DOCSLIB.ORG

Deployment-Grade Tools and Methodologies for Software Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Deployment-Grade Tools and Methodologies for Software Security From Theory to Practice: Deployment-grade Tools and Methodologies for Software Security Sazzadur Rahaman Dissertation submitted to the Faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science and Applications Danfeng (Daphne) Yao, Chair Naren Ramakrishnan Patrick R. Schaumont Gang Wang David Evans July 20, 2020 Blacksburg, Virginia Keywords: Program Analysis, Static Analysis, Cryptographic Program Analysis, Taint Analysis, Program Slicing, Payment Card Industry, Data Security Standard, Internet Measurement, Website Scanning, Data Breach, Web Security Copyright 2020, Sazzadur Rahaman From Theory to Practice: Deployment-grade Tools and Methodologies for Software Security Sazzadur Rahaman (ABSTRACT) Following proper guidelines and recommendations are crucial in software security, which is mostly obstructed by accidental human errors. Automatic screening tools have great potentials to reduce the gap between the theory and the practice. However, the goal of scalable automated code screen- ing is largely hindered by the practical difficulty of reducing false positives without compromising analysis quality. To enable compile-time security checking of cryptographic vulnerabilities, I de- veloped highly precise static analysis tools (CRYPTOGUARD and TAINTCRYPT) that developers can use routinely. The main technical enabler for CRYPTOGUARD is a set of detection algorithms that refine program slices by leveraging language-specific insights, where TAINTCRYPT relies on symbolic execution-based path-sensitive analysis to reduce false positives. Both CRYPTOGUARD and TAINTCRYPT uncovered numerous vulnerabilities in real-world software, which proves the effectiveness. Oracle has implemented our cryptographic code screening algorithms for Java in its internal code analysis platform, Parfait, and detected numerous vulnerabilities that were pre- viously unknown. I also designed a specification language named SPANL to easily express rules for automated code screening. SPANL enables domain experts to create domain-specific secu- rity checking. Unfortunately, tools and guidelines are not sufficient to ensure baseline security in internet-wide ecosystems. I found that the lack of proper compliance checking induced a huge gap in the payment card industry (PCI) ecosystem. I showed that none of the PCI scanners (out of 6), we tested are fully compliant with the guidelines, issuing certificates to merchants that still have major vulnerabilities. Consequently, 86% (out of 1,203) of the e-commerce websites we tested, are non-compliant. To improve the testbeds in the light of our work, the PCI Security Council shared a copy of our PCI measurement paper to the dedicated companies that host, manage, and maintain the PCI certification testbeds. From Theory to Practice: Deployment-grade Tools and Methodologies for Software Security Sazzadur Rahaman (GENERAL AUDIENCE ABSTRACT) Automatic screening tools have great potentials to reduce the gap between the theory and the practice of software security. However, the goal of scalable automated code screening is largely hindered by the practical difficulty of reducing false positives without compromising analysis qual- ity. To enable compile-time security checking of cryptographic vulnerabilities, I developed highly precise static analysis tools (CRYPTOGUARD and TAINTCRYPT) that developers can use routinely. Both CRYPTOGUARD and TAINTCRYPT uncovered numerous vulnerabilities in real-world soft- ware, which proves the effectiveness. Oracle has implemented our cryptographic code screening algorithms for Java in its internal code analysis platform, Parfait, and detected numerous vulner- abilities that were previously unknown. I also designed a specification language named SPANL to easily express rules for automated code screening. SPANL enables domain experts to create domain-specific security checking. Unfortunately, tools and guidelines are not sufficient to ensure baseline security in internet-wide ecosystems. I found that the lack of proper compliance checking induced a huge gap in the payment card industry (PCI) ecosystem. I showed that none of