Complex Testing of a Product - Essay Example

Full Paper Answer One of the primary areas of concern is the load management i.e. increase in website visitors lead to slow response and sometimes making it inaccessible. Likewise, on the first day of its launch, the website was crashed due to massive number of visitors trying to register and do online shopping. Currently, the website is able to perform load management to a certain level; however, there are concerns, as one of the expectations from this website is to process seven million applications that need to be logged before a certain period of time. One more issue incorporates integration and changes of a module for the website. For instance, on its initial launch, users need to register for an account prior to do online shopping for insurance plans. There was a design flaw that was provoking uncertainty to the website visitors/users and hence was imposing a serious error in user e-commerce experience. Moreover, the design was constructed by non-technical personnel without any knowledge of how the website will utilize technology available at backend. It is astonishing that the user can access all the contents of the website without registration and the website should not degrade its performance when a large number of users trying to purchase health insurance. However, for a federal function website, 700, 000 is not a massive number in terms of other federal or government website visitors. Moreover, if we compare the number of visitors with some other popular social networking sites, they have billions of daily visitors. Likewise, the integration of this site with the other sites such as Internet Revenue Service and the Department of Veteran affairs has severely affected its navigation response. Moving forward, the website needs to validate information from different interfaces of other systems that are using old technology, there is a dependency that needs to be sorted in the design phase of this website. Currently, the delay occurring on these old systems is reflecting on the website and end user is suffering. Secondly, there is one more issue that adds more problems for the end users i.e. data corruption that has already been identified and it is increasing day by day. The data submitted by the end users is submitted to insurance companies via and they have already reported about receiving bad data, as there are issues in dependent classifications etc. As already more than fifty vendors were working on different areas of this site, glitches were expected. Experts concludes that the project was not handled to perfection and project management best practices were not followed along with the alignment of technology that was used to achieve objectives from this website. Besides, the security of this website currently does not portray any vulnerability in terms of poor software programming and validation checks. However, it is high probability that security can also be compromised if the issues stand still, as they will increase by the period of time. In a short period of time, this project seems to be rushed through, and it is high likely for oversights that are yet to be explored. A comprehensive tier 3 penetration testing is required for identifying any potential vulnerability that can be exploited by a threat. I would have aligned the solution with the relevant technology required for communicating with other systems as well as optimization for handling the number of users visiting the site. Moreover, I will change the layout of the website and restrict contents that can be seen by guest users also and unregistered users. Moreover, I would call a meeting with all the major stakeholders, technical teams and third party website as well. The issues will be discussed and weaknesses in the system can be discussed and sorted out. Answer 2 The Paid Search Engine Marketing (Pay per Click) is displayed on top of the search engine results and tagged as ‘ads by Google’. Likewise, all of these results are paid advertisements and the charge is made only when someone clicks on these advertisement links. This feature makes it a great tool for advertisement with minimum cost. However, the search engines calculate quality scores for every keyword that needs to be focused. The advertisement company needs to maintain quality scores in order to get better return on investment. A high price for pay per click comes in a range of $8 to $10 per click. The second search engine marketing method is called as organic search engine marketing where keyword research, search engine optimization, competition on research and making the right keywords are the factors that need consideration. There is no cost or fee for this type of marketing; however, there is one major drawback i.e. a lot of time is required for getting the website on top of the search engine list. Likewise, in the long term benefits, search engine optimizing wins because of getting thousands of clicks without pay, based on the development of organic rankings Answer 3 In the year 2009, a survey has been conducted on the productivity of Software. The survey revealed that insufficiency in developing software is generating low quality software that is costing a loss of $500 billion annually (Dave, 2011). For any system the main element is the software that helps in operating an OSI i.e. Open System Interconnection model. The hardware is rarely involved as the main interaction between the customer and the system is via software. Therefore, good quality software is mandatory because it can create a good relation between user and a system. For example, low quality software can lead the system towards risk, bug attacks, errors and malwares. In addition, the organizations are facing new threats regarding information systems and continuity of business has become a challenge for business owners. The vulnerabilities involved during production of low quality software leads an organization towards massive loss. Moreover, an organization with major banking tasks cannot allow any errors, malicious code and bugs entering into their system. The access to these vulnerabilities may leads towards huge disaster for an organization. Therefore, combining security as a product in an organization is considered as a core element. In recent years, security breaches are escalating rapidly due to our addiction on softwares, online applications and mobile apps. In fact, a variety of intricate transactions have