SlideShare une entreprise Scribd logo

Finacle - Secure Coding Practices

Infosys Finacle
Infosys Finacle

Finacle paper on secure coding practices gives an insight into application coding security and highlights how comprehensive approach in security is need to not only secure code but also web servers and databases.

Technologie
1  sur  7
Télécharger pour lire hors ligne
Secure coding practices Thought Paper www.infosys.com/finacle Universal Banking Solution | Systems Integration | Consulting | Business Process Outsourcing
Secure coding practices Writing good code is an art but equally defining variables and structures and passing important is programmers’ awareness of secure references and pointers from one module code practices, and the care they take when to another. Overview of code security While defining variables, programmers need to access to the structures using proper access first assess memory space to be allocated, controls such as “public, private or protected”, and clearly define the individual scope of inside the code. reference variables while passing references Another thing to be kept in mind is that variables, inside functions. In languages such as C++, used normally for handshaking between defining and using pointers is good practice as two modules – say, loans with payments – it improves performance and speed, especially should have a restricted set of values defined. in the case of applications like core banking These variables are normally static and their where there are multiple users. But on the flip scope should be defined within certain boundaries. side, this poses enormous risk to data security as pointers can be accessed from outside and Also, it is always reco-mmended to perform variable values can be manipulated. code audits before implementation, so that potential code vulnerabilities can be fixed. For Programmers should follow secure coding that, the code auditors should be enabled with practices while dealing with arrays, linked lists, proper know-how about individual languages stacks and vectors, which are the linear data and related secure code practices. structures normally used in coding, always keeping in mind that size of such data structures Moreover, programmers should be aware of should be strictly limited to the space required. specific security related features of each Location – the physical address at which these programming language. Code review by experts structures are defined – is an important aspect ensures that programmers implement good as well. In addition, it is essential to restrict security practices. Security breach in coding Security breaches in coding are primarily of 4 Malware passing/hosting: Malware, which is generic types: software written to perform malicious activities, can be passed inside Web interfaces if codes are Code injections: In most of the functionalities not written securely. where end users are allowed to upload file content, they can also inject codes in the Web Insecure database calls: Generic database calls server. These codes can perform malicious acts require variables like database passwords and and pass valuable system information to hackers. names and user names that are generally accessed 02 Thought Paper
through static storage variables or properties modified by system users. If such files are used, files. It is important to write these calls in a the variable values should be stored using manner that passwords and user names can interfaces and in encrypted format. However, it be generated at run time and passed in the is recommended to avoid these files altogether. program. It has been observed in security Further, if the property file of the server is audits that many enterprise applications use compromised, hackers can overload its access hardcoding of passwords and other parameters, methods and misuse them. It is preferable to which is a wrong programming practice. create combination keys with two or more Properties file misuse: Properties files normally resources instead of using just one properties used to access basic data, contain lists of file. These can be run time generated and passed unencrypted variables whose values can be to required modules. Change management and version control In general code writing practices, version with details and code review should be done control is achieved using version numbering. before deployment. Also, the vulnerabilities Secure practices need to be followed during the due to new changes in code should be change management implementation process. addressed explicitly. The changes in code should be highlighted General secure coding practices Concept of no tolerance Variable declarations: When variables are declared in code, the variable length and scope When coding, the tolerance related to variable of variable access should be predetermined; length, scope and accessibility should be declarations should be made accordingly. Use predetermined and only the required scope of fixed length variables should be avoided should be allowed. The tolerance for variable and preferably, variables should be defined length should be optimized. Scopes for with dynamic memory allocations. Many new generated objects should also be predetermined. compilers like VB and VC++ support postponement Ideally, code should not rely on variable scope of variable declaration by mentioning only predefined by the compiler. the variable name and not the type. In such cases, variable types and properties should Certain thumb rules of secure coding be determined within the scope without any Vertical and horizontal code drafting practices/ overload of unnecessary features. In languages Code Orientation: Although code drafting that support object referencing, programmers methods might change as per language should avoid making multiple copies of the specifications, the normal way of writing code is same variables. either vertical cascading or horizontal splitting of code. The vertical cascading method helps System level and semaphore variables: In programmers to understand the code whereas cases where shell variables are used, variable horizontal splitting enables them to define the values have to be sanitized. It is preferable scope of functions and variables. to initialize values and not to assume default Thought Paper 03
vales as per system usage. Normally for inter- and then further modified as per system usage. process communications where semaphores As the semaphore controlling variable values are implemented, the variables used to control are generally global in nature, it is important to the semaphores should be initialized in advance determine entry and exit point values in advance. Object oriented principles Partial and full implementation of Object multiple inheritances as it adds to code Oriented Programming (OOP) and security: vulnerability. Making major variable declarations OOP is in line with best security practices, with in public scope enables easy access, thereby some exceptions. For instance, high usage of compromising OOP abstraction. friend and virtual functions makes code more Prevention of inheritance by key words like insecure and prone to compromise. Well-defined ‘Final’: In certain languages like C++ and Java, scopes like public, private and protected, secure inheritance can be restricted using key words the code. Certain programming languages like such as ‘Final’, thus disallowing users from Java do not support multiple inheritances, thus inheriting class methods available in base class. protecting the methods defined under classes. This can be done when programmers do not Data abstraction and multiple inheritance want any further extensions and use defined linkages: Programmers should avoid using class members. Security for software deployment