RUP在小型J2EE项目中的应用

RUP是IBM公司的一个软件过程产品,适合于规模比较大的软件项目和大型的软件开发组织或团队。在实际中,软件项目团队根据自身客观条件的限制和技术的影响,应该对RUP进行必要的裁剪,从而最大限度地发挥RUP的作用。论文讲述了如何把RUP应用到小型项目团队开发J2EE应用系统的过程中,并且结合J2EE技术的特点从项目管理、架构设计、开发和测试等方面重点阐明了对RUP的裁剪。     

Forecasting Malware Conditions: Worsening Conditions,Some Bright Spots

ABSTRACT

With a simple model originating from mathematical biology, the dependencies for the number of infected computers are identified. The actions in the battle between cyber attack and cyber defense are linked to these dependencies. The article shows that using statistics directly to quantify the effect of security measures is difficult. The security effect is calculated for a periodic reset of all software and software compartments. Software diversity needs coordination above the level of individual organizations. Looking at the big picture, more countermeasures are proposed to improve security against malware in general.     

Managing Your Security Future

ABSTRACT

Information technology organizations within most corporations are spending significant time and resources securing IT infrastructure. This increased need for security is driven by a number of factors. These factors include increased dependency on the Internet, financial and legal liability, protection of personal identity information and sensitive corporate data, increased numbers and age of legacy systems with limited vendor support, deploying complex systems, and new regulations governing corporate transactions. There a number of technologies on the market today that can mitigate most of these security factors. However, managers in IT organizations need to identify potential future threats and security technologies to assess and potentially mitigate risk through the deployment of those technologies. This article investigates three areas critical to the successful deployment and securing of information technology.     

探索软件开发过程的CMM最佳实践方法

基于中、小型规模的软件开发特点,通过融合多种软件过程开发实践,保证快速、合理、低代价和清晰的软件开发过程控制基础上,作者基于工程实践的总结和归纳,提出一种基于组件构建软件系统的CMM和RUP的有序过程控制的最佳实践方法,该方法具有清晰过程控制、可被重复检验和理解,允许在软件过程中进行适应性的自我调整和完善。通过实际案例的统计和规律性分析,证明该种软件开发过程的最佳实践方法在实际的工程项目管理中具有较强的工程指导意义和现实参考价值。     

A comprehensive pattern-oriented approach to engineering security methodologies

ContextDeveloping secure software systems is an issue of ever-growing importance. Researchers have generally come to acknowledge that to develop such systems successfully, their security features must be incorporated in the context of a systematic approach: a security methodology. There are a number of such methodologies in the literature, but no single security methodology is adequate for every situation, requiring the construction of “fit-to-purpose” methodologies or the tailoring of existing methodologies to the project specifics at hand. While a large body of research exists addressing the same requirement for development methodologies – constituting the field of Method Engineering – there is nothing comparable for security methodologies as such; in fact, the topic has never been studied before in such a context.ObjectiveIn this paper we draw inspiration from a number of Method Engineering ideas and fill the latter gap by proposing a comprehensive approach to engineering security methodologies.MethodOur approach is embodied in three interconnected parts: a framework of interrelated security process patterns; a security-specific meta-model; and a meta-methodology to guide engineers in using the latter artefacts in a step-wise fashion. A UML-inspired notation is used for representing all pattern-based methodology models during design and construction. The approach is illustrated and evaluated by tailoring an existing, real-life security methodology to a distributed-system-specific project situation.ResultsThe paper proposes a novel pattern-oriented approach to modeling, constructing, tailoring and combining security methodologies, which is the very first and currently sole such approach in the literature. We illustrate and evaluate our approach in an academic setting, and perform a feature analysis to highlight benefits and deficiencies.ConclusionUsing our proposal, developers, architects and researchers can analyze and engineer security methodologies in a structured, systematic fashion, taking into account all security methodology aspects.     

