Degrees of tenant isolation for cloud-hosted software services : a cross-case analysis

A challenge, when implementing multi-tenancy in a cloud-hosted software service, is how to ensure that the performance and resource consumption of one tenant does not adversely affect other tenants. Software designers and architects must achieve an optimal degree of tenant isolation for their chosen application requirements. The objective of this research is to reveal the trade-offs, commonalities, and differences to be considered when implementing the required degree of tenant isolation. This research uses a cross-case analysis of selected open source cloud-hosted software engineering tools to empirically evaluate varying degrees of isolation between tenants. Our research reveals five commonalities across the case studies: disk space reduction, use of locking, low cloud resource consumption, customization and use of plug-in architecture, and choice of multi-tenancy pattern. Two of these common factors compromise tenant isolation. The degree of isolation is reduced when there is no strategy to reduce disk space and customization and plug-in architecture is not adopted. In contrast, the degree of isolation improves when careful consideration is given to how to handle a high workload, locking of data and processes is used to prevent clashes between multiple tenants and selection of appropriate multi-tenancy pattern. The research also revealed five case study differences: size of generated data, cloud resource consumption, sensitivity to workload changes, the effect of the software process, client latency and bandwidth, and type of software process. The degree of isolation is impaired, in our results, by the large size of generated data, high resource consumption by certain software processes, high or fluctuating workload, low client latency, and bandwidth when transferring multiple files between repositories. Additionally, this research provides a novel explanatory framework for (i) mapping tenant isolation to different software development processes, cloud resources and layers of the cloud stack; and (ii) explaining the different trade-offs to consider affecting tenant isolation (i.e. resource sharing, the number of users/requests, customizability, the size of generated data, the scope of control of the cloud application stack and business constraints) when implementing multi-tenant cloud-hosted software services. This research suggests that software architects have to pay attention to the trade-offs, commonalities, and differences we identify to achieve their degree of tenant isolation requirements

Optimal deployment of components of cloud-hosted application for guaranteeing multitenancy isolation

One of the challenges of deploying multitenant cloud-hosted services that are designed to use (or be integrated with) several components is how to implement the required degree of isolation between the components when there is a change in the workload. Achieving the highest degree of isolation implies deploying a component exclusively for one tenant; which leads to high resource consumption and running cost per component. A low degree of isolation allows sharing of resources which could possibly reduce cost, but with known limitations of performance and security interference. This paper presents a model-based algorithm together with four variants of a metaheuristic that can be used with it, to provide near-optimal solutions for deploying components of a cloud-hosted application in a way that guarantees multitenancy isolation. When the workload changes, the model based algorithm solves an open multiclass QN model to determine the average number of requests that can access the components and then uses a metaheuristic to provide near-optimal solutions for deploying the components. Performance evaluation showed that the obtained solutions had low variability and percent deviation when compared to the reference/optimal solution. We also provide recommendations and best practice guidelines for deploying components in a way that guarantees the required degree of isolation

Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital

It is claimed that integrating agile and security in practice is challenging. There is the notion that security is a heavy process, requires expertise, and consumes developers’ time. These contrast with the agile vision. Regardless of these challenges, it is important for organizations to address security within their agile processes since critical assets must be protected against attacks. One way is to integrate tools that could help to identify security weaknesses during implementation and suggest methods to refactor them. We used quantitative and qualitative approaches to investigate the efficiency of the tools and what they mean to the actual users (i.e. developers) at Telenor Digital. Our findings, although not surprising, show that several barriers exist both in terms of tool’s performance and developers’ perceptions. We suggest practical ways for improvement.publishedVersio

Data-driven elicitation of quality requirements in agile companies

Quality Requirements (QRs) are a key artifact to ensure the quality and success of a software system. Despite its importance, QRs have not reached the same degree of attention as its functional counterparts, especially in the context of trending software development methodologies like Agile Software Development (ASD). Moreover, crucial information that can be obtained from data sources of a project under development (e.g. JIRA, github,…) are not fully exploited, or even neglected, in QR elicitation activities. In this work, we present a data-driven approach to semi-automatically generate and document QRs in the context of ASD. We define an architecture focusing on the process and the artefacts involved. We validate and iterate on such architecture by conducting workshops in four companies of different size and profile. Finally, we present the implementation of such architecture, considering the feedback and outcomes of the conducted workshops.Peer ReviewedPostprint (author's final draft