the PCI scanners (out of 6), we tested are fully compliant with the guidelines, issuing certificates to mer- chants that still have major vulnerabilities. Consequently, 86% (out of 1,203) of the e-commerce websites we tested, are non-compliant. To improve the testbeds in the light of our work, the PCI Security Council shared a copy of our PCI measurement paper to the dedicated companies that host the PCI certification testbeds. Dedication To my parents (Shajeda Akter and Md. Helal Uddin), who traded their dreams to afford my education. iv Acknowledgments In underprivileged settings, education loses its priority over the hurdles of “living”. I grew up with a first-hand experience of such hardship. Thanks to my mother’s determination to keep my education going, I am the first person to achieve a graduate degree from my locality. I deeply appreciate the sacrifices of my parents, grandparents, and the other family members for their unconditional love and support throughout my life. Without that, I might not have come this far. I would like to thank my Ph.D. advisor Dr. Danfeng (Daphne) Yao, who herself made her mark, sailing against countless adversaries. Her advice, patience and understanding as a mentor and help as a friend made my Ph.D. journey easier, enjoyable and rewarding. Thanks to Dr. Naren Ra- makrishnan, Dr. Patrick R. Schaumont, Dr. Gang Wang, Dr. David Evans for serving in my Ph.D committee and guidance over the years. I am also thankful to all my mentors, collaborators and fellow labmates, including Dr. Murat Kantarcioglu, Dr. Gang Wang, Dr. Omar Chowdhury, Dr. Haipeng Cai, Dr. Jung-Min (Jerry) Park, Fahad Shaon, Long Cheng, Sharmin Afrose, Mazharul Is- lam, Ya Xiao, Ke Tian, Miles Frantz, He Li, Md Salman Ahmed, Xiaodong Yu, Fang Liu, Hannah Roth, Alexander Kedrowitsch, Xiaokui Shu and Jamie Davis. I express my gratitude to my dearest friends including Bushra Tawfiq Chowdhury, Archi Das- gupta, Sajal Dash, Rubayet Elahi, Khan Mizan, Adrina Haldar, Rakibul Hasan, Sajal Iskandar, Reeba Khan, Subrato Kuri, Sufian Latif, Tahmid Nabi, Nabil Nowak, Fabiha Nowshin, Mazharul Islam Rakeb, Tonmoy Roy, Asif Salekin, Maruf Samu, Fahad Shaon, Farin Siddique, Munawwar Mahmud Sohul and many more. Without their cordial support and inspiration the journey would have been harder. A very special thank goes to my partner in crime, Ipsita Hamid Trisha. Her positive energy fueled the progress in darkest hours. Despite being a constant supporter, her attitude towards life always motivates and challenges me to become a better person. v Funding Acknowledgment: My work was supported in part by ONR Grant ONR-N00014-17-1- 2498, NSF grants CNS-1929701, CNS-1717028, CNS-1750101, SBIR-1647681, SBIR-1758628 and OAC-1541105, Virginia Tech Pratt Fellowship and Bitshare Fellowship. Declaration of Collaboration: In addition to my advisor Danfeng (Daphne) Yao, the research presented in this dissertation benefited from several collaborators: • Ya Xiao (VT), Sharmin Afrose (VT), Fahad Shaon (UTD), Ke Tian (VT), Miles Frantz (VT) and Murat Kantarcioglu (UTD) contributed to the work included in Chapter 3. • Haipeng Cai (WSU) and Omar Chowdhury (UI) contributed to the work in Chapter 4. • Gang Wang (UIUC) contributed to the work included in Chapter 5. vi List of Publications From This Thesis 1. [CCS’19] Sazzadur Rahaman, Gang Wang, Danfeng (Daphne) Yao. Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations. ACM Con- ference on Computer and Communications Security (CCS’19). London, United Kingdom. November 2019. 2. [CCS’19] Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, Danfeng (Daphne) Yao. CryptoGuard: High Precision Detec- tion of Cryptographic Vulnerabilities in Massive-sized Java Projects. ACM Conference on Computer and Communications Security (CCS’19). London, United Kingdom. November 2019. 3. [TDSC’19] Sazzadur Rahaman, Haipeng Cai, Omar Chowdhury and Danfeng (Daphne) Yao. From Theory to Code: Identifying Logical Flaws in Cryptographic Implementations. IEEE Transactions on Dependable and Secure Computing (TDSC). 2019. 4. [SecDeV’19] Sharmin Afrose, Sazzadur Rahaman, Danfeng (Daphne) Yao. CryptoAPI- Bench: A Comprehensive Benchmark on Java Cryptographic API Misuses. 2019 IEEE Se- cure Development Conference. McLean, VA. September 2019. 