Your search keyword '"Software inspection"' showing total 16 results

1. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications

Author

Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., Mendez, Daniel, Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., and Mendez, Daniel

Abstract

Defects in requirement specifications can have severe consequences during the software development life cycle. Some of them may result in poor product quality and/or time and budget overrun due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensible data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to lack of security expertise and emphasis on security during early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal considers user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements and (2) a perspective-based approach as proposed in contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2020, Springer-Verlag London Ltd., part of Springer Nature., open access

Published

2020

2. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications

Author

Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., Mendez, Daniel, Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., and Mendez, Daniel

Abstract

Defects in requirement specifications can have severe consequences during the software development life cycle. Some of them may result in poor product quality and/or time and budget overrun due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensible data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to lack of security expertise and emphasis on security during early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal considers user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements and (2) a perspective-based approach as proposed in contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2020, Springer-Verlag London Ltd., part of Springer Nature., open access

Published

2020

3. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications

Author

Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., Mendez, Daniel, Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., and Mendez, Daniel

Abstract

Defects in requirement specifications can have severe consequences during the software development life cycle. Some of them may result in poor product quality and/or time and budget overrun due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensible data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to lack of security expertise and emphasis on security during early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal considers user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements and (2) a perspective-based approach as proposed in contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2020, Springer-Verlag London Ltd., part of Springer Nature., open access

Published

2020

4. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications

Author

Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., Mendez, Daniel, Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., and Mendez, Daniel

Abstract

Defects in requirement specifications can have severe consequences during the software development life cycle. Some of them may result in poor product quality and/or time and budget overrun due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensible data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to lack of security expertise and emphasis on security during early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal considers user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements and (2) a perspective-based approach as proposed in contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2020, Springer-Verlag London Ltd., part of Springer Nature., open access

Published

2020

5. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications

Author

Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., Mendez, Daniel, Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., and Mendez, Daniel

Abstract

Defects in requirement specifications can have severe consequences during the software development life cycle. Some of them may result in poor product quality and/or time and budget overrun due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensible data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to lack of security expertise and emphasis on security during early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal considers user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements and (2) a perspective-based approach as proposed in contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2020, Springer-Verlag London Ltd., part of Springer Nature., open access

Published

2020

6. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications

Author

Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., Mendez, Daniel, Villamizar, Hugo, Kalinowski, Marcos, Garcia, Alessandro F., and Mendez, Daniel

Abstract

Defects in requirement specifications can have severe consequences during the software development life cycle. Some of them may result in poor product quality and/or time and budget overrun due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensible data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to lack of security expertise and emphasis on security during early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal considers user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements and (2) a perspective-based approach as proposed in contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2020, Springer-Verlag London Ltd., part of Springer Nature., open access

Published

2020

7. An approach for reviewing security-related aspects in agile requirements specifications of web applications

Author

Villamizar, Hugo, Anderlin Neto, Amadeu, Kalinowski, M., Garcia, Alessandro Fabricio, Mendez, Daniel, Villamizar, Hugo, Anderlin Neto, Amadeu, Kalinowski, M., Garcia, Alessandro Fabricio, and Mendez, Daniel

Abstract

Defects in requirements specifications can have severe consequences during the software development lifecycle. Some of them result in overall project failure due to incorrect or missing quality characteristics such as security. There are several concerns that make security difficult to deal with; for instance, (1) when stakeholders discuss general requirements in meetings, they are often unaware that they should also discuss security-related topics, and (2) they typically do not have enough expertise in security. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically involved. The goal of this paper is to design and evaluate an approach for reviewing security-related aspects in agile requirements specifications of web applications. The approach considers user stories and security specifications as input and relates those user stories to security properties via Natural Language Processing. Based on the related security properties, our approach then identifies high-level security requirements from the Open Web Application Security Project to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via two controlled experiment trials. We compare the effectiveness and efficiency of novice inspectors verifying security aspects in agile requirements using our approach against using the complete list of high-level security requirements. The (statistically significant) results indicate that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2019 IEEE.

