Web Site Requirements
Web Site Requirements
Table of Contents
TABLE OF CONTENTS ............................................................................................................................. 2 INTRODUCTION ........................................................................................................................................ 4 1 PURPOSE................................................................................................................................................... 4 2 SPONSOR, CUSTOMERS (USERS) AND OTHER STAKEHOLDERS ................................................................. 4 3 SCOPE ....................................................................................................................................................... 4 4 CONSTRAINTS ........................................................................................................................................... 4 5 DEFINITIONS, ACRONYMS AND ABBREVIATIONS...................................................................................... 4 Business Terms ....................................................................................................................................... 4 Technical Terms ..................................................................................................................................... 5 Program and Database Naming Conventions ........................................................................................ 5 6 ASSUMPTIONS .......................................................................................................................................... 5 Need to be investigated........................................................................................................................... 5 Unable to confirm................................................................................................................................... 5 Fact......................................................................................................................................................... 5 FUNCTIONAL REQUIREMENTS............................................................................................................ 6 1 USER CHARACTERISTICS .......................................................................................................................... 6 Actors...................................................................................................................................................... 6 2 FUNCTIONAL REQUIREMENTS .................................................................................................................. 7 Web Pages .............................................................................................................................................. 7 Reports.................................................................................................................................................... 8 External Interfaces ................................................................................................................................. 8 3 DATA REQUIREMENTS .............................................................................................................................. 8 Business Objects ..................................................................................................................................... 8 High Level Business Object Model......................................................................................................... 8 Class Hierarchy...................................................................................................................................... 8 Legacy Data............................................................................................................................................ 8 NON-FUNCTIONAL REQUIREMENTS.................................................................................................. 9 1 CODING STANDARDS ................................................................................................................................ 9 Coding Style............................................................................................................................................ 9 Permitted Technologies .......................................................................................................................... 9 Restricted Technologies.......................................................................................................................... 9 2 GRAPHICAL USER INTERFACE (GUI) GUIDELINES ................................................................................. 10 Page Size .............................................................................................................................................. 10 Page Layout.......................................................................................................................................... 10 Graphics ............................................................................................................................................... 10 Text ....................................................................................................................................................... 11 3 CONTENT ................................................................................................................................................ 11 4 NAVIGATION .......................................................................................................................................... 11 5 USABILITY AND ACCESSIBILITY ............................................................................................................. 11 6 CULTURAL AND POLITICAL .................................................................................................................... 12 7 PERFORMANCE ....................................................................................................................................... 12 8 CAPACITY, SCALABILITY AND MAINTAINABILITY.................................................................................. 12 9 RELIABILITY AND AVAILABILITY ........................................................................................................... 12 10 COMPATIBILITY, PORTABILITY AND OPERATIONAL ENVIRONMENT(S) ................................................ 13 Production and Acceptance test environments ..................................................................................... 13 Demonstration and System test environments ...................................................................................... 13 Development and Unit test environments ............................................................................................. 13 Client-side environments ...................................................................................................................... 13 11 BACK-UPS AND DISASTER RECOVERY .................................................................................................. 14
Page 2 of 21
12 FILE AND DATABASE INTEGRITY .......................................................................................................... 14 13 AUDIT ................................................................................................................................................... 15 Web Site Access .................................................................................................................................... 15 Web Application ................................................................................................................................... 15 Database (SQL Server)......................................................................................................................... 15 3rd Party Endorsement .......................................................................................................................... 15 14 SITE SECURITY ..................................................................................................................................... 15 Firewalls............................................................................................................................................... 15 DMZ Server Operating System (Windows 2000).................................................................................. 16 Intranet (Non DMZ ) Server Operating System (Windows 2000)......................................................... 17 DMZ Services e.g. Web Server (IIS) ..................................................................................................... 17 15 APPLICATION SECURITY ....................................................................................................................... 17 Client .................................................................................................................................................... 17 Internet Transmission ........................................................................................................................... 18 Web Application ................................................................................................................................... 18 Database (SQL Server)......................................................................................................................... 18 16 LEGAL .................................................................................................................................................. 19 17 MARKETING ......................................................................................................................................... 19 FUTURE ENHANCEMENTS................................................................................................................... 21
Page 3 of 21
Introduction
1 Purpose
In order to be competitive in the US Brokerage market, B&D feels that it needs to be able to offer it's existing and future clients the opportunity to trade US equities online. This project's goal is provide a basic online trading Web site (which can be enhanced in the future) ASAP. Note, This document is based of the IEEE 830 standard for Software requirements and describes the desired product, but does not attempt to specify the details of when, who or how much the product will be built, this information is covered in the corresponding project planning documentation.