5. [SecDeV’17] Sazzadur Rahaman, Danfeng (Daphne) Yao. Toward Automatic Program Analysis of Cryptography Implementations for Security. 2017 IEEE Secure Development Conference. Cambridge, MA, USA. September, 2017. vii Contents List of Figures xiii List of Tables xviii 1 Introduction 1 1.1 Need for Deployment-grade Solutions ........................ 1 1.2 Contribution ...................................... 3 1.3 Organization of the Report .............................. 5 2 Literature Review 6 2.1 Tools to detect cryptographic vulnerabilities ..................... 6 2.2 Other analysis tools .................................. 7 2.3 Measuring ecosystem-wide security non-compliance ................ 8 3 Cryptographic API Misuse Detection 11 3.1 Introduction ...................................... 11 3.2 Threat Model and Overview ............................. 14 3.2.1 Threat Model ................................. 16 3.2.2 Technical Challenges and Solution Overview ................ 17 3.3 Map
Load more

Recommended publications
  • IPS Signature Release Note V9.17.79
    SOPHOS IPS Signature Update Release Notes Version : 9.17.79 Release Date : 19th January 2020 IPS Signature Update Release Information Upgrade Applicable on IPS Signature Release Version 9.17.78 CR250i, CR300i, CR500i-4P, CR500i-6P, CR500i-8P, CR500ia, CR500ia-RP, CR500ia1F, CR500ia10F, CR750ia, CR750ia1F, CR750ia10F, CR1000i-11P, CR1000i-12P, CR1000ia, CR1000ia10F, CR1500i-11P, CR1500i-12P, CR1500ia, CR1500ia10F Sophos Appliance Models CR25iNG, CR25iNG-6P, CR35iNG, CR50iNG, CR100iNG, CR200iNG/XP, CR300iNG/XP, CR500iNG- XP, CR750iNG-XP, CR2500iNG, CR25wiNG, CR25wiNG-6P, CR35wiNG, CRiV1C, CRiV2C, CRiV4C, CRiV8C, CRiV12C, XG85 to XG450, SG105 to SG650 Upgrade Information Upgrade type: Automatic Compatibility Annotations: None Introduction The Release Note document for IPS Signature Database Version 9.17.79 includes support for the new signatures. The following sections describe the release in detail. New IPS Signatures The Sophos Intrusion Prevention System shields the network from known attacks by matching the network traffic against the signatures in the IPS Signature Database. These signatures are developed to significantly increase detection performance and reduce the false alarms. Report false positives at [email protected], along with the application details. January 2020 Page 2 of 245 IPS Signature Update This IPS Release includes Two Thousand, Seven Hundred and Sixty Two(2762) signatures to address One Thousand, Nine Hundred and Thirty Eight(1938) vulnerabilities. New signatures are added for the following vulnerabilities: Name CVE–ID
    [Show full text]
  • Ofbiz an Insider View
    OFBiz An Insider View Prepared By: Basil Argasosy Senior Computer Engineering Student King Fahd University of Petroleum & Minerals (K.F.U.P.M) September 01, 2005 Contact Information [email protected] [email protected] or through my personal webpage 1 OFBiz : An Insider View Introduction: The OFBiz framework utilizes the common Three-Tier “Layers” Architecture model in all its applications. It has the Data Layer, the Business “logic” layer, and the Presentation “user interface” layer. The Data Layer and the Service layer have their own engines that are responsible for interaction with the layer. 1) Data Model Layer: It represents the database. There is an Entity Engine that is responsible of this layer that includes database connection, data retrieval, data storage…etc. It used the java Generic Delegator class to connect with the database, and it uses the java Generic Value to represent an entity row to be inserted in the database. 2) Business Logic Layer: It represents the logic, or the services provided to the user and performed on the data layer "database”. There can be services of many types like java, SOAP, simple, workflow, etc. and each type of service has its own handler. There is a Service Engine that is responsible for dealing with services, calling the service, etc. 3) Presentation Layer: OFBiz has moved to use "Screens" to represent the OFBiz pages. So, each page should normally be represented as a screen. An OFBiz page consists of many components like headers, footer, appheader,..etc, so when rendering the page, these are all combined in the order they were placed, or included, in the screen.