been made by customers via online applications, websites and mobile apps thus leading it towards elevated threats. As a result, the security reasons need to be mentioned in any application that is implemented in an organization. In addition, the vendors that are offering applications overlook the security threats and risks while selling software to any organization. However, a more reliable resolution is to determine all the pros and cons during feasibility research. This will help to minimize security risks for an organization. The key to develop quality and secured software is the Integration of security controls. Furthermore, the cost related to the incorporation and deployment of security controls for an application can be decided during the research made practically for an organization. In general, organizations are not adopting best practices to develop in house application, as no secure coding standards are considered during the software development life cycle. However, application security audits are conducted by special auditing tools with limited resources and weaknesses are heighted after the developed and tested product (Edwards, 2006). Accordingly, if any design flaw or code error is found, the development team needs to sort the issue from the start i.e. the design stage. The security audit team performs a risk based audit and identifies all associated risk pertaining to a particular asset. There is a requirement of addresses the security issues for each stage of the software development life cycle, as this will save time and additional cost that may occur. Apart from incorporating security best practices, the development needs to ensure the shipment release is on time with no delays (Dave, 2011). After detection of any security vulnerability or any functionality that may cause risks to the organization, a report is publishes listing all the detected and identified vulnerabilities and submitted to the software development function for rectifying the issue (Dave, 2011). There are limitations in the report, as the associations of these risks do not reflect technical aspects in the report. There is a pressure of completing the software shipment on time and the report is not giving prime importance. Therefore, the solution of this issue is the integration of application security within every stage of software development life cycle, where the codes are validated to remove any bad coding practice that may become a primary threat or vulnerability later. To follow a secure coding practice, there are guidelines that are available on the Internet. Currently, there are no standards for secure coding practices, as they can vary from organization to organization and codes are secured as per their requirements. However, for taking guidelines, CERT has published a document called as CERT C. Equally; the document was constructed with the help of 320 application security experts and its new version, released in 2010, is also available on the Internet (Tai-hoon Kim et al.). These guidelines are adopted by many organizations to address application security vulnerabilities and program an application securely. It is not necessary that only one application platform needs to be secured i.e. one needs to check secure code practices for multiple platforms that becomes a challenging task. Furthermore, CERT is keen to develop high quality guidelines that may assist organization in implementing and developing the process as defined below (Pincar, 2008): The risks based on probability of occurrence are set to a scale by communities that are actively contributing towards software development. The output received by these communities can be considered as a de-facto standard and they will also be accountable for managing the standard document. Further, any change or modification in the document will be allowed to only CERT members and feedback form will be available on the website for any suggestion, improvement, additions etc. In addition, a forum will be available for discussions, issues, improvements, suggestions from the CERT users, application security experts as well as the application development community. Moreover, a variety of techniques are available for the deployment of security codes in any organization (Samek, n.d). The MISRA (Motor Industry Software Reliability Association) is working as a standard to promote guiding principles that are used while implementing C language in any system. However, it is also possible that self-secure coding standards may be implemented by organizations. For example, a coding standard named as Joint Strike Fighter Air Vehicle C++ is being created for public use is also utilized by federal military services (Samek, n.d). Similarly, there are many websites that are offering online coding standards for security purpose. The U.S. Department of Homeland Security (DHS) National Cyber Security Division has created the above mentioned online coding standard (Samek, n.d). In addition, a variety of programs is offered by the SAMATE Reference Dataset (SRD) and is funded by the National Institute of Science and Technology. These programs include the coding standards along with vulnerabilities and structural design that helps to lower the security risks for any organization. a detailed encyclopedia is available containing all the security weakness that can be oppressed in the coding standards. This encyclopedia is named as The Common Weaknesses Enumeration (CWE) that is funded via MITRE. Furthermore, there are number of techniques regarding application deployment are mentioned in this research study but no one offers secure coding standards that can be considered reliable for implementation. The Organization has to face a major loss in business due to security weakness. The security breach is faced due to unsuccessful application implementation by an organization. For instance, in an organization vulnerabilities can be present in unauthorized users access or unauthenticated module. In addition, the responsibility will automatically shift to the compliance department if the implementation of security application is not made via automate tools. In fact total cost of ownership will support the programmers and ease the implementation procedure for the language scripter. A dignified structure is utilized by an organization in order to use tools regarding application security (Bradbury, 2008). On the other hand, a major drawback linked with application