基于构件的RUP研究

在软件过程领域,Rational公司的RUP(RationalUnifiedProcess)占据主流,但它不是针对基于构件的开发(Compo nent-BasedDevelopment,CBD)提出,没有体现CBD的本质。CBD也需要软件过程的指导。文中将构件技术应用到RUP中,提出基于RUP的CUP(ComponentUnifiedProcess),对RUP进行改进,在软件开发过程中将项目管理、业务建模、构件技术、软件质量等统一起来。同时CUP与统一建模语言(UML)集成,有多种CASE工具支持,缩短了需求到实现的距离。并以医院管理系统为例,对CUP进行研究。     

Investigating software testing and maintenance reports: Case study

ContextAlthough many papers have been published on software development and defect prediction techniques, problem reports in real projects quite often differ from those described in the literature. Hence, there is still a need for deeper exploration of case studies from industry.ObjectiveThe aim of this study is to present the impact of fine-grained problem reports on improving evaluation of testing and maintenance processes. It is targeted at projects involving several releases and complex schemes of problem handling. This is based on our experience gained while monitoring several commercial projects.MethodExtracting certain features from detailed problem reports, we derive various measures and present analysis models which characterize and visualize the effectiveness of testing and problem resolution processes. The considered reports describe types of problems (e.g. defects), their locations in project versions and software modules, ways of their resolution, etc. The performed analysis is related to eleven projects developed in the same company. This study is an exploratory research with some explanatory features. Moreover, having identified some drawbacks, we present extensions of problem reports and their analysis which have been verified in another industrial case study project.ResultsFine-grained (accurate) problem handling reports provide a wider scope of possible measures to assess the relevant development processes. This is helpful in controlling single projects (local perspective) as well as in managing these processes in the whole company (global perspective).ConclusionDetailed problem handling reports extend the space and quality of statistical analysis, they provide significant enhancement in evaluation and refinement of software development processes as well as in reliability prediction.     

A study of software reuse in NASA legacy systems

Software reuse is regarded as a highly important factor in reducing development overheads for new software projects; however, much of the literature is concerned with cost and labor savings that reuse brings to industrial software development and little is known about the inherent risks associated with reuse, particularly in the case of mission and safety-critical software systems. We present the preliminary findings of a research project geared toward assessing the impact of risk in National Aeronautics and Space Administration (NASA) legacy software in flight control systems. We introduce the concept of context variables and the impact they have on reuse within these legacy systems as well as the genealogy classification models, which provide a simple, concise method of mapping reuse between families of software projects. This research was conducted at Global Science and Technology, Inc. under NASA grant number NCC0NNG06GI57G.     

Estimating,planning and managing Agile Web development projects under a value-based perspective

ContextThe processes of estimating, planning and managing are crucial for software development projects, since the results must be related to several business strategies. The broad expansion of the Internet and the global and interconnected economy make Web development projects be often characterized by expressions like delivering as soon as possible, reducing time to market and adapting to undefined requirements. In this kind of environment, traditional methodologies based on predictive techniques sometimes do not offer very satisfactory results. The rise of Agile methodologies and practices has provided some useful tools that, combined with Web Engineering techniques, can help to establish a framework to estimate, manage and plan Web development projects.ObjectiveThis paper presents a proposal for estimating, planning and managing Web projects, by combining some existing Agile techniques with Web Engineering principles, presenting them as an unified framework which uses the business value to guide the delivery of features.MethodThe proposal is analyzed by means of a case study, including a real-life project, in order to obtain relevant conclusions.ResultsThe results achieved after using the framework in a development project are presented, including interesting results on project planning and estimation, as well as on team productivity throughout the project.ConclusionIt is concluded that the framework can be useful in order to better manage Web-based projects, through a continuous value-based estimation and management process.     

Dinosaur meets Archaeopteryx? or: Is there an alternative for Rational’s Unified Process?

Since 1999, Rationals Unified Process (RUP) is being offered as a guideline for software projects using the Unified Modeling Language (UML). RUP has been advertised to be iterative, and incremental, use case-driven and architecture-centric. These claims are discussed while RUP core concepts like phase, iteration, discipline (formerly: workflow) and milestone are reviewed in more detail. It turns out that the RUP constitutes a considerable step towards a broad dissemination of software process modelling ideas but some of the RUP definitions and structures lack clear structure and are too complex and overloaded for practical use.Among others, I see the following particular problems: (1) phases do still dominate the process and iteration structure, (2) the term software architecture is not clearly defined and its role is still underestimated, (3) RUP disciplines are a partly redundant concept complicating the process more than supporting it, (4) powerful and transparent structuring principles like recursion and orthogonality do not get the attention they deserve. As an alternative, our model for Evolutionary, Object-oriented Software development (EOS) is contrasted with the RUP.     

