An Approach Toward Implementing Continuous Security In Agile Environment

Traditionally, developers design software to accomplish a set of functions and then later add—or do not add—security measures, especially after the prevalence of the agile software development model. Consequently, there is an increased risk of security vulnerabilities that are introduced into the software in various stages of development. To avoid security vulnerabilities, there are many secure software development efforts in the directions of secure software development lifecycle process. The purpose of this thesis is to propose a software security assurance methodology and integrate it into the Msg Life organization’s development lifecycle based on security best practices that fulfill their needs in building secure software applications. Ultimately, the objective adhered to increasing the security maturity level according to the suggested security assurance roadmap and implemented partly in the context of this thesis.Tradicionalmente, os desenvolvedores projetam o software para realizar um conjunto de funções e, posteriormente, adicionam - ou não - medidas de segurança, especialmente após a prevalência do modelo de desenvolvimento ágil de software. Consequentemente, há um risco aumentado de vulnerabilidades de segurança que são introduzidas no software em vários estágios de desenvolvimento. Para evitar vulnerabilidades de segurança, existem muitos esforços no desenvolvimento de software nas direções dos processos do ciclo de vida desse mesmo software. O objetivo desta tese é propor uma metodologia de garantia de segurança de software e integrá-la ao ciclo de vida de desenvolvimento da Msg Life Company, com base nas melhores práticas de segurança que atendem às suas necessidades na criação de aplicativos de software seguros. Por fim, o objetivo aderiu ao aumento do nível de maturidade da segurança de acordo com o roteiro sugerido de garantia de segurança e implementado parcialmente no contexto desta tese

Automatic synthesis of SDL from MSC and its applications in forward and reverse engineering

Abstract Wider adoption of formal specification languages in industry is impeded by the lack of support for early development phases and for integration with older, legacy software. Methodology aimed at improving this situation is presented. The methodology uses Message Sequence Charts (MSC) as a "front-end" specification language and systematically applies an automatic synthesis technique to produce executable specifications in the telecommunications standard Specification and Description Language (SDL). Applications of the automatic synthesis technique for both forward and reverse engineering are demonstrated

An integrated search-based approach for automatic testing from extended finite state machine (EFSM) models

This is the post-print version of the Article - Copyright @ 2011 ElsevierThe extended finite state machine (EFSM) is a modelling approach that has been used to represent a wide range of systems. When testing from an EFSM, it is normal to use a test criterion such as transition coverage. Such test criteria are often expressed in terms of transition paths (TPs) through an EFSM. Despite the popularity of EFSMs, testing from an EFSM is difficult for two main reasons: path feasibility and path input sequence generation. The path feasibility problem concerns generating paths that are feasible whereas the path input sequence generation problem is to find an input sequence that can traverse a feasible path. While search-based approaches have been used in test automation, there has been relatively little work that uses them when testing from an EFSM. In this paper, we propose an integrated search-based approach to automate testing from an EFSM. The approach has two phases, the aim of the first phase being to produce a feasible TP (FTP) while the second phase searches for an input sequence to trigger this TP. The first phase uses a Genetic Algorithm whose fitness function is a TP feasibility metric based on dataflow dependence. The second phase uses a Genetic Algorithm whose fitness function is based on a combination of a branch distance function and approach level. Experimental results using five EFSMs found the first phase to be effective in generating FTPs with a success rate of approximately 96.6%. Furthermore, the proposed input sequence generator could trigger all the generated feasible TPs (success rate = 100%). The results derived from the experiment demonstrate that the proposed approach is effective in automating testing from an EFSM

