GovTech Modernization · Read-only Audit Findings

e-District Uttarakhand

Legacy ASP.NET Web Forms citizen-services portal assessed across four independent lenses — security, maintainability, complexity, and testability — with an evidence-backed migration plan.

Platform: .NET 3.5 (Web Forms · VS2008)
Codebase: ~2,150 files · ~91.6K VB LOC
Security posture: CRITICAL (5 critical findings)
Test coverage: 0% (no tests · no CI)
Target: .NET 10 (Blazor · C# · LTS)

What this system is

A state-wide citizen-services portal issuing caste, income, domicile, hill and birth/death certificates, running pensions, family registers, revenue court cases, food licences and payments. It handles citizens' PII, Aadhaar numbers and legally-signed documents, and is used daily by citizens and officers across Uttarakhand.

459 .aspx pages
3,080 functions
16 functional modules
6 external integrations

Technology stack
Component | Version | Status
.NET Framework | 3.5 (SP1) | End of life
ASP.NET | Web Forms + code-behind | End of life
Languages | VB.NET (352 files) + C# (107) | Legacy
Visual Studio | 2008 · Website project | End of life
Database | SQL Server · ukedistrict | Carry forward
Data access | Hand-written ADO.NET (no ORM) | Legacy
AjaxControlToolkit | legacy build | End of life
Crystal Reports | 10.5.3700 | End of life
ReportViewer | 9.0 | End of life
jQuery | 1.8 / 1.9 / 1.10 (3 copies) | Legacy
Digital signature | CAPICOM COM interop | End of life
Payment | BridgePG.dll (vendored) | Legacy
Module map — sized by footprint, coloured by risk
Module | Footprint | ⚑ findings
Certificates | ~90 .aspx | 7
Officer Workflow | ~40 .aspx | 7
Public Portal | ~50 .aspx | 3
Pension | ~30 .aspx | 5
Reporting | ~45 .rdlc/.aspx | 3
Web Services / Mobile | ~10 .asmx/.svc | 7
Masters | ~25 .aspx | 1
Administration | ~20 .aspx | 2
Pariwar Register | ~20 .aspx | 3
Employment | ~18 .aspx | 2
Revenue Court Case | ~18 .aspx | 2
Payment · CSC/UTC | ~12 .aspx | 2
Land Mutation | ~14 .aspx | 2
Digital Signature | COM + .pfx | 3
Authentication | login + master | 8
Shared Infra (BL·Dal·WSM) | App_Code | 6

⚑ = number of audit findings attributed to the module. The four worst (Certificates, Officer Workflow, Web Services, Authentication) carry the critical concentration.

External integrations (6 systems)
UMANG: Govt mobile platform API
PayGov / CSC: Payment gateway (BridgePG)
Employment Service: Job-seeker SOAP service
SMS Gateway: OTP / status SMS
Digital Signature: CAPICOM COM — migration risk
WebCam: Flash photo capture — dead tech

red = modernization risk needing a modern replacement (decisions D-5 / D-6).

Auth model

Home-grown challenge-response. Each weakness threads to a finding.

Client-side MD5 challenge over a nonce; unsalted password storage (F-08)
Broken framework authorization; enforced ad-hoc in 171 files (F-07)
Custom ASMSAUTH cookie + single-active-session in master page (CG-09)
Weak machineKey (3DES, auto-generated) (F-13)

→ Migrates as slice 3b
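
Added example, not code from the audited portal: it contrasts the pattern named in F-08 (client-side MD5 challenge over an unsalted stored hash) with salted, server-side PBKDF2 verification. The stored-hash layout, the response formula, the record format and the PBKDF2 parameters are assumptions, because the page names the scheme but gives no schema.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

# Assumed legacy layout: the table holds MD5(password) with no salt and the
# browser answers a server nonce with MD5(stored_digest + nonce).
def legacy_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def legacy_response(stored_digest: str, nonce: str) -> str:
    return hashlib.md5((stored_digest + nonce).encode()).hexdigest()

def legacy_verify(stored_digest: str, nonce: str, response: str) -> bool:
    # The server checks the response using only the stored digest, so that
    # digest is the long-term secret and a database read exposes it directly.
    return hmac.compare_digest(legacy_response(stored_digest, nonce), response)

# Hardened form: per-user random salt, slow KDF, password verified server-side
# (sent over TLS) so the stored record alone cannot answer a login.
def hardened_store(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def hardened_verify(password: str, record: str) -> bool:
    try:
        algo, rounds, salt_hex, dk_hex = record.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(rounds)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk.hex(), dk_hex)

def compare_schemes(password: str = "Constructed-Sample-1") -> dict:
    # Two accounts sharing one (constructed) password.
    return {
        "legacy_rows_identical": legacy_store(password) == legacy_store(password),
        "hardened_rows_identical": hardened_store(password) == hardened_store(password),
    }

if __name__ == "__main__":
    print(compare_schemes())
```
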

Architecture — three-tier, hub-and-spoke
Request flow, top to bottom:
Browser · Mobile App · External API (HTTP entry)
→ IIS / ASP.NET Runtime (Windows + Forms hybrid auth)
→ Web Forms .aspx · .asmx · .svc (459 pages · postbacks)
→ App_Code hub — BL · WSM · Dal · connectioncls (~196 files instantiate connectioncls)
→ ADO.NET SqlClient (inline SQL · no ORM)
→ SQL Server · ukedistrict (shared tables = the coupling)

Inter-module coupling is overwhelmingly data coupling through one database, keyed by application number — there are very few direct module-to-module calls.

Data flow — two parallel paths
Path A · ad-hoc reads: Page → Dal/BL → inline SQL → DB
Path B · application writes: Page → Member* object → addNewRecord → DB
Both hit the same ukedistrict tables → shared-table coupling

Every authenticated request is gated by the master page (ASMSAUTH cookie → login_sessionstatus → audit row) before page logic runs.