Have you been to a physical marketplace (santhai)?

I have been hearing the term marketplace in different contexts. Most of the time I am not sure whether the speaker has been to a real physical marketplace.

Have you been to a physical marketplace? When young, I visited the physical marketplace (santhai) in Neyveli almost every week along with my father. Here is a nice blog on santhai


A physical marketplace is a location earmarked for buyers and sellers to come at specific times of the week and perform commerce transactions. A marketplace is different from a market. You see markets in Bangalore which are permanent structures for which the seller pays a monthly rent. This forces the seller to be present almost every day, across the entire day, awaiting the buyer to arrive and purchase.

NLC offered a place for small farmers with limited shelter to bring their farm produce and sell it to NLC employees, who were attracted by the chance to purchase fresh vegetables and fruits. The marketplace functions only on a few weekdays (Tuesday, Thursday and Sunday) in different corners of the town. Farmers paid a small daily fixed rent to use the roofed facility, and open areas were offered free. NLC facilitated the supply-demand equation to enable commerce between small farmers (sellers) and its employees (buyers), creating a physical marketplace. Salient features of the working of the marketplace (santhai) are

  1. Seller and buyer are at the santhai for a few weekdays, attracted by competitive prices, low overhead and the convenience of getting fresh produce.
  2. One can touch and feel the vegetable or fruit prior to purchase. Seller and buyer negotiate prices.
  3. There was no concept of home delivery. One needs to be present in person to buy or sell.
  4. Direct transactions between seller and buyer reduce prices. To add:
    1. No commission per transaction to NLC.
    2. No tax and no invoice for purchases, which are mostly fruits and vegetables.
  5. There is an element of negotiation, which I missed learning from my father.
  6. NLC neither funded sellers to come to the santhai nor gave discounts to buyers to arrive at the santhai.

At the marketplace (santhai), the economics of supply and demand works between buyer and seller. More demand and less supply of a product increases its price. Less demand and more supply results in a downward spiral of prices.

In a place like Trichy, there is a morning market (Kalai Santhai) in front of my parents' place. It works similar to the santhai of Neyveli, and the physical marketplace is owned by a merchants' association. No home delivery, no commission based on transactions and a small fixed rent.

In a physical marketplace, you are undoubtedly the customer for the seller and there are no other customers. The marketplace facilitates both seller and buyer on equal terms. The facilitation is not done to make money, nor is it funded by VCs.

Beyond the convenience promised and the issues of home delivery faced, it would be good to understand how similar eCommerce websites are to a marketplace. Are folks using the term marketplace from a marketing perspective?


Why should innovation always scale?

I started to observe shopkeepers doing business on the road and the plight of employees working in large shops. With no investors to back them, I think it is right to call them startups. Being aware that some of them are illiterate, with less exposure, I am fascinated with awe at their understanding of customer behavior, and observing them also made me ask this question: “Why should innovation always scale?”

At Chennai, walking down T.Nagar, I observed a roadside shopkeeper offering new fruit options to customers. Fresh mango was cut into pieces and offered in sachets for sale. Sale of whole fruits was also available, along with sachets of pineapple, gooseberry and jackfruit.
Food in sachets
I relished each sachet of fruit. On talking to one fruit-wallah, he shares that providing cut vegetables makes him sell more and offers better margins. He also adds that there is less negotiation and people are happier to get things conveniently and are less concerned about “value for money”. It looks like the shopkeeper is leveraging the convenience factor that is gaining importance today.

On my last few visits to Trichy, I saw a juice shop offering a new approach. They have neither bottled juice drinks nor Colas and Pepsis. Juices are made in large containers in the morning and sold in small glasses at Rs 5 each. On offer are a variety of fruit juices like lemon, pineapple and rose-milk. With the place and containers clean, the whole atmosphere looks hygienic.
juice in container
I find the approach useful for poor guys to get healthy drinks at an affordable price. Remember that a Coke bottle of similar quantity costs Rs 12 or more.

Let me complete with food startups in the ITPL area, Bangalore. Some days I order food from freshmenu for lunch and some days I visit the roadside food stalls in front of IT companies in the ITPL area. Fresh chapathi, parothas (south Indian) and omelette are made hot and sold on the road. The offer includes non-veg and veg curries prepared at his home. The quality of the food is evident from the crowd eating at the shop, and more evident when it drizzles and the crowd still stands and eats in the shade of a tree. It is like equality, where call center drivers and office boys eat along with people in formal clothes working in IT companies.

Food in front of IT offices

Observing this, I wonder what value is offered by food technology startups. The answer is larger reach to customers and effective distribution.

As a customer, what is important? The customer looks for quality food, variety and affordable prices. The preference is also to get food within a short distance.

One realizes that food stalls that produce good food and have decent variety provide increased value to customers. These stalls are less concerned with customer engagement via social media or distribution logistics.

Where are food startups in a cooperative model like India Coffee House? There is no doubt of the potential to scale in food. Yes, food startups like Adayar Anandha Bhavan or Subway scaled well. Maybe techies entering the food industry should start with a food stall and learn the nuances of the business first.

Some food firms have failed to focus on customers and put their focus on things like real estate. Surely customers would not visit them, and they need help. Are technology startups supporting lazy, inefficient food firms?



Does “Not picking up the mobile” mean “buyer not at home”?

A few months back I wrote the blog “Pain at work for e-commerce delivery boy”. I was really concerned about the plight of the delivery boys. While I wrote from the delivery boy's needs, the insufficient or absent training offered to delivery boys has become a pain for the e-retail buyer.

I am not a regular buyer on e-commerce websites beyond books. Books can be delivered to security or a neighbor, and we faced no issue with delivery boys. We purchased a mobile on amazon.in. At the time of order, Amazon committed to deliver on the 4th or 5th day from the order date. One day after the order date, an email was received that delivery would be done on the second day after the order. It looked impressive and we were open for delivery.

[Day 3] I get a call on my mobile at 11:30 am asking whether the delivery can be done at home; he wants to deliver at my home. I informed him of my absence from home and asked him to deliver after 4 pm, when my wife would be at home. When asked whether he was in front of my house door, his response was negative. I call this person at 6:30 pm and he shares that he is somewhere on Old Airport Road and he would deliver.

Multiple follow-ups, where the person agrees to deliver and then fails to deliver, cause an irritating experience. The delivery does not happen and the status changes to “could not be delivered as no one was available to receive it”. We know for sure that the guy did not come to our door and did not even visit the apartment security gate.

[Day 4] The next day, I forgot my mobile at home. When I returned home, I saw missed calls on the phone and called back, and the person asked me to call the carrier. When I check my order email, there is no contact number to reach the e-commerce retailer. Then I figured out an option where I could provide a mobile number and the call center reaches me. The service representative offered to get the package delivered at the earliest.

When I talked to the customer representative, I heard interesting words: “We have to request the delivery agency”. On talking to the supervisor, you hear the underlying message that they have no control and are not sure when things will get delivered. Luckily, the package was delivered today [Day 5].

Maybe e-commerce firms can collect buyer preferences before specifying the delivery date for an order.

  • Provide the buyer with time slots in the day and ask the buyer to choose a time slot for delivery. Instead of asking the customer to choose a time, provide time ranges like 8 to 10 am, 10 am to 6 pm, 6 pm to 8 pm.
  • For items of low value, ask the buyer whether the item can be left with security or a neighbor. Maybe the option is not offered when the purchase is a high-value item.

Maybe e-commerce firms can capture more data to verify the claims of the delivery person and the buyer in the midst of a conflict. When the delivery person visits the house and the house is locked, ask the person to take a picture of the locked house and upload it to the site. Display this to the buyer, and you have verified that the delivery boy really tried.

My wife started worrying whether the order would be delivered. Not sure whether her saying “After getting the message ‘door is locked’ 2 times, you need to cancel the existing order and re-order” is true. It looks like the horror in delivery is known to all customers. Makes me wonder whether the delivery boy takes the role of the most important person in an e-commerce transaction.

Four Words that can Trigger a Four-Letter Word

Copied from Four Words that can Trigger a Four-Letter Word for my reference

The English language, like any language, was designed to help communicate an idea, a thought, a feeling, a decision….

But, sometimes, the crafting of the words into a sentence can lead to confusion, fear, and angst.

A lawyer told me that some of the trickiest questions asked of any defendant in a court case can be:

  • Have you stopped beating your spouse, or
  • Have you stopped taking bribes, or
  • Have you stopped eating beef?

“Please answer with a ‘Yes’ or a ‘No’,” says the wily lawyer.

You are trapped.

A “Yes” – the lawyer explained – to any of the above 3 questions can get you into a lot of trouble, as it implies that you were indulging in that alleged act and had stopped recently.

You are, therefore, guilty for past crimes.

But if you said “No” it means that:

  • You confess that you are still in the habit of beating your spouse and, therefore, need to be punished;
  • You confess that you still have your hand in the till and are taking bribes and, therefore, need to be punished;
  • You still enjoy eating beef and, therefore, need to be punished.

Now try asking the Federal Reserve Board the question:

  • Are you still keeping interest rates low so that speculators can continue having a field day and ensure that the bonus pay outs of the financial honchos can reach peak levels by Christmas?

The Fed can answer with a “Yes” or a “No”.
A “Yes” would mean that the Fed did all this rescue effort and pumped up its balance sheet by USD 4.5 trillion since September 2008 to feed the Wall Street crowd.
A “No” would mean that they were doing it but have decided to stop.

Development Process to Handle Security Flaws


A security vulnerability is an error that an attacker can exploit to compromise a system. The same vulnerability can be present in a product or solution on Windows, Mac and Linux environments. The fix for a security flaw depends on the programming language and the underlying operating system or browser.

Security vulnerabilities are classified into security taxonomies or flaw categories by computer security researchers. These classifications are independent of programming language, operating system or browser. Here are a few links/points to understand better.

  • CVE is a dictionary of publicly known information security vulnerabilities and exposures. Each CVE entry identifies one specific vulnerability in a specific product or version.
  • CWE provides a unified, measurable set of software weaknesses, enabling more effective discussion and description. A CWE entry names the type of weakness (for example, a class of injection or a missing authorization check), so many CVEs map to the same CWE.

When a security researcher reports a security flaw, the researcher also supplies a CWE-ID to represent the type of flaw. To know more about CWE-IDs, please check the FAQ compiled by MITRE.

A reported security flaw can be classified into one of two categories.

  • Flaws in the product/solution implementation
  • Flaws in the product design.

Vulnerabilities present at the design level are hard to detect and handle. Design-level vulnerabilities are among the most prevalent and critical ones. Determining that a program has a design-level vulnerability is difficult even with great expertise, and it is harder still to automate: a scanner can recognise an unsafe API call, but not that the wrong component was trusted to make a decision.

Some software development approaches identify issues by performing a security assessment of applications after they are developed and then fix those issues. Patching software in this way can help, but it is a costlier approach. This cycle of testing, patching and re-testing runs into multiple iterations and can be avoided to a great extent by addressing issues earlier in the life cycle.

One can choose to look at the product from a security angle only after a hacker reports a security vulnerability from the field, or one can choose to be prepared and incorporate security practices as part of the software development cycle (a secure SDLC, or S-SDLC). Here are notes for each stage to facilitate implementing an S-SDLC in your firm.

Requirements & Planning Stage: Right from the start, when product features are specified, the security requirements of the product/solution need to be identified and written down. In addition, it is worth creating a list of abuse cases the product must handle, and this is the most apt time to undergo security training, if needed.

  • Make the test engineers aware of the security requirements and encourage them to write risk-based security tests in their test plans.
  • Identify the security features, plan them to be implemented as part of agile milestones and track them for completion from a security standpoint.

Design Stage: Identify the design requirements from a security perspective, perform architecture and design reviews, and threat model the design. In addition, the design should be subjected to a security risk analysis. Any security flaw identified during the design stage is easier to fix, with less effort, than flaws found in later phases.

Coding Stage: Coding best practices for security enable developers to write code that is less prone to security vulnerabilities. In addition, a process is required to evaluate the code on a regular basis for security flaws. The evaluation can happen at regular intervals, at the end of an agile milestone or at the end of every sprint.

Security vendors like Veracode offer static analysis as a service to find security flaws in the code when the compiled binaries are uploaded. Every organization needs its own discussion to understand the risks involved in sharing code with a third party, how far to trust them and what protections the security vendor provides.

Once the code is assessed for security vulnerabilities, the first thing to do is understand each vulnerability listed in the report. For every vulnerability, first understand why it is classified as a security flaw and what its severity is, then analyse it. Your earlier risk analysis during the design stage can help you analyse the vulnerability better and come up with mitigation plans (where needed).

The vendor's tool is not aware whether the product is used only inside your network or is exposed outside it. This leads to more security flaws being reported than actually apply to the product/solution. Plan for resources to interpret each security flaw in the context of your application; that specific context drives the decision to fix the flaw or mitigate it.

For a security flaw reported either through self-analysis or by a third party,

  • If you know the solution, the flaw needs to be fixed. Go ahead and fix the vulnerability.
  • Flaws may be reported in an internal utility of the product that is used only within the network. You may choose to mitigate the flaw rather than fix it, and record the compensating control that justifies the decision.
  • Some flaws may not have an immediate fix. You need to follow up with your teams and the community to find a solution.
  • Your product/solution may use a new approach to security as part of its implementation. As your implementation is not yet a standard, the security vendor's tool reports it as a flaw. You may choose to mark the finding as a “False Positive” and record the reason why the flaw does not impact your solution. Have that reasoning reviewed by someone other than the author, since a non-standard security mechanism is exactly where a reviewer should look hardest.

Depending on your team's bandwidth, the team can start working on security flaws from severity “High” down to the ones with severity “Low” or “Informational”. Any security flaw identified during the coding stage is easier to fix, with less effort, than flaws found after production.
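The triage steps above (check the CWE-ID on each finding, decide fix / mitigate / follow-up / false positive, then work the list from “High” down) are mechanical enough to script. The following is an added example, not code from the original post or from any vendor's product. The findings are constructed sample data, and the field names (cwe_id, severity, component, exposure) and the known-fix and accepted-pattern lists are assumptions about what a team keeps alongside a scan report.

```python
"""Triage of static-analysis findings by CWE-ID, severity and deployment context.

Added example with constructed data; field names and rule inputs are assumed.
"""
import re
from dataclasses import dataclass

# Ordering used to work the report from "High" down to "Informational".
SEVERITY_ORDER = ["High", "Medium", "Low", "Informational"]

# CWE identifiers are written as CWE-<number>, e.g. CWE-79.
CWE_ID_RE = re.compile(r"^CWE-\d+$")


@dataclass
class Finding:
    finding_id: str
    cwe_id: str
    severity: str
    component: str
    exposure: str            # "internet" or "internal" (assumed field)
    notes: str = ""
    disposition: str = ""
    reason: str = ""


def validate_cwe_id(cwe_id: str) -> bool:
    """Return True if the identifier has the CWE-<number> form."""
    return bool(CWE_ID_RE.match(cwe_id))


def decide_disposition(f: Finding, known_fixes: set, accepted_patterns: dict) -> Finding:
    """Apply the four rules from the text: false positive, fix, mitigate, follow up.

    accepted_patterns maps (cwe_id, component) -> reviewed reason for a design
    choice the tool cannot recognise; such findings are recorded as false
    positives with that reason attached so the decision is auditable.
    """
    key = (f.cwe_id, f.component)
    if key in accepted_patterns:
        f.disposition, f.reason = "false_positive", accepted_patterns[key]
    elif f.cwe_id in known_fixes:
        f.disposition, f.reason = "fix", "known remediation available"
    elif f.exposure == "internal":
        f.disposition, f.reason = "mitigate", "internal utility; compensating control, backlog item"
    else:
        f.disposition, f.reason = "follow_up", "no immediate fix; track with team/community"
    return f


def triage(findings, known_fixes, accepted_patterns):
    """Validate CWE-IDs, assign dispositions and order the list by severity."""
    bad = [f.finding_id for f in findings if not validate_cwe_id(f.cwe_id)]
    if bad:
        raise ValueError(f"malformed CWE-ID on findings: {bad}")
    decided = [decide_disposition(f, known_fixes, accepted_patterns) for f in findings]
    # sorted() is stable, so findings of equal severity keep report order.
    return sorted(decided, key=lambda f: SEVERITY_ORDER.index(f.severity))


# Constructed sample export (not a real scan result).
SAMPLE_FINDINGS = [
    Finding("F1", "CWE-532", "Low", "report_export", "internal", "sensitive value written to debug log"),
    Finding("F2", "CWE-79", "High", "web_ui", "internet", "unescaped output in template"),
    Finding("F3", "CWE-327", "Medium", "token_service", "internet", "non-standard MAC construction"),
    Finding("F4", "CWE-798", "Medium", "batch_job", "internet", "credential appears hard-coded"),
]

# Remediations the team already knows how to apply (assumed list).
KNOWN_FIXES = {"CWE-79", "CWE-89"}

# Design decisions reviewed and documented at the design stage (assumed).
ACCEPTED_PATTERNS = {
    ("CWE-327", "token_service"): "construction reviewed in threat model; not a flaw in this design",
}


def triage_sample():
    """Run the triage over the constructed findings."""
    return triage(SAMPLE_FINDINGS, KNOWN_FIXES, ACCEPTED_PATTERNS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.finding_id} {f.severity:<13} {f.cwe_id:<8} {f.disposition:<14} {f.reason}")
```

The rule order matters: an accepted design pattern is checked before the known-fix list so a documented decision is not silently overridden, and the internal-only rule is checked after it so a known fix is still applied rather than merely mitigated. A malformed CWE-ID stops the run instead of being sorted to the bottom, because a finding with no usable classification cannot be triaged at all.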

Pre-production/Staging Stage: Your web product has moved to pre-production or staging. This is when penetration testing is planned to happen. Today vendors like Veracode offer dynamic analysis (black-box security testing) to identify flaws in the product deployed in the staging environment, simulating real-world attacks against the running system.

Production Stage: Once the system goes into production, security lapses also come as feedback from the field, and it becomes important to capture security flaws reported from the field and track the resulting security incidents to closure. Managing a security incident involves tasks like managing patch releases, updating the current threat model and reassessing the code through static analysis.

India Travel: Technology vs Local Language

While relaxing on vacation, I was not able to stop observing how technology meets the ground. You choose to use an online application available in English to book flights and hotels and feel good that “All is done”. What is your status in reality?

Observation 1: Taxi drivers do not know English. Be prepared to answer in Hindi when the taxi driver calls to confirm the pick-up address and share when the taxi would arrive at the starting point. In my case, I took help from my wife or a relative to talk to the driver in Hindi. What would happen if the entire family does not know the local language?

Observation 2: On confirmation of the accommodation booking, you receive an email with the hotel name, booking details and address, in addition to an SMS. I had taken a printout of the email. The printout contains the hotel address without a landmark or Google map. When the driver checks with my wife for a landmark and she asks me the same, there is no landmark at hand. I got a feeling that “All is not set”. Being a techie, I made frantic attempts to connect over the internet and view Google Maps. As the internet connected only intermittently, Google Maps was not accessible, and when it did connect and I searched in Google Maps, the connection broke down. I patted myself for carrying the printout that saved me from the wrath of my family.

Can the travel website/provider include a landmark as part of the accommodation confirmation email? In addition, it would be useful to have the hotel address also provided in the local language prevalent in the vicinity of the hotel.

Observation 3: We reached the hotel at 1 AM, post-midnight. At 10 PM, our driver asked for the hotel address and, when conveyed, requested a landmark for the hotel. We found that neither the phone connection nor the internet was working for some time. After multiple calls (it was already 10 PM), the hotel staff picked up, and we just asked the driver to talk to the hotel staff. Both conversed in Hindi and the driver acknowledged the way to the hotel to my wife in Hindi.

When we reached the hotel (post 1 AM), the computer was switched off and the hotel staff did not understand English. I explained the booking in broken Hinglish and shared the printout I carried. Thank God we had the acknowledgement email. The printout brought a sense of belief to the eyes of the hotel staff, though he did not know English and the entire printout was in English. We got our room key.

What would have happened if I had missed taking a printout of the hotel booking with us?

Introduction to Application Security Vulnerability

Today more and more browser applications and mobile applications leverage third-party libraries and open source code, in the form of JavaScript and mobile code. While application development is quicker with third-party components, the application carries an increased risk of security flaws. Security flaws get introduced by wrong usage of third-party code, are already present in the third-party code, or are introduced by the developer in his/her own code. This blog introduces security vulnerabilities at a high level.

Security flaws are a challenge in the consumer app scenario, and the challenge increases in magnitude for enterprise applications. Any loophole in web application security has the potential to allow hackers to gain access to enterprise data. Hence testing web application security is a high priority for enterprises today. Large enterprises evaluate software products for security vulnerabilities and prefer products that are less prone to security flaws.

With enterprise IT infrastructure comprising a wide range of products across compute, network and storage, application security testing requires significant cost in terms of software, and there is a need for skilled personnel in security testing. How to evaluate a product for security vulnerabilities? Who pays for the product's security assessment?

The enterprise does not want to spend, due to the risk that the product may fail the security assessment, and passing the assessment alone cannot lead to a product purchase. The product developer hesitates to spend, with the risk that the enterprise may choose a competitor's product (for other reasons), even though the product passes the security assessment.

In addition, a product developer might know how to detect and fix a few commonly found, standard flaws and may not be aware of all the security flaws present in the product. When a security flaw is reported, the developer finds it tricky to find and implement a solution. In addition, no developer can understand the IT infrastructure configuration of all enterprises.

Here comes the role of security testing vendors. The enterprise engages a security vendor to audit its IT infrastructure and provide recommendations for the security perimeter fencing of the enterprise. Now the enterprise pays and uses the recommendations to assess and evaluate products against the security fencing requirements of the enterprise.

Publishing the security fencing requirements increases the risk of the enterprise being hacked, since the requirements describe the controls an attacker would have to get past. Hence the enterprise chooses to evaluate products certified by known security vendors against a standard security assessment.

Security vendors offer different security assessments to the product developer at different stages of product development. Once the product is assessed and certified by the security vendor, the product developer is allowed to share the certification with interested enterprises. Here are the capabilities a product developer can obtain from a security vendor.

Check source code for security flaws: Any security flaw found earlier in product development gets fixed more easily and at less cost than flaws found later in development. Here the developer is enabled with the capability to test their application code on a weekly basis for security flaws.

Training/Consulting in security: As explained earlier, a product company will find it costly to employ security experts full-time, and its current developers are not equipped to come up with solutions to fix security flaws. Hence training in security-related courses or the availability of security consulting would be helpful.

Check the application in the staging environment (before production) for security flaws: The product developer may choose to share infrastructure details of the staging environment to get the application assessed for security flaws under the normal working behavior of the application, at planned hours and in a known IT environment. As the time of the simulated attack by the security vendor is known, staging components like firewalls and network elements can be prepared not to raise false security alarms. Note that this also means the exercise says nothing about whether those controls would detect a real attack; that has to be tested separately.

  • If automation test scripts for the product are available, the security vendor can leverage them to insert security tests between the product feature tests and observe the application for security flaws. Effectively this approach tries to identify security flaws in the known working behavior/use cases of the application.
  • When product features can be accessed only by logging in with a username and password, the security vendor needs valid user credentials to enter the product and identify security flaws. Ideally the vendor gets one account per role, so that authorization between users and roles can be tested too.
  • The security vendor can also be engaged to identify security flaws in unknown working behavior/use cases of the application, i.e. inputs and request sequences the feature tests never exercise.
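The first two points above (security probes slotted between feature tests, and the need for valid test credentials) look like this in practice. The following is an added example, not code from the original post or from any vendor's tool. The target is a constructed in-process stand-in for a staging web application (a function that takes a request and returns a status code and payload), so the script runs offline; the routes, test accounts, order data and bearer-token scheme are all assumptions. Against a real staging target the `app` function would be replaced by HTTP calls, and everything else stays the same.

```python
"""Feature tests with authorization probes interleaved, run against a staging stand-in.

Added example; the application, accounts and routes below are constructed.
"""
import secrets

# --- Constructed stand-in for the application under test ----------------------

# Test accounts the vendor would be issued for the engagement (constructed).
ACCOUNTS = {"alice": "alice-pw", "bob": "bob-pw"}
ORDERS = {
    "o-100": {"owner": "alice", "item": "book"},
    "o-200": {"owner": "bob", "item": "mobile"},
}
SESSIONS = {}  # bearer token -> username


def app(method, path, headers=None, body=None):
    """Minimal app: POST /login, GET /orders/<id>. Returns (status, payload)."""
    headers = headers or {}
    body = body or {}
    if method == "POST" and path == "/login":
        if ACCOUNTS.get(body.get("user")) == body.get("password"):  # constructed check
            token = secrets.token_hex(16)
            SESSIONS[token] = body["user"]
            return 200, {"token": token}
        return 401, {"error": "bad credentials"}
    if method == "GET" and path.startswith("/orders/"):
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        user = SESSIONS.get(token)
        if user is None:
            return 401, {"error": "login required"}
        order = ORDERS.get(path.split("/", 2)[2])
        if order is None:
            return 404, {"error": "no such order"}
        if order["owner"] != user:
            return 403, {"error": "not your order"}
        return 200, order
    return 404, {"error": "no route"}


# --- Test client (what the vendor's scripts drive) ----------------------------

def login(user, password):
    """Return a bearer token, or None if the credentials are rejected."""
    status, payload = app("POST", "/login", body={"user": user, "password": password})
    return payload.get("token") if status == 200 else None


def get_order(order_id, token=None):
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return app("GET", f"/orders/{order_id}", headers=headers)


# --- Feature test and the security probes slotted around it -------------------

def feature_owner_can_view_order(token):
    status, order = get_order("o-100", token)
    return status == 200 and order["item"] == "book"


def probe_unauthenticated_access_rejected():
    status, _ = get_order("o-100")                       # no token at all
    return status == 401


def probe_other_users_order_rejected(token):
    status, _ = get_order("o-200", token)                # alice asking for bob's order
    return status == 403


def probe_forged_token_rejected():
    status, _ = get_order("o-100", secrets.token_hex(16))  # random, never issued
    return status == 401


def run_suite(user="alice", password="alice-pw"):
    """Run the staging suite with valid credentials; return {check name: passed}."""
    token = login(user, password)
    if token is None:
        raise RuntimeError("valid test credentials are required for the authenticated checks")
    return {
        "feature: owner views own order": feature_owner_can_view_order(token),
        "probe: unauthenticated request rejected": probe_unauthenticated_access_rejected(),
        "probe: other user's order rejected": probe_other_users_order_rejected(token),
        "probe: forged token rejected": probe_forged_token_rejected(),
    }


if __name__ == "__main__":
    for name, ok in run_suite().items():
        print(("PASS " if ok else "FAIL ") + name)
```

Each probe returns True when the application rejects the request, so an authorization regression shows up as a failing check in the same report as the feature tests rather than in a separate document. The second probe is the one that needs two issued accounts: without bob's order to ask for, alice's session cannot reveal whether the ownership check exists at all.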

In the next blog, we can discuss more on security vulnerabilities and how they are classified across technology stacks. We will also discuss how application security flaws are classified and reported by the test vendor and what the enterprise makes of the security assessment report of a product.