DOCSLIB.ORG

The State of Practice for Security Unit Testing: Towards Data Driven Strategies to Shift Security Into Developer's Automated Testing Workflows

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The State of Practice for Security Unit Testing: Towards Data Driven Strategies to Shift Security Into Developer's Automated Testing Workflows Rochester Institute of Technology RIT Scholar Works Theses 6-2021 The State of Practice for Security Unit Testing: Towards Data Driven Strategies to Shift Security into Developer's Automated Testing Workflows Danielle Nicole Gonzalez [email protected] Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Gonzalez, Danielle Nicole, "The State of Practice for Security Unit Testing: Towards Data Driven Strategies to Shift Security into Developer's Automated Testing Workflows" (2021). Thesis. Rochester Institute of Technology. Accessed from This Dissertation is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. The State of Practice for Security Unit Testing: Towards Data Driven Strategies to Shift Security into Developer's Automated Testing Workflows by Danielle Nicole Gonzalez A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computing and Information Sciences B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of Technology Rochester, New York June 2021 The State of Practice for Security Unit Testing: Towards Data Driven Strategies to Shift Security into Developer's Automated Testing Workflows by Danielle Nicole Gonzalez Committee Approval: We, the undersigned committee members, certify that we have advised and/or supervised the candidate on the work described in this dissertation. We further certify that we have reviewed the dissertation manuscript and approve it in partial fulfillment of the requirements of the degree of Doctor of Philosophy in Computing and Information Sciences. Dr. Mehdi Mirakhorli Date Dissertation Advisor Dr. Laurie Williams Date Dissertation Committee Member Dr. Mohamed Wiem Mkaouer Date Dissertation Committee Member Dr. Christian Newman Date Dissertation Committee Member Dr. Darren Narayan Date Dissertation Defense Chairperson Certified by: Dr. Pengcheng Shi Date Ph.D. Program Director, Computing and Information Sciences ii iii ©2021 Danielle Nicole Gonzalez All rights reserved. The State of Practice for Security Unit Testing: Towards Data Driven Strategies to Shift Security into Developer's Automated Testing Workflows by Danielle Nicole Gonzalez Submitted to the B. Thomas Golisano College of Computing and Information Sciences Ph.D. Program in Computing and Information Sciences in partial fulfillment of the requirements for the Doctor of Philosophy Degree at the Rochester Institute of Technology Abstract The pressing need to \shift security left" in the software development lifecycle has motivated efforts to adapt the iterative and continuous process models used in practice today. Security unit testing is praised by practitioners and recommended by expert groups, usually in the context of DevSecOps and achieving \continuous security". In addition to vulnerability testing and standards adherence, this technique can help developers verify that security controls are implemented correctly, i.e. functional security testing. Further, the means by which security unit testing can be integrated into developer workflows is unique from other standalone tools as it is an adaptation of practices and infrastructure developers are already familiar with. Yet, software engineering researchers have so far failed to include this technique in their empirical studies on secure development and little is known about the state of practice for security unit testing. This dissertation is motivated by the disconnect between promotion of security unit testing and the lack of empirical evidence on how it is and can be applied. The goal of this work was to address the disconnect towards identifying actionable strategies to promote wider adoption and mitigate observed challenges. Three mixed- method empirical studies were conducted wherein practitioner-authored unit test code, Q&A posts, and grey literature were analyzed through three lenses: Practices (what they do), Perspectives and Guidelines (what and how they think it should be done), and Pain Points (what challenges they face) to incorporate both technical and human factors of this phenomena. Accordingly, this work contributes novel and important insights into how developers write functional unit tests for at least nine security controls, including a taxonomy of 53 authentication unit test cases derived from real code and a detailed analysis of seven unique pain points that developers seek help with from peers on Q&A sites. Recommendations given herein for conducting and adopting security unit testing, including mitigating challenges and addressing gaps between available and needed support, are grounded in the guidelines and perspectives on the benefits, limitations, use cases, and integration strategies shared in grey literature authored by practitioners. iv