MINS 689:

DIRECTED
INTERNSHIP
Internship Guide: Dr. James Connonlly

Software Analyst
consultant at
Xchange Software

INTERNSHIP PROJECT FINAL REPORT

Software Analyst/ Project coordinator consultant at Xchange Software

Windows (VB6 and .Net) Application migration from Windows Server 2003 to 2012 at
Freddie Mac (McLean, VA)

Rahul Bhosale

Executive Summary
My nine-month Industrial Internship Program work term was with the Freddie Mac, McLean-VA. I
was involved in the Enterprise information system (EIS) application management, maintenance and
support during my work term, all of which will be outlined in this report. This report will cover some
background information on the projects I was involved in. There is one major project with 9 different
applications that I had a significant role in. The project involved upgrade of windows server from
2003 to 2008/2012 and if required initiate the Application platform upgrade (e.g. from VB6 to
VB.net). My work there was to

Understand the applications,

Research on application compatibility and feasibility analysis,

Create documentation for different teams to coordinate work of new server upgrade and
application deployment, including Development, Testing and production tasks.

Monitoring and controlling the upgrade project

The key factor of the project was to strictly adhere to the scope which is smooth migration of
application Servers without requirement alterations including & not limited to functional &
performance requirements.

I acquired and improved upon many new technical and non-technical skills throughout my work term.
I acquired new knowledge in the area of Enterprise information systems, Different database
technologies, Sybase and DB2. I also brushed up my .Net, VB, Windows Server skills while
upgrading the applications. Most importantly, the work experience was very good which included
good fellowship, cooperative teamwork and accepting responsibilities.

Although I spent a lot of time learning new things, I found that I was well trained in certain areas that
helped me substantially in my projects. Many skills that I used in my projects, such as programming
style and design, were ones that I had acquired during my studies in Undergrad engineering in
Information Technology as well as current MBA. This report concludes with my overall impressions
of my work experience as well as my opinion of the Industrial Internship Program in general.

Index
I. Introduction
a. Description of the purpose of this project Project Background
b. Identification of the organization being studied
c. Brief description of the organizations mission and strategy
II. Background and Scope
a. Statement of work and Project description
b. Strategic alignment and scope
c. Project success and constraints
d. Project assumptions and Risks
III. Description of Initiative
a. What you did
b. General Manual for Factory Developers for remediation (Prepared by Rahul Bhosale)
IV. Outcome(s)
a. Plan for collecting Tangible & data-based results of my intervention
b. Feedback from the manager to whom this report is directed
V. Reflections
a. Organizational impacts
i. Business need
ii. Business impact
b. Career impacts & lessons learned
c. Work Experience
d. Applying My University Skills
e. Recommendations for the future
VI. Conclusion
VII. References

I. Introduction
a. Description of the purpose of this project Project Background
Freddie mac maintains about 500 apps including Desktop based, Citrix based, Web based and
platforms including .Net, Webmethod, Weblogic JAVA and C++ on Windows server and Unix
servers. All of the Freddie mac windows servers are running on Windows Server 2003 operating
system which is subject to terminate service support end of the year 2014. Due to which the Windows
applications are forced to upgrade from 2003 to 2008 or 2012 according to existing application
compatibility thereby eliminating the need of upgrading codebase of existing applications which
would increase project budget enormously.

b. Identification of the organization being studied (Freddie Mac)

Freddie Mac was chartered by Congress in 1970 with a public mission to stabilize the nation's
residential mortgage markets and expand opportunities for homeownership and affordable rental
housing. Their statutory mission is to provide liquidity, stability and affordability to the U.S. housing
market. Freddie Mac participate in the secondary mortgage market by purchasing mortgage loans and
mortgage-related securities for investment and by issuing guaranteed mortgage-related securities,
principally those called PCs. The secondary mortgage market consists of institutions engaged in
buying and selling mortgages in the form of whole loans (i.e., mortgages that have not been
securitized) and mortgage-related securities. Freddie Mac does not lend money directly to
homeowners.

c. Brief description of the organizations mission and strategy

In 1970, Congress created Freddie Mac with a few important goals in mind:
1. Make sure that financial institutions have mortgage money to lend
2. Make it easier for consumers to afford a decent house or apartment
3. Stabilize residential mortgage markets in times of financial crisis

To fulfil this mission, Freddie Mac conducts business in the U.S. secondary mortgage market
meaning Freddie does not originate loans and works with a national network of mortgage lending
customers. Freddie has three business lines:
1. Single-Family Credit Guarantee Business for home loans
2. Multifamily Business for apartment financing
3. Investment Business portfolio
Through these business lines, Freddie plays a critical role in financing affordable housing for
America's families. (About Freddie Mac).

