9

CHAPTER 2

THEORETICAL FOUNDATION

2.1 General Theories

2.1.1 XYZ Clinic

Clinic is defined as a healthcare facility intended for patient’s routine medical

needs (such as immunizations, or routine consultations), or for outpatient

treatments (diagnosis or sickness treatment) [8]. Clinics typically have less

features or functionalities, and are smaller in the scope of work compared to a

full-fledged hospital (such as clinics not providing hospitalization treatment or

service), thus clinics are purposed to solve simpler issues, whereas patients

with issues that are complex for the clinic will be referred to a hospital instead

for a more complete treatment.

XYZ Clinic is one of the clinics in Indonesia, and is the client of this project in

which the final product of a clinic management system is going to be delivered

to. As a measurement of the clinic’s size, the clinic has four rooms that are

dedicated for doctor’s consultation, an average of 1 to 2 active doctors per day,

and an average of 25 visiting patients per day.

2.1.2 Clinic Management System

Clinic Management System is a software system purposed to help handle the

major operational areas of typical clinics [4]. The need for a clinic management

system comes from the problems faced by clinics, such as in the sector of

record management alone, the significant use of paper for keeping records

resulted in difficulties in searching for a specific record (as computational

search cannot be done if the data is on paper). The effort of writing the records

to the paper and the planning of proper filing of the papers could also be

considered as inefficient, not to mention the probability of data loss caused by

improper filing or accident that damages the whole records’ repository.

Furthermore, reports made based on manual records are likely to be limited as

computational works that may help provide additional results are unavailable

with such manual approach [9].

The benefits of implementing a clinic management system is represented in the

figure below [10].

10

Figure 2.1 Benefits of Clinic Management System

By using a clinic management system, clinics can work with their records

management without the use of paper, thus not needing to figure out the filing

techniques and reducing the risk present in paper-based management, such as

the physical damage that may occur to paper records. The use of clinic

management system also allows computational work to help deliver quicker

access to specific data, a feature that cannot be accomplished with using paper-

based data. The integrated digital database applied in the management system

allows for better coordination between departments, as all the user roles will

be retrieving data from an integrated database, in which all kinds of updates

will be applied upon and the users will be able to receive the same version of

data (improving the data integrity). Computational work done by clinic

management systems allows for improved overall working efficiency in the

clinic, as processes that can be automated will be handled by the management

system instead of being done manually by the employees. Patients can also be

served by the system, such as the ability to do appointments (if exist in the

system) and the automation done by the system further reducing the waiting

time for patients (such as in the billing of prescriptions), thus increasing their

satisfaction. Exchanging data digitally instead of by paper is also likely to

11

increase the data accuracy of the clinic, such as better tracking of patient’s

health records and avoiding the illegible handwriting that doctors may make.

The major operational sectors of a clinic that the clinic management system

handles include (but not limited to) the management of doctor’s appointments,

patient’s medical records, prescription inventory, and accounting matters such

as the revenue records.

2.1.3 Web Application

Web application is defined as a software running on the Internet that is based

on the implementation of Hypertext Transfer Protocol (HTTP), Uniform

Resource Identifiers (URI), and a web architectural style such as REST.

Typically being deployed to the Internet, a web application must also be

compatible to the concurrent usage by undetermined number of users [11].

Web applications typically are based on a client-server architecture, the client-

side handling the display of the application (or also called as the Graphical

User Interface), while the server-side handling the business logic or data

processing of the application [12]. Web application also typically incorporates

a database where the data is stored, and where any changes to the data is applied

unto. The visualization of the architecture and its general flow of work is shown

in the figure below [13].

Figure 2.2 Web Application's Architecture and Process Flow

The model of such architecture allows for the separation of work and the

independent development of both sides. In addition, such separation also

enables the business logic or the server-side to provide its services to not only

12

a single application, but to also share its services to other applications by using

methods such as the REST API. This increases the reusability of the back-end’s

services, a concern that has become a growing importance in the development

of web applications. The examples of languages used in the application’s

server-side are PHP, C++, Java, and JSP, whereas the languages used in the

client-side are HTML, CSS, AJAX, jQuery, and JavaScript.

