
    An agile model-driven method for involving end-users in DSL development

    Domain-specific languages (DSLs) are considered to be a powerful tool for enhancing the efficiency of software developers and bringing software development closer to end-users from complex domains. However, the successful development of a DSL for a complex domain is a challenge, both from the technical point of view and because end-user acceptance is key. Despite this fact, the relevant role of end-users during DSL development has traditionally been neglected. Normally, end-users participate at the beginning to communicate their preferences, but they do not participate again until the DSL is completely implemented. As a consequence, if the language to develop addresses a complex domain, the chances that errors appear in the DSL are higher, and solving them could involve large modifications that could have been avoided. As a solution, in this PhD thesis, we propose an agile, model-driven method to involve end-users in DSL development. This thesis researches whether the combination of best practices from the model-driven development (MDD) discipline and best practices from agile methods is a suitable approach to involve end-users in the DSL development process. In order to validate the proposal, we have selected a highly complex domain, the genetic analysis domain, and we have collaborated with geneticists from three organizations. The proposed method has been used to involve these geneticists in the development of a DSL for the creation of genetic analysis pipelines. Simultaneously, we have carried out an empirical experiment to validate whether end-users and developers were satisfied with the proposal. In summary, the main contributions of this PhD thesis are the design and implementation of an innovative, agile, model-driven method for involving end-users in DSL development, and the validation of this proposal in an industrial setting with a real DSL development.

    Villanueva Del Pozo, MJ. (2016). An agile model-driven method for involving end-users in DSL development [Unpublished doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/60156

    Integrated Hazard Identification (IHI): A Quick Accident Analysis and Quantification Method for Practitioners

    There are many techniques for hazard identification, which are divided into shortcut, standard and advanced techniques. Among these, HAZOP and What-If techniques are mostly used by practitioners in the chemical process industry. Both of these have certain advantages and limitations, i.e., HAZOP is structured, and What-If covers a broad range of scenarios. There is no hazard identification method that covers a broad range of scenarios and is also structured in nature. For this purpose, a new technique, namely integrated hazard identification (IHI), is proposed in this article that integrates HAZOP and What-If. The methodology is demonstrated via a hazard identification study of a urea synthesis section. Risk ranking is used to sort out the worst-case scenario. This worst-case scenario is further studied in detail for quantification, which is performed using the ALOHA software. This quantification has helped to detect ammonia concentrations in the nearby control room and surroundings for the worst-case scenario. It is revealed that if the ammonia pump is not stopped within 10 minutes, the concentration inside and outside the control room may reach 384 ppm and 2630 ppm, compared to 1100 ppm (AEGL-3). Thus the proposed method would be easy and time-saving, covers more details, and would be handy for practicing engineers working in different chemical process industries.

    Towards Cybersecurity by Design: A multi-level reference model for requirements-driven smart grid cybersecurity

    This paper provides a first step towards a reference model for end-to-end cybersecurity by design in the electricity sector. The envisioned reference model relies, among others, on the integrated consideration of two currently fragmented, but complementary, reference models: NISTIR 7628 and powerLang. As an underlying language architecture of choice, we rely on multi-level modeling, specifically on the Flexible Meta Modeling and Execution Language (FMMLx), as multi-level modeling supports a natural integration across the different abstraction levels inherent to reference models. This paper's contributions are the result of one full iteration of Wieringa's engineering cycle: for problem investigation, we describe the problems the reference model should address; for treatment design, we contribute the requirements the reference model should fulfill; for treatment implementation, we provide fragments of the reference model implemented in an integrated modeling and programming environment. Finally, for treatment evaluation, we perform expert interviews to check, among others, the artefact's relevance and utility.

    A Model-Driven Approach for the Design, Implementation, and Execution of Software Development Methods