Acknowledgments \I am the combined effort of everyone I've ever known." Chuck Palahniuk, Invisible Monsters It takes a village to raise a PhD student, and I would like to thank all those who have supported, motivated, comforted, inspired, and challenged me. I thank Dr. Darren Narayan for first seeing my research potential and mentoring me as a REU student. This experience was my introduction to the research world and instilled a sense of con- fidence in my ability to succeed in unfamiliar territory. I credit my interest in pursuing research as a career to the time spent in my PhD advisor Dr. Mehdi Mirakhorli's lab as an undergraduate student. I thank him for encouraging and sponsoring my entry into the field of software engi- neering research and for helping me navigate the intimidating worlds of academia, paper writing, rejections, conferences, funding, presentations, international travel, and much more throughout my time in his lab. Special thanks are extended to Dr. Thomas Zimmermann for his mentorship and for the opportunities to work with him and the SAINTes group at Microsoft Research in person and virtually during the pandemic. These experiences broadened my perspectives, challenged me in new ways, and left me with a lasting desire to make impactful and actionable contributions with my research in support of those whose work I study, i.e. developers. I am also incredibly grateful for Microsoft Research's support in awarding me a PhD Fellowship, which empowered me to concentrate on pursuing my ideas to the depths described herein. To any students who may read this in the future, having a group of PhD friends to lean on and learn from is vital to maintaining your health and sanity. Thanks to Nuthan Munaiah, Joanna Cecilia da Silva Santos, Blagovesta Kostova, Jamie Davis, and all of the PhD students who have climbed this hill alongside me and I am so fortunate to now call my friends. There are countless others I am lucky to have in my personal and professional life who have also contributed to my success | if you think this is about you, it probably is. v To my parents Christine and Manuel, who empowered and enabled me to pursue my dreams through their sacrifices and unwavering belief in my potential. To Joseph, the light by which I persevere, and so much more. vi Contents 1 Introduction 1 1.1 Motivation and Research Goal . .2 1.2 Research Questions . .2 1.3 Contributions . .3 1.4 Outline . .5 2 Background and Related Work 6 2.1 The Software Development Lifecycle . .6 2.2 Shifting Security Left . .6 2.2.1 Microsoft Secure Development Lifecycle (SDL) . .7 2.2.2 OWASP Secure Application Maturity Model (SAMM) . .7 2.2.3 DevSecOps: Adding Continuous Security to the DevOps Model . .7 2.3 Security Practices . .8 2.3.1 Building Security In: Architectural Tactics and Control Mechanisms . .8 2.3.2 Testing Security Throughout the SDLC . .9 2.3.3 Security Unit Testing . 11 vii CONTENTS viii 2.3.4 Human Factors Influencing Developer's Security Practices . 12 2.4 Automated Unit and Integration Testing . 13 2.4.1 Use in Practice . 15 2.4.2 Human Factors Influencing Developer's Testing Practices . 17 2.5 Empirical Studies of Developer's Q&A Posts . 19 2.6 Grey Literature Reviews in Software Engineering . 21 3 Research Design 24 3.1 Study 1: Grounded Theory Analysis of Unit Test Code . 25 3.2 Study 2: Mixed-Method Analysis of Developer's Q&A Posts . 26 3.3 Study 3: Qualitative Analysis of Grey Literature . 27 4 Security Unit Testing in Practice 28 4.1 What Security Controls Are Unit Tested? . 28 4.2 How Do Developers Unit Test Authentication? . 29 4.3 Conclusion . 34 4.4 Study Limitations . 34 5 Security Unit Testing Pain Points 36 5.1 The Unique Pain Points of Writing Security Unit Tests . 36 5.2 Conclusion . 41 5.3 Study Limitations . 42 6 Perspectives and Guidelines 43 CONTENTS ix 6.1 Characterization of Practitioner-Authored Grey Literature . 43 6.1.1 Sources, Types, and Tones . 45 6.1.2 Scopes, Purposes, and Content Types . 48 6.2 Perspectives on Security Unit Testing . 52 6.2.1 When, How, & Why Practitioners Want You to Write Security Unit Tests . 53 6.3 Instruction and Guidelines for Security Unit Testing . 56 6.3.1 In Formal Security Testing Guides . 56 6.3.2 In Informal Guidelines from Practitioners . 57 6.4 Conclusion . 58 6.5 Study Limitations . 58 7 Discussion 61 7.1 The State of Practice for Security Unit Testing . 61 7.2 Recommendations . 63 7.2.1 Who Should Follow This Advice? . 63 7.2.2 Strategies for Formalization and Workflow Integration . 64 7.2.3 Summary & Important Considerations . 66 7.3 A Roadmap to Supporting Developer-Driven Security Testing . 67 7.3.1 Towards Actionable Guidelines for Test Design & Construction . 67 7.3.2 Towards Automated Tools that Recognize Developer's Needs & Priorities . 71 8 Conclusions 73 Appendices 94 CONTENTS x A Grounded Theory Analysis of Security Unit Test Code 95 B Mixed-Method Analysis of Developer's Q&A Posts 101 List of Figures 3.1 Grounded Theory Approach for Inductive Analysis of Security Unit Tests .
