Blockchain and Smart Contract Engineering

Blockchains help to build trust among a decentralized network of unknown and untrusted peers who need to agree on a common protocol and trust the correctness and compatibility of the corresponding software implementations. The software engineering discipline cannot ignore this trend, as it fundamentally affects the way software is designed, developed, deployed, and delivered.1 As with the emergence of the Internet, software smart contracts for solving new classes of real-world problems, as opposed to introducing blockchains everywhere, where they may be unnecessary, or provide an inefficient and environmentally unsound solution.

Enhancing GDPR compliance through data sensitivity and data hiding tools

Since the emergence of GDPR, several industries and sectors are setting informatics solutions for fulfilling these rules. The Health sector is considered a critical sector within the Industry 4.0 because it manages sensitive data, and National Health Services are responsible for managing patients’ data. European NHS are converging to a connected system allowing the exchange of sensitive information cross different countries. This paper defines and implements a set of tools for extending the reference architectural model industry 4.0 for the healthcare sector, which are used for enhancing GDPR compliance. These tools are dealing with data sensitivity and data hiding tools A case study illustrates the use of these tools and how they are integrated with the reference architectural model

Software prozesuen hobekuntzarako ekimenen biziraupen-analisia eta sailkapen-ikasketa, eta horien ondorioak enpresa txikietan

116 p.Softwareak funtsezko papera dauka negozio gehienetan. Hain zuzen ere, edozein negozioren abantaila lehiakorraren gako nagusietako bat dela esan daiteke. Software hori enpresa handi, ertain edo txikiek sor dezakete. Testuinguru horretan, erakunde mota horiek prozesuak hobetzeko ekimenak martxan jartzeko hautua egiten dute, merkatuan eskaintzen dituzten zerbitzuen edo azken produktuen kalitatea hobetzeko helburuarekin. Hortaz, ohikoa izaten da enpresa handi eta ertainek azken produktuen garapen-prozesuak zehaztea, are eredugarriak diren kalitate-ereduak erabiltzea, industriatik eratorritako jardunbide egokiekin. Izan ere, hobekuntza-ekimen bat aurrera eramaten laguntzeko erreferentziazko eredu eta estandar asko daude. Hortaz, erakundeek hainbat eredutako eskakizunak bete behar izaten dituzte aldi berean. Estandar horien barruan antzekoak diren praktika edo eskakizunak egon ohi dira (bikoiztasunak), edo neurri handiko erakundeentzat pentsatuta daudenak. Erakunde txikien esparruan, bikoiztasun horiek gainkostua eragiten dute ekimen hauetan. Horren ondorioz, erreferentziazko ereduekin loturiko prozesuak zehazteko orduan, burokrazia-lana handitu egiten da. Horrez gain, eredu hauen bikoiztasunak ezabatzera eta bere prozesuak hainbat arau aldi berean aintzat hartuta berraztertzera behartzen ditu. Egoera hori bereziki delikatua da 25 langiletik behera dituzten erakunde txikientzat, Very Small Entities (VSE) izenez ere ezagunak direnak. Erakunde mota hauek ahal duten modurik onenean erabiltzen dituzte haien baliabideak, eta, haien ikuspegitik, erreferentziazko eredu hauek gastu bat dira inbertsio bat baino gehiago. Hortaz, ez dute prozesuak hobetzeko ekimenik martxan jartzen. Ildo horretatik, erakunde horiei VSE-en beharretara egokituko zen eredu bat eskaintzeko sortu zen ISO/IEC 29110.ISO/IEC 29110 arauaren lehen edizioa 2011n sortu zen eta, ordutik, zenbait ikerketa-lan eta industria-esperientzia garatu dira testuinguru horren barruan. Batetik, ez dago VSE-ekin loturik dauden nahikoa industria-esperientzia, eta, beraz, ez da erraza jakitea zein den VSE-en portaera. 2011tik, ISO/IEC29110 arauarekin zerikusia duten hainbat lan argitaratu dira, baina, orain arte, lan horien tipologia oso desberdina izan da. Horrenbestez, ezinbestekoa da lehen esperientzia hauek aztertu eta ezagutzea, egindako lehen lan horiek sailkatu ahal izateko. Bestetik, prozesuak hobetzeko ekimenek ez dute beti arrakastarik izaten, eta mota honetako ekimen baten iraupena zein izango den ere ez da gauza ziurra izaten. Hartara, ekimen hauek testuinguru hauetan daukaten biziraupen maila zein den aztertu behar da, bai eta VSE-etan prozesuak hobetzeko ekimenak garatu eta ezarri bitartean eman daitezkeen lan-ereduak identifikatzea ere. Azkenik, garatzen dituzten produktuen segurtasun-arloarekin kezka berezia izan ohi dute VSEk. Hortaz, segurtasun-alderdi nagusiak kudeatzeko mekanismoak ezarri behar izaten dituzte.Lehenik eta behin, lan honetan, ISO/IEC 29110 arauarekin loturiko artikuluen azterketa metodiko bat egin dugu, eta ikerketa-esparru nagusiak eta egindako lan mota garrantzitsuenak jaso ditugu. Bigarrenik, VSEk prozesuak hobetzeko martxan jarritako mota honetako ekimenen biziraupena aztertzeko marko bat proposatu dugu. Hirugarrenik, haien portaeraren ezaugarriak zehazteko, ekimen hauetan ematen diren ereduak identifikatzeko ikuspegia landu dugu. Laugarrenik, VSEn softwarearen garapenaren bizi-zikloan segurtasun-arloko alderdiak gehitzeko eta zor teknikoa kudeatzeko proposamena egin dugu

