Software quality tools and techniques presented in FASE’17

Software quality assurance aims to ensure that the software product meets the quality standards expected by the customer. This special issue of Software Tools for Technology Transfer is concerned with the foundations on which software quality assurance is built. It introduces the papers that focus on this topic and that have been selected from the 20th International Conference on Fundamental Approaches to Software Engineering (FASE’17)

Selected contributions from the Open Source Software Certification (OpenCert) workshops

We present to you this special issue dedicated to the 2nd, 3rd and 4th editions of the International Workshop on Foundations and Techniques for Open Source Software Certification (OpenCert) held in 2008 (Milan, Italy), 2009 (York, UK) and 2010 (Pisa, Italy) respectively. This is a compilation of a selected set of extended papers presented at these workshops. OpenCert provides for a unique venue advancing the state of the art in the analysis and assurance of open source software with an ultimate aim of achieving certification and standards. The dramatic growth in open source software over recent years has provided for a fertile ground for fundamental research and demonstrative case studies. Over the years, OpenCert has enabled a thriving community, small but focused, examining issues ranging from certification to security and safety analysis for applications areas as diverse as railways, aviation, knowledge management, sustainable development, and the open source developers community

In-situ and nondestructive test methods applied to the design and construction of pile foundation projects in coastal Louisiana

Construction projects in coastal Louisiana often require pile foundations as a result of the soft soils present, which complicate cast‐in‐place foundation construction and provide minimal support to shallow foundations. During a driven pile project, the engineering phase will require soil characterization and pile capacity determination, while construction will require quality assurance. These three elements, soil characterization, capacity determination, and quality assurance, are commonly accomplished using in‐situ and nondestructive testing. In this thesis, the application of some of these in‐situ and nondestructive methodologies to a project in Coastal Louisiana are examined. The Louisiana Transportation Research Center (LTRC) has released computer software that aids in soil characterization and pile capacity determination using cone penetration testing. This software utilizes a probabilistic approach to soil classification, which calculates the probabilities of the tested soil being clay, silt, or sand. The software also provides pile capacity computations. However, the software does not employ a method that considers the pore water pressure measurements obtained by the piezocone. This research examines the Statistical to Fuzzy Approach Toward CPT Classification (Zhang, et al., 1999) and evaluates whether the soil type probabilities calculated by the method correlate to soil grain size distribution. This was accomplished by comparing laboratory grain size tests on soil samples with the processed data from nearby cone penetrometer soundings. Furthermore, the pile capacity methods utilized in the LTRC software are compared to pile load tests alongside a capacity prediction method that uses pore water pressure measurements. The intent is to determine whether this CPTu method (Fellenius, et al., 1997), yields more accurate results than those methods already included in the software. Finally, the Case damping constants used in high‐strain dynamic testing are evaluated against published recommended values. Although this damping constant is not a measurable soil parameter, it is related to grain size. Therefore, it should be possible to calibrate the high‐strain dynamic test for a range of acceptable damping values at a given site, provided the soil conditions do not vary significantly. This evaluation is accomplished by calibrating high‐strain dynamic test data to several full‐scale static load tests

Proceedings of the Third International Workshop on Proof-Carrying Code and Software Certification

This NASA conference publication contains the proceedings of the Third International Workshop on Proof-Carrying Code and Software Certification, held as part of LICS in Los Angeles, CA, USA, on August 15, 2009. Software certification demonstrates the reliability, safety, or security of software systems in such a way that it can be checked by an independent authority with minimal trust in the techniques and tools used in the certification process itself. It can build on existing validation and verification (V&V) techniques but introduces the notion of explicit software certificates, Vvilich contain all the information necessary for an independent assessment of the demonstrated properties. One such example is proof-carrying code (PCC) which is an important and distinctive approach to enhancing trust in programs. It provides a practical framework for independent assurance of program behavior; especially where source code is not available, or the code author and user are unknown to each other. The workshop wiII address theoretical foundations of logic-based software certification as well as practical examples and work on alternative application domains. Here "certificate" is construed broadly, to include not just mathematical derivations and proofs but also safety and assurance cases, or any fonnal evidence that supports the semantic analysis of programs: that is, evidence about an intrinsic property of code and its behaviour that can be independently checked by any user, intermediary, or third party. These guarantees mean that software certificates raise trust in the code itself, distinct from and complementary to any existing trust in the creator of the code, the process used to produce it, or its distributor. In addition to the contributed talks, the workshop featured two invited talks, by Kelly Hayhurst and Andrew Appel. The PCC 2009 website can be found at http://ti.arc.nasa.gov /event/pcc 091

Too Trivial To Test? An Inverse View on Defect Prediction to Identify Methods with Low Fault Risk

Background. Test resources are usually limited and therefore it is often not possible to completely test an application before a release. To cope with the problem of scarce resources, development teams can apply defect prediction to identify fault-prone code regions. However, defect prediction tends to low precision in cross-project prediction scenarios. Aims. We take an inverse view on defect prediction and aim to identify methods that can be deferred when testing because they contain hardly any faults due to their code being "trivial". We expect that characteristics of such methods might be project-independent, so that our approach could improve cross-project predictions. Method. We compute code metrics and apply association rule mining to create rules for identifying methods with low fault risk. We conduct an empirical study to assess our approach with six Java open-source projects containing precise fault data at the method level. Results. Our results show that inverse defect prediction can identify approx. 32-44% of the methods of a project to have a low fault risk; on average, they are about six times less likely to contain a fault than other methods. In cross-project predictions with larger, more diversified training sets, identified methods are even eleven times less likely to contain a fault. Conclusions. Inverse defect prediction supports the efficient allocation of test resources by identifying methods that can be treated with less priority in testing activities and is well applicable in cross-project prediction scenarios.Comment: Submitted to PeerJ C

A Security Pattern for Cloud service certification

Cloud computing is interesting from the economic, operational and even energy consumption perspectives but it still raises concerns regarding the security, privacy, governance and compliance of the data and software services offered through it. However, the task of verifying security properties in services running on cloud is not trivial. We notice the provision and security of a cloud service is sensitive. Because of the potential interference between the features and behavior of all the inter-dependent services in all layers of the cloud stack (as well as dynamic changes in them). Besides current cloud models do not include support for trust-focused communication between layers. We present a mechanism to implement cloud service certification process based on the usage of Trusted Computing technology, by means of its Trusted Computing Platform (TPM) implementation of its architecture. Among many security security features it is a tamper proof resistance built in device and provides a root of trust to affix our certification mechanism. We present as a security pattern the approach for service certification based on the use TPM.Universidad de Málaga. Campus de Excelencia Internacional Andalucía Tec

TCG based approach for secure management of virtualized platforms: state-of-the-art

There is a strong trend shift in the favor of adopting virtualization to get business benefits. The provisioning of virtualized enterprise resources is one kind of many possible scenarios. Where virtualization promises clear advantages it also poses new security challenges which need to be addressed to gain stakeholders confidence in the dynamics of new environment. One important facet of these challenges is establishing 'Trust' which is a basic primitive for any viable business model. The Trusted computing group (TCG) offers technologies and mechanisms required to establish this trust in the target platforms. Moreover, TCG technologies enable protecting of sensitive data in rest and transit. This report explores the applicability of relevant TCG concepts to virtualize enterprise resources securely for provisioning, establish trust in the target platforms and securely manage these virtualized Trusted Platforms