Secure deployments, keys protection in code applications. Preferably, deployments should deployment: Generally, codes are deployed be done serially and manual handling should through popular deployment tools which be strictly avoided. Keys used for secure compress the files and serially deploy them on deployments should be dynamic, with a specified the destination server. The deployment codes time period to avoid code misuse. might be insecure, resulting in holes in the Code level security for Web applications While SQL injection is a common Web messages (such as ‘page not found’) should be vulnerability, it is also important to write altered to prevent the user from getting details optimized queries in order to secure the data like Web server configuration and version path. objects. This ensures the safety of the SQL Web server default passwords and paths should output artifacts and also improves performance also be changed as per specific requirement. of database calls. Also, retrieval of unnecessary Secure way of code deployment on Web: database column values should be avoided. Web-based code deployment, being very Web server secure practices: Web server logs unsecure, should be managed well. Handshakes should always be configured to another drive should happen on key exchange mechanism where they can be stored. This will enable the and both client and server application should tracing of hacking attacks. In addition, error authenticate the connection between them. 04 Thought Paper
Best security practices at the individual language level Each programming language has its own features dropping can be reduced by transmitting all around which security practices are set. information between client and browser over Secure Sockets Layer (SSL). Programmers should C/C++ also ensure that client side options such as view Even if declared implicitly, array bounds in C++ state /hidden variables are not used to store should be set explicitly, and should not be left sensitive data. Further, sensitive information open-ended. The structures should be defined must be stored on the server and not on the dynamically as well. Also, loop arrays should client side. Additionally, appropriate error not be allowed to iterate beyond the end of the messages should be displayed just like in Java. array, so as to reduce buffer overflow attacks. In addition, conversions using void pointers should PHP be avoided, while the automatic variables used In the server-side programming language, PHP, need to be initialized before declaration. the majority of attacks can be reduced by sanitizing the input; functions like filter_input/ Java filter_id can be used. While using MySQL, it Sanitization of all data input irrespective of the would be preferred to change password source, substantially reduces risk of attacks such frequently. Malicious scripts can be prevented as code injections. It is also advisable to declare from running on the browser by removing data variables of a class as private, thereby content like special characters before it is sent restricting access. Even in the case of nested to the users. Attacks such as Remote File classes, the methods accessing the private Inclusion/Local File Inclusion can be reduced by members of the outer class should be declared sanitizing the inputs, restricting dynamic inputs as private. Besides, exceptions should not be that come from the user and placing strict allowed to expose sensitive information. The access controls for critical files. Again, error outcomes of exceptions should be changed by messages sent to the user must be generic and proper exception handling, so that users get not disclose any information. only valid exceptions. Use of the key word ‘Finally’ while handling the exception significantly Shell scripts reduces data vulnerability. Null pointers should not be de-referenced, as this can cause the null When using shell scripts, a popular scripting pointer exception. Error messages passed to the language mainly based on the Unix platform, user through servlets should be appropriate and restricted access must be ensured, with read, should not display any confidential data. write and execute permissions for individual scripts given according to users’ privilege. In fact, ASP.Net Unix is considered the most secure Operating System because of the security features offered When using the popular programming language though shell scripts. ASP.Net, data input from all users should be thoroughly sanitized. Stored procedures should Programmers should restrict privileges for be used to filter malicious user inputs, thereby specific command execution as well. For instance, mitigating code injection attacks. Also, session those given permission to view the directory hijacking attacks can be reduced by disparate should not be allowed to make any changes. transmission of authentication and session Additionally, the access controls for individual cookies and using only the HTTPS network for files and directories should be predetermined. the same. Authentication credentials should also Segregation of users based on privileges is very be passed only over HTTPS. Network eaves important too. Thought Paper 05
While writing and executing filters, steps to In addition, TCP/IP stack gets exposed to prevent data exposure should be taken care of programmers directly through shell script and in advance. During processing, programmers C programs and programmers should avoid should exercise caution when exposing kernel display of unnecessary stack information to end calls and switches to end users. They should users. There have been instances of companies also ensure that fork calls are finite and preparing their own protocol to avoid content controlled by defined system variables as they exposure through the TCP/IP stack. are highly sensitive to memory usage. Conclusion Application coding security is not restricted servers and databases, techniques of handling to just drafting ways of coding. Rather, it calls properties files et al. Best security practices for a comprehensive approach that encompasses should be formulated keeping in mind language methods of Web and database server specific features and should be applied during configuration, ways of making calls on Web configuration, coding and implementation. Bibliography 1. Session Hijacking: Refers to the exploitation of the operating system. Depending on the of the session, done mainly by theft of the value of the semaphore the process will know session key used to authenticate a valid user whether to utilize the resource or to wait. and gain access to services. 4. SQL Injection attack: SQL queries are drafted 2. Network Eavesdropping: Refers to the sniffing and inserted in Web forms maliciously to of the data packets transmitted along a extract sensitive information from databases. network to gain access to sensitive information. This is done using sniffers. 5. Array: Term referred to the use of a collection of variables belonging to a single type. 3. Semaphores: Used in operating systems, for coordinating activities between multiple 6. Pointers: A variable which is used to store processes that compete for using the resources the address of another variable. Makarand Madhukar Baji Senior Consultant, Finacle Payments, Infosys Sandhya Ravikumar Technology Analyst, Finacle E-Banking and Channel Support, Infosys 06 Thought Paper
About Finacle Finacle from Infosys partners with banks to transform process, product and customer experience, arming them with ‘accelerated innovation’ that is key to building tomorrow’s bank. For more information, contact Finacleweb@infosys.com www.infosys.com/finacle © 2012 Infosys Limited, Bangalore, India, Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document. Thought Paper 07