Load more

Recommended publications
  • Servoy Stuff Browser Suite FAQ
    Servoy Stuff Browser Suite FAQ Servoy Stuff Browser Suite FAQ Please read carefully: the following contains important information about the use of the Browser Suite in its current version. What is it? It is a suite of native bean components and plugins all Servoy-Aware and tightly integrated with the Servoy platform: - a browser bean - a flash player bean - a html editor bean - a client plugin to rule them all - a server plugin to setup a few admin flags - an installer to help deployment What version of Servoy is supported? - Servoy 5+ Servoy 4.1.8+ will be supported, starting with version 0.9.40+, except for Mac OS X developer (client will work though) What OS/platforms are currently supported? In Developer: - Windows all platform - Mac OS X 10.5+ - Linux GTK based In Smart client: - Windows all platform - Mac OS X 10.5+ - Linux GTK based The web client is not currently supported, although a limited support might come in the future if there is enough demand for it… What Java versions are currently supported? - Windows: java 5 or java 6 (except updates 10 to 14) – 32 and 64-bit - Mac OS X: java 5 or java 6 – 32 and 64-bit - Linux: java 6 (except updates 10 to 14) – 32 and 64-bit Where can I get it? http://www.servoyforge.net/projects/browsersuite What is it made of? It is build on the powerful DJ-NativeSwing project ( http://djproject.sourceforge.net/ns ) v0.9.9 This library is using the Eclipse SWT project ( http://www.eclipse.org/swt ) v3.6.1 And various other projects like the JNA project ( https://jna.dev.java.net/ ) v3.2.4 The XULRunner
    [Show full text]
  • Step by Step Tutorial: How to Build a Plugin for Servoy
    How to build a plugin for Servoy - A step by step tutorial brought to you by Servoy Stuff How to build a plugin for Servoy – A step by step tutorial brought to you by Servoy Stuff PART 3 J. The IScriptObject interface In the first part of this tutorial we went through the tedious details of configuring our Servoy/Eclipse environment, and set-up our project “WhoisPlugin”, now it’s time to actually build the plugin. Then in the second part, we implemented the IScriptPlugin using (and describing as we went along) the Eclipse IDE, we learned to rely on the API and to use the interface in an efficient way. Now is (finally!) time to implement our second main class, the “WhoisPluginProvider” class for which we already have a stub nicely prepared for us by Eclipse. As you remember, all we have to do is to follow the “TODO” task trail and implement each method one after the other. Or so it seems… But first, we need to take a good look at the IScriptObject interface that our WhoisPluginProvider class is going to implement, so let’s browse to the public API and click on the relevant link to get the interface definition: 1/26 How to build a plugin for Servoy - A step by step tutorial brought to you by Servoy Stuff We’re in luck because this interface doesn’t extend any other, so we only have to implement the methods above. Now, let’s look at them in details: ¾ getAllReturnedTypes() should return a Class array (“Class” is a java class that defines the type of class).