Although not fully definitive, the way web applications differ compared to

websites is that web application is considered to be a platform for data

processing, in which the web application considers user’s input and produces

the proper output (putting major emphasis on user’s interactions). Whereas

websites are considered more as a platform for information showcase (such as

a company profile website) [14].

2.2 Development Technologies

2.2.1 MERN Stack Architecture

The term “MERN” is short for MongoDB, Express.js, React.js, and Node.js,

while “Stack” refers to the multiple layers of technologies implemented. In its

entity, the MERN Stack is an architecture implementing all four technologies

for web application development, each of them having their own specific tasks

or purpose [15]. The development and usage of such stack comes from the

increasing demand of users wanting more features from web applications that

could bring them to similar experiences as what can be given by desktop and

mobile applications, while the developers needing the development tools that

would help them in producing the applications faster, and also enabling easier

modification and scalability [16]. What JavaScript may have been known

previously as a tool for simply producing animations for Web pages, has

changed into a development tool that can even handle front end and back end

processes, as what it has been doing in stacks such as MERN and MEAN

(replacing React.js with Angular.js).

The way MERN Stack divides each of the technologies’ purposes is:

MongoDB: Database that implements the document-based approach

from NoSQL, accessed by the back-end application through the usage

of JSON (JavaScript Object Notation).

13

Express.js: The Node.js web application framework that is able to

handle the routing of requests and also to make a RESTful API that can

be used by front end to get the response or data that it needs.

React.js: The front-end JavaScript library that renders the displays

client-side, although it is also able to render in the server-side.

Node.js: An asynchronous and event-driven JavaScript runtime

environment that runs processes for the back end of the web

application.

Thus, the overall working flow of the MERN Stack can be visualized as shown

in the figure below.

Figure 2.3 MERN Stack Architecture

It is important to implement stack approaches such as this, in order to provide

better standardization of the set of technologies used, and to also get more

support because of the common standardization. In addition, the usage of

RESTful APIs by the stack helps in not only separating the front end and back

end’s work, but also further expanding the reach of the web application by

being able to implement external, public APIs [16], such as enabling

registering or logging in to the web application from another social media, or

accessing external services for their processing such as chat bot services.

These are the benefits of using MERN stack [15]:

The use of JavaScript across the stack means that a single language is

used across the web application, even for the database processing of

MongoDB. This allows for benefits such as single path of learning for

developers (which is the overall JavaScript itself) and similar concepts

used for both the front end and back end programming. Although such

14

benefits are also applied to other stacks implementing similar

environments such as the MEAN stack, the usage of React.js allows

developers to not define a template in order to make pages. Instead, the

HTML is generated using JavaScript. This allows for better flexibility

and could lead to faster development rather than having to define the

needed templates beforehand. In addition, React considerably also

provides better performance compared to Angular, as it gives a solution

to a performance problem that was the reason why Facebook developed

it. Angular uses two-way data binding that could be costly if there are

larger data to be dynamically updated. React uses one directional data

flow that results in a more efficient state changes checking, which fits

better for larger data.

The use of JSON as the data’s form for transfer across the stack

provides more ease in data transformations, not having to fit a model

into a specific table’s structure. Using JSON also enables developer to

imagine the data more naturally in the form of object and its properties.

Node.js asynchronous or non-blocking I/O approach is likely to result

in faster web server processes, as waiting by elements does not need to

occur when an asynchronous function is processing. This is

increasingly important as the web application receives more traffic. The

npm support existing in Node.js environment also may provide a

significant help in giving modules for specific features of the web

application.

2.2.2 Node.js

Node.js is a JavaScript runtime environment based on Chrome’s V8 Javascript

engine that does processing in the server-side using JavaScript, implementing

an event-driven, asynchronous (or non-blocking I/O) approach [17]. Initially,

JavaScript may be known for requiring a platform in order to include multiple

JavaScript files, such as in a HTML file where JavaScript is commonly used to

make animations for Web pages. With the existence of Node.js, it uses its own

module system such that JavaScript file can stand on its own and is able to

import other JavaScript modules into it, with the help of CommonJS as the

basis of the module system [15]. This also helps to promote the separation of

15

task done by each module (or can also be called as library) and importing them

later on by using the require() function. This approach of implementing

modules also enables Node applications to use third-party libraries that are

available for Node, such as the ones provided by npm.

npm is the package manager for Node that is used for implementing external

libraries or modules. The libraries that need other dependencies can also be

handled by npm in their installations. Furthermore, the npm holds the highest

number of packages or libraries being handled by them of more than 250,000,

surpassing Maven who held the highest number before. This makes npm a great

environment for developers for developing their application’s back end as there

are high chances of the application’s problems or features already solved or

handled by the existing modules.