Simulating families of studies to build confidence in defect hypotheses

While it is clear that there are many sources of variation from one development context to another, it is not clear a priori what specific variables will influence the effectiveness of a process in a given context. For this reason, we argue that knowledge about software process must be built from families of studies, in which related studies are run within similar contexts as well as very different ones. Previous papers have discussed how to design related studies so as to document as precisely as possible the values of likely context variables and be able to compare with those observed in new studies. While such a planned approach is important, we argue that an opportunistic approach is also practical. The approach would combine results from multiple individual studies after the fact, enabling recommendations to be made about process effectiveness in context. In this paper, we describe two processes with which we have been working to build empirical knowledge about software development processes: one is a manual and informal approach, which relies on identifying common beliefs or ‘folklore’ to identify useful hypotheses and a manual analysis of the information in papers to investigate whether there is support for those hypotheses; the other is a formal approach based around encoding the information in papers into a structured hypothesis base that can then be searched to organize hypotheses and their associated support. We test these processes by applying them to build knowledge in the area of defect folklore (i.e. commonly accepted heuristics about software defects and their behavior). We show that the formal methodology can produce useful and feasible results, especially when it is compared to the results output from the more manual, expert-based approach. The formalized approach, by relying on a reusable hypothesis base, is repeatable and also capable of producing a more thorough basis of support for hypotheses, including results from papers or articles that may have been overlooked or not considered by the experts

Extracting Information From Experimental Software Engineering Papers

Experiments have been conducted to investigate analysis, design, implementation, testing, maintenance, quality assurance and reuse techniques, but, a body of evidence has not yet been built that enables a project manager to know with confidence what software processes produce what product characteristics and under what conditions. This paper extends an approach we proposed earlier to extract information from papers so that systematically analyzing results from several papers is possible. It also describes an in-vitro experiment we did with graduate students to validate, the approach. The results show that the approach is feasible and can be taught to less experienced researchers. © 2007 IEEE.105114Parsons, J., Saunders, C., Cognitive heuristics in software engineering applying and extending anchoring and adjustment to artifact reuse IEEE Transactions on Software Engineering, 30 (12), pp. 873-888Samoladas, I., Stamelos, I., Arigelis, L., Oikonomou, A., Open source software development should strive for even greater code maintainability (2004) Communications of the ACM, 47 (10), pp. 83-87. , OctoberVokac, M., Defect Frequency and Design Patterns: An Empirical Study of Industrial Code (2004) IEEE Transactions on Software Engineering, 30 (12), pp. 904-917. , DecMüller, M., Two controlled experiments concerning the comparison of pair programming to peer reviews (2005) Journal of Systems and Software, 78, pp. 166-179A. Gunes Koru, Jeff (Jianhui) Tian, Comparing High-Change Modules and Modules with the Highest Measurement Values in Two Large-Scale Open-Source Products, IEEE Transactions on Software Engineering, 31(8)625-642, Aug., 2005Selby, R.W., Enabling Reuse-Based Software Development of Large-Scale Systems (2005) IEEE Transactions on Software Engineering, 31 (6), pp. 495-510. , JunPretschner, A., Prenninger, W., Wagner, S., Kühnel, C., Baumgartner, M., Sostawa, B., Zölch, R., Stauner, T., (2005) One Evaluation of Model-Based Testing and its Automation Proc. 27th Intl. Conf. on Software Engineering (ICSE'05), pp. 392-401. , St. Louis, MayPurushothaman, R., Perry, D.E., Toward Understanding the Rhetoric of Small Source Code Changes (2005) IEEE Transactions on Software Engineering, 31 (6), pp. 511-526. , JunMolakken-Østvold, K., Magne Jørgensen: Group Processes in Software Effort Estimation (2004) Empirical Software Engineering, 9 (4), pp. 315-334Molokken-Ostvold, K., Jorgensen, M., A Comparison of Software Project Overruns-Flexible versus Sequential Development Models (2005) IEEE Transactions on Software Engineering, 31 (9), pp. 754-766. , SeptDyba, T., An Empirical Investigation of the Key Factors for Success in Software Process Improvement (2005) IEEE Transactions on Software Engineering, 31 (5), pp. 410-424. , MayHakan Erdogmus, Maurizio Morisio, Marco Torchiano, On the Effectiveness of the Test-First Approach to Programming, TEEE Transactions on Software Engineering, 31(3): 226-237, Mar., 2005Mohagheghi, P., Bente Anda, R.C., Effort estimation of use cases for incremental large-scale software development (2005) ICSE, pp. 303-311Liu, M.Y., Traore, I., Measurement Framework for Software Privilege Protection based on User Interaction Analysis (2005) 11th International Software Metrics Symposium, , Sponsored by the IEEE Computer Society, 19-22 September, Como, ItalyDinh-Trong, T.T., Bieman, J.M., The FreeBSD Project: A Replication Case Study of Open Source Development (2005) IEEE Transactions on Software Engineering, 31 (6), pp. 481-494. , JunRobillard, M.P., Coelho, W., Murphy, G.C., How Effective Developers Investigate Source CodeAn Exploratory Study (2004) IEEE Transactions on Software Engineering, 30 (12), pp. 889-903. , De