信息安全项目管理文档系统的分析与设计

文章首先对信息安全项目管理及其管理文档系统的构成和特点进行了详细的论述和分析,然后在此基础上,结合一个项目实例给出了信息安全项目管理文档系统的结构设计和计算机程序实现,最后,对我国信息安全工程项目管理的发展方向提出了自己的观点。     

MoDisco: A model driven reverse engineering framework

ContextMost companies, independently of their size and activity type, are facing the problem of managing, maintaining and/or replacing (part of) their existing software systems. These legacy systems are often large applications playing a critical role in the company’s information system and with a non-negligible impact on its daily operations. Improving their comprehension (e.g., architecture, features, enforced rules, handled data) is a key point when dealing with their evolution/modernization.ObjectiveThe process of obtaining useful higher-level representations of (legacy) systems is called reverse engineering (RE), and remains a complex goal to achieve. So-called Model Driven Reverse Engineering (MDRE) has been proposed to enhance more traditional RE processes. However, generic and extensible MDRE solutions potentially addressing several kinds of scenarios relying on different legacy technologies are still missing or incomplete. This paper proposes to make a step in this direction.MethodMDRE is the application of Model Driven Engineering (MDE) principles and techniques to RE in order to generate relevant model-based views on legacy systems, thus facilitating their understanding and manipulation. In this context, MDRE is practically used in order to (1) discover initial models from the legacy artifacts composing a given system and (2) understand (process) these models to generate relevant views (i.e., derived models) on this system.ResultsCapitalizing on the different MDRE practices and our previous experience (e.g., in real modernization projects), this paper introduces and details the MoDisco open source MDRE framework. It also presents the underlying MDRE global methodology and architecture accompanying this proposed tooling.ConclusionMoDisco is intended to make easier the design and building of model-based solutions dedicated to legacy systems RE. As an empirical evidence of its relevance and usability, we report on its successful application in real industrial projects and on the concrete experience we gained from that.     

极限编程在软件项目开发中的研究与应用

软件项目开发曾被喻为“野马”,如何驾驭好这匹“野马”,以适应市场的需要,提高软件开发的生产效率,是软件界一直在追寻、探讨的问题。目前国际上最有影响力的软件过程方法有：Rational统一过程（RUP）,敏捷过程（AP）,极限编程（xp）,微软过程（MP）。通过对极限编程在一个债权管理系统中实际开发应用,阐述极限编程方法在软件项目开发中的应用特点。     

小型软件项目RUP裁剪模型的研究

依据RUP统一过程模型,结合小型软件项目的特点,对RUP模型进行了适当的裁剪,从而建立了一个适用于小型软件项目开发的模型.为综合评价RUP裁剪模型的功效,对该模型在电信公司的电话自动停机复机系统中进行了应用研究,应用该模型完成了电话自动停机复机系统的开发,实践表明:该模型相对瀑布、喷泉、螺旋等模型有明显的优势,大大提高了电话自动停机复机软件的开发效率,保证了电话自动停机复机系统的开发质量,实现了对该软件的优化生成,做到了软件的按期交付.     

EFSOC: A Layered Framework for Developing Secure Interactions between Web-Services

Enterprises are rapidly extending their relatively stable and internally-oriented business processes and applications with loosely-coupled enterprise software services in order to support highly dynamic, cross-organizational business processes. These services are no longer solely based on internal enterprise systems, but often implemented, deployed and executed by diverse, external service providers. The ability to dynamically configure cross-organizational business processes with a mixture of internal and external services imposes new security requirements on existing security models. In this paper, we address the problem of defining and enforcing access control rules for securing service invocations in the context of a business process. For this purpose, we amortize existing role-based access control models that allow for dynamic delegation and retraction of authorizations. Authorizations are assigned on an event-driven basis, implementing a push-based interaction protocol between services. This novel security model is entitled the Event-driven Framework for Service Oriented Computing (EFSOC). In addition, this article presents an experimental prototype that is explored using a realistic case study. This work has been partially funded by the Netherlands Organization for Scientific Research (NWO) as part of the PRONIR project. Recommended by: Asuman Dogac     