The typical practice of concurrency in processing nowadays implements the

Operating System’s threads, using other available thread when a thread must

be blocked because of a certain event such as file reading. The issues with such

approach is that it is difficult to develop applications that implements multiple

threads processing, not to mention the probability of deadlocks happening if

the application is not designed carefully beforehand [18]. Such approach of

concurrency would not be available. On the other hand, Node.js implements

asynchronous processing that does not require multiple threads. It depends on

callbacks to define whether a specific process has finished, and is able to do

other processes that do not require waiting while waiting for another task that

is being processed. Node achieved such approach by implementing an event

loop that will take requests from events and handle them to the appropriate

processing, thus their so-called characteristic of event-driven. Some processes

such as executing query in database may take some time. Node is able to

multitask then by executing such query in an asynchronous method, and then

getting back to the event loop to handle other requests while waiting for the

query execution’s result to be given. Thus, the overall working flow of Node.js

in the back end can be visualized in the figure below [19].

16

Figure 2.4 Asynchronous Working Flow of Node.js

2.2.3 Express.js

Express.js is a web framework implemented on top of Node.js that can help

developers in simplifying back-end codes development through the common

pattern in developing with Express, and also the provided features such as

routes definition. Express enables developers to set what to do when a specific

HTTP request (such as the GET or POST method) with the matching pre-

defined route is received [15]. Responses can also be set to be sent back as the

result from the request retrieval and processing, such as for sending the

processed data, or sending custom headers. The Express middleware can also

be used to implement additional methods in a processing path, such that some

tasks will implement similar processing (such as for logging in and defining

sessions). In addition, third-party middleware is also available to be installed

from npm, such that developers would not need to define common tasks from

scratch.

Although Express is a framework, it states itself as unopinionated. It means

that it has less restrictions to the way the codes must be constructed, thus

developers can still have flexibility on implementing and structuring codes

with Express (even still being able to put various codes into a single file or the

more recommended multiple files) [20]. This is different compared to

opinionated frameworks where the code structure is more rigid and is

documented well such that it is more standardized for multiple programmers

17

to work together. The disadvantage of opinionated frameworks is that because

of such restrictions, developers may find the framework limited in certain

specific functions of an application. This is why some opinionated frameworks

typically are more implemented towards specific purpose(s) or domain(s).

2.2.4 MongoDB

MongoDB is a database created and developed by MongoDB, Inc. that is

document-oriented and is based on NoSQL concept of non-relational database

[21]. The way MongoDB differs in compared to Relational Database

Management System (such as MySQL) can been seen from its implementation

of collections rather than tables, documents rather than rows, fields rather than

columns, and embedded documents rather than joins. The more flexible model

of document enables related data that were typically joined in RDBMS

approach to be embedded directly into a single document instead. This enables

even complex data relations and hierarchy to be defined in a single document.

Added with the implementation of JSON form in defining the document, this

promotes a more natural way of structuring data as an object, containing

multiple properties and even “sub-properties”. The definition of a document

structure for a specific purpose can even be done without any schema; a

document may have different set of fields compared to others of the same

collection. This may result in faster application development as developers

only need to think of the database definition in the application-side, not needing

to take care of any database definition changes in MongoDB (such as changing

the column name to fit with application’s changes if using RDBMS approach)

[15]. Such flexibility can be benefitted to experiment with various data

structures, to work quickly in the prototyping phase, or to adapt to data changes

that may happen often. If schema definition is needed, such as to standardize

specific document’s format for production or to reach a shared understanding

for all developers, Mongoose ODM (Object Document Mapper) can help with

such requirement.