Recommandé

Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
Megha Sahu
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 

Recommandé

Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
Megha Sahu
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Cloud-Native DDoS Attack Mitigation
Cloud-Native DDoS Attack MitigationCloud-Native DDoS Attack Mitigation
Cloud-Native DDoS Attack Mitigation
Amazon Web Services
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++
Dan-Claudiu Dragoș
 
DevOps for beginners
DevOps for beginnersDevOps for beginners
DevOps for beginners
Pradeep Patel, PMP®
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
Security Innovation
 
Cybersecurity & Project Management
Cybersecurity & Project ManagementCybersecurity & Project Management
Cybersecurity & Project Management
Fernando Montenegro
 
Web security 2012
Web security 2012Web security 2012
Web security 2012
Mohamed Elabnody
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
bartblaze
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Anton Chuvakin
 
Mandatory access control for information security
Mandatory access control for information securityMandatory access control for information security
Mandatory access control for information security
Ajit Dadresa
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
trainersenthil14
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service Hardening
Digital Bond
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)
Umesh Kolhe
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
Security Innovation
 
introduction to finacle
introduction to finacleintroduction to finacle
introduction to finacle
dibashmajumder
 
Finacle - Menus and F Keys
Finacle - Menus and F KeysFinacle - Menus and F Keys
Finacle - Menus and F Keys
Charudutt Marathe
 