3 Scope
See the associated "B&D Online Business Processes" document, which outlines the processes (computer and manual) that will need to be put in place for the B&D Online Web site to be implemented. Also, the associated "B&D Online Context Diagram" (in PowerPoint 97/2000) provides a high level overview of how all of the processes are dependent upon each other
4 Constraints
Total costs for the development and running of the Web site for the first year must not exceed $10 million A prototype of the Web site must be demonstrable within 1 month of project initiation The Web site must be operational within 2 months of project initiation The Web site will be free to existing clients Clients will not be willing to install personal certificates, personal firewalls nor be willing to authenticate themselves using some sort of biometric device or smartcard The project will have to be resourced with B&D's existing staff
Page 4 of 21
Technical Terms
See B&D's IT glossary for a list of technical terms/acronyms used in the B&D Online product that are not normally found in "everyday" language, but will be referenced within this document e.g. ASP - The term "ASP" has 2 distinct meanings - Microsoft has a technology (Active Server Pages) that allows developers to develop dynamic Web sites quickly. An industry term to describe companies (Application Service Providers) that offer individuals or enterprises access over the Internet to application programs and related services that would otherwise have to be located in their own personal or enterprise computers
Unable to confirm
Assumptions that can not be investigated until after the project is complete (if ever) More people will use the B&D Online Web site, if the Web site does not require the viewer to enable cookies During the first year of operation, the B&D Online Web site will not need to be ported to another ISP and/or system software platform e.g. Unix or 2 tier Windows NT Initial peak load is expected to be 10 concurrent users, with each user requesting a new page every minute Clients will be unwilling to install client-side certificates and would object to B&D probing their machines to read "private" information e.g. MAC address (Ethernet card), CPU serial # (Pentium III chips), O/S serial #'s or Network node names
Fact
As of this month 90+% of B&D's "Brochureware" Web site visitors use Microsoft 4.x (or higher) or Netscape 4.x (or higher), only 2.5% are AOL users A significant percentage (10%) of B&D's exiting clients spent a significant portion of their time outside of the U.S.
Page 5 of 21
Functional Requirements
1 User Characteristics
The associated series of Use Case descriptions (Word 97/2000) and Use Case diagrams (PowerPoint 97/2000) specify, the interactions between the Actors (Customers, Internal Admin and/or other Computer systems) and the parts of the previously documented "B&D Online Business Processes" that will be directly supported/implemented by the B&D Online Web Site.
Actors
The list of Actors would potentially include: Novice/First time investors Novice computer/Internet users Techie users Day traders Savvy/Experienced Investors Passive investors - no trading Financial newspaper readers Foreign/International investors Competitors clients Potential new B&D clients Existing B&D clients Investors with poor vision External mutual fund managers B&D analysts B&D brokers B&D employees B&D senior management B&D securities auditors B&D webmaster Other B&D computer systems (legacy systems) Other companies Webmasters Business partners (including ISPs) and supply chain vendors Business partner employees CEOs and CFOs of companies that are traded Analysts at other research firms Stockbrokers at other brokerages Tax accountants Trade press/Media (Reuters, PRNewsWire, BusinessWire etc.) Web site raters/critics Small business owners, CFOs, 401k, ESOP administrators/trustees (Legal) Regulators (e.g. SEC, IRS) and B&Ds Internal legal department External auditors (e.g. CPAs) Lawyers (e.g. class action) Hackers Competitors Children/Student - school/college research projects to bogus accounts Potential new hires B&D customer service/tech support B&Ds Testing (Diagnostic) team Search engines Agents - computers from other companies
Page 6 of 21
Note: Many of these potential actors could be merged if their site usage turned out to be the same
Page 7 of 21
Reports
For each required Report, see the associated "Report floorplan" and supporting description (in PowerPoint 97/2000).