Another difference of MongoDB compared to other RDBMS is MongoDB’s

non-relational approach, meaning that it does not promote data joins by default

like what RDBMS does. Instead, related data can be embedded into the

correlated document directly, thus the application only needs to get the single

18

document to also retrieve other related data (also referred as denormalization).

Even though such approach has some concerns, such as the data integrity that

must be always checked when changing a certain value that should affect the

related documents (as it is cannot be done automatically because of no relation

definition), having no implementation of relations could help in improving

application’s performance. Join method done by prior relation definitions can

be costly in performance; this is why denormalization is the common solution

to increase performance [21]. By designing the document structure well and

implementing MongoDB in the suitable use cases (such as applications with

no complex transactions), the use of MongoDB can result in better database

performance for the application.

MongoDB is also set to be used for big data, which can be seen from its

characteristic of horizontal scaling. MongoDB is purposed to scale

horizontally, by means of implementing more servers into the cluster rather

than improving the current server(s). MongoDB’s approach of using the

document model enables easier distribution of data to multiple servers.

MongoDB is also able to automatically do functions for multiple servers’ setup

such as load balancing, which further help such scaling method [21].

2.2.5 Mongoose ODM

Mongoose ODM (Object Document Mapper) is one of the ODM implemented

for MongoDB database and for working in an asynchronous approach. Object

Document Mapper in general is purposed to form the data in the application

into JavaScript Object Notation (JSON) format that is used throughout the

application and the database [22].

Mongoose ODM enables the definition of schema for MongoDB documents,

defining specific structure of a certain document along with their data types.

Implementing such schema helps in standardizing and clarifying certain

documents’ structures, which can be suited for cases such as the production

stage. In addition, Mongoose ODM also enables the definition of data

validation from the schema definition and business logic that would further

help developers in in supporting the usage of MongoDB with the application

[23].

19

2.2.6 JSON

JSON, short for JavaScript Object Notation, is a data interchange format that

is used to exchange data between programming languages or systems [24].

Although it holds the name of “JavaScript” and is based on JavaScript, JSON

is not dependent of any programming languages because in the end, it is still a

data format that is purposed mainly for data exchange, thus it must be accepted

by many programming languages or systems in order to be useful. Putting data

into object-based format such as JSON enables a more natural representation

of data; processing data in terms of objects that have specific properties.

JSON implemented name-value pairs as its main concept of formatting. The

name must be defined in string data type, while the value can be of a string, a

number, a JSON object (thus making a nested object), an array, a Boolean, or

null. The name-value pair(s) is/are then enclosed by curly brackets, thus

forming an object. An example of JSON can be seen in the figure below [25].

Figure 2.5 JSON Example

The example above is a JSON consisting of name-value pairs, such as a pair

consisting of the name “Age” (in string data type) and the value of 999 (in

number data type).

2.2.7 RESTful APIs

API, short for Application Programming Interface, is a tool that enables system

to share its services to other systems by only giving the appropriate data and

access. Developers can define further the access allowed from specific API

services such as read-only, into even adding or editing specific data. This

access control enables the implementation of API as processing services

sharing without compromising the system’s own security [26]. The examples

20

of API are the APIs provided by Facebook and Twitter, such as the Twitter

API that enables external applications to get a user’s feeds in the form of JSON

for further processing.

While REST stands for Representational State Transfer, a web architectural

style pioneered by Roy Fielding that is used for designing and managing

distributed systems [27]. The overall concept of REST is to use the HTTP

protocol as a way for a computer to access resources from another system,

affecting the way URL is formatted to help represent data model (such as

getting users list from /users). REST is purposed to generally increase the

performance, scalability, simplicity, modifiability, portability, reliability, and

visibility of distributed systems implementing such style. To achieve such

benefits, REST defines the constraints that are needed to be fulfilled:

Client-Server

Client-server architecture enables the separation of tasks between the

front-end side that focuses more on data display and the back-end side

that focuses on data processing. By separating in such model, it also

enables either side of the application to develop independently of each

other.