Contenu connexe

Tendances

Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 

Tendances (20)

DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
Cloud-Native DDoS Attack Mitigation
Cloud-Native DDoS Attack MitigationCloud-Native DDoS Attack Mitigation
Cloud-Native DDoS Attack Mitigation
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Secure Coding in C/C++
Secure Coding in C/C++Secure Coding in C/C++
Secure Coding in C/C++
 
DevOps for beginners
DevOps for beginnersDevOps for beginners
DevOps for beginners
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
Cybersecurity & Project Management
Cybersecurity & Project ManagementCybersecurity & Project Management
Cybersecurity & Project Management
 
Web security 2012
Web security 2012Web security 2012
Web security 2012
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
 
Mandatory access control for information security
Mandatory access control for information securityMandatory access control for information security
Mandatory access control for information security
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service Hardening
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 

En vedette

introduction to finacle
introduction to finacleintroduction to finacle
introduction to finacle
dibashmajumder
 
Dop finacle process document ver1.5
Dop finacle process document ver1.5Dop finacle process document ver1.5
Dop finacle process document ver1.5
abh91231
 
Social media and retail banking
Social media and retail bankingSocial media and retail banking
Social media and retail banking
Infosys Finacle
 

En vedette (12)

introduction to finacle
introduction to finacleintroduction to finacle
introduction to finacle
 
Finacle - Menus and F Keys
Finacle - Menus and F KeysFinacle - Menus and F Keys
Finacle - Menus and F Keys
 
Infosys finacle-overview
Infosys finacle-overviewInfosys finacle-overview
Infosys finacle-overview
 
Finacle banking software commands for auditors
Finacle banking software commands for auditors Finacle banking software commands for auditors
Finacle banking software commands for auditors
 
Dop finacle process document ver1.5
Dop finacle process document ver1.5Dop finacle process document ver1.5
Dop finacle process document ver1.5
 
Social media and retail banking
Social media and retail bankingSocial media and retail banking
Social media and retail banking
 
Finacle Webinar – Innovation in Retail Banking 2013
Finacle Webinar – Innovation in Retail Banking 2013Finacle Webinar – Innovation in Retail Banking 2013
Finacle Webinar – Innovation in Retail Banking 2013
 
Finacle - Banking & Technology Trends 2013 | Technology Innovations
Finacle - Banking & Technology Trends 2013 | Technology InnovationsFinacle - Banking & Technology Trends 2013 | Technology Innovations
Finacle - Banking & Technology Trends 2013 | Technology Innovations
 
Branch of the future
Branch of the futureBranch of the future
Branch of the future
 
Core Banking Solution PPT of TCS and SBI
Core Banking Solution PPT of TCS and SBICore Banking Solution PPT of TCS and SBI
Core Banking Solution PPT of TCS and SBI
 
Core banking
Core bankingCore banking
Core banking
 
Clean coding-practices
Clean coding-practicesClean coding-practices
Clean coding-practices
 

Similaire à Finacle - Secure Coding Practices

Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
CSCJournals
 
Defensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive sDefensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive s
LinaCovington707
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
Checkmarx
 
Internet security evaluation system documentation nikitha
Internet security evaluation system documentation nikithaInternet security evaluation system documentation nikitha
Internet security evaluation system documentation nikitha
Susmitha Reddy
 
Hacking DevOps
Hacking DevOpsHacking DevOps
Hacking DevOps
Phillip Marlow
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
SIVAJISADHANA
 

Similaire à Finacle - Secure Coding Practices (20)

Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
 
Coding
CodingCoding
Coding
 
Defensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive sDefensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive s
 
Coding standard and coding guideline
Coding standard and coding guidelineCoding standard and coding guideline
Coding standard and coding guideline
 
core java basic learning presentation part 1
core java basic learning presentation part 1core java basic learning presentation part 1
core java basic learning presentation part 1
 
SE2018_Lec 17_ Coding
SE2018_Lec 17_ CodingSE2018_Lec 17_ Coding
SE2018_Lec 17_ Coding
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
 