External Interfaces
For each interface to an external system, see the associated interface specification and supporting description (in Word 97/2000).
Class Hierarchy
The associated "B&D Class Hierarchy" diagram (in PowerPoint 97/2000) shows the relationships between the Object classes that are used to insatiate instances of the Business Objects.
Legacy Data
The new B&D Online Web site must be integrated into the existing back office legacy (Mainframe) stock trading applications.
Page 8 of 21
Non-Functional Requirements
1 Coding Standards Coding Style
Visual Interdev 6.0 will be used to code all source code All Web pages should be W3C HTML 4.0 compliant All HTML code must should be Bobby Level 1 (cast.org) Accessibility compliant All Client-side scripting should be W3C JavaScript 1.2 compliant All Style Sheets should be W3C CSS Level I compliant, CSS Level 2 extensions are not to be used No proprietary (Microsoft or Netscape) HTML/JavaScript/CSS tags are to be used All server-side scripting should be coded in VBScript 5.0 All Database calls should be coded with SQL via ODBC. All development/testing source code will be document/commented with standard module headers (thereby making maintenance/debugging easier), especially for server side includes e.g.: Module name Original author Date initially written Language and version B&D Copyright Enhancements/changes log - who/when/why Note: For performance and security reasons, the production version (as seen by the user) will not contain this information (with the exception of the copyright, which should be placed in the "Copyright" meta tag). Where possible HTTP- EQUIV Meta tags are to be avoided (some browsers no not support this type of Meta tag) No absolute links are to be used for internal Web pages All client-side edit checks are to be redone on the server-side (since the user could turn off the client-side scripting language) Application error messages should be informative to the client, but no so descriptive as to useful to a hacker trying to figure out the internal workings of the application
Permitted Technologies
In addition the technologies implicitly permitted in the Coding Style section and other sections of this document, the following technologies are also permitted: Cookies (session and persistent - no expiration date) Server Side Includes (SSI and XSSI) Tables (nested tables may be used) Forms JavaScript Pop-ups Note, the Web site should degrade gracefully if the clients browser does not support any of these technologies.
Restricted Technologies
Client-side Java Applets/Servlets, Java Applications or ActiveX controls. This diminishes the benefits of signing the code, therefore developers will not be required to sign the code Server-side Java Beans (EJB), Java Servlets, Java Applications or ActiveX controls Framesets
Page 9 of 21
Java Style Sheets (JSS) are not to be used CGI scripts No Mailto's are to be used (all contact will be via Forms) XML vocabularies are not to be used (this may be reviewed in future release) WML will not be directly supported in the initial release rd No client-side Plug-ins (3 party or B&D developed) will be required Multiple domains will not be used, the entire contents of the Web site will reside within a single domain
Page Layout
The B&D corporate color palette will consist of 16 core "browser safe" colors (including white and black) No page should use more than 256 colors (including dithering colors) White should be used as the default background color Today's date will be displayed on each Web page (Tuesday, September 05, 2000 format) B&D Copyright will be displayed at the bottom of each Web page All page component sizes should be specified by a % of the page, rather than an absolute # of pixels All dropdowns controls should by default be sorted alphabetically and be wide enough to view all probable selections
Graphics
.jpg's are to be used for photographic images and should be compressed to the smallest size possible while maintaining a clear picture, use of the progressive feature should be avoided (they are not supported by 2.x Browsers and are problematic in some 3.x versions) except for exceptionally large files. .gif's (currently do not use .png's) are to be used for non-photographic images Where possible all image files should be composed of 8x8 pixel blocks (gif's are downloaded in blocks of 8x8 pixels) All image files should use a DPI of 72 No .gifs should use more than 16 colors (including differing colors) the main colors should be selected from the B&D corporate palette and "saved as" with as few colors as possible .gif's may be saved with Transparency but should not be interlaced Sponsor logo gifs must be 125x125 pixels in size (in advertising lingo this is refereed to as an industry standard "Square Button") and use no more than 16 colors All graphics must be assigned an <ALT> tag