    [Show full text]
  • Curriculum Vitae
    Curriculum Vitae DATOS PERSONALES ● Nombre: Juan Andrés Moreno Rubio ​ ● Fecha de Nacimiento: 02-03-1980 ​ ● Lugar de Nacimiento: Plasencia (Cáceres) ​ ● Nacionalidad: Española ​ ● Tfno: 676875420 ​ ● E-mail: [email protected] ​ ● Vive en: Barcelona. ​ ● Experiencia: 12 años ​ FORMACIÓN ● TÍTULO UNIVERSITARIO _ ○ Licenciado en Ingeniería Informática por la Universidad de Extremadura (Escuela Politécnica de ​ Cáceres). ○ Periodo: 1999 - Febrero 2008. (Los últimos 2 años sólo con el PFC) ​ ● FORMACIÓN SECUNDARIA _ ○ Curso de Orientación Universitaria obtenido en 1999 y título de Bachiller obtenido en 1998 en el ​ Instituto Valle del Jerte (Plasencia). CONOCIMIENTOS ● CONOCIMIENTOS INFORMÁTICOS _ ○ CMS's, herramientas y entornos de producción web (Avanzado): Worpdress, Joomla, Magnolia ​ CMS, Tridion, Macromedia Dreamweaver, Frontpage y diversos plugins de eclipse para desarrollo ​ web. RapidWeaver (Mac), XWiki. ​ ​ ○ Frameworks Javascript: (Avanzado): NodeJS, ReactJS (redux/reflux), webpack2, jQuery, ​ prototpye, mootools. ember.js. Moustache y jade para templating. ○ IDEs de Desarrollo (Avanzado): Atom, Cloud9, WebRatio, Eclipse, Aptana Studio, LAMP, IBM ​ ​ Rational Software Architecht, Servoy, NetBeans, IntelliJ Idea, Coda. ○ Sistemas Operativos (Avanzado): Windows, Linux y Mac OS. ​ ○ Servidores de Aplicaciones (Avanzado): Tomcat, JBOSS, Weblogic, Resin, Jetty, Nginx, y Apache. ​ Amazon WS y Google Cloud Platform. ○ Programación (Avanzado): Ensamblador, Visual Basic, Pascal FC, C, C++, JAVA. Shell Script y PHP ​ ​ scripting. ES5 y ES6 (Javascript). ○ Desarrollo Web (Avanzado): HTML, JavaScript, CSS, LESS, SASS, VELOCITY, PHP, JSP, XML, ​ XSLT, J2EE, y Action Script. ​ ​ ○ Bases de datos (Intermedio): Conocimientos de diseño, administración y mantenimiento de bases de ​ ​ datos Oracle, Mysql, Postgresql e Hypersonic, y dominio del lenguaje SQL. Redis. Mongo. Página 1 de 7 CURRICULUM VITAE CRONOLÓGICO. Juan Andrés Moreno Rubio ○ Frameworks JAVA (Intermedio /Avanzado): Spring, Struts, Freemarker, Hibernate, Ibatis, JEE,.