    Software development projects are diverse in nature. For this reason, software companies are often forced to define their methods in-house. In order to define methods efficiently and effectively, software companies require systematic solutions that are built upon sound methodical foundations. Providing these solutions is the main goal of the Method Engineering discipline. Method Engineering is the discipline to design, construct, and adapt methods, techniques, and tools for the development of information systems. Over the last two decades, a lot of research work has been performed in this area. However, despite its potential benefits, Method Engineering is not widely used in industrial settings. Some of the causes of this reality are the high theoretical complexity of Method Engineering and the lack of adequate software support. In this thesis, we aim to mitigate some of the problems that affect Method Engineering by providing a novel methodological approach that is built upon Model-Driven Engineering (MDE) foundations. The use of MDE enables a rise in abstraction, automation, and reuse that allows us to alleviate the complexity of our Method Engineering approach. Furthermore, by leveraging MDE techniques (such as metamodeling, model transformations, and models at runtime), our approach supports three phases of the Method Engineering lifecycle: design, implementation, and execution. This is unlike traditional Method Engineering approaches, which, in general, only support one of these phases. In order to provide software support for our proposal, we developed a Computer-Aided Method Engineering (CAME) environment that is called MOSKitt4ME. To ensure that MOSKitt4ME offered the necessary functionality, we identified a set of functional requirements prior to developing the tool. Then, after these requirements were identified, we defined the architecture of our CAME environment, and, finally, we implemented the architecture in the context of Eclipse. The thesis work was evaluated by means of a study that involved the participation of end users. In this study, MOSKitt4ME was assessed by means of the Technology Acceptance Model (TAM) and the Think Aloud method. While the TAM allowed us to measure usefulness and ease of use in a subjective manner, the Think Aloud method allowed us to analyze these measures objectively. Overall, the results were favorable. MOSKitt4ME was highly rated in perceived usefulness and ease of use; we also obtained positive results with respect to the users' actual performance and the difficulty experienced.

    Cervera Úbeda, M. (2015). A Model-Driven Approach for the Design, Implementation, and Execution of Software Development Methods [Unpublished doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/53931

    DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

    This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However, there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.

    A new, evidence-based, theory for knowledge reuse in security risk analysis

    Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.

    Towards Automated Attack Simulations of BPMN-based Processes

    Process digitization and integration is an increasing need for enterprises, while cyber-attacks denote a growing threat. Using the Business Process Management Notation (BPMN) is common to handle the digital and integration focus within and across organizations. In other parts of the same companies, threat modeling and attack graphs are used for analyzing the security posture and resilience. In this paper, we propose a novel approach to use attack graph simulations on processes represented in BPMN. Our contributions are the identification of BPMN's attack surface, a mapping of BPMN elements to concepts in a Meta Attack Language (MAL)-based Domain-Specific Language (DSL), called coreLang, and a prototype to demonstrate our approach in a case study using a real-world invoice integration process. The study shows that non-invasively enriching BPMN instances with cybersecurity analysis through attack graphs is possible without much human expert input. The resulting insights into potential vulnerabilities could be beneficial for the process modelers.

    Comment: Submitted for review to EDOC 202

    Threat modeling in web applications

    Today's competitive and profit-driven online environment needs a web application to be highly secure, as it is going to be tested in all possible ways by attackers for any sign of vulnerability that can be converted into a big success for them in gaining maximum control of the software. In order to produce a secure application, it has to be securely built right from the design phase and throughout the software development life cycle. The most effective methodology for implementing this is threat modeling. There have been a lot of improvements and research on the process of threat modeling and its approaches. Following these, some tools have been developed by some enterprises to support the process of systematic threat modeling. In this thesis, the most widely accepted process of threat modeling, which has been proposed by Microsoft, is explained along with other approaches to it. Two industrial projects have been threat modeled with the support of the Microsoft SDL tool for threat modeling and are discussed. Towards the end, some modifications to the hybrid approach of threat modeling have been proposed and have been implemented on the open source workbench supporting that approach.

    Exploiting natural language structures in software informal documentation

    © 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    Communication means, such as issue trackers, mailing lists, Q&A forums, and app reviews, are premier means of collaboration among developers, and between developers and end-users. Analyzing such sources of information is crucial to build recommenders for developers, for example suggesting experts, re-documenting source code, or transforming user feedback in maintenance and evolution strategies for developers. To ease this analysis, in previous work we proposed DECA (Development Emails Content Analyzer), a tool based on Natural Language Parsing that classifies with high precision development emails' fragments according to their purpose. However, DECA has to be trained through a manual tagging of relevant patterns, which is often effort-intensive, error-prone and requires specific expertise in natural language parsing. In this paper, we first show, with a study involving Master's and Ph.D. students, the extent to which producing rules for identifying such patterns requires effort, depending on the nature and complexity of patterns. Then, we propose an approach, named NEON (Nlp-based softwarE dOcumentation aNalyzer), that automatically mines such rules, minimizing the manual effort. We assess the performances of NEON in the analysis and classification of mobile app reviews, developers discussions, and issues. NEON simplifies the patterns' identification and rules' definition processes, allowing a savings of more than 70% of the time otherwise spent on performing such activities manually. Results also show that NEON-generated rules are close to the manually identified ones, achieving comparable recall.