Published

2019

8. Virtual world security inspection

Author

Patterson, Nicholas C., Hobbs, Michael, Patterson, Nicholas C., and Hobbs, Michael

Abstract

Virtual property theft is a serious problem that exists in virtual worlds. Legitimate users of these worlds invest considerable amounts of time, effort and real-world money into obtaining virtual property, but unfortunately, are becoming victims of theft in high numbers. It is reported that there are over 1 billion registered users of virtual worlds containing virtual property items worth an estimated US$50 billion dollars. The problem of virtual property theft is complex, involving many legal, social and technological issues. The software used to access virtual worlds is of great importance as they form the primary interface to these worlds and as such the primary interface to conduct virtual property theft. The security vulnerabilities of virtual world applications have not, to date, been examined. This study aims to use the process of software inspection to discover security vulnerabilities that may exist within virtual world software – vulnerabilities that enable virtual property theft to occur. Analyzing three well know virtual world applications World of Warcraft, Guild Wars and Entropia Universe, this research utilized security analysis tools and scenario testing with focus on authentication, trading, intruder detection and virtual property recovery. It was discovered that all three examples were susceptible to keylogging, mail and direct trade methods were the most likely method for transferring stolen items, intrusion detection is of critical concern to all VWEs tested, stolen items were unable to be recovered in all cases and lastly occurrences of theft were undetectable in all cases. The results gained in this study present the key problem areas which need to be addressed to improve security and reduce the occurrence of virtual property theft.

Published

2012

9. Empirical investigations supporting an extensible, theoretical approach to understanding software inspections

Author

Dr. Brian von Konsky, Cooper, David, Dr. Brian von Konsky, and Cooper, David

Abstract

Empirical software engineering research has directed substantial effort towards understanding and improving software inspection, a defect detection method much less costly than testing. However, software inspection suffers from a lack of theory governing the process and its outcomes, leading to apparently contradictory experimental outcomes that cannot easily be reconciled. This theoretical uncertainty hinders efforts to effectively address delocalisation - the occurrence of related information in different artefacts, or parts of a software system. Delocalisation is a hurdle to software comprehension, an activity fundamental to inspection.A gap currently exists between the development of inspection strategies and theories of software comprehension, manifested in two ways. First, although some strategies seek to enhance an inspector's understanding of key parts of the software, they generally ignore variability between inspectors. A particular form of guidance or cognitive support given to one inspector may have a different effect when given to another. Second, while models of inspection cost effectiveness exist, they are not expressed in terms of factors that might be manipulated to improve inspection performance. It is not clear how far an inspector should go to address one particular concern in the software, before the benefits of doing so are outweighed by the risk of ignoring other concerns.This thesis first reports on an industry survey examining the current state of practice with respect to peer reviews. Two more qualitative studies were conducted to explore approaches inspectors might take to the comprehension of artefact interrelationships and the challenges posed by delocalisation. A controlled experiment is then presented to show how active guidance and inspector expertise affect the detection of individual defects.Using the results of these studies, a theoretical framework and model of inspection cost effectiveness are proposed in which the effects of exp

Published

2010

10. The impact of time controlled reading on software inspection effectiveness and efficiency a controlled experiment

Author

Petersen, Kai, Rönkkö, Kari, Wohlin, Claes, Petersen, Kai, Rönkkö, Kari, and Wohlin, Claes

Abstract

Reading techniques help to guide reviewers during individual software inspections. In this experiment, we completely transfer the principle of statistical usage testing to inspection reading techniques for the first time. Statistical usage testing relies on a usage profile to determine how intensively certain parts of the system shall be tested from the users' perspective. Usage-based reading applies statistical usage testing principles by utilizing prioritized use cases as a driver for inspecting software artifacts (e.g., design). In order to reflect how intensively certain use cases should be inspected, time budgets are introduced to usage-based reading where a maximum inspection time is assigned to each use case. High priority use cases receive more time than low priority use cases. A controlled experiment is conducted with 23 Software Engineering M.Sc. students inspecting a design document. In this experiment, usage-based reading without time budgets is compared with time controlled usage-based reading. The result of the experiment is that time budgets do not significantly improve inspection performance. In conclusion, it is sufficient to only use prioritized use cases to successfully transfer statistical usage testing to inspections.

Published

2008

11. Closing the Defect Reduction Gap between Software Inspection and Test-Driven Development: Applying Mutation Analysis to Iterative, Test-First Programming

Author

Nunamaker, Jr., Jay F., Brown, Susan A., Moon, Bongki, Wilkerson, Jerod W., Nunamaker, Jr., Jay F., Brown, Susan A., Moon, Bongki, and Wilkerson, Jerod W.

Abstract

The main objective of this dissertation is to assist in reducing the chaotic state of the software engineering discipline by providing insights into both the effectiveness of software defect reduction methods and ways these methods can be improved. The dissertation is divided into two main parts. The first is a quasi-experiment comparing the software defect rates and initial development costs of two methods of software defect reduction: software inspection and test-driven development (TDD). Participants, consisting of computer science students at the University of Arizona, were divided into four treatment groups and were asked to complete the same programming assignment using either TDD, software inspection, both, or neither. Resulting defect counts and initial development costs were compared across groups. The study found that software inspection is more effective than TDD at reducing defects, but that it also has a higher initial cost of development. The study establishes the existence of a defect-reduction gap between software inspection and TDD and highlights the need to improve TDD because of its other benefits.The second part of the dissertation explores a method of applying mutation analysis to TDD to reduce the defect reduction gap between the two methods and to make TDD more reliable and predictable. A new change impact analysis algorithm (CHA-AS) based on CHA is presented and evaluated for applications of software change impact analysis where a predetermined set of program entry points is not available or is not known. An estimated average case complexity analysis indicates that the algorithm's time and space complexity is linear in the size of the program under analysis, and a simulation experiment indicates that the algorithm can capitalize on the iterative nature of TDD to produce a cost savings in mutation analysis applied to TDD projects. The algorithm should also be useful for other change impact analysis situations with undefined program entry point