security is to investigate the issues that are involved in the code. Therefore, in order to detect the issues in application security a method is present that work by making its way into the codes. According to the technology manager of Compuware, Gordon Alexander, an important issue is discussed that is identified from programmers (Bradbury, 2008) "Defects manifest themselves in operation, and the cost of that will be borne out of the operational budget. The development budget does not see that cost," he says further, "That makes it difficult for developers to invest in the process to fix these security problems." Furthermore, the application security is judged as an authority issue if the drawbacks are present at managerial levels (Bradbury, 2008). For example, the sensitive information that is provided by the customer is at stake if the security issues are not addressed appropriately. Therefore, for all the issues related to authority’s high level training must be provided to the developers in order to resolve the issues. Conversely, if appropriate training is not provided to the developers the issues cannot be resolved promptly then workload will shift to the assurance department to resolve the security issues. Thus, developers are not responsible for the drawbacks as they are not given proper training and are not chasing the guidelines described by coding standards. The technical flaws related to security breaches are mentioned below (Bradbury, 2008): The malicious and unspecified elements must be blocked from entering into the system. For this purpose, all the void input must be verified in order to prevent security risks. In an application, the combination and coordination of software communication is called as programming interface. Similarly, the idea is provided through increased and decreased levels of applications that transmit calls and data. In fact, programming interface allows the access to implement related data via communication and network application (Application programming interface.2007). In order to access API, a major challenge is that it can be accessed by cyber criminals. The API is prone to vulnerabilities and may allow the threats to enter into software. Moreover, in any application the modules and encryption must be configured appropriately in order to minimize the security risk. In many organizations, the access management system is not managed correctly thus allowing threats and risks to enter via applications into the systems. In fact, numerous challenges are not explained and described briefly by many the security specialist for the independent systems. The independent systems are connected together via different networks according to user’s demand. Moreover, the network will collapse if the cyber-criminal or hacker has determined any loop holes in a running software. . The recent conditions can be handled properly in order to overcome any vulnerabilities or security risks. Moreover, many organizations do not emphasis on the root causes related to the security breach and mishandle the errors that helps in determining sensitive information regarding malicious attack. The functions of software may get harmed due to mishandling and casual coding approach towards security risks. In an organization the sensitive data is covered via software on the contrary, low quality software can cause pitfalls and high risk for the sensitive information. In order to minimize the threats, the data transmission must be ensured and protected via well-established application. However, coding has to remain limiting the access of malware to protect the sensitive data. Answer 4 Electronic health architecture represents life history of a patient’s medical history. In fact, it is an electronic version of the patient’s medical history and is updated by health care professionals as required. The electronic version also includes medical and administrative data specific to the patient being treated. In addition, the electronic health record includes demographics, progress notes, issues, vital signs, medications, immunizations, test reports, laboratory data and radiology reports (Carter, 2008). Moreover, a comprehensive idea related to its architectural requirements stated as a group of technical and clinical supplies (Carter, 2008). The definition represents the flow of these health records across the different geographical locations within the computerized network. As the information flows on the network, there is always a probability related to security and data protection of these health records. Moreover, the program named as Advanced Informatics in Medicine (AIM) highlighted severe safety problems. Furthermore, the group was created for addressing the issues on the basis of Six Safety First Principles for medical informatics. Consequently, the findings were remarkable as previously no issues were highlighted with prime concerns (Lacoste, 2000). For instance, the issues involve giving the wrong treatment to the patients, refuse to give the appropriate treatment, delay the treatment due to insufficient information etc. These issues are of prime concern, as they can result in premature death for any patient or patients (Mennerat, 2002). For detecting unknown patterns that are considered to be a probe within the wireless computer network, specialized tools can be utilized. For deploying a tool named as ‘Snort’, a security specialist will load a script to monitor and trace raw data packets that are exchanged from one interface to another on layer three i.e. the network layer. The protocols will be utilized with the wireless network involves point to point protocol, virtual private network and Serial Line Interface Protocol loaded with a kernel called as ‘Libpcap’. These protocols will be utilized with the kernel to initiate a preprocessing function within the decoder located in the packet. Further, the preprocessing function make modification to data packets before they get to the engine detection, as it inspects the packets and sends alerts if any unknown pattern is discovered in the packet header. The major functionality of the preprocessor function is to inject the rules in the data packets for preparing them to the next stage called as the detection engine (Cox & Gerg, 2009). The tool will also decode the HTTP code and regenerate streams of transmission control protocol that is controlled by the cyber-criminal. The mechanism engine comprises of a major element