;

privateint age;

//These methods should be virtual for NHibernate Mapping

public virtual long Id

{

get { return idno; }

set { idno = value; }

}

public virtual int Age

{

get { return age; }

set { age = value; }

}

public virtual string FName

{

get { return fname; }

set { fname = value; }

}

}

}

Employee.hbm.xml

<?xmlversion="1.0"encoding="utf-8" ?>

<hibernate-mappingxmlns="urn:nhibernate-mapping-2.2"namespace="MyProject.DAO"assembly="MyProject.DAO">

<classname="Employee"table="tblemp">

<idname="Id">

<columnname="ID"not-null="true"/>

<generatorclass="increment" />

</id>

<versioncolumn="Age"name="Age" />

<propertyname="FName">

<columnname="FirstName"length="20"not-null="true" />

</property>

</class>

</hibernate-mapping>

Now using base class implements basic functionality of database like LoadALL,SaveOrUpdateetc. Define an Interface and implement.

using System;

usingSystem.Collections.Generic;

usingSystem.Collections;

namespaceMyProject.DAO

{

publicinterfaceIMainDAO<EntityT, idT>

{

IListGetAll();

EntityTGetByID(idT id);

IListLoad(stringhsqlQuery, object[] values);

void Save(EntityT fine);

voidSaveOrUpdate(EntityT fine);

NHibernate.ISessionFactorySessionFactory{ set; }

}

}

Implementation of interface

MainDAO

using System;

usingSystem.Collections.Generic;

usingSystem.Text;

usingSpring.Data.NHibernate;

usingNHibernate;

usingSystem.Collections;

namespaceMyProject.DAO

{

publicabstractclassMainDAO<EntityT, idT> : IMainDAO<EntityT, idT>

{

protectedHibernateTemplatehibernateTemplate;

publicISessionFactorySessionFactory

{

set

{

hibernateTemplate = newHibernateTemplate(value);

hibernateTemplate.TemplateFlushMode = TemplateFlushMode.Auto;

}

}

publicMainDAO()

{

}

publicvirtualEntityTGetByID(idT id)

{

EntityT entity = (EntityT)hibernateTemplate.Load(typeof(EntityT), id);

return entity;

}

publicvirtualIListGetAll()

{

returnhibernateTemplate.LoadAll(typeof(EntityT));

}

publicvirtualIList Load(stringhsqlQuery, object[] values)

{

returnhibernateTemplate.Find(hsqlQuery, values);

}

publicvirtualvoid Save(EntityT fine)

{

ICodeEntity entity = (ICodeEntity)fine;

hibernateTemplate.Save(fine);

}

publicvirtualvoidSaveOrUpdate(EntityT fine)

{

ICodeEntity entity = (ICodeEntity)fine;

hibernateTemplate.SaveOrUpdate(fine);

}

}

}

By Adding a new property to Default.aspx code file named EmployeeDAO we have to use the interface of DAO class here.

Default.aspx code

using System;

usingSystem.Data;

usingSystem.Configuration;

usingSystem.Web;

usingSystem.Web.Security;

usingSystem.Web.UI;

usingSystem.Web.UI.WebControls;

usingSystem.Web.UI.WebControls.WebParts;

usingSystem.Web.UI.HtmlControls;

usingMyProject.DAO;

publicpartialclass_Default : System.Web.UI.Page

{

privatestringmsg;

publicstringMsg

{

get { returnmsg; }

set { msg = value; }

}

privateMathmathx;

publicMathMaths

{

get { returnmathx; }

set { mathx = value; }

}

IEmpDAOempDAO;

publicIEmpDAO EMPDAO

{

get { returnempDAO; }

set { empDAO = value; }

}

protectedvoidPage_Load(object sender, EventArgs e)

{

Response.Write(msg);

Response.Write(mathx.add(10, 20));

Employee e1 = newEmployee();

e1.FName = "Martin Parmar";

EMPDAO.Save(e1);

Employee e416 = EMPDAO.GetByID(1); 

}

}

Now configuration of hibernate in web.xml file

<?xmlversion="1.0"?>

<configuration>

<configSections>

<!-- Spring -->

<sectionGroupname="spring">

<sectionname="context"type="Spring.Context.Support.WebContextHandler, Spring.Web"/>

<sectionname="objects"type="Spring.Context.Support.DefaultSectionHandler, Spring.Core"/>

<sectionname="parsers"type="Spring.Context.Support.NamespaceParsersSectionHandler, Spring.Core"/>