Page 10 of 21
Maximum of 1 animated image per page (more than one .gif file is permitted if they are visually located next to each other, thereby appearing to the viewer to be a single animated area) Client-side image maps can be used to improve download times, but Server-side image maps are not to be used
Text
All text will use the B&D corporate Cascading Style Sheet (W3C CSS level 1), named bd.css Assume only proportional fonts are to be used. No fixed-width fonts are to be used No Embedded fonts are to be used No tiny fonts are to be used i.e. point size < 8 No obscure fonts are to be used e.g. Haettenschweiler All Dates, Telephones #, Addresses and Currency amounts should be displayed using standard U.S business formats e.g. mm/dd/ccyy or ccyy format, however input fields should be able to accept international variations e.g. alphanumeric postal codes
3 Content
All text (Initial release) must be in U.S. English - No Spelling mistakes are permitted The narrative content of any edited article should be understandable by a viewer with a reading age between 16 and 25, lower than 16 and the average investor may find the article too simplistic, higher than 25 and a significant percentage of viewers may find the article too challenging Real time data (e.g. stock quotes) should typically not be more than 30 minutes old No content that is copyrighted or trade marked by another organization is to be used without explicit written agreement by that organization Non real time content will be updated daily (e.g. Market news articles)
4 Navigation
All links will use browser default colors Each page must have a meaningful page name and be Bookmarkable The Site map must match the actual Site Navigational Hierarchy The bdonline.com Web site should be available using either http:\\www.bd-trade.com and/or http:\\bd-trade.com There should be no internal broken links The Web site should have a customized (user friendly) error page e.g. 404 page not found Internal URL links should reuse the existing Browser instance (the exception would be any help pop-up Windows) External URL links should spawn a new Browser All Web pages should be reachable within 5 clicks of the Home page (using a scroll bar counts as a click), excepts include pages that are part of a multi page transaction and should not be reached without traversing other pages within the transaction
Page 11 of 21
The Web site must explain B&D's policy of privacy (the legal department is currently working on this) The Web site's Browser requirements must be posted e.g. 4.x (or higher) generation of browser JavaScript, Session Cookies are required - persistent cookies, style sheets, 800x600 resolution (min), 256 colors (min) recommended for optimal performance The Web site should be Bobby Level 1 (www.cast.org/bobby/advanced.html) Accessibility compliant Mandatory data entry fields may be flagged with a visual cue e.g. highlight in red The Web site should be intuitive - Once the Web site goes live, if more than 10% of the emails received by B&D are from viewers having trouble using the Web site, the Web site will be deemed to be non-intuitive and would become a candidate for redesign
7 Performance
When accessing any not database Web page from anywhere in the continental 48 states, 95% of the pages requested (while the Web site is up) during U.S business hours (m-f 8-9 EST) using an average PC with a 28.8kb modem that is connected to a tier 1 ISP and a 5.x generation MS IE/Netscape Windows based Browser must completely load within 10 seconds The requirement for database orientated Web pages is 20 seconds
Page 12 of 21
B&D Online Web site Requirements Specification 90% update during non-core hours Mean time to repair (MTTR) 1 hour Maximum one 10 hour plus outage per month Server memory leakage's must not exceed 10k per day External broken links should be detected and fixed/removed within 24 business hours
Client-side environments
Web pages should be accurately rendered by all on the U.S. general release versions of the following Browser software: Netscape Navigator 4.0 and 4.x (where x is the last release) MS IE 4.0 and 5.x (where x is the last release)
Page 13 of 21
Running any of the following U.S. general release client Operating Systems: Windows 95 nd Windows 98 2 Edition Windows Millennium Windows NT 4 Workstation (no support packs) Windows 2000 Professional Note: Y2K upgrades may be installed Assuming Hardware is sufficient to efficiently run any of these combinations e.g. Windows NT will not be installed on a 486 machine
Page 14 of 21
Web Application
Audit trails in accordance with regulatory guidelines will be implemented. These application audit trails will be initially maintained within the database and subsequently migrated to an off-site medium, where they will be stored for a minimum of 7 years (unless regulations require otherwise).