II. Background and Scope

a. Statement of Work
The ITS Factory Remediation project is to remediate identified applications to meet their middleware
and database component target states. In addition, project remediates Security risks that exist as a
result of the Information Security Fortify tool findings. (Poole J., Gill K., 2014).

Project Description
The objective of this project is to remediate the applications running on component software that is
either not currently supported by the vendor or will be out of support by December 2014. The
following is a list of the target component software as of the approval of the Business Case:

Component Source

Target

DB2 versions 9.7 and below (non-SOX

DB2 v10.1 / RHEL 6.4
application)
Database

Oracle versions below 12c

Oracle 12c / RHEL 6.4

Sybase 15.0.3 and below

Sybase 15.7 / RHEL 6.4

MS SQL Server 2000

MS SQL Server 2012 / Win Server 2012

Middleware Apache all versions from ERS/SpringSource

Pivotal Apache v2.4 / RHEL 6.4

Tomcat all versions from ERS/SpringSource

Pivotal Tomcat V8.0 / RHEL 6.4

WebLogic versions below 10.3.6

WebLogic v10.3.6 / RHEL 6.4

webMethods versions below 8.2.2

webMethods v8.2.2 / Solaris 10 VM

JDK versions below 7

JDK 7
(Standalone Java apps & Tomcat apps)
Windows Server 2012/ 2008 per application
OS

Windows Server 2003

need
Table 1: List of target component software. (Poole J., Gill K., 2014).

b. Strategic Alignment
This project will reduce operational and security risk by upgrading applications to vendor supported
versions and by resolving commonly exploited security vulnerabilities resulting from out of support
vendor products. (Poole J., Gill K., 2014).

Project Scope
The project utilized established Factory model for the targeted applications remediation. Project
leveraged lessons learned from the prior implementations to efficiently leverage development tools,
testing strategies, and implementation processes to best accommodate efficient implementation and
deployment. (Poole J., Gill K., 2014).
In Scope:
1. Complete a planning process to analyze target applications to identify dependencies and
group applications as Packages of work that can then be assigned to the factory teams
2. Target the remediation of the middleware and database components for applications
3. Upgrade and perform risk-based testing of the applications that are in scope for this project
4. Remediate the Security Vulnerabilities identified as a result of Fortify scans
Out of Scope:
1. Application changes to business functionality or logic
2. Full regression testing of each application (Risk based testing to be used to reduce cost)

3. Apart from Fortify findings, scope for remediation does not include fixes for other security
audit findings (e.g. insecure FTP), previously existing non-compliance with BSC or TCM
standards, technology transformation (i.e. Sybase to MS SQL), previously existing issues or
known application defects (Janakiram A.).

c. Project Success
1. Successful upgrade of application component software to vendor supported version
2. Applications unable to deploy to production prior to 12/31/2014 due to the EOY blackout will
be counted as complete for the purposes of measuring the success of the project (Project
resources will be responsible for deploying the application once the EOY Blackout is over)

Constraints
1. Key application SME and Business resources may be unavailable due to higher priority
projects.
2. Risk based testing will be utilized based on the previous experience using the factory model
3. Other independent project schedules may cause a delay

d. Assumptions
1. Project team will only upgrade database and Middleware components
2. Project team will conduct risk based baseline and acceptance testing; for Sybase upgrades
full regression testing will be conducted.
3. Knowledgeable Business and BIO SMEs will be available to support the factory team as
allocated in Planview

4. As part of the Factory remediation process all application components will be upgraded to
the target states identified in Section 1.2 (excluding applications where it is not
technically possible to upgrade without a complete code re-write)

Risks:

# Risk Area

Likelihood

Risk Owner

Project Impact-Mitigation Plan

1 Resource

High

Project Managers

Applications will go thru a sequencing process that will

Availability

identify dependencies and resource constraints.

If

mitigation plans cannot be identified the application will

be replaced under later waves to be remediated upon
resource availability.
2 Coordination

Medium

Project Managers

Applications will go thru a sequencing process that will

identify dependencies and project/other development
effort constraints.

If mitigation plans cannot be

identified the application will be placed under later

waves to be remediated upon constraint resolution.
3 Scope

Low

Control

Project Managers

Process improvements, remediation complexity and

lessons learned from the previous implementations will
determine the level of testing for each application.

Table 2: RMMM plan matrix. (Poole J., Gill K., 2014).