    [Show full text]
  • ALEXANDER HSU [email protected]
    ALEXANDER HSU [email protected] EDUCATION UNIVERSITY OF CALIFORNIA, SANTA BARBARA Bachelor of Science Degree in Computer Science and Minor in Japanese July 2008 – Present Cumulative GPA: 3.89/4.0 (212 units); Expected Date of Graduation: June 2012 HONORS/AWARDS 2011 UCSB EACS Dept. Outstanding Service Award 2010 Boeing Corporation Scholarship 2011 National Engineering Week Scholarship Engineering Honors Program since Spring 2009 2011 Yardi Systems Scholarship 2009 Starting Line Cover Photography Award SKILLS Programming Languages: Proficient: C/C++, HTML/CSS, Java, JavaScript/JQuery, Matlab Familiar: Apache HBase, Apache OFBiz, Groovy, MySQL, OpenGL, Perl, Python, Qt Software: Photoshop, Eclipse, Netbeans General: Fluent in English and Chinese; 4th year college level Japanese WORK EXPERIENCE UCSB RESEARCH CENTER FOR VIRTUAL ENVIRONMENTS AND BEHAVIOR Position: Research Assistant Sept 2011 – Present Learning how to design and develop virtual environments through the use of 3DSMax Learning how to program immersive environments through the use of Python scripts to allow for experiments. UCSB DISTRIBUTED SYSTEM LAB Position: Research Assistant June 2011 – Present Implemented the Transaction management layer of G-Store, a scalable data store with transactional multi-key access functionality, using Strict Two Phase Locking (S2PL) to control concurrency. Implemented an independent working system following a regular Apache HBase key-value store implementation and using the Two Phase Commit protocol (2PC) to coordinate the participating nodes. WARP9INC Position: Web Development Intern March 2011 – Present Implement and manage dynamic ecommerce websites with MVC interaction pattern, through Apache OFBiz. Manage both front-end (HTML/CSS/JavaScript) and back-end (Java/Groovy/OFBiz/MySQL). UCSB ACCOUNTING SERVICES AND CONTROLS Position: Systems Administrator August 2010 – June 2011 Troubleshoot and remove viruses; set up/connect various computers onto the domain; and manage the department website.
    [Show full text]
  • Return of Organization Exempt from Income
    OMB No. 1545-0047 Return of Organization Exempt From Income Tax Form 990 Under section 501(c), 527, or 4947(a)(1) of the Internal Revenue Code (except black lung benefit trust or private foundation) Open to Public Department of the Treasury Internal Revenue Service The organization may have to use a copy of this return to satisfy state reporting requirements. Inspection A For the 2011 calendar year, or tax year beginning 5/1/2011 , and ending 4/30/2012 B Check if applicable: C Name of organization The Apache Software Foundation D Employer identification number Address change Doing Business As 47-0825376 Name change Number and street (or P.O. box if mail is not delivered to street address) Room/suite E Telephone number Initial return 1901 Munsey Drive (909) 374-9776 Terminated City or town, state or country, and ZIP + 4 Amended return Forest Hill MD 21050-2747 G Gross receipts $ 554,439 Application pending F Name and address of principal officer: H(a) Is this a group return for affiliates? Yes X No Jim Jagielski 1901 Munsey Drive, Forest Hill, MD 21050-2747 H(b) Are all affiliates included? Yes No I Tax-exempt status: X 501(c)(3) 501(c) ( ) (insert no.) 4947(a)(1) or 527 If "No," attach a list. (see instructions) J Website: http://www.apache.org/ H(c) Group exemption number K Form of organization: X Corporation Trust Association Other L Year of formation: 1999 M State of legal domicile: MD Part I Summary 1 Briefly describe the organization's mission or most significant activities: to provide open source software to the public that we sponsor free of charge 2 Check this box if the organization discontinued its operations or disposed of more than 25% of its net assets.
