Secure Tropos framework for software product lines requirements engineering

Security and requirements engineering are two of the most important factors of success in the development of a software product line (SPL) due to the complexity and extensive nature of them, given that a weakness in security can cause problems throughout the products of a product line. Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed in the literature as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, on one hand, goal-driven security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing “SecureTropos-SPL” framework, an extension to Secure Tropos to support SPL security requirements engineering which is based on security goals and driven by security risks

Modeling Business Process Variability

This master thesis presents research findings on business process variability modeling. Its main goal is to analyze inherent problems of business process variability and solve them simply, innovatively and effectively. To achieve this goal, process variability is defined by analyzing scientific literature, its main problems identified and is illustrated using a healthcare running example: process variability is classified into process variability within the domain space and over time. These two forms of process variability respectively lead to process variability modeling and process model evolution problems. After defining the main problems inherent to process variability, the focus of this research project is defined: solving process variability modeling problems. First current business process modeling languages are evaluated to assess the effectiveness of their respective modeling concepts when modeling process variability, using a newly created set of evaluation criteria and the healthcare running example. The following business process modeling languages are evaluated: Event driven process chains (EPC), the Business Process Modeling Notation (BPMN) and Configurable EPC (C-EPC). Business process variability modeling and Software product line engineering have similar problems. Therefore the variability modeling concepts developed by software product line engineering are analyzed. Feature diagrams and software configuration management are the main variability management concepts provided by software product line engineering. To apply these variability management concepts to model process variability meant combining them with existing business modeling languages. Riebisch feature diagrams are combined with C-EPC to form Feature-EPC. Applying software configuration management, meant merging Change Oriented Versioning with basic EPC to create COV-EPC, and merging the Proteus Configuration Language with basic EPC to design PCL-EPC. Finally these newly created business process modeling languages are also evaluated using the newly designed evaluation criteria and the healthcare running example. EPC or BPMN are not suited to model business process variability within the domain space. C-EPC provide explicit means to model business process variability, however the process models tend to get big very fast. Furthermore the syntax, the contextual constraints and the semantics of the configuration requirements and guidelines used to configure the C-EPC process models are unclear. Feature-EPC improve C-EPC with domain modeling capability and clearly defined configuration rules: their syntax, contextual constraints and semantics have been clearly defined using a context free grammar in Backus-Naur form. Furthermore, consistent combinations of features and configuration rules are ensured using respectively constraints and a conflict resolution algorithm. However, Feature-EPC and C-EPC suffer from the same weakness: large configurable process models. In COV-EPC and PCL-EPC the problem of large configurable process models is solved. COV-EPC ensures consistent combinations of options and configuration rules using respectively validities and a conflict resolution algorithm. PCL-EPC guarantees consistent combinations of process fragments by means of a PCL specification

Traceability for Model Driven, Software Product Line Engineering

Traceability is an important challenge for software organizations. This is true for traditional software development and even more so in new approaches that introduce more variety of artefacts such as Model Driven development or Software Product Lines. In this paper we look at some aspect of the interaction of Traceability, Model Driven development and Software Product Line

An Empirical Study on Decision making for Quality Requirements

[Context] Quality requirements are important for product success yet often handled poorly. The problems with scope decision lead to delayed handling and an unbalanced scope. [Objective] This study characterizes the scope decision process to understand influencing factors and properties affecting the scope decision of quality requirements. [Method] We studied one company's scope decision process over a period of five years. We analyzed the decisions artifacts and interviewed experienced engineers involved in the scope decision process. [Results] Features addressing quality aspects explicitly are a minor part (4.41%) of all features handled. The phase of the product line seems to influence the prevalence and acceptance rate of quality features. Lastly, relying on external stakeholders and upfront analysis seems to lead to long lead-times and an insufficient quality requirements scope. [Conclusions] There is a need to make quality mode explicit in the scope decision process. We propose a scope decision process at a strategic level and a tactical level. The former to address long-term planning and the latter to cater for a speedy process. Furthermore, we believe it is key to balance the stakeholder input with feedback from usage and market in a more direct way than through a long plan-driven process

Analysis of Software Binaries for Reengineering-Driven Product Line Architecture\^aAn Industrial Case Study

This paper describes a method for the recovering of software architectures from a set of similar (but unrelated) software products in binary form. One intention is to drive refactoring into software product lines and combine architecture recovery with run time binary analysis and existing clustering methods. Using our runtime binary analysis, we create graphs that capture the dependencies between different software parts. These are clustered into smaller component graphs, that group software parts with high interactions into larger entities. The component graphs serve as a basis for further software product line work. In this paper, we concentrate on the analysis part of the method and the graph clustering. We apply the graph clustering method to a real application in the context of automation / robot configuration software tools.Comment: In Proceedings FMSPLE 2015, arXiv:1504.0301

Context for goal-level product line derivation

Product line engineering aims at developing a family of products and facilitating the derivation of product variants from it. Context can be a main factor in determining what products to derive. Yet, there is gap in incorporating context with variability models. We advocate that, in the first place, variability originates from human intentions and choices even before software systems are constructed, and context influences variability at this intentional level before the functional one. Thus, we propose to analyze variability at an early phase of analysis adopting the intentional ontology of goal models, and studying how context can influence such variability. Below we present a classification of variation points on goal models, analyze their relation with context, and show the process of constructing and maintaining the models. Our approach is illustrated with an example of a smarthome for people with dementia problems. 1

Towards guidelines for building a business case and gathering evidence of software reference architectures in industry

Background: Software reference architectures are becoming widely adopted by organizations that need to support the design and maintenance of software applications of a shared domain. For organizations that plan to adopt this architecture-centric approach, it becomes fundamental to know the return on investment and to understand how software reference architectures are designed, maintained, and used. Unfortunately, there is little evidence-based support to help organizations with these challenges. Methods: We have conducted action research in an industry-academia collaboration between the GESSI research group and everis, a multinational IT consulting firm based in Spain. Results: The results from such collaboration are being packaged in order to create guidelines that could be used in similar contexts as the one of everis. The main result of this paper is the construction of empirically-grounded guidelines that support organizations to decide on the adoption of software reference architectures and to gather evidence to improve RA-related practices. Conclusions: The created guidelines could be used by other organizations outside of our industry-academia collaboration. With this goal in mind, we describe the guidelines in detail for their use.Peer ReviewedPostprint (published version