14 Site Security
The Bdonline Web application will installed on to a collection of servers and network connections collectively known as the Web site. To ensure that the security mechanisms built into the Web application cannot be circumvented, it is extremely important to ensure that the Web site upon which the Web application is installed is itself secure. Therefore the standard security policy used by B&D for any server/network that is connected to the outside World will be implemented. The following is a summary of the Web centric portions of this policy:
Firewalls
The Web site will implement a standard 2-layer firewall. The first layer will be a network level (packet filtering) firewall designed to protect the Web server and any other servers that need direct access to the Internet. The second layer will be an application level (proxy server) firewall designed to provide extremely tight security even if performance is impacted. The area between the two-firewall layers is typically referred to as a Demilitarized zone or DMZ. Basic access control requirements (rules) for the first layer include: Only TCP/IP traffic is permitted, non-IP and UDP/IP traffic should be dropped
Page 15 of 21
Any inbound IP packet that claims to have originated from a machine located within the Web site or intranet should be dropped Any outbound IP packet that claims to have originated from a machine not located within the Web site or intranet should be dropped Any inbound IP packet that is destined for any machine other than a machine within the DMZ should be dropped Only requests to/from port 80 (HTTP), 443 (HTTPS) or 21 (FTP) are to be permitted, all other requests are to be dropped Any vendor default user IDs, passwords or remote login capabilities have been disabled The default router banner has been replaced with a B&D legal notice
Basic access control requirements (rules) for the second layer include: Only TCP/IP traffic is permitted, no non-IP or UDP/IP traffic Only traffic that originated from a DMZ machine is permitted into the intranet Only traffic intended for a machine in the DMZ is permitted to exit from the intranet IP application and port combinations that are permitted include: HTTP (80), HTTPS (443), SMTP (25) and NetBios (135-139) Any vendor default user IDs, passwords or remote login capabilities have been disabled The default router banner has been replaced with a B&D legal notice In addition, B&Ds ISP will be contacted to determine what capabilities the ISP has in place to minimize the effect of a denial of service attack on B&Ds Web sites and weather any of the ISPs routers that are up-stream from the B&D Web site can be configured to act as an additional network layer firewall.
Page 16 of 21
The machines internal IP address resolution tables should not contain entries for any machine located on the intranet. The entries for the firewalls and other DMZ machines should be static and not modifiable remotely DMS transfers should be prohibited All files hosted on each server will be scanned for viruses before they are made available to the public An Intruder Detection System (IDS) should be installed; since it is fairly safe to assume that these servers will be attacked regularly, rather than setting off a warning several times a day, the IDSs automated notification will be set to a low sensitive setting
A Honey Pot server will be set up in the DMZ, this server will have limited hardware resources and will not be connected to the intranet (even through the proxy server). However, some of the security settings on this machine will be lax and its banner and directory structures will make it appear to be a server used by the testing department. In reality, the entire machine will be configured to act as one huge tripwire.