SE2_Lec 18_ Coding
SE2_Lec 18_ CodingSE2_Lec 18_ Coding
SE2_Lec 18_ Coding
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
Internet security evaluation system documentation nikitha
Internet security evaluation system documentation nikithaInternet security evaluation system documentation nikitha
Internet security evaluation system documentation nikitha
 
Code Inspection
Code InspectionCode Inspection
Code Inspection
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPA
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
Software engineering introduction
Software engineering introductionSoftware engineering introduction
Software engineering introduction
 
9 Tips to write efficient and scalable code.pdf
9 Tips to write efficient and scalable code.pdf9 Tips to write efficient and scalable code.pdf
9 Tips to write efficient and scalable code.pdf
 
SpringCloudConfig.pptx.pdf
SpringCloudConfig.pptx.pdfSpringCloudConfig.pptx.pdf
SpringCloudConfig.pptx.pdf
 
Hacking DevOps
Hacking DevOpsHacking DevOps
Hacking DevOps
 
How to do code review and use analysis tool in software development
How to do code review and use analysis tool in software developmentHow to do code review and use analysis tool in software development
How to do code review and use analysis tool in software development
 
Unit 1
Unit 1Unit 1
Unit 1
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
 

Plus de Infosys Finacle

Perspective- Multi Channel Banking: A Five Point Strategy
Perspective- Multi Channel Banking: A Five Point Strategy Perspective- Multi Channel Banking: A Five Point Strategy
Perspective- Multi Channel Banking: A Five Point Strategy
Infosys Finacle
 
Banking in the Philippines : A close-up
Banking in the Philippines : A close-upBanking in the Philippines : A close-up
Banking in the Philippines : A close-up
Infosys Finacle
 
Smartphone leading wealth managment
Smartphone leading wealth managmentSmartphone leading wealth managment
Smartphone leading wealth managment
Infosys Finacle
 
Interactive online banking
Interactive online bankingInteractive online banking
Interactive online banking
Infosys Finacle
 
How small-banks-innovating
How small-banks-innovatingHow small-banks-innovating
How small-banks-innovating
Infosys Finacle
 

Plus de Infosys Finacle (20)

Finacle - New Banking Technology Advancement
Finacle - New Banking Technology Advancement Finacle - New Banking Technology Advancement
Finacle - New Banking Technology Advancement
 
Finacle - Bank Customer Service: Click or Dial versus Branch Banking
Finacle - Bank Customer Service: Click or Dial versus Branch BankingFinacle - Bank Customer Service: Click or Dial versus Branch Banking
Finacle - Bank Customer Service: Click or Dial versus Branch Banking
 
Finacle Digital Commerce
Finacle Digital CommerceFinacle Digital Commerce
Finacle Digital Commerce
 
Finacle Thought Paper - Digital Wallet Success Strategy
Finacle Thought Paper - Digital Wallet Success StrategyFinacle Thought Paper - Digital Wallet Success Strategy
Finacle Thought Paper - Digital Wallet Success Strategy
 
Finacle - Agency Banking: New Frontiers In Financial Inclusion
Finacle - Agency Banking: New Frontiers In Financial InclusionFinacle - Agency Banking: New Frontiers In Financial Inclusion
Finacle - Agency Banking: New Frontiers In Financial Inclusion
 
Thought Paper: Overview of Banking Applications
Thought Paper: Overview of Banking ApplicationsThought Paper: Overview of Banking Applications
Thought Paper: Overview of Banking Applications
 
Perspective- Multi Channel Banking: A Five Point Strategy
Perspective- Multi Channel Banking: A Five Point Strategy Perspective- Multi Channel Banking: A Five Point Strategy
Perspective- Multi Channel Banking: A Five Point Strategy
 
Thought Paper:Four Strategies to Build the Smarter Bank
Thought Paper:Four Strategies to Build the Smarter BankThought Paper:Four Strategies to Build the Smarter Bank
Thought Paper:Four Strategies to Build the Smarter Bank
 
Perspective: The rise and rise of emerging market banks
Perspective: The rise and rise of emerging market banksPerspective: The rise and rise of emerging market banks
Perspective: The rise and rise of emerging market banks
 