Stateless

In addition to the previous constraint, communication between the

client and the server must be stateless, by means of a request being sent

from the client must contains all the needed data required for the server

to process. This brings benefits such as better monitoring, as all the

information is contained in the request and there is no need for data

storing. The disadvantage of such approach is that network

performance may suffer from the complete data that must be sent,

especially if some of data is repeated.

Cacheable

This constraint states that response to a request should be cacheable.

The implementation of cache can bring benefits for both the client-side

and server-side, such as performance improvement as requested data

that are cached can be used again, without the need of processing to get

21

the data again. The disadvantage that may be caused from this approach

is the probability of problems occurring because of poor caching rules.

Uniform Interface

Uniform interface must be applied in the system’s interactions such that

various client types can still interact with the system. By providing a

clear standard, different client types will be able to follow the

uniformed rules set by the system in order to connect to it. The downfall

of this constraint is that by making the system having the uniformed

approach to accept various client types, it may harm the performance

compared to approaches that are focused on optimizing specific client

type.

Layered System

The concept of layered system separates the system’s concerns (such

as the business logic and storage) into layers. This enables clear

separation of concerns for better monitoring, and is suited for complex

systems, especially the ones that are growing rapidly as scalability is

better monitored in this layered form. Such approach may be seen as a

disadvantage for smaller systems, as layering the system could cause

latency whereas the system is not actually in need of layering the

system yet.

Code-On-Demand

This constraint is an optional constraint of REST, meaning that systems

can actually use it or not, depending on the system’s function or need.

Code-on-demand means enabling system to provide codes for the client

if requested, for the client to use. This may be unsuitable for

applications implementing RESTful APIs, as clients who use API

typically only need to get the resulting data from the processing, rather

than the processing code itself.

The visualization of system implementing all the constraints of REST is shown

in the figure below [27].

22

Figure 2.6 System Implementing REST Constraints

A RESTful API is an API implementing HTTP requests to do the creation,

reading, updating, and deletion of data (CRUD) [26]. REST API accepts

common HTTP verbs with the endpoint URL, and does the processing if the

HTTP verbs and the URL matches the definition set beforehand. Using REST

API usually will result in the processed data as a response back from the

request. The examples of HTTP verbs used in REST APIs are:

GET for data retrieval.

POST for data insertion.

PUT for updating data.

DELETE for deleting data.

The actions or processing done by the RESTful API must correspond to the

defined verbs of that API, such as data updating cannot be done using REST

API that implements the GET method.

2.3 Security Concerns and Technologies

2.3.1 JSON Web Token

JSON Web Token is an open, industry standard (also referred as RFC 7519)

used for securely transferring claims or information between two parties in the

form of JSON object [28]. JSON Web Token implementation can be done by

using a secret, or a public/private key as the signing method. JSON Web Token

(JWT for short) is often used for authentication purposes and information

exchange. In authentication, JWT would be generated when the user

23

successfully logged, in which the token will be used by the client to access

routes that require special permission in the web application. JWT is also used

in achieving Single Sign On (being able to access multiple applications with a

single login), because of JWT’s ease of usage for different servers having the

correct secret. JWT can also be used for secure information exchange, as the

token is signed using a specific secret or key, it can strengthen the information

transfer security and also avoiding any tampering in the data being transferred.

The JSON Web Token contains three parts that are separated by a period sign:

1. Header

The header, when decoded, contains the type of the token (which

would contain “JWT” for a JSON Web Token) and the signing

algorithm (such as HMAC256).

2. Payload

The payload contains the information or the data that is embedded

to the token when it is generated. It is advised that the data being

embedded to the token should not be a sensitive data.

3. Signature

Lastly, the signature part contains the resulting signature from the

header, the payload, the defined secret, and the algorithm. The

signature is used to ensure that the data in the token is valid, and

that there is no tampering happened in the data transfer.

In authentication, typically there are two ways of handling a login, which are

cookie-based authentication and token-based authentication. In cookie-based

authentication, a session is typically created in the server and a cookie will be

returned for the client to be used for all later requests. A database access would

be needed to validate and also access the user data. While in a token-based

authentication, the approach uses the signed token that will be passed into the

application’s API for validation to enter protected sections of the application.

