516,397 research outputs found

    Vulnerability anti-patterns:a timeless way to capture poor software practices (Vulnerabilities)

    There is a distinct communication gap between the software engineering and cybersecurity communities when it comes to addressing recurring security problems, known as vulnerabilities. Many vulnerabilities are caused by software errors that are created by software developers. Insecure software development practices are common due to a variety of factors, which include inefficiencies within existing knowledge transfer mechanisms based on vulnerability databases (VDBs), software developers perceiving security as an afterthought, and lack of consideration of security as part of the software development lifecycle (SDLC). The resulting communication gap also prevents developers and security experts from successfully sharing essential security knowledge. The cybersecurity community makes its expert knowledge available in forms including vulnerability databases such as CAPEC and CWE, and pattern catalogues such as Security Patterns, Attack Patterns, and Software Fault Patterns. However, these sources are not effective at providing software developers with an understanding of how malicious hackers can exploit vulnerabilities in the software systems they create. As developers are familiar with pattern-based approaches, this paper proposes the use of Vulnerability Anti-Patterns (VAP) to transfer usable vulnerability knowledge to developers, bridging the communication gap between security experts and software developers. The primary contribution of this paper is twofold: (1) it proposes a new pattern template – Vulnerability Anti-Pattern – that uses anti-patterns rather than patterns to capture and communicate knowledge of existing vulnerabilities, and (2) it proposes a catalogue of Vulnerability Anti-Patterns (VAP) based on the most commonly occurring vulnerabilities that software developers can use to learn how malicious hackers can exploit errors in software.

    Coordination in Open Source versus Commercial Software Development

    Process patterns based on particular coordination mechanisms have been used to describe and understand the work practices of commercial software development. However, there has not been much work done on whether the specific coordination mechanisms noticed in commercial software development are indeed applicable to Open Source software development projects. Such an analysis can help managers of Open Source projects in coordinating their projects. In this paper we explore whether three commercial software development patterns are applicable to Open Source software development projects. We do this through an analysis of published case studies.

    Detecting Coordination Problems in Collaborative Software Development Environments

    Software development is rarely an individual effort and generally involves teams of developers collaborating to generate good, reliable code. Within the software code there exist technical dependencies that arise from software components using services from other components. The different ways of assigning the design, development, and testing of these software modules to people can cause various coordination problems among them. We claim that the collaboration of the developers, designers and testers must be related to and governed by the technical task structure. These collaboration practices are handled in what we call Socio-Technical Patterns. The TESNA project (Technical Social Network Analysis) we report on in this paper addresses this issue. We propose a method and a tool that a project manager can use in order to detect socio-technical coordination problems. We test the method and tool in a case study of a small and innovative software product company.

    The Use of Software Design Patterns to Teach Secure Software Design: An Integrated Approach

    Part 2: Software Security Education. During software development, security is often dealt with as an add-on. This means that security considerations are not necessarily seen as an integral part of the overall solution and might even be left out of a design. For many security problems, the approach towards secure development has recurring elements. Software design patterns are often used to address a commonly occurring problem through a “generic” approach towards this problem. The design pattern provides a conceptual model of a best-practices solution, which in turn is used by developers to create a concrete implementation for their specific problem. Most software design patterns do not include security best practices as part of the generic solution towards the commonly occurring problem. This paper proposes an extension to the widely used MVC pattern that includes current security principles in order to teach secure software design in an integrated fashion.

    DevOps in Practice -- A preliminary Analysis of two Multinational Companies

    DevOps is a cultural movement that aims at the collaboration of all the stakeholders involved in the development, deployment and operation of software to deliver a quality product or service in the shortest possible time. DevOps is relatively recent, and companies have developed their DevOps practices largely from scratch. Our research aims to conduct an analysis on practicing DevOps in +20 software-intensive companies to provide patterns of DevOps practices and identify their benefits and barriers. This paper presents the preliminary analysis of an exploratory case study based on interviews with relevant stakeholders of two (multinational) companies. The results show the benefits (software delivery performance) and barriers that these companies are dealing with, as well as the DevOps team topology they adopted during their DevOps transformation. This study aims to help practitioners and researchers to better understand DevOps transformations and the contexts where the practices worked. This, hopefully, will contribute to strengthening the evidence regarding DevOps and supporting practitioners in making better informed decisions about the return on investment when adopting DevOps. Comment: 8 pages, 1 figure, 2 tables, conference

    Communication Patterns and Strategies in Software Development Communities of Practice

    Some of the greatest challenges in the relatively new field of software development lie in the decidedly old technology of communication between humans. Software projects require sophisticated and varied communication skills because software developers work in a world of incomplete, imperfect information where teams evolve rapidly in response to evolving requirements and changing collaborators. While prescriptive models for software process such as Agile suggest ways of doing, in reality these codified practices must adapt to the complexities of a real workplace. Patterns, rather than rules of behavior within software process, are more suitable to the varied and mutable nature of software development. Software development communities are also learning communities, attempting to sustain themselves through internal ambiguity and external changes. We study different types of software development communities to fulfill our goal of understanding how these communities implement and evolve different communication strategies to sustain themselves through change. We observe student software development projects, open source software development, and a professional, rigorously Agile software development community. We employ Wenger's concept of Community of Practice to frame our understanding, especially focusing on the notions of identity, participation, reification, negotiation of meaning and trajectory of the participants of the software development communities. From these different sources, we identify the emergent themes of mentoring and knowledge management as critical for sustainable communities. Through our long-running, immersive, participant-observer, ethnographic study of the Agile software development community, we contribute both a quantitative and qualitative analysis of their communication practices and depict the evolving nature of their onboarding and mentoring strategies.
    We share our experience of implementing such an immersive industry ethnographic study. We employ a pattern language approach to capturing, analyzing and representing our results, thereby contributing and relating to the larger bodies of work in Scrum and Organizational Patterns. This work also informs our concurrent efforts to enhance our undergraduate computer science and software engineering curriculum, exposing students to the communication challenges of real software development and helping them to develop skills to meet these challenges through practice in inquiry, critique and reflection.

    An Ontology for Formalising Agreement Patterns in Auction Markets

    Knowledge and best practices on auction systems are currently disseminated across the research literature, which limits their access, reuse, evaluation and feedback by practitioners. This article presents a systematic approach to collect this knowledge as design patterns, in order to provide assistance to software developers. An ontology has been defined for formalising design patterns in auction systems, with the aim of improving their searchability by software developers. Finally, a case study illustrates how the proposed pattern ontology provides assistance in the development of a dynamic pricing model for an e-commerce service.

    A patterns based reverse engineering approach for java source code

    The ever-increasing number of platforms and languages available to software developers means that the software industry is reaching high levels of complexity. Model Driven Architecture (MDA) presents a solution to the problem of improving software development processes in this changing and complex environment. MDA-driven development is based on model definition and transformation. Design patterns provide a means to reuse proven solutions during development. Identifying design patterns in the models of an MDA approach helps their understanding, and also the identification of good practices during analysis. However, when analyzing or maintaining code that has not been developed according to MDA principles, or that has been changed independently from the models, the need arises to reverse engineer the models from the code prior to pattern identification. The approach presented herein consists in transforming source code into models, and inferring design patterns from these models. Erich Gamma's catalogued patterns provide us with a starting point for the pattern inference process. MapIt, the tool which implements these functionalities, is described. This work is funded by ERDF - European Regional Development Fund through the COMPETE Programme (operational programme for competitiveness) and by National Funds through the FCT Fundacao para a Ciencia e a Tecnologia (Portuguese Foundation for Science and Technology) within project FCOMP-01-0124-FEDER-015095.