28,560 research outputs found

    Threats Management Throughout the Software Service Life-Cycle

    Software services are inevitably exposed to a fluctuating threat picture. Unfortunately, not all threats can be handled only with preventive measures during design and development, but also require adaptive mitigations at runtime. In this paper we describe an approach where we model composite services and threats together, which allows us to create preventive measures at design-time. At runtime, our specification also allows the service runtime environment (SRE) to receive alerts about active threats that we have not handled, and react to these automatically through adaptation of the composite service. A goal-oriented security requirements modelling tool is used to model business-level threats and analyse how they may impact goals. A process flow modelling tool, utilising Business Process Model and Notation (BPMN) and standard error boundary events, allows us to define how threats should be responded to during service execution on a technical level. Throughout the software life-cycle, we maintain threats in a centralised threat repository. Re-use of these threats extends further into monitoring alerts being distributed through a cloud-based messaging service. To demonstrate our approach in practice, we have developed a proof-of-concept service for the Air Traffic Management (ATM) domain. In addition to the design-time activities, we show how this composite service duly adapts itself when a service component is exposed to a threat at runtime. Comment: In Proceedings GraMSec 2014, arXiv:1404.163

    Modelling security properties in a grid-based operating system with anti-goals


    Relevance, benefits, and problems of software modelling and model driven techniques—A survey in the Italian industry

    Context: Claimed benefits of software modelling and model driven techniques are improvements in productivity, portability, maintainability and interoperability. However, little effort has been devoted to collecting evidence to evaluate their actual relevance, benefits and usage complications. Goal: The main goals of this paper are: (1) assess the diffusion and relevance of software modelling and MD techniques in the Italian industry, (2) understand the expected and achieved benefits, and (3) identify which problems limit/prevent their diffusion. Method: We conducted an exploratory personal opinion survey with a sample of 155 Italian software professionals by means of a Web-based questionnaire on-line from February to April 2011. Results: Software modelling and MD techniques are very relevant in the Italian industry. The adoption of simple modelling brings common benefits (better design support, documentation improvement, better maintenance, and higher software quality), while MD techniques make it easier to achieve: improved standardization, higher productivity, and platform independence. We identified problems, some hindering adoption (too much effort required and limited usefulness) others preventing it (lack of competencies and supporting tools). Conclusions: The relevance represents an important objective motivation for researchers in this area. The relationship between techniques and attainable benefits represents an instrument for practitioners planning the adoption of such techniques. In addition the findings may provide hints for companies and universitie

    BOF4WSS : a business-oriented framework for enhancing web services security for e-business

    When considering Web services' (WS) use for online business-to-business (B2B) collaboration between companies, security is a complicated and very topical issue. This is especially true with regard to reaching a level of security beyond the technological layer, that is supported and trusted by all businesses involved. With appreciation of this fact, our research draws from established development methodologies to develop a new, business-oriented framework (BOF4WSS) to guide e-businesses in defining, and achieving agreed security levels across these collaborating enterprises. The approach envisioned is such that it can be used by businesses, in a joint manner, to manage the comprehensive concern that security in the WS environment has become

    Six reasons for rejecting an industrial survey paper

    Context: Despite their importance in any empirically based research program, industrial surveys are not very common in the software engineering literature. In our experience, a possible reason is their difficulty of publication. Goal: We would like to understand what are the issues that may prevent the publication of papers reporting industrial surveys. Method: In this preliminary work, we analyzed the surveys we conducted and extracted the main lessons learned in terms of issues and problems. Results: The most common criticisms posed to industrial surveys are: lack of novelty, limitation of the geographic scope and sampling issues. Conclusions: Most objections that led to reject a survey paper actually are not easy to overcome and others are not so serious. These objections could restrain researchers from conducting this type of studies that represent an important methodological asset. For these reasons, we think that reviewers should be less severe to judge survey papers provided that all the limitations of the study are well explained and highlighte

    Towards a reference framework for open source software adoption

    Nowadays, the use of Open Source Software (OSS) components has become a driver for the primary and secondary information technology (IT) sector, among other factors, by the openness and innovation benefits that can give to the organizations, regardless of its business model and activities' nature. Nevertheless, IT companies and organizations still face numerous difficulties and challenges when making the strategic move to OSS. OSS is aligned with new challenges, which mainly derive from the way OSS is produced and the culture and values of OSS communities. In fact, OSS adoption impacts far beyond technology, because it requires a change in the organizational culture and reshaping IT decision-makers' mindset. Therefore, this research work proposes a framework to support OSS adopters (i.e., software-related organizations that develop software and/or offer services related to software) to analyze and evaluate the impact of adopting OSS as part of their software products and/or services offered to their customers/users, mainly in terms of their software related activities. Peer Reviewed. Postprint (published version

    BIM: a technology acceptance model in Peru

    The purpose of this paper is to empirically study factors that facilitate the adoption of building information modelling (BIM) among practitioners using the unified theory of technology acceptance model (TAM). The factors identified in the TAM were examined using a quantitative approach. The empirical investigation has been conducted using a survey questionnaire. The data set has been obtained from 73 architects and engineers in Peru. Results show that Perceived Usefulness (PU) is the most important determinant of Behavioural Intention (BI), while Perceived Ease of Use (PEOU) is found to have no significant effect on BI. The findings provide an excellent backdrop in the development of policy and a roadmap for BIM implementation in Peru. The original contribution and value of the paper is the use of TAM to provide empirical evidence on factors that facilitate BIM adoption in Peru

    The use of iStar in situational method engineering: an ongoing study

    Context: Situational Method Engineering (SME) is the discipline that aims at the systematic definition of methods adapted to specific contexts of use (situations). The use of goal-oriented methods for supporting SME is an active research line where the iStar 2.0 language is applied. Objective: We plan to conduct an experiment to investigate some designated pragmatic qualities, namely the perceived usefulness, ease of use and accuracy of iStar 2.0 when used in the SME context. Method: This paper presents our current work on designing an empirical study for the use of iStar 2.0 in SME. Next steps: We plan to refine our current study and run pilots until our measurement tools and sample population are ready for experimental execution. Peer Reviewed. Postprint (published version

    Methods for anticipating governance breakdown and violent conflict

    In this paper, authors Sarah Bressan, Håvard Mokleiv Nygård, and Dominic Seefeldt present the evolution and state of the art of both quantitative forecasting and scenario-based foresight methods that can be applied to help prevent governance breakdown and violent conflict in Europe’s neighbourhood. In the quantitative section, they describe the different phases of conflict forecasting in political science and outline which methodological gaps EU-LISTCO’s quantitative sub-national prediction tool will address to forecast tipping points for violent conflict and governance breakdown. The qualitative section explains EU-LISTCO’s scenario-based foresight methodology for identifying potential tipping points. After comparing both approaches, the authors discuss opportunities for methodological advancements across the boundaries of quantitative forecasting and scenario-based foresight, as well as how they can inform the design of strategic policy options