Published

2008

12. Checklist inspections and modifications: applying Bloom's taxonomy to categorise developer comprehension

Author

Lammel, R., Krikhaar, R., McMeekin, D., Von Konsky, Brian, Chang, Elizabeth, Cooper, David, Lammel, R., Krikhaar, R., McMeekin, D., Von Konsky, Brian, Chang, Elizabeth, and Cooper, David

Abstract

Software maintenance can consume up to 70% of the effort spent on a software project, with more than half of this devoted to understanding the system. Performing a software inspection is expected to contribute to comprehensionof the software. The question is: at what cognition levels do novice developers operate during a Checklist-Based code inspection followed by a code modification? This paper reports on a pilot study of Bloom's taxonomy levels observed during a Checklist-Based inspection and while adding new functionality unrelated to the defects detected. Bloom's taxonomy was used to categorise think-aloud data recorded while performing these activities. Results show the Checklist-Based Reading technique facilitates inspectors to function at the highest cognitive level within the taxonomy and indicates that using inspections with novice developers to improve cognition and understanding may assist integrating developers into existing project teams.

Published

2008

13. Improving the software inspection process with patterns

Author

Harjumaa, L. (Lasse) and Harjumaa, L. (Lasse)

Abstract

The quality of a software product depends largely on the quality of the process that is used to develop it. In small software companies, the development process may be informal or even ad hoc, which causes uncertainty and variation in the product quality. However, quality issues are as important in small companies as in their larger counterparts. To sustain their dynamics and competitiveness, small organizations need to concentrate on the most effective quality assurance methods. Software inspection is a proven method for improving product quality and it provides a very cost-effective way for small companies to improve their development processes. This study introduces a framework for adjusting the inspection process for the organization’s specific needs and evaluating its capabilities. The main focus of this work, however, is on refining and improving the inspection process. The improvement is guided by concrete instructions that are documented as process patterns. The pattern approach has already been used successfully in several other areas of software engineering. Patterns aim at capturing the best practices of software development and transferring this knowledge between people or organizations. The framework for inspection process capability originates from the literature relating to different types of peer review methods and experiments with flexible and tool-supported inspections in small companies. Furthermore, generic process improvement models are studied to find a feasible structure for the framework. As a result of the analysis, the i3 capability model is introduced. The feasibility of the model has been investigated in real-life software organizations carrying out inspections. After the capability evaluation, the inspection process can be upgraded with the aid of improvement patterns, which provide structured and easy-to-follow guidelines for implementing improvements. An initial list of patterns, describing solutions to the most common problem

Published

2005

14. Comparing Reading Techniques for Object-Oriented Design Inspection

Author

Sabaliauskaite, Giedre, Kusumoto, Shinji, Inoue, Katsuro, Sabaliauskaite, Giedre, Kusumoto, Shinji, and Inoue, Katsuro

Published

2004

15. Extended Metrics to Evaluate Cost Effectiveness of Software Inspections

Author

Sabaliauskaite, Giedre, Kusumoto, Shinji, Inoue, Katsuro, Sabaliauskaite, Giedre, Kusumoto, Shinji, and Inoue, Katsuro

Published

2004

16. A replicated experiment of usage-based and checklist-based reading

Author

Thelin, Thomas, Andersson, Carina, Runeson, Per, Dzamashvili-Fogelström, Nina, Thelin, Thomas, Andersson, Carina, Runeson, Per, and Dzamashvili-Fogelström, Nina

Abstract

Software inspection is an effective method to detect faults in software artefacts. Several empirical studies have been performed on reading techniques, which are used in the individual preparation phase of software inspections. Besides new experiments, replications are needed to increase the body of knowledge in software inspections. This paper presents a replication of an experiment, which compares usage-based and checklist-based reading. The results of the original experiment show that reviewers applying usage-based reading are more efficient and effective in detecting the most critical faults from a user's point of view than reviewers using checklist-based reading. This paper presents the data of the replication together with the original experiment and compares the experiments. The main result of the replication is that it confirms the result of the original experiment. This replication strengthens the evidence that usage-based reading is an efficient reading technique. © 2004 IEEE.

Published

2004