Wednesday, March 21, 2012

COBIT Assessment Programme—Frequently Asked Questions (FAQs)


Q: Why did ISACA select ISO 15504?
ISO 15504 effectively deals with process capability assessment. It provides an understandable, logical, repeatable, reliable and robust methodology for assessing the capability of IT processes (evidentiary requirements).
Q: What is the major value of using the new COBIT Assessment Programme?
a. The value derived from assessments using this approach includes reliable results that focus the enterprise on the benefits and resource implications arising from the performance and capability of its IT processes, and provide a sound basis for benchmarking and improvement, prioritization and planning.
b. There are a number of specific benefits for COBIT users in taking this approach:
- Focus first on confirming that a process is achieving its intended purpose and delivering its required outcomes as expected.
- Simplification of the content supporting process assessment.
- Improved reliability and repeatability of process capability assessment activities and evaluations, and reduced debates and disagreements between stakeholders on assessment results.
- Increased usability of process capability assessment results, as the new approach establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes such as benchmarking.
- Compliance with a generally accepted process assessment standard (ISO 15504) and therefore strong support for the process assessment approach in the market.
Q: Does the new COBIT Assessment Programme approach replace the existing COBIT 4.1 CMM approach?
a. No, it does not; it is a different approach to assessing process capability that ISACA has selected to use. COBIT 4.1 CMM remains as published, and the option of applying a COBIT Assessment Programme approach as an alternative has been made available.
b. However, the CMM approach will not be offered in COBIT 5 because the new ISO 15504 approach is core to performing a process capability assessment using COBIT 5 content.
Q: What is the difference between the COBIT 4.1 CMM and the new COBIT Assessment Programme approach?
a. The capability level scale is the same, i.e., 0 to 5, and some of the level names are very similar, but that is where the similarities end. The attributes assessed and measured in each approach are NOT the same, nor is there a clear-cut relationship between the two sets of attributes.
b. There are no specific requirements to provide evidentiary support for assessment results in the existing COBIT 4.1 CMM approach, but this is mandatory in the ISO 15504 approach. Providing such evidence in support of the assessment produces more robust, repeatable and defensible results.
c. An assessment done under the old COBIT 4.1 CMM approach will likely result in "higher scores", due to the subjective averaging approach adopted, and also due to the more rigorous ISO 15504 requirements for level 1 in the new approach.
Q: Will COBIT 5 have the same process capability assessment approach using ISO 15504? And how will it differ?
a. COBIT 5 has been designed taking into account all of the ISO 15504 process capability assessment requirements. As a result, the consistency between the COBIT 5 process content and the COBIT 5 PAM will be improved over that of COBIT 4.1.
b. For the purposes of applying the COBIT Assessment Programme approach, the only difference between COBIT 4.1 and COBIT 5 will be the level 1 content, which is specific and unique to each framework version. Assessment levels 2 to 5 focus on generic process attributes (as defined in ISO 15504) and are therefore the same for both frameworks.
Q: Why would you want to do a COBIT process capability assessment using COBIT 4.1 when COBIT 5 will be available in early 2012?
Enterprises have invested in using COBIT 4.1 and will continue to use it for a number of years, until a driver is encountered for them to consider a transition to COBIT 5. During this time a formal process capability assessment against COBIT 4.1 will be of value to them.
Q: How is assessing cloud different from assessing other services?
There is no difference: cloud services are a subset of IT services, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Regardless of the deployment model (private, public, etc.), cloud computing is the delivery of a service in the same way as any other IT service delivery. ISACA cloud publications provide a predefined selection of COBIT processes; the assessment of the processes itself will be the same for cloud as for any other IT service delivered. For more information on ISACA's cloud publications visit: www.isaca.org/cloud
Q: What other models, frameworks and approaches have been aligned to ISO 15504?
a. ITIL3 has been mapped to ISO 15504, but only at level 1; i.e., a Process Reference Model (PRM) has been developed and released via a Tudor publication. However, to our knowledge no full PAM has been developed.
b. The ISO group responsible for ISO 20000 on IT service management is also in the process of developing an ISO 15504 PAM.
c. COSO has also developed an ISO 15504 PRM (level 1 only) but not a full PAM.
Q: How long on average does a COBIT Assessment take to execute?
a. There is no specific answer to this, as it depends on the scope of the assessment: 3 processes vs. 34/37. It depends on the business need and which processes management would like to see assessed/improved.
b. ISACA has provided a scoping tool as part of its tool kit to assist organizations in selecting processes to scope. (See the tool kit link on the web site.)

Q: If all of the work (heavy lifting) is done to achieve level 1, which is deemed to be a major achievement, what is the incentive to go to further levels of capability? Is it not a "nice to have"?
a. There is always a cost/benefit trade-off in how high a capability level an organization wants to achieve, and indeed many organizations have focused a lot of their attention at level 1, because it is a major achievement to show that your processes are fully meeting their purpose.
b. Level 3 is seen by ISACA as the level that enterprises should aspire to for consistency in the performance of their processes irrespective of the staff involved.
c. Levels 4 and 5 will depend on the industry and product sector; so, for example, to meet a government contract to provide defense technology an organization may be required to show a level 5 capability, i.e., "their processes are optimized."
Q: What tools are available to assist assessors in performing these process capability assessments?
a. ISACA has provided a tool kit for both the assessor and the self-assessment guide.
b. There are also commercial organizations that provide ISO assessment tools, both online and via software download, that can be tailored to a specific organization's needs.

Friday, March 16, 2012

PHP: Upload DBF File using Temporary Table


On this occasion I would like to share a PHP script for importing a DBF file. The method applied here is to import the DBF file into a temporary table and then store the data into the main (transactional) table. A more detailed explanation follows:

1. Prepare koneksi.php, which serves as the database connection module, and put it into the lib folder
2. Prepare the dbf_class PHP class, which can be downloaded at , and put it into the lib folder
3. Here is the script for the DBF file upload page (browse-file method)

<form name="form1" action="save.php" method="post" enctype="multipart/form-data" >
<?php

// Simple stopwatch used to measure how long reading the DBF file takes.
class timerClass
    {
    public $startTime;
    public $started;
    function __construct($start=true)
        {
        $this->started = false;
        if ($start) $this->start();
        }

    function start()
        {
        $startMtime = explode(' ',microtime());
        $this->startTime = (double)($startMtime[0])+(double)($startMtime[1]);
        $this->started = true;
        }

    function end($iterations=1)
        {
        $endMtime = explode(' ',microtime());
        if ($this->started)
            {
            $endTime = (double)($endMtime[0])+(double)($endMtime[1]);
            $dur = $endTime - $this->startTime;
            $avg = 1000*$dur/$iterations;
            $avg = round(1000*$avg)/1000;
            return "$avg milliseconds";
            }
        else
            {
            return "timer not started";
            }
        }
    }

// Defaults so the hidden fields below are always defined.
$kd_unit_tmp = '';
$tgl_order_tmp = '';
$kecuali = '';

// 'X' is the name of the upload button on the page that sends the DBF file in the field 'filenya'.
if (isset($_POST['X']) && isset($_FILES['filenya']))
if ($_FILES['filenya']['size']>150000)
    {
    echo "<script>alert('File too big [max 150Kb]')</script>";
    }
else
    {
    $thefile = '';
    // basename() drops any directory part of the client-supplied name, so the upload
    // can only land inside the dbf/ folder; only .dbf files are accepted.
    $name = basename($_FILES['filenya']['name']);
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) != 'dbf')
        die("<script>alert('Only .dbf files are accepted')</script>");

    if (move_uploaded_file($_FILES['filenya']['tmp_name'],"dbf/$name")) $thefile = 'dbf/'.$name;
    else die("<script>alert('Upload failed')</script>");

    include('./lib/koneksi.php');
    include('./lib/dbf_class.php');
    $timer = new timerClass();
    $timer->start();
    $dbf = new dbf_class($thefile);
    $num_rec=$dbf->dbf_num_rec;
    $field_num=$dbf->dbf_num_field;
    $endexct = $timer->end();   // time taken to open and parse the DBF

    for($i=0; $i<$num_rec; $i++)
        {
        if ($row = $dbf->getRow($i))
            {
            $sql_sintax="";
            for($j=0; $j<$field_num; $j++)
                {
                // Column 0 holds the order code (first 6 characters = unit), column 1 the order date.
                switch ($j) {
                    case 0 : $kd_unit_tmp = substr($row[0],0,6);break;
                    case 1 : $tgl_order_tmp = $row[1];break;
                }

                // Every value comes from the uploaded file, so it is escaped before being put
                // into the SQL string; a numeric (N) field must really be numeric.
                if ($dbf->dbf_names[$j]['type']=='N')
                    {
                    $sql_sintax = $sql_sintax . (is_numeric(trim($row[$j])) ? trim($row[$j]) : 'NULL') . ",";
                    }
                else if ($dbf->dbf_names[$j]['type']=='C')
                    {
                    $sql_sintax = $sql_sintax . "'" . mysql_real_escape_string($row[$j]) . "',";
                    }
                else if ($dbf->dbf_names[$j]['type']=='D')
                    {
                    $sql_sintax = $sql_sintax . "date('" . mysql_real_escape_string($row[$j]) . "'),";
                    }
                }
            $pjg_query= strlen($sql_sintax);
            $sql_sintax = "INSERT INTO temp_order VALUES (" . substr($sql_sintax, 0, $pjg_query-1) . ")";

            $sql_out=mysql_query($sql_sintax) or die ("<script>alert('data doble!')</script>");
            }
        }
    unlink($thefile);   // the uploaded file is no longer needed once it is in the temporary table

    // output from MySQL table: the rows just imported for this unit and order date
    $header=1;
    $no=1;
    $sql_sintax = "select * from temp_order where left(kd_order,6)='".mysql_real_escape_string($kd_unit_tmp)."' and tgl_order=date('".mysql_real_escape_string($tgl_order_tmp)."')";
    $sql_out=mysql_query($sql_sintax) or die ($sql_sintax);
    while ($row=mysql_fetch_array($sql_out))
        {
        $kd_order=$row["kd_order"];
        if ($header)
            {
            echo "For HEADER display Table";
            $header=0;
            }
        echo "detail row";
        $no++;
        }
    }
?>

  <div align="right">
    <input type="hidden" name="kd_unit_tmp" value="<?php echo htmlspecialchars($kd_unit_tmp); ?>">
    <input type="hidden" name="kecuali" value="<?php echo htmlspecialchars($kecuali); ?>">
    <input type="reset"  name="Cancel" value="Batal">
    <input type="submit" name="Submit" value="Konfirmasi">
  </div>
</form>

4. Here is the script (save.php) that stores the data into the main or transactional table and clears the temporary table
<?php
include('./lib/koneksi.php');

// Both values come from the hidden fields of the confirmation form; escape before use in SQL.
$kd_unit = mysql_real_escape_string(isset($_POST['kd_unit_tmp']) ? $_POST['kd_unit_tmp'] : '');
$kecuali = isset($_POST['kecuali']) ? $_POST['kecuali'] : '';
echo "submit : " . htmlspecialchars(isset($_POST['Submit']) ? $_POST['Submit'] : '');
echo "kd_unit : " . htmlspecialchars($kd_unit);

if (isset($_POST['Submit']))
    {
    // copy the confirmed rows from temp_order into the main (transactional) table
    $perintah="insert into .......( main table )";
    $hasil=mysql_query($perintah) or die ($perintah);
    }

// delete temporary
$perintah="delete from temp_order where left(kd_order,6)='$kd_unit'";
$hasil=mysql_query($perintah);

?>

<html>
<head>
<title>Save</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body onLoad="document.location='index.php'">

</body>
</html>
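The same upload-then-promote flow as steps 3 and 4, written here as an added example (not the post's code) with PDO prepared statements, so that neither field values nor column names taken from the uploaded file can become SQL. It assumes a temp_order staging table and an orders main table with columns kd_order, tgl_order and qty, a field list shaped like dbf_class's dbf_names, and uses substr() instead of MySQL's left() so the sample also runs on in-memory SQLite.

```php
<?php
// Added example; assumed names: tables temp_order/orders, columns kd_order, tgl_order, qty.
// One DBF field -> one bound parameter: N must be numeric, D (YYYYMMDD) becomes an
// ISO date, C is passed as a string. Malformed N or D values become NULL.
function dbfValueToParam(string $type, string $raw)
{
    $v = trim($raw);
    if ($type === 'N') {
        return is_numeric($v) ? $v + 0 : null;
    }
    if ($type === 'D') {
        $ok = preg_match('/^(\d{4})(\d{2})(\d{2})$/', $v, $m)
            && checkdate((int)$m[2], (int)$m[3], (int)$m[1]);
        return $ok ? "$m[1]-$m[2]-$m[3]" : null;
    }
    return $v;
}
// Stage every row. Column names come from the DBF header, which the uploader
// controls, so they are checked against the staging table's real columns.
function stageDbfRows(PDO $db, array $fields, array $rows): int
{
    $cols = array_column($fields, 'name');
    if (array_diff($cols, ['kd_order', 'tgl_order', 'qty'])) {
        throw new InvalidArgumentException('unexpected DBF column');
    }
    $stmt = $db->prepare('INSERT INTO temp_order (' . implode(',', $cols) . ') VALUES ('
        . implode(',', array_fill(0, count($cols), '?')) . ')');
    foreach ($rows as $row) {
        $params = [];
        foreach ($fields as $j => $f) {
            $params[] = dbfValueToParam($f['type'], (string)$row[$j]);
        }
        $stmt->execute($params);
    }
    return count($rows);
}
// Step 4 done atomically: copy the confirmed unit/date into the main table and
// clear the staging rows, or roll everything back if either statement fails.
function promoteAndClear(PDO $db, string $kdUnit, string $tglOrder): int
{
    $db->beginTransaction();
    try {
        $ins = $db->prepare('INSERT INTO orders (kd_order, tgl_order, qty)
            SELECT kd_order, tgl_order, qty FROM temp_order
            WHERE substr(kd_order, 1, 6) = ? AND tgl_order = ?');
        $ins->execute([$kdUnit, $tglOrder]);
        $db->prepare('DELETE FROM temp_order WHERE substr(kd_order, 1, 6) = ?')
           ->execute([$kdUnit]);
        $db->commit();
        return $ins->rowCount();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
// Constructed sample: in-memory SQLite and two rows, the second carrying a quote
// that would have broken the string-built INSERT in the original script.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE temp_order (kd_order TEXT, tgl_order TEXT, qty REAL)');
$db->exec('CREATE TABLE orders (kd_order TEXT, tgl_order TEXT, qty REAL)');
$fields = [['name' => 'kd_order', 'type' => 'C'], ['name' => 'tgl_order', 'type' => 'D'],
           ['name' => 'qty', 'type' => 'N']];
$rows = [['UNIT01-0001', '20120316', '12'], ["UNIT01-0002' or '1'='1", '20120316', '3']];
stageDbfRows($db, $fields, $rows);
echo promoteAndClear($db, 'UNIT01', '2012-03-16'), " rows promoted\n";
```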

I hope this article is useful for you; see you in the other posts.

Tuesday, March 13, 2012

PHP: Security in PHP programming

Making PHP applications is pretty easy. Most people grasp the syntax rather quickly and within a short time are able to produce a working script using tutorials, references, books and help forums. The problem is that most people forget one of the most important aspects that one must consider when writing PHP applications: many beginners forget the security aspect of PHP. Generally, your users are nice people; they will do as they are told and you will have no problem with them whatsoever. However, some people are not quite as nice. Some people are outright malicious and are seeking to do damage to your website. They will scrutinize your application for security flaws and exploit these holes. Many times the beginner programmer did not know that these things could even be a problem, and therefore fixing the holes can itself be a problem. In this tutorial we will look at some of these issues so you can learn how to deal with them and, better yet, prevent them. Obviously I will not promise you that by following this tutorial you will never be successfully attacked. As you become bigger you will also become a bigger and therefore more interesting target.

phpSec is an open-source PHP security library that takes care of the common security tasks a web developer faces.

phpSec is pretty plug and play, but there are some steps to take before you are ready to harness the power of phpSec. The first thing is to include phpSec in your application:


require_once 'phpsec.class.php';

You should then be all set to start using phpSec in your application, as below:

require_once 'phpsec.class.php';
phpsec::$_dsn = 'filesystem:/var/www/phpSec/data';
phpsec::init();

Session Handler
All session data is encrypted using a user-specific encryption key that is stored in a cookie on the user's computer. This key is changed every 30 seconds. The data is saved in the phpSec store, allowing for storage in databases or flat files.
Easy to use

All you have to do to use the phpSec session handler is to add phpSec to your application as described in the getting started page. The session handler is enabled by default.
To disable it, just set phpsec::$_sessenable to false like this:

require_once 'phpsec.class.php';
phpsec::$_dsn = 'filesystem:/var/www/phpSec/data'; /* Note the filesystem: before the path. */

phpsec::$_sessenable = false; /* Disable phpSec session handler. */
phpsec::init();

Encrypting data in PHP can be done easily with phpSec. phpSec implements symmetric encryption using the mcrypt library and is extremely easy to use. For example:

<?php
$data = 'This is some extremely secret information.';
/* Encrypt. */
$encrypted = phpsecCrypt::encrypt($data, 'secret key');
/* Decrypt. */
$data = phpsecCrypt::decrypt($encrypted, 'secret key');


Password hashing
To create a salted hash we use the phpsecHash::create() method. It takes just one argument, the password you wish to create a hash from.

<?php
require_once 'phpsec.class.php';
phpsec::init();

$hash = phpsecHash::create('password');
echo $hash;

Validating passwords
When validating a password we use the phpsecHash::check() method. This method takes two arguments: the first is the password we want to check, and the second is the hash we created before. phpsecHash::check() will automatically detect the method used to create the hash.

<?php
require_once 'phpsec.class.php';
phpsec::init();

/* $hash is the stored hash created earlier with phpsecHash::create(). */
if(phpsecHash::check($_POST['password'], $hash)) {
  echo "Valid password";
}

Changing hash method
There are several options you could use to tune phpsecHash the way you want it to work.

    phpsecHash::BCRYPT
    phpsecHash::PBKDF2
    phpsecHash::SHA256
    phpsecHash::SHA512

<?php
require_once 'phpsec.class.php';
phpsec::init();
/* Select the hashing method before creating the hash. */
phpsecHash::$_method = phpsecHash::BCRYPT;

$hash = phpsecHash::create('password');
echo $hash;

I think this is the best breakthrough in the field of PHP programming; however, it is still in beta release, so we will wait for a version that is even better.

source: http://phpseclib.com/download

Wednesday, March 7, 2012

SHA2 vs MD5 Encryption Method

Data security has become a basic need in every organization or company. Generally, to support their businesses, organizations or companies need a means of communication between branch offices, so an intranet is needed. Basically, an intranet is a local network, while the Internet is an open network that has no security mechanism in its protocol (TCP/IP). A security mechanism that guarantees message integrity and authenticity is therefore needed. The selected message security mechanism, which uses a cryptographic technique based on SHA-512, is implemented to guarantee data integrity and authenticity.

MD5 encryption method
MD5 is one of a series of message-digest algorithms designed by Professor Ronald Rivest of MIT (Rivest, 1994). When analytic work indicated that MD5's predecessor MD4 was insecure, MD5 was designed in 1991 as the successor of MD4 (the MD4 weaknesses were found by Hans Dobbertin). In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value.
Specified as an Internet standard (RFC 1321), MD5 has been used in a wide variety of security applications, and it is also commonly used to check the integrity of a file.

SHA (Secure Hash Algorithm) is a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard.
The types of SHA are SHA-0, SHA-1 and SHA-2.
The SHA-2 algorithms are identical in structure and are known by their digest size: SHA-224, SHA-256, SHA-384 and SHA-512.

Peter Selinger has demonstrated two different executable files that have the same MD5 hash value. In the scenario there are two files: one is the original file, the other is a malicious file. Both have the same size and the same MD5 hash value.
This fools hash-comparison tools such as Tripwire, and the people who download files from the Internet: Tripwire stays silent even though the executable has been modified by the attacker. So when someone downloads an executable file from the Internet, the file he receives may have been changed along the way.
However, because the computed hash value matches that of the original file, the victim will think it is the true, original file even though it is different.

Why SHA-512 is a superior hashing algorithm to MD5
It depends on your use case, but there are areas where MD5 has been broken:

1. For starters: MD5 is old and common. There are tons of rainbow tables against it, and they're easy to find. So if you're hashing passwords (without a salt - shame on you!) using MD5, you might as well not be hashing them, they're so easy to find. Even if you're hashing with simple salts, really.
2. Second, MD5 is no longer secure as a cryptographic hash function (indeed, it is not even considered a cryptographic hash function anymore, as the Forked One points out). You can generate different messages that hash to the same value. So if you've got an SSL certificate with an MD5 hash on it, I can generate a duplicate certificate that says what I want and produces the same hash. This is generally what people mean when they say MD5 is 'broken': things like this.
3. Thirdly, similar to messages, you can also generate different files that hash to the same value, so using MD5 as a file checksum is 'broken'.

The SHA-512 hash function belongs to the SHA-2 family, which was developed from the SHA-1 algorithm. A hash function maps a message M of arbitrary length to a hash value h of fixed length (the length depends on the algorithm). For SHA-512 the resulting hash value is 512 bits long. A hash function that produces a small output is vulnerable to the birthday attack [4], which is carried out by searching for two random messages that have the same hash value h.
SHA-512, as a hash function, has the following properties:
(1) h is easily computed from a given M. This property is a must, because if h were difficult to compute, the hash function could not be used.
(2) M cannot be computed if only h is known. This property is also called the one-way property: it is easy to compute h and hard to get back to the original M. It is important in cryptographic techniques, because without it an attacker could find the value of M from its hash value h.
(3) It is infeasible to find M and M' such that H(M) = H(M'). This property is also called collision freedom. It prevents the possibility of forgery.
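To make point 1 above concrete, here is an added example (not from the post) contrasting a lookup against precomputed MD5 digests with a per-user salted SHA-512 hash; the candidate password list and the stored format (hex salt, '$', hex digest) are constructed for this example.

```php
<?php
// Added example: unsalted MD5 versus salted SHA-512 for stored passwords.

// Constructed stand-in for a rainbow table: plain MD5 of a few common passwords.
function buildMd5Table(array $candidates): array
{
    $table = [];
    foreach ($candidates as $pw) {
        $table[md5($pw)] = $pw;          // digest -> password
    }
    return $table;
}

function lookupMd5(array $table, string $digest): ?string
{
    return $table[$digest] ?? null;      // instant reversal if the digest was precomputed
}

// Salted SHA-512: 16 random salt bytes per password, stored next to the hex digest.
function saltedSha512(string $password, ?string $salt = null): string
{
    $salt = $salt ?? random_bytes(16);
    return bin2hex($salt) . '$' . hash('sha512', $salt . $password);
}

function verifySaltedSha512(string $password, string $stored): bool
{
    $saltHex = explode('$', $stored, 2)[0];
    // Recompute with the stored salt and compare in constant time.
    return hash_equals($stored, saltedSha512($password, hex2bin($saltHex)));
}

$table = buildMd5Table(['123456', 'password', 'qwerty', 'letmein']);

// A leaked unsalted MD5 column: any entry in the table is recovered with one lookup.
$leaked = md5('letmein');
var_dump(lookupMd5($table, $leaked));

// Two users with the same password get different stored values, so a table built
// for one tells nothing about the other; verification still works for the right user.
$alice = saltedSha512('letmein');
$bob   = saltedSha512('letmein');
var_dump($alice !== $bob);
var_dump(strlen(explode('$', $alice)[1]) * 4);   // digest length in bits
var_dump(verifySaltedSha512('letmein', $alice), verifySaltedSha512('wrong', $alice));
```

Plain SHA-512 is fast even with a salt, so for password storage a deliberately slow scheme such as the bcrypt or PBKDF2 options listed in the phpSec post above is preferable; salted SHA-512 is shown here because it is what this post compares against MD5.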



Tuesday, March 6, 2012

Setting up a Sybase Anywhere Database

Here is an explanation of how to set up Sybase Anywhere databases on the server side and the client side on Windows XP or 7.

Server side
Go to Control Panel, then the ODBC menu, and do as in the picture below. Don't forget that you must set the path to DBSERV#.exe, add an ODBC data source for Adaptive Server Anywhere, and the Sybase Anywhere database libraries. You must define the login and password for the database in the Login tab.

Client side
Go to Control Panel, then the ODBC menu.
Add an ODBC data source for Adaptive Server Anywhere and do as in the picture below, setting the server IP on the client side. You must define the login and password for the database in the Login tab.