III. Description of Initiative

a. What you did
I worked in Factory team for Windows line on Single and Multifamily Family Apps. The
Factory is responsible to upgrade 500 apps, Servers & Middleware as mentioned in the
objective. My role was to make the code upgrades and supervise the TCS development team,
Windows server upgrade from 2003 to 2008/2012 and ensure the seamless execution and
quality as per the Freddie policies. Then approve the build and send it to the QA. As an in
charge, Apps must be approved by me to be shipped to PROD server. I was responsible for
documenting Legendary Remediation Questionnaire (LRQ), Implementation, testing

strategy and test cases. Attending daily discussion meetings with developers, Tech Lead &
PM; weekly meetings with PM, business users, SME, QA, DBA and developers, leading kick
offs, owning and directing the application upgrade project.

b. General Manual for Factory Developers for remediation (Bhosale R. v1.1)

1. Get the documentation of the application

a. Docs: Ops Guide, LRQ, reference material, technical manuals, existing Test cases/test data
b. POCs and Sources: SME (Primary), PM, Tech Lead, ISO, BIO, ACR coordinators, DBA,
QA, QA Lead, other developers, Existing/Past Waves,
2. Prepare LRQ. Fill as much info as possible. To fill this info use above Docs, Sources and POCs
3. Record all IDs/Groups that are required to get access to the servers, databases, application
(OSSA), record them into appropriate TAB and column/row. Record the password expiration
method by asking SME (ex. 90 days manual reset). Do not record password in LRQ, make
personal note of it.
4. Get insights of the application/system. Engage SME, request for DEMO
5. Place all required MAC requests for:
a. All required IDs/ AD groups
b. Required database access/adding user into database (Sybase/DB2/SQL etc.)
c. Access to existing DEV/SIT/UAT hosts (Not PROD)
d. ClearCase and ClearQuest (if required to Check-in/Check-out code)
6. Install all required software on the local machine from Application Catalog. If the required
software is not in place, place DART request. Even the software is not in DART, contact PM
7. After getting access to ClearCase, create view using PuTTY. Do not create view using ClearCase
explorer. From ClearCase get the codebase.
8. Once the codebase is received, verify it whether it is Prod version of code. Talk to Tech Lead
about the same. After verification, place ACR (Fortify scan) request for Pre- remediation fortify
scan. Save the Scan report as an Artifact in Analysis folder.

9. Meanwhile, access the existing boxes (UAT/SIT/DEV) check the configuration of the
application. Reflect it to the sandbox assigned to team for development purpose, if possible and
test the application runs. Make notes of the action to make sure you dont have any issues with
new servers.
10. Verify the LRQ is up to date and has all required information to build a server. Place build
request for new servers to assigned engineer from ISO team. The build request process work as
follows:
a. ISO team takes request from developers/Factory teams one by one and build servers in FCFS
basis or as instructed/prioritized by PM
b. They first build DEV box for all, then go for UAT/SIT/Test (only one of these then rest) and
finally PROD. The number of environments/boxes for one application under one category
(DEV/UAT etc.) is all build first before moving to another application.
11. Obtain Implementation plan from SME
12. Prepare requirement document (if any) by working with appropriate teams
13. Once all information required for application configuration on new servers is in hand and the
DEV box is ready, start placing requests to appropriate teams for appropriate tasks. Ex. SSH
configuration, Installation of required Client software, publish the application to Citrix etc.
14. Meanwhile, testing team will plan and present Test strategy. Typically there will be two cycles
of test
a. Test Cycle 1 Pre-Remediation testing will be performed as Test Cycle1 on the current
platform (ex. Windows 2003) to capture expected results
b. Test Cycle 2 Post-Remediation testing will be executed as Test Cycle 2 to capture actual
results, once the build is moved to upgraded platform (assigned target windows version)
15. Give the application access to assigned tester from Testing team for Pre-factory baseline on DEV
environment.
16. Let Business users have access and does the functionality test on application. Once both tests are
done and approved by relative authorities/SMEs, go for UAT/TEST/SIT whichever applicable
and repeat the same with appropriate level resources.

17. Once everything is in place, request Prod implementation. There is nothing developers do on
Prod, nor do they have any access to it. We need to place all required requests to do the
implementation. The developer/factory team is on standby for the Ship stage.