    [Show full text]
  • 2008 BZ Research Eclipse Adoption Study
    5th Annual Eclipse Adoption Study November 2008 (With comparisons to November 2007, November 2006, November 2005 and September 2004 Studies) 7 High Street, Suite 407 Huntington, NY 11743 631-421-4158 www.bzresearch.com © BZ Research November 2008 Eclipse Adoption Study © BZ Research November 2008 Table of Contents Table of Contents................................................................................................................................................... 2 Methodology .......................................................................................................................................................... 4 Universe Selection ................................................................................................................................................. 6 Question 1. Do the developers within your organization use Eclipse or Eclipse-based tools? ........................ 7 Question 2. Which version(s) of Eclipse are you using? .................................................................................... 8 Question 3. How long have you been using Eclipse or Eclipse-based tools and technologies (either at work, or for your personal projects)?.............................................................................................................................. 9 Question 4. What type of software are you (or your organization) developing using Eclipse-based tools and technologies? (Note: OSI refers to Open Source Initiative, see www.opensource.org for more information.) ...............................................................................................................................................................................10
    [Show full text]
  • Stanford University Medical Center Department of Pathology
    STANFORD PATHOLOGY RESIDENT/FELLOW HANDBOOK 2011-12 Stanford University Medical Center Department of Pathology Resident and Clinical Fellow Handbook 2012-2013 300 Pasteur Drive Lane Bldg., Room L-235 Stanford, CA 93205-5324 Ph (650) 725-8383 Fx (650) 725-6902 1 STANFORD PATHOLOGY RESIDENT/FELLOW HANDBOOK 2012-2013 TABLE OF CONTENTS SECTION PAGE # Overview................................................................................................. 4 Trainee Selection.................................................................................... 4 Anatomic Pathology (AP) Training ......................................................... 7 Clinical Pathology (CP) Training ............................................................ 7 Combined Anatomic & Clinical Pathology (AP/CP) Training ................. 8 Combined Anatomic & Neuropathology (AP/NP) Training ………………. 9 Goals of the Residency Program …………........................................... 10 GENERAL INFORMATION Regular Work Hours & Availability......................................................... ………14 Call Guidelines.......................................................................................... 15 Anatomic Pathology..........................................................................16 Clinical Pathology..............................................................................17 MedHub Residency Management System ...................................................20 Conferences .................................................................................................21
    [Show full text]
  • Microsoft Visual Foxpro 11.- 13.11.2010 Developer Conference 2010 Frankfurt / Main
    17. Microsoft Visual FoxPro 11.- 13.11.2010 Developer Conference 2010 Frankfurt / Main The Speakers the European Developer 50+ different Rainer Becker Conference regarding sessions Joachim Dürr It's the seventeenth Tim Fischer Microsoft Visual time our annual Visual Sebastian Flucke FoxPro Developers' Uwe Habermann FoxPro 9.0 Conference takes place in Frankfurt. Again we Doug Hennig Lindner Congress Hotel Venelina Jordanova have set up a huge Frankfurt (Höchst) schedule of sessions. Markus Kißling In more than 50 differ- Ken Levy ent lectures, many Kevin McNeish well-known German Armin Neudert and American speakers Michael Niethammer will present not only Steffen F. Pirsig Thursday - Saturday the essential stuff in Cathy Pountney 3 days action the world of Visual Rick Schummer packed programme FoxPro 9.0 SP2 Sedna, Christof Wollenhaupt but also our new mi- gration path from there Jürgen Wondzinski to Microsoft Silver- light. Discounts To reduce the cost of attendance we offer various discounts for usergroup-members, usergroup-leaders and co-orders of Visual FoxPro and Visual Extend. Special discounts for long-time Alumnis are available. Or you can deselect the printed binder to save another 115,00 EURO. Tracks Converting applications to Microsoft Silverlight is the subject in focus at this year's Dev Con. As usual, there will be a VFP introduction course on the first day for Visual FoxPro 9.0 new- comers. On the second day we offer a lecture track on C# for VFP developers which also pro- vides knowledge for converting existing apps to Silverlight. All sessions are based on the most recent version 9.0 SP2 of Visual FoxPro, but within some limitations they are valid for previous versions, too.
    [Show full text]
  • Step by Step Tutorial: How to Build a Bean for Servoy
    How to build a bean for Servoy - A step by step tutorial brought to you by Servoy Stuff How to build a bean for Servoy – A step by step tutorial brought to you by Servoy Stuff PART 1 A. Introduction This tutorial is going to look into details on how to build beans for Servoy. We are not going to see in particular how to create a Swing bean (there are lots of available books and resources which will give you this information - you can use any kind of beans because as you will see you can use “normal” java beans coming from any source, being standard Swing beans, or third parties open source or commercial components), no, we are going to build what we will call a “Servoy-aware” bean, meaning a bean adapted for the Servoy platform to facilitate its use in Servoy and allow it to communicate back with Servoy clients. This first part is going to look at how to use regular beans in the Servoy IDE, how to script them and what you can do with them, which is quite a lot already. But we will see some of the shortcomings of using beans not adapted for Servoy and the amount of code necessary each time you want one of these “regular” beans to be integrated into the Servoy environment. In the next parts we will take one bean in particular and start to extend it to make it “Servoy-aware”, we will also see how we can add scripting, call-backs, and so on, and then we will try to make it fully web compatible by creating a wicket version of the bean, usable in the web client so that our final bean will be usable on any Servoy clients.
