4 research outputs found

    Pull request latency explained: an empirical overview

    Pull request latency evaluation is an essential application of effort evaluation in the pull-based development scenario. It can help the reviewers sort the pull request queue, remind developers about the review processing time, speed up the review process and accelerate software development. There is a lack of work that systematically organizes the factors that affect pull request latency. Also, there is no related work discussing the differences and variations in characteristics in different scenarios and contexts. In this paper, we collected relevant factors through a literature review approach. Then we assessed their relative importance in five scenarios and six different contexts using the mixed-effects linear regression model. The most important factors differ in different scenarios. The length of the description is most important when pull requests are submitted. The existence of comments is most important when closing pull requests, using CI tools, and when the contributor and the integrator are different. When there exist comments, the latency of the first comment is the most important. Meanwhile, the influence of factors may change in different contexts. For example, the number of commits in a pull request has a more significant impact on pull request latency when closing than submitting due to changes in contributions brought about by the review process. Both human and bot comments are positively correlated with pull request latency. In contrast, the bot’s first comments are more strongly correlated with latency, but the number of comments is less correlated. Future research and tool implementation need to consider the impact of different contexts. Researchers can conduct related studies based on our publicly available datasets and replication scripts.

    An exploratory study based on a framework for selecting agile practices (Um estudo exploratório a partir de um framework para seleção de práticas ágeis)

    Dissertation (master's) - Universidade Federal de Santa Catarina, Centro Tecnológico. Programa de Pós-Graduação em Ciência da Computação. The main objective of agile methods is to promote efficient software development through practices that prioritize communication with the client and frequent deliveries. Each agile method presents its unique set of practices. This diversity of practices may lead to the definition of new agile processes that include only the more appropriate practices from these methods. The problem, however, is that combining practices from different methods does not guarantee that the resulting process can be considered agile. This work assesses the agility of a set of practices of a framework for selecting agile practices and seeks to identify which practices provide more harmony when used in the same process. The agility of the practices is evaluated using data from a large online survey and the harmony between them is identified by the technique of cluster analysis. The best results were presented by the practices of Continuous integration, Side by side development and Acceptance tests. The cluster analysis resulted in four practice groups: the first with System architectural design and Requirements list; the second with Collective code ownership, Continuous integration, Refactoring and Acceptance tests; the third with Iteration design and General modeling; and the fourth with Side by side development and Daily meetings.

    A Novel Practice-Based Process Model for Secure Agile Software Development

    Nigeria is ranked second globally after India in reported incidences of cyberattacks. Attackers usually exploit vulnerabilities in software which may not have considered security features during the development process. Agile methodologies are a well-established paradigm in the software development field. Their adoption has contributed to improving software quality. However, agile software products remain vulnerable to security challenges and susceptible to cyberattacks. Agile methods also tend to neglect non-functional requirements such as security. Despite its significance, there is a paucity of research addressing security. The problem tackled in this research is the lack of security practices integration in agile software development. Thus, this thesis aims to improve security of the software development process when using agile methods through the developed secure process model. The methodology arising from the research context is a multi-methods qualitative approach divided into four phases involving 35 practitioners from 17 organisations. The first phase describes an exploratory case study conducted to empirically explore the agile security practices adopted by software developers and security professionals in the United Kingdom (UK). The second phase involves conducting semi-structured interviews to investigate the impact of regulatory policy for building secure agile software in Nigeria. The third phase developed a novel practice-based agile software development process model derived from the results of the interview data analysis conducted. Finally, the model was preliminarily validated through a focus group comprising 5 senior agile cybersecurity professionals to evaluate its relevancy and novelty. The focus group was conducted online, comprising predominantly UK practitioners previously interviewed, along with a few participants who were not involved in the earlier stages of data collection.
The model was also applied at a Nigerian company involved in secure agile software development. Using the adopted methodology, this thesis presents a taxonomy of security practices identified in the UK research sites. They were categorized according to agile use in the organisation: roles, ceremonies, and artefacts. Based on the analysis of interviews conducted in Nigeria, a grounded theory of the security challenges confronting agile practitioners was also developed, which was termed the Policy Adherence Challenges (PAC) model. The four challenges identified are: (a) a lack of collaboration between security and agile teams; (b) the tendency to use foreign software hosting companies; (c) a poor cybersecurity culture; and (d) the high cost of building secure agile software. Also, the model developed in this thesis used swim lane diagrams to highlight the process flow of security activities. 24 security practices were identified and organized into a process flow. The practices were mapped onto five swim lanes, each representing an agile role. The preliminary model evaluation conducted through a focus group workshop proposed a new practice, in response to an observed lack of collaborative ceremonies, to disseminate awareness of and hence compliance with security standards. Further evaluation of the secure process model led to several positive changes in the chosen organisation. These include enhanced collaboration through introducing security retrospective sessions, intervention to reduce the manager’s work tasks by introducing a security champion role, and action to enhance team security competence by reducing the collaborative gap with senior roles, which form mitigation mechanisms to improve regulatory compliance in the global south context. This research recommends practitioners integrate practices such as the proposed “compliance sprint” to improve the security of their products, thereby reducing the incidences of cyberattacks.
Also, there is a need for government action by creating the enabling environment to ensure compliance with regulatory policies and security standards for practitioners developing secure software products.