Similar literature
 Found 20 similar articles; search took 12 ms
1.
Most organizations no longer take for granted that their deployed applications are secure. But even after conducting penetration tests, network and hosting security personnel spend considerable time chasing incidents. Your organization might be one of the many that have realized the "secure the perimeter" approach doesn't stem the tide of incidents because the software it's building and buying doesn't resist attack. A new approach offers help across the enterprise.

2.
A corporate-wide software process improvement effort has been ongoing at Schlumberger for several years. Through the motivation efforts of a small group, productive changes have occurred across the company. We see improvements in many development areas, including project planning and requirements management. The catalysts behind these advances include capability assessments, training, and collaboration

3.
We select candidates for process change on the basis of quantified Software Engineering Laboratory (SEL) experiences and clearly defined goals for the software. After we select the changes, we provide training and formulate experiment plans. We then apply the new process to one or more production projects and take detailed measurements. We assess process success by comparing these measures with the continually evolving baseline. Based upon the results of the analysis, we adopt, discard, or revise the process

4.
5.
《IT Professional》2003,5(3):37-41
Simple measures and inspections can improve software delivery. These actions also provide a basis for strategic improvements to overall development practices.

6.
Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a participatory action research field study where we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience and that improvement is long-lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

7.
A critical challenge facing software security today is the dearth of experienced practitioners. Approaches that rely solely on apprenticeship as a method of propagation won't scale quickly enough to address this burgeoning problem, so as the field evolves and establishes best practices, knowledge management can play a central role in encapsulating and spreading the emerging discipline more efficiently. This article is about the kinds of security knowledge that can provide a solid foundation for software security practices.

8.
Current software security techniques aren't able to produce the secure systems demanded by our increasingly interconnected society, so there persists the need for a more effective and scalable approach: dynamic software security testing.

9.
McGraw  G. 《Computer》2002,35(4):99-101
Most organizations manage computer security risk reactively by investing in technologies designed to protect against known system vulnerabilities and monitor intrusions as they occur. However, firewalls, cryptography, and antivirus protection address the symptoms, not the root cause, of most security problems. Buying and maintaining a firewall, for example, is ineffective if external users can access remotely exploitable Internet-enabled applications through it. Because hackers attack software, improving computer security depends on proactively managing risks associated with software and software development. The current "penetrate and patch" approach of fixing broken software only after it has been compromised is insufficient to control the problem

10.
Kilpi  T. 《Software, IEEE》2001,18(6):72-77
Model solutions for implementing a measurement program do not always fit an organization without tailoring. The sizes and maturities of the processes vary from organization to organization. In an organization with mature software processes, carefully adjusting the created solution for a measurement program to the environment-specific needs and options can save considerable effort. The article demonstrates the real-world application of the Nokiaway software metrics program and how it benefited in its divergence from a typical goal-question-metric approach

11.
Conradi  H. Fuggetta  A. 《Software, IEEE》2002,19(4):92-99
Two dichotomies characterize software process improvement efforts and approaches: disciplined versus creative work and procurer risks versus user satisfaction. Based on these perspectives, the authors introduce six theses to illuminate the problems of pursuing SPI.

12.
13.
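Since the start of the 21st century, continuing advances in science and technology have brought computers into wide use in every field, contributing greatly to convenient living and computerized office work. Computers have now become an indispensable tool in people's lives. At the same time, computer security has become an increasingly prominent concern, and since software is the "soul" of the computer, its security is at the core of that concern. Focusing on computer software security, this paper makes a preliminary exploration of how to carry out software security testing well.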

14.
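A new method is proposed for detecting security vulnerabilities in C source code through static analysis, based on integer intervals and the control dependence graph. After introducing the concept of integer intervals and their arithmetic rules, the method abstracts arrays, pointers and integer expressions in C as integer intervals, thereby converting the relevant security checks into checks on the relations between integer intervals. Finally, the concrete algorithm of the method is discussed.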

15.
16.
Cultivation and engineering of a software metrics program   Cited by: 1 (self-citations: 0, citations by others: 1)
Abstract. This paper reports from a case study of an organization that implements a software metrics program to measure the effects of its improvement efforts. The program measures key indicators of all completed projects and summarizes progress information in a quarterly management report. The implementation turns out to be long and complex, as the organization is confronted with dilemmas based on contradictory demands and value conflicts. The process is interpreted as a combination of a rational engineering process in which a metrics program is constructed and put into use, and an evolutionary cultivation process in which basic values of the software organization are confronted and transformed. The analysis exemplifies the difficulties and challenges that software organizations face when bringing known principles for software metrics programs into practical use. The article discusses the insights gained from the case in six lessons that may be used by Software Process Improvement managers in implementing a successful metrics program.

17.
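A software process improvement framework   Cited by: 2 (self-citations: 0, citations by others: 2)
During software development, software engineers and software organizations inevitably encounter various difficulties, especially the challenges that software organizations face when implementing the Capability Maturity Model (CMM). Drawing on insights from the study of CMM and on practical experience, a software process improvement framework is proposed that is based on the Capability Maturity Model Integration (CMMI) and supported by the Personal Software Process and the Team Software Process.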

18.
Actual results of software process improvement projects show different levels of success. Although many software development organisations have adopted improvement models such as CMMI, it appears to be difficult to improve software development processes in the right way, e.g. tuned to the actual needs of the organisation. This paper presents a new approach to determine the direction of improvement for an organisation. This approach is based on an elaboration of the concept of entropy. The approach is empirically validated by carrying out interviews in 11 software development organisations in The Netherlands. The results of the research show that software development organisations can be classified and can be positioned on the basis of their internal and external entropy, c.q. the level of (dis)order in the business system and its environment. Based on a possible out-of-balance situation between the internal and external entropy, directions for software process improvement can be discussed. As such the proposed approach can support the application of current software process improvement methodologies such as the CMMI.
Paul Siemons

19.
《Software, IEEE》2002,19(4):5-7
Leading software practitioners have an ongoing responsibility: the education of nontechnical software project stakeholders. Software practitioners sometimes perceive upper management and other nontechnical staff to be blocking the use of better practices. We complain that they fail to support better practices or even undermine them. I've generally found, however, that upper management, sales, marketing, product support, and other personnel are receptive to improved software practices when I take the time to explain those practices to them. Indeed, they are acutely aware of the problems caused by current practices and are eager to hear how they can help improve software projects.

20.
We survey genetic improvement (GI) of general purpose computing on graphics cards. We summarise several experiments which demonstrate four themes. Experiments with the gzip program show that genetic programming can automatically port sequential C code to parallel code. Experiments with the StereoCamera program show that GI can upgrade legacy parallel code for new hardware and software. Experiments with NiftyReg and BarraCUDA show that GI can make substantial improvements to current parallel CUDA applications. Finally, experiments with the pknotsRG program show that with semi-automated approaches, enormous speed ups can sometimes be had by growing and grafting new code with genetic programming in combination with human input.