4,614 research outputs found

    Understanding Expressions of Unwanted Behaviors in Open Bug Reporting

    Open bug reporting allows end-users to express a vast array of unwanted software behaviors. However, users' expectations often clash with developers' implementation intents. We created a classification of seven common expectation violations cited by end-users in bug report descriptions and applied it to 1,000 bug reports from the Mozilla project. Our results show that users largely described bugs as violations of their own personal expectations, of specifications, or of the user community's expectations. We found a correlation between a reporter's expression of which expectation was being violated and whether or not the bug would eventually be fixed. Specifically, when bugs were expressed as violations of community expectations rather than personal expectations, they had a better chance of being fixed.

    Got Issues? Who Cares About It? A Large Scale Investigation of Issue Trackers from GitHub

    Feedback from software users constitutes a vital part in the evolution of software projects. By filing issue reports, users help identify and fix bugs, document software code, and enhance the software via feature requests. Many studies have explored issue reports, proposed approaches to enable the submission of higher-quality reports, and presented techniques to sort, categorize and leverage issues for software engineering needs. Who, however, cares about filing issues? What kind of issues are reported in issue trackers? What kind of correlation exists between issue reporting and the success of software projects? In this study, we address the need for answering such questions by performing an empirical study on a hundred thousand open source projects. After filtering relevant trackers, the study used about 20,000 projects. We investigate and answer various research questions on the popularity and impact of issue trackers.

    What Developers Want and Need from Program Analysis: An Empirical Study

    Program Analysis has been a rich and fruitful field of research for many decades, and countless high quality program analysis tools have been produced by academia. Though there are some well-known examples of tools that have found their way into routine use by practitioners, a common challenge faced by researchers is knowing how to achieve broad and lasting adoption of their tools. In an effort to understand what makes a program analyzer most attractive to developers, we mounted a multi-method investigation at Microsoft. Through interviews and surveys of developers as well as analysis of defect data, we provide insight and answers to four high level research questions that can help researchers design program analyzers meeting the needs of software developers. First, we explore what barriers hinder the adoption of program analyzers, like poorly expressed warning messages. Second, we shed light on what functionality developers want from analyzers, including the types of code issues that developers care about. Next, we answer what non-functional characteristics an analyzer should have to be widely used, how the analyzer should fit into the development process, and how its results should be reported. Finally, we investigate defects in one of Microsoft's flagship software services, to understand what types of code issues are most important to minimize, potentially through program analysis.

    Utilizing Software Analytics to Guide Software Development

    Modern software systems often produce vast amounts of software usage data. Previous work, however, has indicated that such data is often left unutilized. This leaves a gap for methods and practices that put the data to use. The objective of this thesis is to determine and test concrete methods for utilizing software usage data and to learn what use cases and benefits can be achieved via such methods. The study consists of two interconnected parts. Firstly, a semi-structured literature review is conducted to identify methods and use cases for software usage data. Secondly, a subset of the identified methods is experimented with by conducting a case study to determine how developers and managers experience the methods. We found that there exists a wide range of methods for utilizing software usage data. Via these methods, a wide range of software development-related use cases can be fulfilled. However, in practice, apart from debugging purposes, software usage data is largely left unutilized. Furthermore, developers and managers share a positive attitude towards employing methods of utilizing software usage data. In conclusion, software usage data has a lot of potential. Besides, developers and managers are interested in putting software usage data utilization methods to use. Furthermore, the information available via these methods is difficult to replace. In other words, methods for utilizing software usage data can provide irreplaceable information that is relevant and useful for both managers and developers. Therefore, practitioners should consider introducing methods for utilizing software usage data in their development practices.

    DDoS-Capable IoT Malwares: comparative analysis and Mirai Investigation

    The Internet of Things (IoT) revolution has not only carried the astonishing promise to interconnect a whole generation of traditionally “dumb” devices, but also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flooding of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples on how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malwares in IoT networks, highlighting how recent data support our concerns about the growing popularity of these malwares. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far.

    COORDINATION BY REASSIGNMENT IN THE FIREFOX COMMUNITY

    According to the so-called mirroring hypothesis, the structure of an organization tends to replicate the technical dependencies among the different components in the product (or service) that the organization is developing. An explanation for this phenomenon is that socio-technical alignment, which can be measured by the congruence of technical dependencies and human relations (Cataldo et al., 2008), leads to more efficient coordination. In this context, we suggest that a key organizational capability, especially in fast-changing environments, is to quickly reorganize in response to new opportunities or simply in order to solve problems more efficiently. To back up our suggestion, we study the dynamics of congruence between task dependencies and expert attention within the Firefox project, as reported to the Bugzilla bug tracking system. We identify in this database several networks of interrelated problems, known as bug report networks (Sandusky et al., 2004). We show that the ability to reassign bugs to other developers within each bug report network does indeed correlate positively with the average level of congruence achieved on each bug report network. Furthermore, when bug report networks are grouped according to common experts, we find preliminary evidence that the relationship between congruence and assignments could be different from one group to the other.

    IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT

    With the rapid growth of the Internet-of-Things (IoT), concerns about the security of IoT devices have become prominent. Several vendors are producing IP-connected devices for home and small office networks that often suffer from flawed security designs and implementations. They also tend to lack mechanisms for firmware updates or patches that can help eliminate security vulnerabilities. Securing networks where the presence of such vulnerable devices is given requires a brownfield approach: applying necessary protection measures within the network so that potentially vulnerable devices can coexist without endangering the security of other devices in the same network. In this paper, we present IOT SENTINEL, a system capable of automatically identifying the types of devices being connected to an IoT network and enabling enforcement of rules for constraining the communications of vulnerable devices so as to minimize damage resulting from their compromise. We show that IOT SENTINEL is effective in identifying device types and has minimal performance overhead.