15 Application Security
The overall security of the Web site will not be enforced using a single layer of protection, rather security measures will be adopted at all potential security breach points i.e.:
Client
The following procedures/techniques will be used to establish the "True" identity of the user attempting to access the B&D Online Web site via a Browser Clients must log on with a valid user ID and password before accessing the body of the Web site, the client will only be required to remember one user ID/password combination. The user
Page 17 of 21
id and initial password will be assigned by B&D, but clients will be able to change their password after successfully logging on to the system (see B&Ds security policy for further explanation of what constitutes a strong user ID and password) After 3 unsuccessful login attempts, the account will be locked out for 30 minutes User sessions should be timed out after 30 minutes of inactivity Clients will not be required to periodically change their passwords Client-side security will not rely on client-side scripting e.g. JavaScript (since the User could modify the code or even turn it off)
Internet Transmission
HTTPS/SSL will be used to ensure secure transmission of certain data sensitive pages. The associated Web page specification will specify which pages/page objects should and should not be encrypted. All HTTPS/SSL encrypted pages will use a 128bit key encryption Sensitive data will not be transmitted unencrypted, this includes cookies (session or persistent), hidden tags on an HTML form or via long URLs (e.g. using the HTTP Get command) The HTTP Post command (as opposed to the HTTP Get command) will be used to transfer all data to the Web site
Web Application
The following additional security checks should be built into the B&D Online application: The Web application should be robust enough to handle all "out of bounds" or buffer overflow input data (e.g. a client enters a value of 13 or 9999999999999999999999999 for a month) without relying on any client-side validation (which can be circumvented) Data input that contains inappropriate meta-character sequences will be discarded e.g. && No sensitive data (User id's, Passwords, Account #'s etc) should be persistently stored on the client and any sensitive data stored for the session should be encrypted Persistent cookies should expire after 6 months A parity check/checksum will be embedded into each cookie to ensure that it is not tampered with in transmission or while resident of the client machine Incorrectly formatted cookies and cookies from old versions of the Web site should be replaced wherever possible without requiring the user to resubmit the data contained in the cookie If a cookie becomes corrupted mid-way through a session, the user will be required to re login to reestablish their authenticity
Page 18 of 21
Information used to authenticate a client (e.g. mothers median name, social security # etc) who has forgotten his/her user ID/password will be stored in a separate database to the database containing the clients accounts.
16 Legal
Since B&D is incorporated in New York state and the Web site will primarily be hosted on servers residing in New York city, all New York City, State and U.S Federal Laws & Regulations must be complied with. In addition, because clients around the world may view the Web site, the Web site must comply with the Laws and Regulations on the municipality, states and countries that B&D may legally conduct a meaningful amount of business e.g. U.S and International copyright laws must be complied with Other organizations trademarks are only to be used with their written consent Tax/Regulatory commissions will be collected where appropriate
17 Marketing
Keyword and Description Meta tags (currently being defined by the Marketing department) should be used on all Public Web pages i.e. those Web pages that can be accessed without a valid login/password. All non-public Web pages should use: <meta name="robots" content="noindex,nofollow"> Within 2 months of the Web site going into production, the Web site should appear on the first results page of 8 out of 10 of the following Search Engines/Directories: Altavista AOL Netfind Excite HotBot InfoSeek Lycos Northern Light WebCrawler Yahoo Yellow Pages For 8 out of 10 of the following keyword searches: Brown +Donaldson Online +Trade Online +Trading Online +Broker Brokerage Stocks Buy +Stocks Stock +Quotes NASDAQ NYSE Within 6 months of the Web site going into production, the Web site should have at least 10,000 unique visitors per day with 50% of all registered clients visiting the Web site at least once per week The production Web site must be able to provide current and prior data on pages hits per hour/day/week/month The production Web site must be able to count "click-throughs" to sponsor Web sites (reporting should be via the web sites Web log analysis tool) The additional domain names should "point" to the xyz.com Web site: xyz.com
Page 19 of 21
Page 20 of 21
Future Enhancements
Possible enhancements that could be made to the Web site, but are currently consider out of scope e.g. Relevance and/or "fuzzy logic" search engine Support for multiple languages Support for video and or audio clips Wireless connectivity Chat events Low res/high res graphics option Utilize XML for data transmissions Replace CSS with XSL/ESL Expand audit trail and audit reporting Email to a friend feature Printer friendly feature
Page 21 of 21