Perspective: Needed, A Holistic Approach to Reputation Risk Management in Banks
Perspective: Needed, A Holistic Approach to Reputation Risk Management in Banks Perspective: Needed, A Holistic Approach to Reputation Risk Management in Banks
Perspective: Needed, A Holistic Approach to Reputation Risk Management in Banks
 
Perspective: Auditing norms for pki based applications
Perspective: Auditing norms for pki based applicationsPerspective: Auditing norms for pki based applications
Perspective: Auditing norms for pki based applications
 
Mobile Banking – A Transformation of Traditional Banking
Mobile Banking – A Transformation of Traditional BankingMobile Banking – A Transformation of Traditional Banking
Mobile Banking – A Transformation of Traditional Banking
 
Retail Banking: Making other Channels mobile
Retail Banking: Making other Channels mobileRetail Banking: Making other Channels mobile
Retail Banking: Making other Channels mobile
 
International remittances
International remittancesInternational remittances
International remittances
 
Agile banking managing
Agile banking managingAgile banking managing
Agile banking managing
 
Banking in the Philippines : A close-up
Banking in the Philippines : A close-upBanking in the Philippines : A close-up
Banking in the Philippines : A close-up
 
Smartphone leading wealth managment
Smartphone leading wealth managmentSmartphone leading wealth managment
Smartphone leading wealth managment
 
Content management
Content managementContent management
Content management
 
Interactive online banking
Interactive online bankingInteractive online banking
Interactive online banking
 
How small-banks-innovating
How small-banks-innovatingHow small-banks-innovating
How small-banks-innovating
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Dernier (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 