IV. Outcome(s)
a. Plan for collecting Tangible & data-based results of my intervention
1. Legacy Remediation questionnaire (LRQ): The LRQ is the entry and exit point document for
Factory team to start the application remediation. Each application has its LRQ owned by
each developer. The LRQ has Business usage, Business and technical POC, Application,
Technology, Platform, Environment (Servers, Network), Codebase (ClearCase, SourceSafe),
Active Directory, Security and Storage details in Current and future state. The Application
developer is accountable to collect data from Intel Server Operations (ISO), Business
Information Office (BIO), Web Infrastructure operations (WIO), Database Support Team
(DBA), Subject matter expert (SME) and business users. The output of LRQ current state is
provided to Engineering team, Quality Assurance (QA) team and others to build environment,
implementation and production support. The new environment build details are then stored
back to LRQ future state as output documentation of Remediation project.
2. Tangible output of the project is new Production and Non-production environments (Servers)
ready to handover to Business users and Technical owners of the applications.
3. The data collection strategy is simple. In application intake phase developer is accountable to
coordinate with various team, collect data. In production the developer is responsible to input
all details in LRQ as future state.
4. The success of project is determined by QA test effort. Existing regression test cases are
utilized. If any changes are necessary to the code as part of the remediation, additional test
cases are developed, they are reviewed and required approvals are obtained prior to test
execution from Application SME / Business SME. QA team performs Risk based testing. Test

results are reviewed and approved by Business/BIO stakeholders upon completion of test
execution. Business users provide Sign-off on Test Results from cycle 2.

Entrance Criteria
1. Business Approval for Test Plan/Test cases is received.
2. Baseline of Expected Results are captured and documented
3. Existing environments identified for the applications will be available for the entire duration,
needed to perform the pre/post upgrade testing.
4. All the Test Data requirements are complete, for ex: database backups, sample input files.
5. INFOSEC has completed Pre-remediation Fortify scan.

Exit Criteria
1. No new open S1/S2 and S3 defects
2. Any new open S4/S5 defects can be deferred based on the business approval.
3. Test Results from Test Cycle 2 have been reviewed and approved by the business.

Regression Testing
1. Two test cycles will be executed to perform Regression testing for the impacted functionality:
a. Test Cycle 1 Pre-Remediation testing will be performed as Test Cycle1 on the current
platform (Windows 2003) to capture expected results
b. Test Cycle 2 Post-Remediation testing will be executed as Test Cycle 2 to capture actual
results, once the build is moved to upgraded platform (Windows 2012)
c. Test Results from Cycle 2 will be compared with the Cycle 1 baseline

expected results to

ensure that existing functionality is not impacted.

2. If there are output reports, files or emails with text or attachments, QA team will compare the pre
upgrade and post upgrade outputs to validate that there are no differences.

3. If the application does not have any output files or reports, QA Team will identify the tables (with
the help of BIO/Business SMEs) that are impacted due to the processes and verify the data
between pre and post upgrades is a match

Functional Testing
1. For the bug fixes identified, the following functionality will be verified in SWLS Management
system during regression testing by comparing Cycle 1 Test Results with Cycle 2 Test Results.
2. Database validation will be performed prior and post remediation to ensure that fixes are good
and values are correctly populated

Security Testing
1. QA team will follow the similar approach of identifying the impacted functionalities and validate
that the application behavior does not change between pre and post remediation.
2. QA team will come up with test cases for Security Vulnerabilities such as Cross-Site scripting
reflected, System Information Leak, Password hardcoded if applicable
3. QA team will validate that the Security Vulnerabilities identified in Pre-remediation fortify scan
do not show up in the Final Governance Scan of the application prior to UAT sign-off.

various categories of security vulnerabilities identified in the SWLS Management fortify scan
(Includes total of 37 individual vulnerability occurrences from Fortify Assessment Report
baseline)
Category
Buffer Overflow
Dangerous Function: strcpy()
J2EE Misconfiguration: Excessive Session Timeout
J2EE Misconfiguration: Missing Error Handling
Log Forging
Log Forging (debug)
Missing XML Validation
Often Misused: File Upload
Password Management: Password in Configuration File
Race Condition: Singleton Member Field
System Information Leak: External
Trust Boundary Violation
Unreleased Resource: Streams

Findings
4
4
1
1
6
1
1
1
3
8
2
2
3
37

Functionality
NF
NF
NF
NF
NF
NF
NF
NF
NF
NF
NF
NF
NF

Test Plan

b. Feedback from the manager to whom this report is directed

See attached files Feedback form

V. Reflections
a. Organizational impacts
i. Business Need

As a condition for closing MRA #136, Freddie Macs Management has implemented an
ongoing program (IT Sustainability) to maintain the Infrastructure and comply with Freddie
Macs reference architecture.