    [Show full text]
  • Apache Ofbiz Advanced Framework Training Video Transcription
    Page 1 of 208 Apache OFBiz Advanced Framework Training Video Transcription Written and Recorded by David E. Jones Transcription and Editing by Nathan A. Jones Brought to you by Undersun Consulting Based on: The Apache Open For Business OFBiz.org Project Copyright 2006 Undersun Consulting LLC - All Rights Reserved Page 2 of 208 Copyright 2006 Undersun Consulting LLC Copyright 2006 David E. Jones Some content from The Apache Open For Business Project and is Copyright 2001-2006 Apache Software Foundation Copyright 2006 Undersun Consulting LLC - All Rights Reserved Page 3 of 208 Biz is running inside an application server, this infra- Advanced Framework structure still applies. The Containers and Compo- nents, they're just used in a slightly different way. The Overview easiest way to run OFBiz is out of the box, using the Introducing the Series OFBiz start executable jar file, which uses the con- tainer and component infrastructure to load everything Starting screen site/training/AdvancedFramework.html up, get all the tools started when the application server Hello my name is David Jones, and this is the Ad- shuts down, and to stop all of the tools and such as vanced Framework Training Video from Undersun Con- well. And also to configure each of the framework and sulting. I'll be recording and narrating this. I'm one of applications components that make up the open for the administrators of the Open for Business Project, business project. and offer various services including things like these So we'll talk about those, how they're configured, the training videos through a company that is run by myself different things to do plus some conventions for the and Andy Zeneski called Undersun Consulting.
    [Show full text]
  • Ofbench: an Enterprise Application Benchmark for Cloud Resource Management Studies
    OFBench: an Enterprise Application Benchmark for Cloud Resource Management Studies Jean Moschetta Giuliano Casale Imperial College London Imperial College London Department of Computing Department of Computing [email protected] [email protected] Abstract—We introduce OFBench, a new research benchmark To deal with this requirement, we propose OFBench, a for enterprise applications. OFBench is a load generator for realistic research benchmark for the demo e-commerce store the demo e-commerce component of the Apache OFBiz enter- distributed with the Apache Open For Business (OFBiz) ERP prise resource planning (ERP) framework. ERP applications are increasingly important in the cloud market due to the framework. OFBiz is a framework deployed in production growing popularity of Software-as-a-Service (SaaS) solutions, environments, hence our benchmark allows to experiment with hence OFBench is useful to explore the resource consumption a software architecture and a technology stack that are repre- patterns arising in these applications. On client-side, OFBench sentative of real business applications. For these applications, features randomized customer surfing patterns, workload gener- OFBench can stress a range of performance indicators such ation based on automation of real web browsers, reproducible burstiness in inter-request and inter-session think times, non- as response times, CPU utilization, memory consumption, stationary workload generation. On server-side, it features JMX number of active sessions over time, multi-threading levels, performance monitoring, business logic instrumentation, and data caching. JMX measurement beans and code instrumen- synchronization with client-side monitoring via TCP sockets. We tation are used on server-side to perform monitoring.
    [Show full text]
  • Code Smell Prediction Employing Machine Learning Meets Emerging Java Language Constructs"
