Thursday, March 29, 2018

Security Testing Techniques

In my previous blog, we discussed pentesting using the ZAP tool; today we discuss the remaining 3 points of security testing. Security testing can be classified according to the type of vulnerability that has been exploited or the type of testing that should be done for it.
Roughly, it can be divided as:
  1. Vulnerability Assessment
  2. Penetration Testing
  3. Runtime Testing
  4. Code Review
Penetration Testing is explained in our “Pentesting security testing using OWASP ZAP” blog.
Here we will explore the other 3 techniques.
Vulnerability Assessments:
Vulnerability Assessment, also termed Vulnerability Analysis, is a process that defines, identifies and classifies the security holes (i.e. vulnerabilities) in computer networks or communication systems.
Vulnerability Assessment has several steps-
  • Defining and classifying network and system resources.
  • Assigning a level of importance to those resources.
  • Identifying potential threats to each resource.
  • Making a strategy for dealing with the most serious potential problems first.
  • Defining and implementing ways to minimize the consequences if an attack occurs.
If vulnerabilities are found as a result of vulnerability analysis, a vulnerability disclosure may be required.
The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure.
If the vulnerability is not classified as a high-level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.
The next stage of vulnerability analysis (identifying potential threats) is sometimes performed by a ‘white hat’ using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses.
The term ‘white hat’ in security refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization’s information systems.
Runtime Testing:
Runtime application self-protection (RASP) is a security technology that is built into an application and can detect and then prevent real-time application attacks.
RASP prevents attacks by “self-protecting” or reconfiguring automatically without human intervention in response to certain conditions (security misconfigurations, threats, faults, attacks etc.).
RASP comes into play when the application is executed at runtime, causing the program to monitor itself and detect malicious input and behaviour.
How Runtime Application Self-Protection (RASP) Works-
RASP builds security into the running application on the server where it resides. It then intercepts all calls to the system to ensure they’re secure.
Effectively, RASP implants validation of data requests directly into the application.
RASP can be applied to web as well as non-web applications without affecting their actual design. Currently, RASP technology exists for the Java virtual machine and the .NET Common Language Runtime.
When specified security conditions are met, RASP takes control of the application and applies the necessary protection measures.
RASP’s protection measures include the following:
  • User session termination
  • Application termination (not affecting other applications on that server)
  • An alert sent to security personnel
  • A warning sent to the user
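A minimal sketch of the interception described above, as an added example and not code from any RASP product: a hypothetical `guard` decorator wraps a file-read sink, validates every call at runtime, and applies two of the listed protection measures (user session termination and an alert to security personnel). All names here (`guard`, `read_report`, `SESSIONS`, `ALERTS`, the report directory) are assumptions made for illustration.

```python
import functools
import os
import tempfile

# Constructed state for the example: active sessions and an alert queue.
SESSIONS = {"s-100": "alice", "s-200": "mallory"}
ALERTS = []


class RaspBlocked(Exception):
    """Raised when the guard refuses a call to a protected sink."""


def inside_base(base, requested):
    """True if `requested`, resolved against `base`, stays inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


def guard(check, sink_name):
    """Wrap a sensitive function so every call is validated at runtime."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(session_id, *args, **kwargs):
            if session_id not in SESSIONS:
                raise RaspBlocked("no active session")
            if not check(*args, **kwargs):
                # Protection measure: user session termination.
                user = SESSIONS.pop(session_id)
                # Protection measure: alert sent to security personnel.
                ALERTS.append({"sink": sink_name, "user": user, "args": args})
                raise RaspBlocked(f"{sink_name}: call rejected")
            return func(session_id, *args, **kwargs)
        return wrapper
    return decorate


# Constructed sample data: one legitimate report in a temporary directory.
REPORT_DIR = tempfile.mkdtemp(prefix="reports-")
with open(os.path.join(REPORT_DIR, "q1.txt"), "w") as fh:
    fh.write("quarterly figures")


@guard(lambda name: inside_base(REPORT_DIR, name), "read_report")
def read_report(session_id, name):
    """The protected sink: reads a report by file name."""
    with open(os.path.join(REPORT_DIR, name)) as fh:
        return fh.read()


def demo():
    """Run one valid and one rejected call; report what the guard did."""
    content = read_report("s-100", "q1.txt")
    try:
        read_report("s-200", "../outside.txt")  # resolves outside REPORT_DIR
        blocked = False
    except RaspBlocked:
        blocked = True
    return content, blocked, "s-200" in SESSIONS, len(ALERTS)


if __name__ == "__main__":
    print(demo())
```

The check runs inside the application process on the arguments the sink actually receives, which is what distinguishes this from a filter placed in front of the application.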
Advantages of RASP technology-
RASP technology has a detailed view into the actions of the system, which can help improve security accuracy. In addition, with self-protecting data, the protection remains with the data, from its creation to destruction and everything in between.
Disadvantages of RASP technology-
One drawback to RASP is that each application must be individually protected. The dynamic nature of RASP can affect performance while protecting the application, potentially causing a performance degradation that would be apparent to the user. As RASP solutions cannot protect against all sorts of vulnerabilities, some security experts argue that it should not be used as the only solution for insecure software, but should be used in combination with other approaches to securing applications, such as application security testing.
Code Review-
Code review is probably the single most effective technique for identifying security flaws and vulnerabilities. When it is used along with automated testing tools and manual penetration testing, it can significantly increase the cost effectiveness of an application security verification effort.
Manual security code review provides insight into the “real risk” associated with insecure code.
Security Code Review-
Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as expected, and that they have been called in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment.
Security code review is a method of assuring that application developers are following secure development techniques. A general rule of thumb is that a penetration test should not discover any additional application vulnerabilities relating to the developed code after the application has undergone a proper security code review.
Along with automated tools, human reviewers are also important to fill in the significant blind spots that automated tools simply cannot check.
http://www.anarsolutions.com/security-testing-techniques/utm_source=Blogger.com

Why Build with Mobile in Mind?


Mobile phones are a part of life, to the extent that one cannot go without checking his/her phone once every few minutes. Applications on mobile now serve people and offer aid in a majority of regular activities. These applications have both personal and professional uses. For this reason, developing mobile software is an important step that needs to be ticked off the checklist while developing a software application.
As the sophistication of everyday gadgets increases, a firm needs to keep up with the most recent technology. Not only does this benefit the consumer with a better experience, it also benefits the company in the form of a competitive edge. This article explains why a firm must build software with a mobile-compatible version in mind.
Why the need to develop Mobile Compatible Software
The standard protocol at any firm is to first have a standard web application up and running, and then develop a mobile counterpart of the software if the response is good. This was the practical approach back when the software demographic wasn’t uniform. Currently, a majority of potential customers interact better with, and understand all aspects of, a smartphone and its applications. As a good share of the customer base is on an alternative platform, developing software with mobile in mind offers a wider scope for appealing to users. A mobile-compatible version enhances software accessibility to a great extent.
Opportunity Costs involved
A core advantage of building software with mobile in mind is the ability to reduce an opportunity cost. While writing the code for the desktop version of the software, integrating elements that open the software to a mobile version with ease is crucial. Trying to develop mobile code after the release of a desktop version, without having kept mobile compatibility in mind, would be a complicated and expensive affair: double the effort, more time taken, more resources required, and other complications related to app testing.
The elements of code that influence mobile compatibility are known as APIs (application programming interfaces). APIs are often overlooked by firms that look to develop computer software. Little or no attention is paid to APIs, which can aid in converting your entire application code to a desktop compatible version.
To conclude
A competitive edge in this market is a valuable resource. Building software with mobile compatibility in mind is a move that can outsmart the competition and enhance the productivity of the software. Mobile is the future of software; incorporating it into your upcoming software is one step towards longevity and the development of stable software.
http://www.anarsolutions.com/build-mobile-mind/utm_Source=Blogger.com

Wednesday, March 28, 2018

Modern SharePoint

Many teams utilize SharePoint lists to access, share, and collaborate around structured data. With a focus on improving user experience, Microsoft has now (August 2016) brought in the modern SharePoint lists in Office 365, which will also feature the much-talked-about single-click integration of PowerApps and Microsoft Flow. The modern lists will help SharePoint users create folders more easily, review metadata for a document using a new information panel, add links to files in other libraries, carry out metadata editing more conveniently and also enable a more responsive design for mobile devices. Thus, the ability to create apps using PowerApps that utilize SharePoint lists as a data source is an important capability.
With the launch of the new SharePoint modern list experience will come the ability to create an app for a list from directly within the SharePoint list experience. With modern SharePoint lists you can:
  • Improve ease of use by empowering users to add columns to lists and sort, filter and group data in place.
  • Elevate data quality by viewing and editing all item details in the information panel without leaving the list.
  • Improve productivity by bulk editing list items with Quick Edit.
  • Automate simple business processes with versions, approvals and alerts.
  • Enrich static information with rich data types including people, images and managed metadata tags.
“Modern” lists and libraries do not support as many customization options as “classic” lists and libraries. In this article we’ll provide details and examples of the supported options. The SharePoint team is working to support more options in the future. The list below gives a quick overview of the supported capabilities for “modern” lists and libraries:
  • Subset of User Custom Actions
  • Custom branding
  • PowerApps and Flow integration
Let’s take a look at the features in modern SharePoint Lists that wow the end-users:
  • (More) User Friendly & Improved UI
  • Tiled View
  • Pin to Top
  • Get Link
  • Information Panel
  • Recent Activity
  • Ribbon Improvements
  • Improve Productivity with Quick Edit
  • More Column View Options
  • Automate Easily
  • Enrich Static Information
  • Responsive Design for Mobile Devices
  • Build Business Applications Easily with PowerApps
  • Integration of Microsoft Flow with SharePoint
http://www.anarsolutions.com/modern-sharepoint/utm_source=Blogger.com

Power Apps, Logic Apps and Flow

Integration will be different for us with new tools to build solutions. Microsoft Azure provides us with services like Logic Apps, Flow, Functions and Power Apps. Some are intended for power users, others for developers. Logic Apps and Functions fall under the umbrella of developer type services, which can be built in a browser or Visual Studio. Power Apps and Microsoft Flow are limited to the browser only, hence are targeted for power users or business users if you like.
We can discuss Microsoft Flow and Azure Logic Apps together because they are both configuration-first integration services, which makes it easy to build processes and workflows and integrate with various SaaS and enterprise applications.
  • Flow is built on top of Logic Apps
  • They have the same workflow designer
  • Connectors that work in one can also work in the other
Logic Apps have been around since the last quarter of 2016, when they became generally available, almost at the same time as Flow. A Logic App is a hosted piece of integration logic in Microsoft Azure. To be more precise, the hosting is done in Azure in a similar way to a Web App, and the logic is built by creating a trigger followed by a series of actions, similar to a workflow. You can create them in a browser (Visual Designer) or in Visual Studio.
PowerApps is a service for building and using custom business apps that connect to your data and work across the web and mobile – without the time and expense of custom software development.
Power Apps and Microsoft Flow are the tools for business or power users for building business applications in the Office 365 environment. Both are fully metadata-driven and extensible, so you can connect to any of your own services, third-party APIs or even Functions. And through the on-premises data gateway you can consume your on-premises systems and applications.
Logic Apps and Functions are tools for developers and IT pros for building more mission-critical applications. Both are extensible by code and by connection to custom APIs. And through the Enterprise Integration Pack, the Logic App Adapter in BizTalk Server 2016, or Service Bus you can interact with on-premises systems and applications.
Microsoft Flow and Logic Apps are both so-called configuration-first integration services and are easy to use in a browser. Both have the same workflow designer; however, Flow is built on top of Logic Apps, which means it is one abstraction level higher. Yet both can use the same set of connectors.
http://www.anarsolutions.com/power-apps-logic-apps-flow/utm_Source=Blogger.com

Tuesday, March 27, 2018

IoT and Healthcare

Technology is changing and improving healthcare: its overall cost, the experience in the hospital, and patient outcomes. Costs are reduced by the use of remote patient monitoring and by reducing the number of hospital visits. Sensor technology offers tracking of medical devices and improves overall efficiency. Predictive maintenance decreases downtime of medical equipment, offering consistent and accurate use. Healthcare providers are among the earliest adopters of the Internet of Things (IoT).
IoT in healthcare covers various computing and wireless broadcasting information systems and devices that help patients and providers to monitor, track and store patients’ important statistics or medical information. Nowadays multiple hospitals have started to use smart beds that can sense the proximity of a patient and automatically set themselves to the correct side and force to give the particular support needed, without requiring a nurse to intervene.
Internet-of-Things can include some of the following:
  • Consumer Fitness Tracking – Fitness Bands like FitBit, MisFit, etc.
  • Wearable External Devices – Insulin Pumps.
  • Implanted Devices – Pacemakers.
  • Stationary Devices – Fetal Monitors.
In short, Internet-of-Things for healthcare includes those devices that can sense and collect actionable data. When shared with physicians or healthcare professionals via cloud computing, this data saves significant time and augments patient care.
Healthcare is such a vast ecosystem that once you also start including personal healthcare, the pharmaceutical industry, healthcare insurance, RTHS, healthcare building facilities, robotics, biosensors, smart beds, smart pills, anything remote and the various healthcare specializations, activities and even (treatments of) diseases, the list of Internet of Things applications in healthcare quickly becomes endless. The advantages of IoT in healthcare are seemingly endless, but here are just a few of the major benefits:
  • Reduced Errors – IoT allows for the accurate collection of data, automated workflows and minimised waste, but most importantly it reduces the risk of error.
  • Decreased costs – With IoT, patient monitoring can be done in real-time, drastically cutting down the need for doctors going out and making visits. Connected home care facilities will also help reduce hospital stays and re-admissions.
  • Better patient experience – A connected healthcare system creates an environment that meets each patient’s needs. Dedicated procedures, enhanced treatment options and improved diagnosis accuracy make for a better patient experience.
  • Improved disease management – With real-time data healthcare providers can continuously monitor patients. This means that they can spot any disease before it spreads and becomes serious.
  • Homecare – Allows patients to be monitored in the comfort of their own homes. Sensors are installed onto various pieces of medical apparatus (e.g. heart rate monitors) by the bedside of a patient. The data gathered is sent to the hospital, where a qualified member of staff analyses it for any abnormalities.
The developments of IoT have the potential to really revolutionise healthcare in a positive way.
However, we must be careful. Health data is sensitive and, if it’s shared inappropriately or misused, it has the potential to damage people’s privacy. Ensuring hospitals have secure and manageable infrastructure is essential in the healthcare sector.
http://www.anarsolutions.com/iot-heatlhcare/utm_Source=Blogger.com

Thursday, March 15, 2018

The Difference between Scrum and Kanban

In industry, there are many complex projects that need to be done, and to execute these tasks smoothly there are major development and management tools. Two of them are Scrum and Kanban.
Scrum:
Scrum is basically a tool used to break a project into small, manageable pieces that can be completed by a cross-functional team within a prescribed period of time. Scrum relies on three processes in order to plan, organize, administer and optimize a process. They are:
  • The product owner, who is responsible for initial planning, organizing and communicating with the company.
  • The Scrum master whose responsibility is to look after the job during each sprint.
  • The team members whose job is to execute the job prescribed for each such sprint.
Kanban:
Kanban is a tool used to organize work in order to gain efficiency. This process uses Just in Time (JIT) manufacturing. Kanban was developed in a Toyota lab by an industrial engineer in order to improve manufacturing. Kanban limits the work on the basis of any one condition.
Similarities between Scrum and Kanban:
There are many basic similarities between Kanban and Scrum, as they were both designed to improve efficiency and to solve complex problems. Both basically break down a large and complex task in order to gain maximum efficiency. Both share a visible workflow that keeps the team in the loop while executing a job.
Difference between the Two:
There are many differences between the two, but you need to look at them from three different points.
  1. Scheduling, Iteration and Cadence: The Scrum process relies heavily on scheduling. The team is provided with a list of projects that need to be finished and shipped depending upon their priorities. With every scheduling, quality and efficiency go up, and this method is turned into iteration where the same sprint is repeated. In the case of Kanban, by contrast, the process is naturally iterative and the work continuously improves with each process.
  2. Roles and Responsibility: The Scrum team has three roles, as mentioned above: the owner, the Scrum manager and the team. The Scrum team needs to be cross-functional. In the case of Kanban, there is no need for a cross-functional team, nor does a special role need to be assigned.
  3. The Board: There is a difference between the Scrum board and a Kanban board. The Scrum board is based on a time-based workflow, known as a sprint, whereas the Kanban board is based on workflow states, with one vital difference: it allows a limited set of stories in each column, which sets a limit for the team.
Conclusion:
Both Kanban and Scrum are equally powerful and bring great expertise. You can create a hybrid for best usage and learn to use both of them depending on the conditions.
http://www.anarsolutions.com/difference-scrum-kanban/utm_source=blogger

Wednesday, March 14, 2018

Scrum Vs SAFe

Companies that relied heavily on Scrum are now turning their backs on it and investing in the Scaled Agile Framework (SAFe). SAFe has been claimed to be a successful framework while Scrum seems to be fading away. It is therefore necessary to compare the two.
Scrum:
Scrum is basically a tool used to break a project into small, manageable pieces that can be completed by a cross-functional team within a prescribed period of time. Scrum relies on three processes in order to plan, organize, administer and optimize a process. They are:
  • The product owner, who is responsible for initial planning, organizing and communicating with the company.
  • The Scrum master whose responsibility is to look after the job during each sprint.
  • The team members whose job is to execute the job prescribed for each such sprint.
SAFe:
The Scaled Agile Framework is a little different from Scrum, as it includes the whole organization within its framework, unlike Scrum, which is meant only for a small pool of people. It covers the whole enterprise and not just a team, and it is meant to cover what Scrum cannot. SAFe focuses on program management, portfolio management and team management. It also stresses release planning and retrospectives in order to make improvements, which Scrum somehow lacks.
There are three important parts of SAFe:
  • Agile Software Development
  • Lean Product Development
  • System Thinking
Major Differences:
The major difference lies in the way they handle work. Scrum is basically for small teams to organize and manage their work, while SAFe is for the whole organization. Scrum misses many important aspects which SAFe manages to contain. Scrum looks simple but is hard to implement on the ground.
Other grounds that differentiate:
SAFe has been subject to major criticism as well. Various points have been raised. Some critics say that this framework lacks maturity and fails in field testing. Some say that it is oversimplified and fits all cases because it is designed for various consultancies.
There are too many regulations that make it less practical in nature, whereas some say that is the nature of Agile. Though all this criticism will continue, SAFe has remained vindicated because of its framework, and it looks as if it will continue to dominate over Scrum and other such agile frameworks.
http://www.anarsolutions.com/scrum-vs-safe/utm_Source=Blogger.com

Tuesday, March 13, 2018

Secure Coding

Secure Coding – With the scare of recent cyber crimes and leaks occurring over the internet even with the deepest firewall security in place, developers need to protect their code against malice from the roots. This practice, defined as secure coding, primarily relies on writing code and developing programs that are resilient and not prone to attack by Trojan viruses and malware. This security also prevents mass cyber attacks that link private company computers to local servers for a business, thereby dispersing confidential and private company information through the attack and leading to major issues including complete shutdown and compromise of business data.

Targets
As far as targets are concerned, every program can be a potential target and source of information. Like most attackers, they will try to find spots of vulnerability in your server firewalls and use them to corrupt server data, steal information, gain unauthorized yet complete access to all data, and even gain control of your computer. For businesses, even a minor attack can lead to the loss of key client data worth close to millions of dollars.
Principles
Secure coding practices are to be incorporated while writing code, as per the principles and requirements of the software. The nature of the threats to the software has to be assessed to develop smarter solutions. Without thorough planning, secure coding practices would be rendered useless for fixing code vulnerabilities.
•    Validating Inputs
•    Encoded Output
•    Managing passwords through authenticated sources
•    Manage Sessions
•    Control for access to code
•    Use of cryptography
•    Log and report errors
•    Secure, encrypted communication
•    Configuring systems
•    Secure database management
•    File and memory disk Management
•    Best Coding Practices
Secure Coding Practices
•    Approved secure code, tested for authenticity, is to be used in preference to new, unauthenticated code.
•    Built-in, task-specific APIs are to be used for tasks that are directed to the operating system directly.
•    Check the integrity of code and extended configuration files using checksums or hashes.
•    Use locking to prevent simultaneous access.
•    Protect variables and resources from cross-access.
•    Extended privileges are to be used and then dropped immediately.
•    Avoid calculation errors during code writing.
•    Restrict users from extending or rewriting existing code with their own.
•    Review third-party code for secure coding compliance before developing programs with it.
•    Safe, encrypted channels for updating along with cryptography security.
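One way to carry out the integrity check from the list above, as an added example that is not part of the original post: files in a release directory are compared against a SHA-256 manifest recorded at build time, and anything modified, missing or unexpected is reported. The file names, contents and function names are constructed for illustration, and the sketch checks a flat directory only.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, names):
    """Record the expected hash of each file at build or release time."""
    return {name: sha256_file(os.path.join(root, name)) for name in names}


def verify(root, manifest):
    """Return {file name: 'ok' | 'modified' | 'missing' | 'unexpected'}."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "modified"
    # Files that were never in the manifest are reported too: an added
    # plugin or config file is as interesting as a changed one.
    for name in sorted(os.listdir(root)):
        if name not in manifest:
            results[name] = "unexpected"
    return results


def demo():
    """Build a constructed release, tamper with it, and verify it."""
    root = tempfile.mkdtemp(prefix="release-")
    files = {
        "app.py": b"print('hello')\n",
        "settings.ini": b"[db]\nhost=localhost\n",
        "plugin.py": b"pass\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    manifest = build_manifest(root, files)

    # Constructed changes made after the manifest was recorded.
    with open(os.path.join(root, "settings.ini"), "ab") as fh:
        fh.write(b"debug=true\n")
    os.remove(os.path.join(root, "plugin.py"))
    with open(os.path.join(root, "extra.py"), "wb") as fh:
        fh.write(b"pass\n")

    return verify(root, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

The manifest is only as trustworthy as its storage: keep it signed or outside the directory it describes, otherwise whoever can change the files can change the hashes as well.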
http://www.anarsolutions.com/secure-coding/utm_source=Blogger

Monday, March 12, 2018

Opportunistic Refactoring

What is Opportunistic Refactoring?
Suppose you are looking at your existing code to add some more functionality, and you find a misplaced class, some unused variables, or something else. This is where Opportunistic Refactoring, also known as the boy scout rule, comes in. You use this opportunity to redo some part of your existing code. This way you can constantly and continuously modify and clean up your code, so that you are actually adding more value to the product for your client.
Who and When?
Whenever you are planning to add some more lines to your existing code, look at the existing code for a while first. Look for any part of the code that irritates you. If you find any such block, work on it first. Do whatever you feel is needed to make things look good.
Now the question is who should perform the refactoring task in a software development lifecycle, and when. There might be a scheduled refactoring phase in some places, but the best option is to do it as an opportunistic activity.
That means that whenever someone spots a block of code which is not as clearly written as it should be, they take the opportunity to rewrite the code to make it clear. As this approach leaves the code better than it was found, it also improves the health of the code base. And if all the team members do this on a regular basis, they contribute significantly to the process.
The opportunity may come at any stage of implementing a new feature or at the time of fixing a bug. When you are trying to implement something new, you may find that it would be easier if the API of an existing class were structured differently. So you first make the necessary changes to the API, then start adding the functionality.
You may find yourself in the middle of another piece of work when an idea for another refactoring strikes you. Don’t interrupt your current work. Rather, make a note of the idea, finish the task at hand, then get back to the idea and complete it.
Things to keep in mind
In this process, you might then find that some of the code you are writing is partially a copy of another block. Then you refactor that part to make things clean.
Do it in small units at a time, and run your unit tests every time you make a change. If anything goes wrong, go back to the previous state, find the problems and fix them.
This continuous attention to the code is very important, as it improves the quality of the product significantly.
http://www.anarsolutions.com/opportunistic-refactoring/utm_source=Blogger.com

Friday, March 9, 2018

Scaled Agile vs Agile scrum

Scaled Agile vs Agile scrum – While developing software, certain principles are followed strictly to properly develop a solution that complies with all the requirements of an organization. Certain types of software, such as Agile software, also have certain requirements that have evolved with collaborative cross-functional teams. Over the course of this evolution, Agile software has seen two different frameworks. The first is Agile Scrum, heavily based on an approach of adaptive planning and collaboration. The second is the Scaled Agile framework (SAF). SAF enables the organization to be a scalar entity and encourages a faster and less rigid response to change.
Agile Scrum Framework Implementation
The Agile Scrum approach was designed to tackle the traditional approach, which is based on a sequential order of operations within an organization. As Scrum dictates collaboration and self-encouragement, it is not a favourite among middle management for implementing in an organization. With the Agile Scrum framework there is minimal managerial authority intervening in the work culture. For this reason, while Agile Scrum is recommended as an ideal framework for an individual, it is not ideal for an organization where there are different managerial levels.
Agile Scrum values:
•    Promise
•    Courage
•    Concentration
•    Directness
•    Value
Scale Agile Framework implementation
Unlike Agile Scrum, the Scale Agile framework has been designed to be implemented in an organization, enabling the managerial body to use it to their advantage. It is a smarter and more integrative approach to software solution development. It is enterprise-friendly, unlike the Agile Scrum implementation, enabling the management to assert their managerial and reporting authority. The management find working with SAF to be safe. Another advantage of implementing SAF is the ability of the organization to operate at different levels of authority. This advantage makes SAF a scalar and flexible entity.
The principles of a Scale Agile Framework are:
•    Consider economics in every viewpoint
•    Adopt an approach of systems (systemic approach)
•    Consider and assume inconsistency to preserve better options
•    Integrative and terse learning cycles for a faster build
•    Objective and thorough evaluation of setting milestones for working systems
•    Restrict batch sizes to manage queue lengths better
•    Reduce WIP (Work-in-progress)
•    Synchronize and manage time across all domains for effective planning and management
•    Decision-making and authority are to be decentralized
To conclude
The Scrum approach offers a better learning experience and lays the perfect foundation for a professional mind-set and work culture, while the Scale Agile Framework offers a better and scalar approach for the organization.

Code Refactoring: Concept and Analysis

Code refactoring is used to rearrange or restructure existing computer code. The process changes the factoring of the code without changing its external behavior. The reason one uses code refactoring is to improve the nonfunctional attributes of the code. It helps reduce the complexity of the code and enhances its reliability. Code refactoring also helps in removing vulnerabilities of the system and also removes bugs. Basically, it is a cycle of continuous improvement of the code by different methods to make it better.
Concept of Code Refactoring and how it Works:
Code refactoring usually takes place after a code smell is found. A code smell is basically long code which is repetitive or duplicates other code. This can all be addressed by changing the source code. After that is done, the new code will have the same meaning, but there won’t be any “smell” or duplication. There are various techniques for code refactoring; some of them are mentioned below.
  • Techniques that push for abstraction: Encapsulate Field forces code to access the field through getter and setter methods. A conditional can be replaced with polymorphism. Generalize Type creates more general types in order to share more code. Type-checking code can be replaced with State or Strategy.
  • Methods and strategies used to break code into more logical pieces: Componentization breaks code into reusable, well-defined, clear and simple units. Extract Class moves code from an existing class to a new class. Extract Method turns part of an old, long method into a new method.
  • Strategies and techniques to improve code names and location: Move Method moves code into a more appropriate file. Rename Method gives code a new name that also describes its function. Pull-up and pull-down move code to a superclass (in OOP) and back to a subclass.
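To make one of the techniques above concrete, here is an added example (not from the original post) of replacing a conditional with polymorphism, together with a check that the external behaviour is unchanged. The account kinds and fee rules are constructed for illustration.

```python
# Before: one function branches on a type tag (the "smell").
def monthly_fee_before(kind, balance_cents):
    if kind == "basic":
        return 0 if balance_cents >= 100_000 else 500
    elif kind == "premium":
        return 1_500
    elif kind == "student":
        return 0
    raise ValueError(f"unknown account kind: {kind}")


# After: each account type carries its own rule; no type checks remain.
class Account:
    def __init__(self, balance_cents):
        self.balance_cents = balance_cents

    def monthly_fee(self):
        raise NotImplementedError


class BasicAccount(Account):
    def monthly_fee(self):
        return 0 if self.balance_cents >= 100_000 else 500


class PremiumAccount(Account):
    def monthly_fee(self):
        return 1_500


class StudentAccount(Account):
    def monthly_fee(self):
        return 0


ACCOUNT_TYPES = {
    "basic": BasicAccount,
    "premium": PremiumAccount,
    "student": StudentAccount,
}


def monthly_fee_after(kind, balance_cents):
    """Same signature and results as before, so callers are unaffected."""
    try:
        account_cls = ACCOUNT_TYPES[kind]
    except KeyError:
        raise ValueError(f"unknown account kind: {kind}") from None
    return account_cls(balance_cents).monthly_fee()


def behaviour_preserved():
    """Old and new code must agree on every sampled input, errors included."""
    for kind in ("basic", "premium", "student", "unknown"):
        for balance in (0, 99_999, 100_000, 250_000):
            outcomes = []
            for fn in (monthly_fee_before, monthly_fee_after):
                try:
                    outcomes.append(("ok", fn(kind, balance)))
                except ValueError as exc:
                    outcomes.append(("error", str(exc)))
            if outcomes[0] != outcomes[1]:
                return False
    return True


if __name__ == "__main__":
    print("behaviour preserved:", behaviour_preserved())
```

Adding a new account type now means adding one class and one registry entry, and the comparison function is the kind of test to rerun after each small refactoring step.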
Advantages of Code Refactoring:
Extensible Code: Code refactoring makes the code more extensible, so that other functions can be added to it. It also increases the flexibility of the code, and with it the capability of the code.
Maintainability: After refactoring, the code is fresher, easier to read and understand, less complex and easier to maintain.
Disadvantages of Code Refactoring:
Time Consuming: You may have no idea how much time the process will take to complete. It may also land you in a situation where you have no idea where to go.
Chance of Mistakes: If it goes wrong, you will have to spend much more time solving the problem, and there is a real chance that it goes wrong due to the complexity of the code.

Code refactoring is a wise method of extending the code and making it more capable, but it also has some disadvantages. One needs to make up his/her mind whether it is necessary to go for refactoring or not.