i.e. time, as it extensively collect evidence and the time elements comes in, when one or more than one rules needs to be processes. ‘Snort’s detection engine has a limitation, as it gets halted whenever a rule mismatches. For this reason, a security specialist will deploy only those rules that are specific and targeted for hackers. As per the configuration of a precise rule, the packets will be logged via detection engine or an alert will be sent to the defined communication channel. Accordingly, prior to the generation of an alert, Snort assures that all the defined rules are complemented. The collection engine of Snort will collect the evidences via different hosts for assisting any forensic investigation currently in process. Whereas, another tool called as ‘Windump’ is known for detecting installation on servers and workstations embedded with a malicious code (Ec-Council, 2009). As any installation comprising of a malicious code will allow a remote session to the hacker for penetrating within the network or server. This tool is designed to support processes associated with forensic evidence collection and also assist in filtering data. If we take an example of a forensic case associated with inspecting SSL related data to detect an unauthorized activity and filters only relevant SSL packets. Additionally, it also filters packets generated from a possible denial of service attack. Answer 5 A wireless connectivity will be preferred, as ‘Access points’ are the device which is used to connect devices equipped with wireless technology. ‘Access points’ transmits and receive radio signals adjacent to a network hub over a limited distance. However, distant varies from different model types and wireless technology adopted. The clinical staff needs access to the network resources for pulling electronic health records securely on their handheld devices. The integration is based on an intra-room network including computing devices that are communicatively coupled with the primary computer device Likewise, computing devices consists of vital signs monitor, devices for patient bed, IP cameras, motion sensors etc. The type of devices is dependent on facilities provided. In order to access healthcare systems, a user-friendly web portal is available for the staff to administer and monitor patient and staff activities. These web portals are used extensively in a metropolitan area network or wide area network to link staff and resources where required. Furthermore, the most prevalent health care systems in USA named as “esri”, navigates via a web portal in order to ‘geographically’ monitor and analyze service issues in hospitals. The integration of wireless technology in healthcare systems has significantly triggered the health care with rapid responses to the patient. The information required for any particular disease is easy, as online doctor is now common and is accessible by anyone connected to the Internet. Similarly, mobile technology provides SMS based alerts for patient appointments, booking, medication reminder, disease symptoms, dietary information etc. Furthermore, RFID systems connect the network wirelessly for automating patient monitoring and track treatment from which they are suffering. Instead of documenting patient wealth information that is also time consuming, RFID systems enable instant access to the information by simply scanning tags. The patients will receive quick response of the health care services because the doctor may get all the information related to a patient in seconds. Patients can review the treatment history by scanning the tag. The treatment history includes what care has already been provided and what treatment they need next. This feature will increase the productivity of a doctor (Health-care tracking systems). The requirements for a health care professional are associated with; Shielding patient privacy, Abide by regulations, Improving Information Technology efficiency, Business alliance Controlling costs The integration of healthcare technologies in the cell phone is more beneficial rather than taking the patient to the hospital. For instance, doctor can give medication and instruction to the patient as soon as the doctor detects any uncertain event. However, the monitoring of pulse rate via cell phone is not in the picture, again, there are many diseases that can be cured at the initial stage by only curing them by monitoring the heart rate or blood pressure. The role of information technology is to provide a priority based calling whenever there is an emergency “Health Call” in order to secure the transmission channel of the doctor and the patient. Hence, the integration of health care system in the cell phone with the required mechanism to detect blood pressures and heart rates can significantly save lives of millions. References Application programming interface.(2007). Network Dictionary, , 40-40. Bradbury, D. (2008). Secure coding from first principles. Computer Weekly, , 18. Carter, J. H. (2008). Electronic health records: A guide for clinicians and administrators American College of Physicians. Cox, K. J., & Gerg, C. (2009). Managing security with snort & IDS tools OReilly Media. Dave, R. (2011). Best practices for tackling security early in development. Electronics World, 117(1908), 10-11. Edwards, M. J. (2006). Audit your web applications for better security. Windows IT Security, 6(6), 6-10. Ec-Council. (2009). Computer forensics: Investigating network intrusions and cybercrime [with access code] Course Technology Ptr. Lacoste, G., 1946-. (2000). SEMPER--secure electronic marketplace for europe Springer; Springer Verlag, 1120 U.S. Highway 22 East, Bridgewater, NJ, 08807. Mennerat, F. (2002). Electronic health records and communication for better health care: Proceedings of EuroRec 01 IOS Press. Pincar, J. (2008). Development process - C++ secure coding practices - CERT secure coding standards Retrieved 3/9/2012, 2012, from https://www.securecoding.cert.org/confluence/display/cplusplus/Development+Process Samek, M. Practical UML statecharts in C/C++ event-driven programming for embedded systems Amsterdam ; Newnes/Elsevier, c2009. Tai-hoon Kim, Adeli, H., Slezak, D., Frode Eika Sandnes, Xiaofeng Song, Kyo-Il Chung, et al. Future generation information technology: Third international conference, FGIT 2011, jeju island, december 8-10, 2011. proceedings (lecture notes in ... applications, incl. Internet/Web, and HCI) Springer. Read More