A Service based Development Environment on Web 2.0 Platforms

Governments are investing on the IT adoption and promoting the socalled e-economies as a way to improve competitive advantages. One of the main government’s actions is to provide internet access to the most part of the population, people and organisations. Internet provides the required support for connecting organizations, people and geographically distributed developments teams. Software developments are tightly related to the availability of tools and platforms needed for products developments. Internet is becoming the most widely used platform. Software forges such as SourceForge provide an integrated tools environment gathering a set of tools that are suited for each development with a low cost. In this paper we propose an innovating approach based on Web2.0, services and a method engineering approach for software developments. This approach represents one of the possible usages of the internet of the future

Automatic Program Repair

Following along with the theme of this issue of IEEE Software, this column reports on papers about automatic program repair (APR) from the 35th IEEE/ACM International Conference on Automated Software Engineering (ASE20), the 35th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW20), and the 13th IEEE International Conference on Software Testing, Validation and Verification (ICST20). Feedback or suggestions are welcome. In addition, if you try or adopt any of the practices included in the column, please send us and the authors a note about your experiences

Continuous Quantitative Risk Management in Smart Grids Using Attack Defense Trees

Although the risk assessment discipline has been studied from long ago as a means to support security investment decision-making, no holistic approach exists to continuously and quantitatively analyze cyber risks in scenarios where attacks and defenses may target different parts of Internet of Things (IoT)-based smart grid systems. In this paper, we propose a comprehensive methodology that enables informed decisions on security protection for smart grid systems by the continuous assessment of cyber risks. The solution is based on the use of attack defense trees modelled on the system and computation of the proposed risk attributes that enables an assessment of the system risks by propagating the risk attributes in the tree nodes. The method allows system risk sensitivity analyses to be performed with respect to different attack and defense scenarios, and optimizes security strategies with respect to risk minimization. The methodology proposes the use of standard security and privacy defense taxonomies from internationally recognized security control families, such as the NIST SP 800-53, which facilitates security certifications. Finally, the paper describes the validation of the methodology carried out in a real smart building energy efficiency application that combines multiple components deployed in cloud and IoT resources. The scenario demonstrates the feasibility of the method to not only perform initial quantitative estimations of system risks but also to continuously keep the risk assessment up to date according to the system conditions during operation.This research leading to these results was funded by the EUROPEAN COMMISSION, grant number 787011 (SPEAR Horizon 2020 project) and 780351 (ENACT Horizon 2020 project)

A standard-based framework to integrate software work in small settings

Small software companies have to work hard in order to survive. They usually find it challenging to spend time and effort on improving there operations and processes. Therefore, it is important to address such needs by the introduction of a proposed framework that specifies ways of getting things done while consciously encourage them to enhance their ability to improve. Although there are many software process improvement approaches, none of them address the human factors of small companies in a comprehensive and holistic way. Samay is a proposed framework to integrate human factors in the daily work as a way to deal with that challenge. This study suggests managing human factors but pointing out the software process life cycle. The purpose is to converge toward a continuous improvement by means of alternative mechanisms that impact on people. This framework was developed based upon reviews of relevant standards (such as ISO/IEC 29110, ISO 10018, OMG Essence and ISO/IEC 33014) and previously published studies in this field. Moreover, an expert review and validation findings supported the view that Samay could support practitioners when small software companies want to start improving their ways of work

Burnable Pseudo-Identity: A Non-Binding Anonymous Identity Method for Ethereum

The concept of identity has become one common research topic in security and privacy where the real identity of users must be preserved, usually covered by pseudonym identifiers. With the rise of Blockchain-based systems, identities are becoming even more critical than before, mainly due to the immutability property. In fact, many publicly accessible Blockchain networks like Ethereum rely on pseudonymization as a method for identifying subject actions. Pseudonyms are often employed to maintain anonymity, but true anonymity requires unlinkability. Without this property, any attacker can examine the messages sent by a specific pseudonym and learn new information about the holder of this pseudonym. This use of Blockchain collides with regulations because of the right to be forgotten, and Blockchain-based solutions are ensuring that every data stored within the chain will not be modified. In this paper we define a method and a tool for dealing with digital identities within Blockchain environments that are compliant with regulations. The proposed method provides a way to grant digital pseudo identities unlinked to the real identity. This new method uses the benefits of key derivation systems to ensure a non-binding interaction between users and the information model associated with their identity. The proposed method is demonstated in the Ethereum context and illustrated with a case study.PoSeID-on is a project funded by the European Commission. This project has received funding from the European Union’s Horizon 2020 program under Grant Agreement n◦ 786713

Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems

Compliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system Service Level Agreement (SLA) and in their continuous monitoring and enforcement at runtime.The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429 and No 780351, MUSA project and ENACT project, respectively. We would also like to acknowledge all the members of the MUSA Consortium and ENACT Consortium for their valuable help

Mass surveillance and technological policy options: Improving security of private communications

The 2013 Snowden revelations ignited a vehement debate on the legitimacy and breadth of intelligence operations that monitor the Internet and telecommunications worldwide. The ongoing invasion of the private sphere of individuals around the world by governments and companies is an issue that is handled inadequately using current technological and organizational measures. This article(1) argues that in order to retain a vital and vibrant Internet, its basic infrastructure needs to be strengthened considerably. We propose a number of technical and political options, which would contribute to improving the security of the Internet. It focuses on the debates around end-to-end encryption and anonymization, as well as on policies addressing software and hardware vulnerabilities and weaknesses of the Internet architectureThis work has been partially funded by the European Parliament, under the following contract number: 03210-02-00/5127/9840