By using token-based approach, various ways can be implemented to use the

token, thus making the approach more flexible. The use of JSON Web Token

can also help with performance as the token can be self-contained (containing

the needed user data in itself), thus there would be no need for database access

24

on every request. Most importantly, the use of token for authentication

provides a clear separation of purpose between the client and the server, as this

time the token generated from the server will be given to the client, and that

the server will only need to wait until a client sends a request with its token to

be processed by the server. The clear separation of purpose enables server to

act as the provider, while the client acting as the requester.

2.3.2 Encryption

Encryption is the process of converting a data or information that was

originally readable or understandable, into an encrypted form which is

unreadable [29]. In its encrypted form, the original meaning of the data would

not be able to be obtained because of its unreadability. Whereas decryption can

be considered as the opposite of encryption, which is the process of converting

an encrypted data into its original form to obtain the actual meaning.

Encryption is considered as two-way because of data that is encrypted can be

converted back into its original form through decryption. Encryption is

implemented to data that would need to be converted back in order to get its

actual values back, such as for text messaging application. In such application,

the text messages would be encrypted so that the message’s privacy can be

kept, but the messages should be able to be decrypted so that the original

meaning can be given to the retriever.

There are two types of encryption methods [30]:

1. Symmetric encryption, where the same key (secret key) is used for

both the encryption and decryption processes.

2. Asymmetric encryption, where specific keys are assigned for

encryption and decryption separately. The public key would be

shared for the encryption, but the secret key (for decryption would

only be owned by the receiving side. The asymmetric encryption is

found to be almost a thousand times slower compared to symmetric

encryption, as the encryption of public key itself requires high,

intensive computational processing. This would affect the usage of

such technique on smaller devices.

25

There are also various methods of implementing encryption. Some examples

of the encryption methods are Triple DES (Triple Data Encryption Algorithm),

RSA (Rivest-Shamir-Adleman), Blowfish, Twofish, and AES (Advanced

Encryption Standard).

2.3.3 Hashing and Salting

Hashing is a method of getting a variable-length input or data, and generating

a fixed-length data with different value (typically a fixed-length integer value)

that eliminates the original meaning of the data [31]. Hashing is used for

security purposes, such as for securing sensitive data by not storing its actual

value into the database. The resulting value from hashing method is called the

hash value. Although encryption and hashing share the similar purpose of

securing data by altering its value visually, the difference between the two

methods is that hashing is referred as one-way. Hashing method enables the

encoding of a data into a hash value, but the resulting hash value cannot be

decoded back, thus the original value cannot be retrieved from a hashed data.

Such characteristic of being one-way makes security attack likely to be harder,

because this time the attempt of getting the value back from the same data is

impossible. Instead, the attacker would have to either guess the secret used in

the hash, or by guessing the actual value of the data itself (in which both

approaches are done by brute force exhaustively) [32].

The problem with the hashing approach is that if hashing is the only method

implemented for securing a data, a same data would produce the same hash

value. This enables the possibility of attackers to guess the actual value of the

password by brute force until the same hash value is found. An example of this

attacking method is called the dictionary attack. A dictionary attack is an

attempt of finding the actual value from a hashed data, by comparing the

hashed data with words from the dictionary or words used commonly as

passwords that are hashed too, by brute force. If the actual value of the

password stored is common enough, such attack would be successful. To

overcome with the weakness found in only implementing hashing method,

salting is used to complement hashing method. Salt is a random data (typically

of significant length) that is used as an additional input for the hash function.

It is implemented to ensure the uniqueness of any hash value generated [33].

26

By implementing both methods, even though there are data with the exact same

value, the resulting hash values from those data would all be unique, thus

overcoming the problem that was present beforehand and further securing the

data from attacks such as the dictionary attacks. It is important to note that the

salt value used should always be randomized, and not to be reused, as a reused

salt would produce the same hash value from the case of same data.

Some examples of hashing functions are bcrypt, PBKDF2, and scrypt. In

particular, the PBKDF2 (Password-Based Key Derivation Function 2) is a

function used to derive a secret key from the given password (to be stored)

along with a salt, in which the process is done many times. By repeating the

process multiple times, it makes password attacks harder to find the actual

value. PBKDF2 hash function has some benefits such as being developed from

an academic background and having been tested and researched over the years.