</sectionGroup>

</configSections>

<!-- Spring -->

<spring>

<parsers>

<parsertype="Spring.Data.Config.DatabaseNamespaceParser, Spring.Data"/>

</parsers>

<context>

<resourceuri="config://spring/objects"/>

</context>

<objectsxmlns="http://www.springframework.net"xmlns:db="http://www.springframework.net/database">

<!-- You may choose any database -->

<!--<db:provider id="DbProvider" provider="SqlServer-1.1" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=F:\projects\pm\App_Data\PM9Database.mdf;Integrated Security=True;User Instance=True"/>

<db:provider id="DbProvider" provider="SqlServer-1.1" connectionString="Data Source=.\SQLEXPRESS;"/>-->

<db:providerid="DbProviderMySQL"provider="MySql"connectionString="Server=localhost;Database=persondb;User ID=root;Password='';"providername="MySql.Data.MySqlClient"/>

<objecttype="Spring.Objects.Factory.Config.PropertyPlaceholderConfigurer, Spring.Core">

<propertyname="ConfigSections"value="databaseSettings"/>

</object>

<objectid="SessionFactory"type="Spring.Data.NHibernate.LocalSessionFactoryObject, Spring.Data.NHibernate12">

<!-- Depending on database you want set it-->

<propertyname="DbProvider"ref="DbProviderMySQL"/>

<propertyname="MappingAssemblies">

<list>

<value>MyProject.DAO</value>

</list>

</property>

<propertyname="HibernateProperties">

<dictionary>

<entrykey="hibernate.connection.provider"value="NHibernate.Connection.DriverConnectionProvider"/>

<entrykey="hibernate.dialect"value="NHibernate.Dialect.MySQLDialect"/>

<entrykey="hibernate.connection.driver_class"value="NHibernate.Driver.MySqlDataDriver"/>

</dictionary>

</property>

</object>

<!--TxManager-->

<objectid="HibernateTransactionManager"type="Spring.Data.NHibernate.HibernateTransactionManager, Spring.Data.NHibernate12">

<propertyname="DbProvider"ref="DbProviderMySQL"/>

<propertyname="SessionFactory"ref="SessionFactory"/>

</object>

<objectname="MyMathObj"type="Math, App_code"/>

<objectid="EmployeeDAO"type="MyProject.DAO.EmployeeDAO, MyProject.DAO">

<propertyname="SessionFactory"ref="SessionFactory"/>

</object>

<objectid="EmployeeDAOTx"type="Spring.Transaction.Interceptor.TransactionProxyFactoryObject, Spring.Data">

<propertyname="PlatformTransactionManager"ref="HibernateTransactionManager"/>

<propertyname="Target"ref="EmployeeDAO"/>

<propertyname="TransactionAttributes">

<name-values>

<addkey="Save*"value="PROPAGATION_REQUIRES_NEW"/>

<addkey="SaveO*"value="PROPAGATION_REQUIRES_NEW"/>

<addkey="Delete*"value="PROPAGATION_REQUIRED"/>

<addkey="Update*"value="PROPAGATION_REQUIRED"/>

<addkey="Query*"value="PROPAGATION_REQUIRED"/>

</name-values>

</property>

</object>

<!-- Pages -->

<objecttype="Default.aspx">

<propertyname="Msg"value="Hello!!! I am from webconfig"/>

<propertyname="Maths"ref="MathObj"/>

<propertyname="EmployeeDAO"ref="EmployeeDAOTx"/>

</object>

</objects>

</spring>

<appSettings/>

<connectionStrings/>

<system.web>

<compilationdebug="true">

<assemblies>

<addassembly="System.Transactions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>

<addassembly="System.Configuration.Install, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/></assemblies></compilation>

<authenticationmode="Windows"/>

<httpHandlers>

<!-- Spring Handler -->

<addverb="*"path="*.aspx"type="Spring.Web.Support.PageHandlerFactory, Spring.Web"/>

<addverb="*"path="*.asmx"type="Spring.Web.Services.WebServiceHandlerFactory, Spring.Web"/>

</httpHandlers>

<httpModules>

<addname="SpringModule"type="Spring.Context.Support.WebSupportModule, Spring.Web"/>

<!-- Required for managing NHibernate session between http requests-->

<addname="OpenSessionInView"type="Spring.Data.NHibernate.Support.OpenSessionInViewModule, Spring.Data.NHibernate12"/>

</httpModules>

</system.web>

</configuration>

Above source code sample is from a custom software development company.