Finacle - Secure Coding Practices

  • 1. Secure coding practices Thought Paper www.infosys.com/finacle Universal Banking Solution | Systems Integration | Consulting | Business Process Outsourcing
  • 2. Secure coding practices Writing good code is an art but equally defining variables and structures and passing important is programmers’ awareness of secure references and pointers from one module code practices, and the care they take when to another. Overview of code security While defining variables, programmers need to access to the structures using proper access first assess memory space to be allocated, controls such as “public, private or protected”, and clearly define the individual scope of inside the code. reference variables while passing references Another thing to be kept in mind is that variables, inside functions. In languages such as C++, used normally for handshaking between defining and using pointers is good practice as two modules – say, loans with payments – it improves performance and speed, especially should have a restricted set of values defined. in the case of applications like core banking These variables are normally static and their where there are multiple users. But on the flip scope should be defined within certain boundaries. side, this poses enormous risk to data security as pointers can be accessed from outside and Also, it is always reco-mmended to perform variable values can be manipulated. code audits before implementation, so that potential code vulnerabilities can be fixed. For Programmers should follow secure coding that, the code auditors should be enabled with practices while dealing with arrays, linked lists, proper know-how about individual languages stacks and vectors, which are the linear data and related secure code practices. structures normally used in coding, always keeping in mind that size of such data structures Moreover, programmers should be aware of should be strictly limited to the space required. specific security related features of each Location – the physical address at which these programming language. Code review by experts structures are defined – is an important aspect ensures that programmers implement good as well. In addition, it is essential to restrict security practices. Security breach in coding Security breaches in coding are primarily of 4 Malware passing/hosting: Malware, which is generic types: software written to perform malicious activities, can be passed inside Web interfaces if codes are Code injections: In most of the functionalities not written securely. where end users are allowed to upload file content, they can also inject codes in the Web Insecure database calls: Generic database calls server. These codes can perform malicious acts require variables like database passwords and and pass valuable system information to hackers. names and user names that are generally accessed 02 Thought Paper
  • 3. through static storage variables or properties modified by system users. If such files are used, files. It is important to write these calls in a the variable values should be stored using manner that passwords and user names can interfaces and in encrypted format. However, it be generated at run time and passed in the is recommended to avoid these files altogether. program. It has been observed in security Further, if the property file of the server is audits that many enterprise applications use compromised, hackers can overload its access hardcoding of passwords and other parameters, methods and misuse them. It is preferable to which is a wrong programming practice. create combination keys with two or more Properties file misuse: Properties files normally resources instead of using just one properties used to access basic data, contain lists of file. These can be run time generated and passed unencrypted variables whose values can be to required modules. Change management and version control In general code writing practices, version with details and code review should be done control is achieved using version numbering. before deployment. Also, the vulnerabilities Secure practices need to be followed during the due to new changes in code should be change management implementation process. addressed explicitly. The changes in code should be highlighted General secure coding practices Concept of no tolerance Variable declarations: When variables are declared in code, the variable length and scope When coding, the tolerance related to variable of variable access should be predetermined; length, scope and accessibility should be declarations should be made accordingly. Use predetermined and only the required scope of fixed length variables should be avoided should be allowed. The tolerance for variable and preferably, variables should be defined length should be optimized. Scopes for with dynamic memory allocations. Many new generated objects should also be predetermined. compilers like VB and VC++ support postponement Ideally, code should not rely on variable scope of variable declaration by mentioning only predefined by the compiler. the variable name and not the type. In such cases, variable types and properties should Certain thumb rules of secure coding be determined within the scope without any Vertical and horizontal code drafting practices/ overload of unnecessary features. In languages Code Orientation: Although code drafting that support object referencing, programmers methods might change as per language should avoid making multiple copies of the specifications, the normal way of writing code is same variables. either vertical cascading or horizontal splitting of code. The vertical cascading method helps System level and semaphore variables: In programmers to understand the code whereas cases where shell variables are used, variable horizontal splitting enables them to define the values have to be sanitized. It is preferable scope of functions and variables. to initialize values and not to assume default Thought Paper 03
  • 4. vales as per system usage. Normally for inter- and then further modified as per system usage. process communications where semaphores As the semaphore controlling variable values are implemented, the variables used to control are generally global in nature, it is important to the semaphores should be initialized in advance determine entry and exit point values in advance. Object oriented principles Partial and full implementation of Object multiple inheritances as it adds to code Oriented Programming (OOP) and security: vulnerability. Making major variable declarations OOP is in line with best security practices, with in public scope enables easy access, thereby some exceptions. For instance, high usage of compromising OOP abstraction. friend and virtual functions makes code more Prevention of inheritance by key words like insecure and prone to compromise. Well-defined ‘Final’: In certain languages like C++ and Java, scopes like public, private and protected, secure inheritance can be restricted using key words the code. Certain programming languages like such as ‘Final’, thus disallowing users from Java do not support multiple inheritances, thus inheriting class methods available in base class. protecting the methods defined under classes. This can be done when programmers do not Data abstraction and multiple inheritance want any further extensions and use defined linkages: Programmers should avoid using class members. Security for software deployment Secure deployments, keys protection in code applications. Preferably, deployments should deployment: Generally, codes are deployed be done serially and manual handling