It is also established as a standard crypto function in Node.js, thus making it

easier to be implemented in such environment.

2.3.4 SQL Injection

SQL injection is a hacking technique of attempting to access the data in the

database through SQL syntax manipulation. Databases that are based on SQL

(Structured Query Language) such as MySQL and PostgreSQL send queries

using string of dedicated and structured statements [34]. This creates a problem

as attackers can manipulate the queries that are given to the database, and get

information out of the queries (such as by doing blind SQL injection; just trying

out random parameters that would eventually produce information from the

database) [35]. For an example, a query for accepting user’s login would look

like:

SELECT * FROM userTable WHERE uName = ‘$uName’ AND pass =

‘$pass’

If the query is not handled well, the query can be manipulated by attackers in

order to bypass the login, such as by adding partial string to become:

SELECT * FROM userTable WHERE uName =’’ or 1=1--’ AND pass = ‘’

27

This would create a “confusion” in the database, especially with the

manipulation of the use of the quote and dash symbols. Such manipulation

would make the password parameter to be ignored, and to ultimately always

result as true (with the parameter 1=1 always resulting in true), thus allowing

the attacker to bypass the login.

In contrast to SQL, MongoDB does not send queries by using strings. Instead,

each of the operations has its own dedicated method, and that no other

operation besides of the method’s own purpose can be done with the method

[36]. For example, the login query mentioned before would look like the query

shown below in MongoDB:

db.users.find({uName: uName, pass: pass});

The find method itself is only purposed for finding data, and nothing else. By

implementing such approach, MongoDB is considerably more secure by

default compared to SQL-based databases.

To further make the implementation of MongoDB secure, careful sanitization

of data can be implemented in the application such that the inputted request

would have the desired format, thus preventing the system from request

injection attacks (submitting request containing system-reserved words). In

addition, specific use of parameter in MongoDB queries can also be

implemented such that specific actions will only affect the specific

corresponding data, thus further reducing the possible scope of work that the

attackers can approach [36].

28

2.4 Agile Software Development

Agile software development is a software development philosophy based on the Agile

Manifesto’s values and principles that acts as the base concept of its methods and

practices. The values from Agile Manifesto is shown in the figure below [37].

Figure 2.7 Values from Agile Manifesto

29

While the principles from Agile Manifesto is shown in the figure below.

Figure 2.8 Principles from Agile Manifesto

From the values and principles in Agile Manifesto, it can be seen that the agile software

development emphasizes on self-organization, team interactions, openness and the

adaptation to changes, the pursue of working product rather than running straight to

the final product, and also the collaboration with the client to achieve a valuable

software. Such philosophy comes from the realization that changes and evolution in

technology, in how businesses are done, and even in how humans behave are

happening quickly, and it is not showing any sign of slowing down too. However, such

quick changes in technology actually play an important role in keeping up with

changes from businesses and human behaviors, as technologies such as software are a

key component in those sectors; helping out business’ problems into even specific

human’s needs and wants [38]. Although it does bring benefits, such quick changes in

technology would mean problems to the developers, as the need of new software and

30

also software updates increases, but time given or available for the development is

decreasing in order to cope up with the continuous changes. This would mean that

developers cannot work the same way as before anymore, and that having improved

individuals (in terms of skills) alone may not be the solution too. Developers would

have to change the way they think and work with software development, in order to

cope up with such rapid changes in the world that have not been experienced before.

By implementing agile software development, the resulting software quality can be

enhanced because of the involvement of the client early in the development process.

By having the client working together with the development of the product, the

developers will be able to get feedbacks directly from the actual client that is going to

use the product, and essentially working towards developing features that are made to

fit with that the client really wanted.

By enabling the client to interact with developers regularly, developers would be able

to get exactly the client’s feeling about a certain progress, such as whether they liked

it, whether it needed some revisions, or whether the features are not needed. This

would bring benefits to the team’s commitment, as now the developers can have an

actual goal close to them, which is to fulfill the client’s actual needs that would

eventually resulted in their positive feedbacks. This is achieved by enabling both

parties to interact during the development phase, rather than the developers only being

tasked to deliver a final product in which they might not receive any feedbacks from

the client at all in the end. In addition, involving client in the development is also likely

to improve customer relationship, as the connection between the developer and the

client is not only focused on contract anymore, but the agile software development

also builds a connection that focuses on getting the customers satisfied with an

accurate final product efficiently developed by the developer.

