Mastersoft ERP Solutions Pvt.Ltd

Page Access / Authorization is mainly on page number and not on page name causing unauthorised access of pages to User

Matching page name and page number from link table and in case of not matching, redirected user to unauthorised access page.
Need to work on url rewriting or encryption of url so that page url will not be visible to end User.
Solution find out by Ajay will be tested thoroughly and finalise the same on priority.

In case of report, User can copy report page url and pass different number to access other Id reports (it happened for Hall Ticket where student can generate other student Hall ticket)

Response.redirect is used to open report page in case User copy past report url exception through Unauthorised access.
In this case also url rewriting / url encryption should be used and direct report should be visible to end user.
Solution find out by Ajay will be tested thoroughly and finalise the same on priority.

Important data like Password, Grade, Marks etc. should be encrypted and stored in DB

At present 3DES algorithm is used in couple of project for encryption of password in DB.
Need to finalize list of fields where data encryption is required
Also new more secured algorithm need to used, hence RSA and AES combination will be used to handle encryption.
Field level encryption handling also need to finalise.

Pages like Mark Entry, Grade Entry, Salary Processing, Result Processing etc. need extra validation, security and authentication and authorization.

List of such pages will be suggested by lead and complied by Suhas
Security arrangements mentioned below should be consider
- IP / MAC restriction (google analytics)
- OTP based access (up on submit ask for OTP)
- Email / SMS to User upon access / save / modification
- Log should be maintain for every access and activity performed on the page by User.

Session Id before login should be checked and validated

No Connection with DB on login home page.

SVN Checking

List of all codes with last update date will be provided by Suhas
Every month such report will be submitted to Amit / Anand
Unused code will be removed and kept on NAS as backup
SVN for onsite developer will be configured and maintained onward

On Premise Installation Checking

Regular checking of client server machine will be performed to ensure following points. Suhas and Vijay will workout process for the same
- No VS on server
- No Code, only published code
- No patch code
- DB Backup Scheduler
- DB Security implementation
- Use of Requirement Portal for all requirement etc..

User Password Security

Password Recovery option will be deleted from All project and new encrypted password will be implemented
Forgot password will be implemented on home page
On change password email / SMS confirmation to User about new password
First Login check with term and Condition (I agree)
Add Term and Condition on Home page for Data access and usages policy
Email / Mobile is must for all user to access application
Single Sign On implementation should be discussed so that Project can be split and merging of application using SSO can be achieved.
Implementation of User Profile to maintain email and mobile
Email and Mobile verification before set it to User Profile

Capcha implementation

Capcha is must for all cloud users, it should be configurable for on-premise installation and development User.

DB Security

Keep existing Security
DB Backup to client should contain only tables and no other objects
Password protected DB should be handover to Client
Client wise DB Backup for Cloud CCMS should be possible
Handover of data in other format should also be consider

Unauthorized Modification by User in Student Information form

Currently we are using two different update statement in procedure where based on usertype fields in student table updated.
Need configurable Student information Page, where fields on student information update form can be enabled / disabled dynamically and accordingly only enabled fields get updated for that User Type.

Activity page should be used in all client, working on activity page is required

Log of all activity done by User should be maintained

Home page should be as much light as possible

Minify should be used to reduce server trips

Views should be used instead of complex quires which is hard to understand by Jr Developer

TESTPREP

Gather the information
you need

Candidate Login

TESTPREP

Gather the information you need

Candidate Login

Gather the information
you need