Object Relational Mapping in Spring.Net

Object relation mapping is one king of method that relates real world object to data source as described by software development companies. There are certain issues to map object to data source but ORM provides three ways to deal it like bottom up, top-down and meet in the middle. Each approach has its own advantage and disadvantage. To select the best software solution, developers have to understand the environment and design requirementscompletly. 

There are certain benefits of ORM:

• Simplified development because ORM automates object-to- data table and data table-to-object conversion, resulting in lower development and maintenance costs
• Code is reduce as compare to other database like stored procedure. 
• Improve performance by keeping transparent caching in application.
• By creating optimum solution, it makes application faster.

Custom software development companies should consider following object relational mapping tools which are used in .Net

·         Base One Foundation Component Library, free or commercial

·         Castle ActiveRecord, ActiveRecord for .NET, open source

·         DatabaseObjects .NET, open source

·         DataBloks .NET, free or commercial

·         DataObjects.NET, commercial

·         Dapper, open source

·         ECO, commercial but free use for up to 12 classes

·         Entity Framework, included in .NET Framework 3.5 SP1 and above

·         EntitySpaces, was commercial, now free

·         iBATIS, free open source, maintained by ASF but now inactive.

·         LINQ to SQL, included in .NET Framework 3.5

·         LLBLGen Pro, commercial

·         Neo, open source but now inactive.

·         nHydrate, open source

·         Persistor.NET, free or commercial

·         Quick Objects, free or commercial

·         Signum Framework, open source

·         SubSonic, open source

Transaction management in Spring.net

Transaction management in Spring.net provides following main benefits as custom software development companies :

• Provides a straightforward API for programming model such as ADO.NET, Enterprise Services and System. Transactions, and NHibernate.
• Provide declarative transaction management using any of the data access technologies
• Provides API which is very easy to use and applicable on programmatic transaction management
• Integrates with high level persistence integration APIs such as AdoTemplate.

Cosider following interface which is defined by transaction. It is called

Spring.Transaction.IPlatformTransactionManager interface, shown below:

public interface IPlatformTransactionManager {

ITransactionStatusGetTransaction(ITransactionDefinition definition );

void Commit( ITransactionStatustransactionStatus );

void Rollback( ITransactionStatustransactionStatus );

}

IPlatformTransactionManager is an interface and its implementations can be defined by any other object in the IoC container. Consider following implementations:

• AdoPlatformTransactionManager: Transaction based on local ADO.NET
• ServiceDomainPlatformTransactionManager: like distributed transaction manager from Enterprise Services
• TxScopePlatformTransactionManager:It is local/distributed transaction manager which belongs toSystem.Transactions.
• HibernatePlatformTransactionManager:It is local transaction manager which is use with NHibernate or ADO.NET/NHibernate data access operations.

The following API are made. For the AdoPlatformTransactionManager,

Transaction.Begin(), Commit(), Rollback(). ServiceDomainPlatformTransactionManager uses the'Services without Components' update so that your objects do not need to inherit fromServicedComponent or directly call the Enterprise Services API ServiceDomain.Enter(), Leave;ContextUtil.SetAbort()TxScopePlatformTransactionManager calls; new TransactionScope(); .Complete(),Dispose(), Transaction.Current.Rollback(). Configuration properties for each transaction manager are specific tothe data access technology used. Refer to the API docs for comprehensive information but the examples shouldgive you a good basis for getting started. The HibernatePlatformTransactionManager is described more in thefollowing section.

The GetTransaction(..) method returns a ITransactionStatus object and it is depending on aITransactionDefinition parameters. The returned ITransactionStatus may represent a new or existingtransaction (if there was a matching transaction in the current call stack - with the implication being that ITransactionStatus is associated with a logical thread of execution.

The ITransactionDefinition interface is described by software development companies as follow:

• Isolation: the degree of isolation means the transaction is reading data of another transaction. So if another transaction leave in uncommitted phase then current transaction has data which is not exist.
• Propagation: Most of code executed within a transaction boundary will run in that transaction‘s scope. However, there are several possible options there to specify behavior if a transactional method is executed when a transaction context already exists like, simply continue running in the existing transaction or suspending the execution of existing transaction and creating another new transaction.
• Timeout: Amount of time taken by transaction before timeout. It is automatically being rolled back by the underlying transaction infrastructure.
• Read-only status: Any data cannot be modified by a read-only transaction. This type of transaction is very much useful for optimization purpose in some area (Especially while using NHibernate).