    [Show full text]
  • Servoy Developer
    CONOSCERE SERVOY Di Michele Annese Open Know h ow Memoria delle basi “E’ TUTTO COSÌ SEMPLICE CIÒ CHE GIÀ SI CONO SCE , BASTA SEGUIRE ....” Questo documento è stato prodotto da Metamorfosi in proprio . Rev. Data Rev. Data 1° Pubblicazione Scritto da: Prodotto da: 4 14/3/2007 30/11/2006 Michele Annese Metamorfosi Indice Introduzione….. ................................ ................................ ................................ ...... ………….......3 Smart Technology for Smart ClientsServoy Product Suite............................................... ...…...........4 Servoy Developer ...............................................................................................................….............8 Servoy Server ................................................................................. ....................................................10 Le FAQ 1 I Prodotti Servoy Le domande più ricorrenti ................................................................12 Le FAQ 2 L’Ambiente Servoy Le domande più ricorrenti ......................... ......................................20 Le FAQ 3 Open Source DB..........................................................................................................…28 INTRODUZIONE Questo Manuale non ha l’intendimento di spiegare in ma niera sistematica e completa il mondo Servoy. Nell’affrontare una materia che ha già i suoi autorevoli riferimenti nei manuali ufficiali della casa olandese di Amersfoort, si è voluto lasciare la parola a chi ha affrontato direttamente le varie problematic
    [Show full text]
  • Visual Foxpro to Servoy Conversion Procedure 1 Step 1 - Get Info
    Visual FoxPro to Servoy Conversion Procedure 1 Step 1 - Get Info 1.1 Visual FoxPro Conversion - Step 1 - Get Info 4 2 Step 2 - Create Table 2.1 Visual FoxPro Conversion - Step 2 - Create Table 18 3 Step 3 - Transfer Data 3.1 Visual FoxPro Conversion - Step 3 - Transfer Data 23 4 Import MetaData 4.1 Visual FoxPro Conversion - Import MetaData 30 5 Visual FoxPro .MPR Menu Conversion 5.1 Visual FoxPro Menu Converter - Servoy 39 6 Visual FoxPro .PRG Code Conversion 6.1 Visual FoxPro Code Converter - Servoy 45 7 Servoy Conversion 7.1 Create Servoy Eclipse Project 58 7.2 Enter Servoy Project Parameters 60 7.3 Servoy Migration - Migrate Button 63 7.4 Servoy Migration - Refresh Project 64 7.5 Post Migration Tasks - Visual FoxPro to Servoy Migration 66 Step 1 - Get Info Visual FoxPro to Servoy Conversion Procedure - 3 Visual FoxPro Conversion - Step 1 - Get Info This document explains the process of importing a Visual FoxPro project into FmPro Migrator. Once the metadata has been imported into FmPro Migrator, the Visual FoxPro project can then be converted into any of the database development environments supported by FmPro Migrator. The Visual FoxPro DBF file data can also be converted into a wide range of databases including: Microsoft Access, DB2, FileMaker Pro, FrontBase, MySQL, OpenBase, Oracle, PostgreSQL, SQLite, SQL Server or Sybase. Document Version 7 Updated for FmPro Migrator Developer Edition 5.97 Updated with Visual FoxPro Menu Converter Info Updated with Visual FoxPro Code Converter Info 1/12/2011 Pre-Migration Tasks Before starting the Visual FoxPro Conversion process: 1) Add any Free Tables in the Visual FoxPro project to a new or existing database file.