Remediate vulnerabilities identified by Fortify Scans to address Information Privacy and

Internal Audit Review

ii. Business Impact: The Windows Remediation Project has two significant impacts on
the company.

Security remediation: The mentioned password sniffing vulnerability is eliminated.

Windows upgrade: By upgrading all 1600 Windows 2003 Servers to Windows Server
2008/2012 depending on application compatibility, Freddie mac saves cost of $10,000/per server for extended duration but limited technical support by Microsoft per year. The
project cost nearly 10-20% of total support cost.

b. Career impacts & lessons learned

The Internship program was quite beneficial for me. It helped me in improving my various
technical and managerial skills and enhanced my knowledge in new areas.

I gained new knowledge in the area of Databases and Distributed Databases, the various
issues involved and mechanisms in these systems etc.

By studying Enterprise systems, I also learnt that how database products function and
implemented and what is the various issues one need to be aware of while looking for
Information Management solutions.

I got some insight into a how a finance field looks like and what are the various things which
need to be done initially like requirement analysis, survey of existing solutions etc.

After working for many years as an entrepreneur, very first time I worked in an Fortune 100
company at mid-level position. I learned how to work under someone while utilizing my
coordination and management skills in association with technical talent.

c. Work Experience
My internship was satisfactory in terms of work environment and Technical requirements. The team I
worked with was very friendly and helped me a lot in all my efforts. Enhanced experiences include

Teamwork

Coordination

Project management

In these projects 4-5 teams worked together thus providing enough opportunity for proper teamwork
and coordination. This was a good experience for me as the team was very cooperative and
understanding. At some point some teams, due to very busy schedule and very small % contribution
assignment, becomes aggressive, in such situation being a good communicator and mediator, I
managed to calm them down and get the work done.

Responsibility and keeping commitments

The importance of honoring commitments and time of others was an important thing, which I learnt as
a summer Intern. Especially, while working as a team it is very important to keep these points in
mind.

d. Applying My University Skills

My education at CSU Chico and University of Mumbai was very helpful in my Internship. Structural
acadeical base to my existing management and leadership skills were very helpful in project
coordination. The courses Data structures and Algorithms, Computer Programming and
Middleware and enterprise integration technology were especially helpful in this regard.
Course on MINS 526 (Business Intellegince and Data warehousing) from CSUC and Data
warehousing, Mining and BI and Advance database technology from university of Mumbai were
also very helpful as it covered some database concepts which were required in understanding database
management and connecitivity of Sybase databases.
The courses MGMT635 (Management of People and organization) and BADM 647 (Leadership,
Globa ethics and corporate resposibility) were especially helpful in this regard when working with
non-public private data of millions of customers.
Course on MKTG 673 ( Strategic Marketing) was also very helpful as it covered concepts of intial
research of a marketing which I applied in our project for the research and developing LRQ.

e. Recommendations for the future

Freddie mac has 1600 Windows Server 2003 for 500+ different windows application containing
various programming language including VB5, VB6, JAVA and so on, and various Component offthe-shelf (COTS) Product. Currently we only migrated over 40 PROD and Non-PROD server for 5
financial and 3 non-financial non-SOX applications.

VI. Conclusion
Thus working in a Fortune 32nd company in Information technology with different teams such as
Business users, information technology and security, engineering solution providers and DBA was an
pleasant, enjoyable and helpful experience.

VII. References

About Freddie Mac. Retrieved from

http://www.freddiemac.com/corporate/company_profile/our_business/?intcmp=AFCP
OB

Bhosale R. (2014, September 18). General Manual for Factory Developers for remediation,
Department: IT/Delivery Services Factory team
Bhosale R. (2014, October 8). LPTS application initial research on Remediation state, target
and alternatives. Department: IT/Delivery Services Factory team
Freddie Mac Learning center glossary (n.d.). Retrieved from
http://www.freddiemac.com/learn/lo/glossary/
Janakiram A. (2014, October 7). Application Management Factory - Windows Upgrade Test,
Department: IT/Delivery Services Factory team
Poole J., Gill K. (2014, April 17). Project Charter & Scope (P1264 ITS Infrastructure
008818), Department: IT/Delivery Services Factory team
Robbins J. (2001, April 13). Getting started reverse engineering. Retrieved from
http://www.codeguru.com/cpp/vs/debug/reverseengineering/article.php/c4413/Getting-Started-ReverseEngineering.htm
The Loan secondary market brief overview (n.d.). Retrieved from
http://www.goodmortgage.com/Learn/Rates/Why_Are_Loans_Sold.html