should through popular deployment tools which be strictly avoided. Keys used for secure compress the files and serially deploy them on deployments should be dynamic, with a specified the destination server. The deployment codes time period to avoid code misuse. might be insecure, resulting in holes in the Code level security for Web applications While SQL injection is a common Web messages (such as ‘page not found’) should be vulnerability, it is also important to write altered to prevent the user from getting details optimized queries in order to secure the data like Web server configuration and version path. objects. This ensures the safety of the SQL Web server default passwords and paths should output artifacts and also improves performance also be changed as per specific requirement. of database calls. Also, retrieval of unnecessary Secure way of code deployment on Web: database column values should be avoided. Web-based code deployment, being very Web server secure practices: Web server logs unsecure, should be managed well. Handshakes should always be configured to another drive should happen on key exchange mechanism where they can be stored. This will enable the and both client and server application should tracing of hacking attacks. In addition, error authenticate the connection between them. 04 Thought Paper
  • 5. Best security practices at the individual language level Each programming language has its own features dropping can be reduced by transmitting all around which security practices are set. information between client and browser over Secure Sockets Layer (SSL). Programmers should C/C++ also ensure that client side options such as view Even if declared implicitly, array bounds in C++ state /hidden variables are not used to store should be set explicitly, and should not be left sensitive data. Further, sensitive information open-ended. The structures should be defined must be stored on the server and not on the dynamically as well. Also, loop arrays should client side. Additionally, appropriate error not be allowed to iterate beyond the end of the messages should be displayed just like in Java. array, so as to reduce buffer overflow attacks. In addition, conversions using void pointers should PHP be avoided, while the automatic variables used In the server-side programming language, PHP, need to be initialized before declaration. the majority of attacks can be reduced by sanitizing the input; functions like filter_input/ Java filter_id can be used. While using MySQL, it Sanitization of all data input irrespective of the would be preferred to change password source, substantially reduces risk of attacks such frequently. Malicious scripts can be prevented as code injections. It is also advisable to declare from running on the browser by removing data variables of a class as private, thereby content like special characters before it is sent restricting access. Even in the case of nested to the users. Attacks such as Remote File classes, the methods accessing the private Inclusion/Local File Inclusion can be reduced by members of the outer class should be declared sanitizing the inputs, restricting dynamic inputs as private. Besides, exceptions should not be that come from the user and placing strict allowed to expose sensitive information. The access controls for critical files. Again, error outcomes of exceptions should be changed by messages sent to the user must be generic and proper exception handling, so that users get not disclose any information. only valid exceptions. Use of the key word ‘Finally’ while handling the exception significantly Shell scripts reduces data vulnerability. Null pointers should not be de-referenced, as this can cause the null When using shell scripts, a popular scripting pointer exception. Error messages passed to the language mainly based on the Unix platform, user through servlets should be appropriate and restricted access must be ensured, with read, should not display any confidential data. write and execute permissions for individual scripts given according to users’ privilege. In fact, ASP.Net Unix is considered the most secure Operating System because of the security features offered When using the popular programming language though shell scripts. ASP.Net, data input from all users should be thoroughly sanitized. Stored procedures should Programmers should restrict privileges for be used to filter malicious user inputs, thereby specific command execution as well. For instance, mitigating code injection attacks. Also, session those given permission to view the directory hijacking attacks can be reduced by disparate should not be allowed to make any changes. transmission of authentication and session Additionally, the access controls for individual cookies and using only the HTTPS network for files and directories should be predetermined. the same. Authentication credentials should also Segregation of users based on privileges is very be passed only over HTTPS. Network eaves important too. Thought Paper 05
  • 6. While writing and executing filters, steps to In addition, TCP/IP stack gets exposed to prevent data exposure should be taken care of programmers directly through shell script and in advance. During processing, programmers C programs and programmers should avoid should exercise caution when exposing kernel display of unnecessary stack information to end calls and switches to end users. They should users. There have been instances of companies also ensure that fork calls are finite and preparing their own protocol to avoid content controlled by defined system variables as they exposure through the TCP/IP stack. are highly sensitive to memory usage. Conclusion Application coding security is not restricted servers and databases, techniques of handling to just drafting ways of coding. Rather, it calls properties files et al. Best security practices for a comprehensive approach that encompasses should be formulated keeping in mind language methods of Web and database server specific features and should be applied during configuration, ways of making calls on Web configuration, coding and implementation. Bibliography 1. Session Hijacking: Refers to the exploitation of the operating system. Depending on the of the session, done mainly by theft of the value of the semaphore the process will know session key used to authenticate a valid user whether to utilize the resource or to wait. and gain access to services. 4. SQL Injection attack: SQL queries are drafted 2. Network Eavesdropping: Refers to the sniffing and inserted in Web forms maliciously to of the data packets transmitted along a extract sensitive information from databases. network to gain access to sensitive information. This is done using sniffers. 5. Array: Term referred to the use of a collection of variables belonging to a single type. 3. Semaphores: Used in operating systems, for coordinating activities between multiple 6. Pointers: A variable which is used to store processes that compete for using the resources the address of another variable. Makarand Madhukar Baji Senior Consultant, Finacle Payments, Infosys Sandhya Ravikumar Technology Analyst, Finacle E-Banking and Channel Support, Infosys 06 Thought Paper
  • 7. About Finacle Finacle from Infosys partners with banks to transform process, product and customer experience, arming them with ‘accelerated innovation’ that is key to building tomorrow’s bank. For more information, contact Finacleweb@infosys.com www.infosys.com/finacle © 2012 Infosys Limited, Bangalore, India, Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document. Thought Paper 07