    [Show full text]
  • More Usable Recommendation Systems for Improving Software Quality
    ABSTRACT SONG, YOONKI. More Usable Recommendation Systems for Improving Software Quality. (Under the direction of Emerson Murphy-Hill.) Recommendation systems have a well-established history in both the research literature and industrial practice. Recommendation systems for software engineering (RSSEs) are emerging to assist developers in completing various software engineering tasks. However, most RSSEs have focused on finding more relevant recommendation items and improving ranking algorithms, without improving the usability of RSSEs. In this dissertation, I present three more usable RSSEs of software testing (called UnitPlus and Viscovery) and bug fixing (called FixBugs) for improving software quality. First, UnitPlus is designed to assist developers in writing unit test code more efficiently by rec- ommending code. I have conducted a feasibility study for UnitPlus with four open source projects in Java to demonstrate its potential utility. The results indicate the test code can be improved by the code recommended by UnitPlus. Second, Viscovery is a structural coverage visualization tool that aims to help developers understand problems that Dynamic Symbolic Execution (DSE) tools face and to provide recommendations for developers to deal with those problems. In an experiment with 12 developers, I found Viscovery helps developers use DSE tools 50% more correctly, 29% more quickly, and substantially more enjoyably than existing DSE tools and DSE tools with textual problem-analysis results. Third, FixBugs is an interactive code recommendation tool that is designed to recommend code to fix software defects. The results of an experiment with 12 developers shows that the approach is as effective as non-interactive approaches, faster in some cases, and leads to greater user satisfaction.
    [Show full text]
  • White Paper Choosing an Application Development Platform
    White Paper Choosing an Application Development Platform Choosing an Application Development Platform Table of Contents 1. Introduction ............................................................................................................... 3 2. Application Development Platform (ADP) .................................................................... 3 2.1 Typical Requirements of an ADP ........................................................................ 3 2.2 Market adoption of application development platform ........................................... 4 3. Why ADP? ................................................................................................................... 4 4. Development Strategy – 3GL Versus 4GL .................................................................... 6 4.1 3 GL .......................................................................................................... 6 4.1.1 Advantages of 3 GL ............................................................................... 6 4.1.2 Disadvantages of 3 GL ........................................................................... 6 4.2 4GL .......................................................................................................... 6 4.2.1 Advantages of 4GL ................................................................................ 7 4.2.2 Disadvantage of 4GL ............................................................................. 7 5. Development Approaches ..........................................................................................
    [Show full text]
  • Topic # 2 Software Engineering: Process Models
    Topic # 2 Software Engineering: Process Models 1 Software Process: An Overview The roadmap to building high quality software products is software engineering process. User/Customer Software Engineering (processes) Final Software Requirements Product Various software processes are designed in order to meet in OPTIMAL way the needs of software engineers and managers as they undertake the development of a specific software product. Different types of software projects require different software engineering processes. Constraint 1 (time) Con- User/Customer Final Software straint Constraint Requirements 3 (human Product 4 (techn.) Constraint resources) 2 (cost) 2 Constraints/Limits Examples: Used Car, Rental Dorm Software Process: An Overview (cont.) A software process provides a well-structured framework for managing activities that can very easily get out of control. “No framework (no well-defined and tested activities) = NO control and NO quality at all”. Software process models used by professional software engineers and developers to manage large-scale (with hundreds of thousands and millions lines of code amd dozens of SW engineers involved) software projects. A well-planned and well-managed software process will produce high quality products (programs/codes, data and data structures, documentation), on time and within designated budget. In some particular cases (small projects; projects in small-size companies with limited number of SE engineers and SW developers), software processes must be agile, demanding only those activities, controls, and work products that are appropriate for software team and/or software product (Details are available in Ch. 4) 3 Software Development: Core Activities Software Life Cycle or Generic Process Framework Initiation/Communication (getting input initial) Planning (resources, time, cost, etc.) Analysis/Modeling/Prototyping Analysis of requirements Design Models (Diagrams) Development (construction) Code generation Testing Deployment/Implementation 1.
    [Show full text]