一种航空机载嵌入式软件安全性评价方法研究

机载嵌入式软件是航空电子系统的重要组成部分,其安全性直接关系到飞行安全。由于软件安全性包含的范围较广,对安全性的评价往往周期长、结果不明确。针对嵌入式软件安全性评价的难题,在软件的整个生命周期采用分类模糊综合评价方法,建立了评价模型,提出了一种嵌入式软件安全性评价方法,在软件生命周期的5个阶段提出了59种评价元素,每种评价元素均反应出软件在每个阶段的关键活动。在各个阶段选择相关项目人员对每个元素进行评价,并依据计算公式得出软件安全分值。通过工程实践证明,该方法切实可用,评价过程相比传统的方法节约了时间,评价结果准确、直观,为航空机载嵌入式软件尤其是型号软件的安全性评价提供了一种新方法,为软件总体质量的评价和软件安全性的改进方向提供支撑。     

Experiences from introducing UML-based development in a large safety-critical project

UML and UML-based development methods have become de facto standards in industry, and there are many claims for the positive effects of modelling object-oriented systems using methods based on UML. However, there is no reported empirical evaluation of UML-based development in large, industrial projects. This paper reports a case study in ABB, a global company with 120,000 employees, conducted to identify immediate benefits as well as difficulties and their causes when introducing UML-based development in large projects. ABB decided to use UML-based development in the company’s system development projects as part of an effort to enable certification according to the IEC 61508 safety standard. A UML-based development method was first applied in a large, international project with 230 system developers, testers and managers. The goal of the project was to build a new version of a safety-critical process control system. Most of the software was embedded. The project members were mostly newcomers to the use of UML. Interviews with 16 system developers and project managers at their sites in Sweden and Norway were conducted to identify the extent to which the introduction of UML-based development had improved their development process. The interviewees had experienced improvements with traceability from requirements to code, design of the code, and development of test cases as well as in communication and documentation. These results thus support claims in the literature regarding improvements that may be obtained through the use of UML. However, the results also show that the positive effects of UML-based development were reduced due to (1) legacy code that it was not feasible to reverse engineer into UML, (2) the distribution of requirements to development teams based on physical units and not on functionality, (3) training that was not particularly adapted to this project and considered too expensive to give to project members not directly involved in development with UML, and (4) a choice of modelling tools with functionality that was not in accordance with the needs of the project. The results from this study should be useful in enabling other UML adopters to have more realistic expectations and a better basis for making project management decisions.

Web 2.0 Injection Infection Vulnerability Class

ABSTRACT

Web 2.0 defines a changing trend in the use of World Wide Web application development and web design technology. Web 2.0 design concepts have led to the evolution of a web culture that has allowed social-networking and ease of design use of non-secure component applications to enter the business domain of the enterprise. These Web 2.0 component applications are then commingled with other business legacy applications including databases. This article focuses on the taxonomy of the injection infection class of vulnerabilities associated with Web 2.0 application security issues.     

Survival analysis on the duration of open source projects

ContextOpen source (FLOSS) project survivability is an important piece of information for many open source stakeholders. Coordinators of open source projects would like to know the chances for the survival of the projects they coordinate. Companies are also interested in knowing how viable a project is in order to either participate or invest in it, and volunteers want to contribute to vivid projects.ObjectiveThe purpose of this article is the application of survival analysis techniques for estimating the future development of a FLOSS project.MethodIn order to apply such approach, duration data regarding FLOSS projects from the FLOSSMETRICS (This work was partially supported by the European Community’s Sixth Framework Program under the Contract FP6-033982) database were collected. Such database contains metadata for thousands of FLOSS projects, derived from various forges. Subsequently, survival analysis methods were employed to predict the survivability of the projects, i.e. their probability of continuation in the future, by examining their duration, combined with other project characteristics such as their application domain and number of committers.ResultsIt was shown how probability of termination or continuation may be calculated and how a prediction model may be built to upraise project future. In addition, the benefit of adding more committers to FLOSS projects was quantified.ConclusionAnalysis results demonstrate the usefulness of the proposed framework for assessing the survival probability of a FLOSS project.