    Appendix to the paper "Code smell prediction employing machine learning meets emerging Java language constructs" Hanna Grodzicka, Michał Kawa, Zofia Łakomiak, Arkadiusz Ziobrowski, Lech Madeyski (B) The Appendix includes two tables containing the dataset used in the paper "Code smell prediction employing machine learning meets emerging Java lan- guage constructs". The first table contains information about 792 projects selected for R package reproducer [Madeyski and Kitchenham(2019)]. Projects were the base dataset for cre- ating the dataset used in the study (Table I). The second table contains information about 281 projects filtered by Java version from build tool Maven (Table II) which were directly used in the paper. TABLE I: Base projects used to create the new dataset # Orgasation Project name GitHub link Commit hash Build tool Java version 1 adobe aem-core-wcm- www.github.com/adobe/ 1d1f1d70844c9e07cd694f028e87f85d926aba94 other or lack of unknown components aem-core-wcm-components 2 adobe S3Mock www.github.com/adobe/ 5aa299c2b6d0f0fd00f8d03fda560502270afb82 MAVEN 8 S3Mock 3 alexa alexa-skills- www.github.com/alexa/ bf1e9ccc50d1f3f8408f887f70197ee288fd4bd9 MAVEN 8 kit-sdk-for- alexa-skills-kit-sdk- java for-java 4 alibaba ARouter www.github.com/alibaba/ 93b328569bbdbf75e4aa87f0ecf48c69600591b2 GRADLE unknown ARouter 5 alibaba atlas www.github.com/alibaba/ e8c7b3f1ff14b2a1df64321c6992b796cae7d732 GRADLE unknown atlas 6 alibaba canal www.github.com/alibaba/ 08167c95c767fd3c9879584c0230820a8476a7a7 MAVEN 7 canal 7 alibaba cobar www.github.com/alibaba/
    [Show full text]
  • 2007 Javaonesm Conference Word “BENEFIT” Is in Green Instead of Orange
    there are 3 cover versions: Prospect 1 (Java) It should say “... Save $200!” on the front and back cover. The first early bird pricing on the IFC and IBC should be “$2,495”, and the word “BENEFIT” is in orange. ADVANCE CONFERENCE GUIDE Prospect 2 (Non-Java) The front cover photo and text is different from Prospect 1. The text of the introduction Last Chance to Save $200! Register by April 4, 2007, at java.sun.com/javaone paragraphs on the IFC is also different, the 2007 JavaOneSM Conference word “BENEFIT” is in green instead of orange. Features Java Technology, Open Source, Web 2.0, Emerging Technologies, and More Don’t miss this year’s newly expanded content. Advance your development skills with hundreds of expert-led, in-depth technical sessions in nine tracks over four days: The back cover and the IBC are the same as Consumer Technologies | Java™ SE | Desktop | Java EE | Java ME Prospect 1. The Next-Generation Web | Open Source | Services and Integration | Tools and Languages How to navigate this brochure and easily find what you need... Alumni For other information for Home Conference Overview JavaOnePavilion this year’s Conference, visit java.sun.com/javaone. It should say “... Save $300!” on the front Registration Conference-at-a-Glance Special Programs and back cover. The first early bird pricing on Hyperlinks Bookmark Buttons Search Click on any of the underlined Use the bookmark tab to Click on the buttons at the top Pull down from the Edit menu and the IFC and IBC should be “$2,395”, and the links to visit specific web sites.
    [Show full text]
  • Multi-Domain Engineering with Model-Driven Software Development Using Ontological Foundations
    HybridMDSD: Multi-Domain Engineering with Model-Driven Software Development using Ontological Foundations Dissertation zur Erlangung des akademischen Grades Doktoringenieur (Dr.-Ing.) vorgelegt an der Technischen Universität Dresden Fakultät Informatik eingereicht von Dipl.-Medien-Inf. Henrik Lochmann geboren am 4. Januar 1981 in Berlin Gutachter: Prof. Dr. rer. nat. habil. Uwe Aßmann, Technische Universität Dresden Associate Professor Kasper Østerbye, IT University of Copenhagen Tag der Verteidigung: 21.12.2009 Dresden, im Februar 2010 Confirmation I confirm that I independently prepared this thesis with the title HybridMDSD: Multi-Domain Engineering with Model-Driven Software Development using Ontological Foundations and that I used only the references and auxiliary means indicated in the thesis. Dresden, February 25, 2010 Dipl.-Medien-Inf. Henrik Lochmann vi Acknowledgments First and foremost a would like to thank my supervisor professor Uwe Aßmann for his motivation, constructive criticism, and his belief in my work. Once he was convinced by the topic, Uwe was a great sparring partner and excellent quality gate. Also, I would like to thank my second reviewer professor Kasper Østerbye, who proved to be very flexible in a tight schedule towards the submission deadline. I thank my employer the SAP AG, which even enabled me to write a PhD thesis in context its PhD programm. As research associate in the german research project feasiPLe and participant in company-internal projects, I got a valuable insight into professional practice and challenges of large scale software engineering. I owe a great debt to my colleagues at SAP, especially Falk Hartmann, Patrick Wustmann, Steffen Göbel, and Kay Kadner, who never let me down when a topic needed to be discussed.