Potential Errors and Test Assessment in Software Product Line Engineering

Software product lines (SPL) are a method for the development of variant-rich software systems. Compared to non-variable systems, testing SPLs is extensive due to an increasingly amount of possible products. Different approaches exist for testing SPLs, but there is less research for assessing the quality of these tests by means of error detection capability. Such test assessment is based on error injection into correct version of the system under test. However to our knowledge, potential errors in SPL engineering have never been systematically identified before. This article presents an overview over existing paradigms for specifying software product lines and the errors that can occur during the respective specification processes. For assessment of test quality, we leverage mutation testing techniques to SPL engineering and implement the identified errors as mutation operators. This allows us to run existing tests against defective products for the purpose of test assessment. From the results, we draw conclusions about the error-proneness of the surveyed SPL design paradigms and how quality of SPL tests can be improved.Comment: In Proceedings MBT 2015, arXiv:1504.0192

Comparative Evaluation of the State-of-art Requirements-based Test Case Generation Approaches

The overall aim of software testing is to deliver the error-free and high-quality software products to the end users. The testing process ensures that a software is aligned with the user specification and requirements.  In software testing process, there are many challenging tasks however test case generation process is considered as the most challenging one. The quality of the generated test cases has a significant impact on efficiency and effectiveness of the testing process.  In order to improve the quality of a developed software, the test cases should be able to achieve maximum adequacy in the testing and requirements' coverage. This paper presents a comparative evaluation of the prominent requirement-based test case generation approaches. Five evaluation criteria namely, inputs for test case generation, transformation techniques, coverage criteria, time and tool's support are defined to systematically compare the approaches. The results of the evaluation are used to identify the gap in the current approaches and research opportunities in requirement-based test case's generation.

An Infrastructure to Support Interoperability in Reverse Engineering

An infrastructure that supports interoperability among reverse engineering tools and other software tools is described. The three major components of the infrastructure are: (1) a hierarchy of schemas for low- and middle-level program representation graphs, (2) g4re, a tool chain for reverse engineering C++ programs, and (3) a repository of reverse engineering artifacts, including the previous two components, a test suite, and tools, GXL instances, and XSLT transformations for graphs at each level of the hierarchy. The results of two case studies that investigated the space and time costs incurred by the infrastructure are provided. The results of two empirical evaluations that were performed using the api module of g4re, and were focused on computation of object-oriented metrics and three-dimensional visualization of class template diagrams, respectively, are also provided

Semantic discovery and reuse of business process patterns

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.In modern organisations business process modelling has become fundamental due to the increasing rate of organisational change. As a consequence, an organisation needs to continuously redesign its business processes on a regular basis. One major problem associated with the way business process modelling (BPM) is carried out today is the lack of explicit and systematic reuse of previously developed models. Enabling the reuse of previously modelled behaviour can have a beneficial impact on the quality and efficiency of the overall information systems development process and also improve the effectiveness of an organisation’s business processes. In related disciplines, like software engineering, patterns have emerged as a widely accepted architectural mechanism for reusing solutions. In business process modelling the use of patterns is quite limited apart from few sporadic attempts proposed by the literature. Thus, pattern-based BPM is not commonplace. Business process patterns should ideally be discovered from the empirical analysis of organisational processes. Empiricism is currently not the basis for the discovery of patterns for business process modelling and no systematic methodology for collecting and analysing process models of business organisations currently exists. The purpose of the presented research project is to develop a methodological framework for achieving reuse in BPM via the discovery and adoption of patterns. The framework is called Semantic Discovery and Reuse of Business Process Patterns (SDR). SDR provides a systematic method for identifying patterns among organisational data assets representing business behaviour. The framework adopts ontologies (i.e., formalised conceptual models of real-world domains) in order to facilitate such discovery. The research has also produced an ontology of business processes that provides the underlying semantic definitions of processes and their constituent parts. The use of ontologies to model business processes represents a novel approach and combines advances achieved by the Semantic Web and BPM communities. The methodological framework also relates to a new line of research in BPM on declarative business processes in which the models specify what should be done rather than how to ‘prescriptively’ do it. The research follows a design science method for designing and evaluating SDR. Evaluation is carried out using real world sources and reuse scenarios taken from both the financial and educational domains