As its name already suggest, being agile (moving swiftly) also allows for reduced

waste, which can be seen from their approaches, such as getting the working product

as soon as possible for early feedbacks. By receiving early feedbacks, developers can

work accurately on scaling the product’s development into the right path, thus

decreasing the probability of any rework that could happen in the later stage because

of inaccurate requirements. Another example is agile software development’s

31

approach in writing only sufficient documentation enough to serve the concerned

actors [39].

One of the key differences between agile software development and other development

concepts, such as the waterfall model, is that it emphasizes on testing and feedback

retrieval from during the development phase (even early in the development), whereas

waterfall software development is likely to separate the development and the testing

phase (typically conducting testing after the development phase only), thus only

involving the client at the end of the development. Agile software development

involves the clients in the development of the product, and works with such

development and testing with the client work flow repeatedly until the product is

acceptable to the client. The agile software development work cycle is shown in the

figure below [40].

Figure 2.9 Agile Software Development Cycle

2.4.1 Scrum Software Development Methodology

As agile software development is only a base concept in developing products,

companies would need an actual method that is practical to be actually

implemented by the company. Scrum is one of the development methodology

that is based on the concept of agile software development, designed to be able

to tackle complex issues into a usable product through the implementation of

the iterative characteristic of agile.

32

There are three roles in the Scrum methodology [41], each having its own

purposes in the execution of Scrum:

1. Product owner

The product owner acts as the representative between the stakeholders

or the client to the team, with the main purpose of driving the

development team such that they work toward bringing value to the

business. Aside from the funding management (receiving and

managing funds for the project), product owner is also responsible for

using the given initial requirements to the team such that the

development team will be working on finishing features that are more

valuable first.

2. Scrum Master

The Scrum Master is the person that is responsible for making sure that

the team is working by following the Scrum software development

method, including teaching the method to the team, making sure that

the method’s implementation fits the team, and also to deal with any

obstacles that hold the team from implementing Scrum method.

3. Development team

The development teams are self-managing and cross-functional teams

that are responsible for fulfilling the list of requirements through the

iterative process of Scrum, working toward not only the success of the

final process, but also the success of each iteration.

The way Scrum method works is by the product owner firstly receiving the

goal from the client and also the initial requirements. The product owner then

creates a Product Backlog, which is a list of requirements that when fulfilled

will be able to fulfill the goal given from the client. The Product Backlog is

created such that the requirements are ordered by their priority (higher priority

means bringing higher value to the business). After that, the product owner

would hold the initial Sprint planning meeting. In Scrum, Sprint is a term of an

iteration period in which a certain list of tasks is done (can be set in weeks or

even months). In a Sprint planning meeting, the product owner defines the list

of requirements that should be developed into functionalities in the product

(based on higher priority) for the Sprint period, and the team would be able to

33

argue or question the purpose. The development team would then need to

determine the requirements that will be the target for the Sprint period to the

product owner, and then start to plan how to develop the requirements (the

Sprint period starts here).

In addition to the Sprint period mentioned before, daily meeting called Daily

Scrum must also be held by the development team. In Daily Scrum, the team

members will share each of their progress, next progress plan, and any obstacle

that they may face. This enables the team members to have the same

understanding to the current team’s progress, and to also foster the self-

management in the team.

A Sprint review will then be held at the end of a Sprint period, where the

development team will present the progress to the Product Owner and also any

stakeholders who may want to attend. At that meeting, the next tasks along

with any revisions for the development team will also be discussed. In addition,

a Sprint retrospective is also held between the development team and the Scrum

Master, discussing about any idea or changes that must be done in order to

further improve the implementation of Scrum method in the team.

All the workflow of Scrum mentioned above, as also shown in the figure

below, is done iteratively until the product is accepted by the client (ready for

production).

Figure 2.10 Scrum Software Development Method Workflow