    [Show full text]
  • Guide De L'open Source
    GUIDE DE L'OPEN SOURCE I .T IS OPE N PREAMBULE SMILE Smile est une société d’ingénieurs experts dans la mise en œuvre de solutions open source et l’intégration de systèmes appuyés sur l’open source. Smile est membre de l’APRIL, l’association pour la promotion et la défense du logiciel libre, du PLOSS – le réseau des entreprises du Logiciel Libre en Ile-de-France et du CNLL – le conseil national du logiciel libre. Smile compte plus de 1200 collaborateurs dans le monde ce qui en fait le premier intégrateur français et européen de solutions open source. Depuis 2000, environ, Smile mène une action active de veille technologique qui lui permet de découvrir les produits les plus prometteurs de l’open source, de les qualifier et de les évaluer, de manière à proposer à ses clients les produits les plus aboutis, les plus robustes et les plus pérennes. Cette démarche a donné lieu à toute une gamme de livres blancs couvrant différents domaines d’application. La gestion de contenus (2004), les portails (2005), la business intelligence (2006), la virtualisation (2007), la gestion électronique de documents (2008), les PGIs/ERPs (2008), les VPN open source (2009), les Firewall et Contrôle de flux (2009), les Middleware orientés messages (2009), l’ecommerce et les Réseaux Sociaux d'Entreprise (2010), le Guide de l’open source et NoSQL (2011), Mobile et Recensement et audit (2012), et plus récemment Big Data et ERP open source pour l’e-commerce (2014). Chacun de ces ouvrages présente une sélection des meilleures solutions open source dans le domaine considéré, leurs qualités respectives, ainsi que des retours d’expérience opérationnels.
    [Show full text]
  • Testsmelldescriber Enabling Developers’ Awareness on Test Quality with Test Smell Summaries
    Bachelor Thesis January 31, 2018 TestSmellDescriber Enabling Developers’ Awareness on Test Quality with Test Smell Summaries Ivan Taraca of Pfullendorf, Germany (13-751-896) supervised by Prof. Dr. Harald C. Gall Dr. Sebastiano Panichella software evolution & architecture lab Bachelor Thesis TestSmellDescriber Enabling Developers’ Awareness on Test Quality with Test Smell Summaries Ivan Taraca software evolution & architecture lab Bachelor Thesis Author: Ivan Taraca, [email protected] URL: http://bit.ly/2DUiZrC Project period: 20.10.2018 - 31.01.2018 Software Evolution & Architecture Lab Department of Informatics, University of Zurich Acknowledgements First of all, I like to thank Dr. Harald Gall for giving me the opportunity to write this thesis at the Software Evolution & Architecture Lab. Special thanks goes out to Dr. Sebastiano Panichella for his instructions, guidance and help during the making of this thesis, without whom this would not have been possible. I would also like to express my gratitude to Dr. Fabio Polomba, Dr. Yann-Gaël Guéhéneuc and Dr. Nikolaos Tsantalis for providing me access to their research and always being available for questions. Last, but not least, do I want to thank my parents, sisters and nephews for the support and love they’ve given all those years. Abstract With the importance of software in today’s society, malfunctioning software can not only lead to disrupting our day-to-day lives, but also large monetary damages. A lot of time and effort goes into the development of test suites to ensure the quality and accuracy of software. But how do we elevate the quality of test code? This thesis presents TestSmellDescriber, a tool with the ability to generate descriptions detailing potential problems in test cases, which are collected by conducting a Test Smell analysis.
    [Show full text]
  • Apache Ofbiz™
    Getting Started with Apache OFBiz™ In 5 Easy Steps Ruth Hoffman Last Updated June 2010 Title: Getting Started with Apache OFBiz® In 5 Easy Steps Author: Ruth Hoffman ©2009-2010 Ruth Hoffman, All Rights Reserved ISBN 978-0-9842907-2-7 About the Author: Ruth Hoffman has over 25 years of computer industry experience. She began her career designing and writing real-time command & control systems. From there, she moved into software engineering and technical marketing where she was responsible for operating systems, database and infrastructure product management, marketing and sales support. She has held roles in project management, training and software sales. Over the last several years, she has moved back to her roots designing and implementing complex enterprise software systems using state-of-the-art open source tech- nologies. As an advocate of OFBiz, she has been using the OFBiz project software since early 2000 for a variety of successful enterprise projects including numerous e-commerce and ERP implementations. Her most recent project, myOFBiz.com, is an endeavor to use OFBiz exclusively to develop, market and distribute the highest quality learning resources for and about OFBiz. Please visit the website at: http://www.myofbiz.com ©2010 Ruth Hoffman, All Rights Reserved Page 2 Getting Started with Apache OFBiz® in 5 Easy Steps Table of Contents Introduction ............................................................................................................................................................4 Purpose ...............................................................................................................................................................4
    [Show full text]