{"title":"Towards Secure Agile Software Development Process: A Practice-Based Model","authors":"Abdulhamid A. Ardo, J. Bass, T. Gaber","doi":"10.1109/SEAA56994.2022.00031","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00031","url":null,"abstract":"Agile methods are a well-established paradigm in the software development field. Agile adoption has contributed to improving software quality. However, software products are vulnerable to security challenges and susceptible to cyberattacks. This study aims to improve security of software products when using an agile software development process. A multi-methods qualitative research approach was adopted in this study. First, we conducted semi-structured interviews with 23 agile practitioners having varied years of cybersecurity experience. An approach informed by grounded theory methodology was adopted for data analysis. Second, we developed a novel practice-based agile software development process model derived from the results of the data analysis conducted. Third, we validated the model through a focus group comprising five senior agile cybersecurity professionals to evaluate its relevancy and novelty. The study has identified 26 security practices, organized into the six software development life-cycle phases: planning, requirements, design, implementation, testing, and deployment. We have mapped the practices onto four swim lanes each representing an agile role. The self-organizing team is exclusively involved in three security practices, the security specialist in nine, penetration tester in one and the DevOps team collaborates on one with the security specialist. There are also seven practices that are collaboratively performed by the self-organizing team and the security specialist. Each of the practices in the model was examined during the validation phase of the study. There are two contributions in this study. 
First, the paper proposes a novel practice-based model comprising 26 security practices mapped to agile roles. Second, we propose a new practice, in response to an observed lack of collaborative ceremonies, to disseminate awareness of and hence compliance with security standards.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"96 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114694947","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"WALTS: Walmart AutoML Libraries, Tools and Services","authors":"Rahul Bajaj, Kunal Banerjee, Lalitdutt Parsai, Deepanshu Goyal, Sachin Parmar, Divyajyothi Bn, Balamurugan Subramaniam, Chaitanya Sai, Tarun Balotia, Anirban Chatterjee, Kailash Sati","doi":"10.1109/SEAA56994.2022.00013","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00013","url":null,"abstract":"Automated Machine Learning (AutoML) is an upcoming field in machine learning (ML) that searches the candidate model space for a given task, dataset and an evaluation metric and returns the best performing model on the supplied dataset as per the given metric. AutoML not only reduces the man-power and expertise needed to develop ML models but also decreases the time-to-market for ML models substantially. In Walmart, we have designed an enterprise-scale AutoML framework called WALTS to meet the rising demand of employing ML in the retail business, and thus help democratize ML within our organization. In this work, we delve into the design of WALTS from both algorithmic and architectural perspectives. Specifically, we elaborate on how we explore models from a pool of candidates along with describing our choice of technology stack to make the whole process scalable and robust. 
We illustrate the process with the help of a business use-case, and finally underline how WALTS has impacted our business so far.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129405293","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Utilization of Three Software Size Measures for Effort Estimation in Agile World: A Case Study","authors":"Hüseyin Ünlü, Tuna Hacaloglu, Fatma Büber, Kıvılcım Berrak, Onur Leblebici, Onur Demirörs","doi":"10.1109/SEAA56994.2022.00045","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00045","url":null,"abstract":"Functional size measurement (FSM) methods, by being systematic and repeatable, are beneficial in the early phases of the software life cycle for core project management activities such as effort, cost, and schedule estimation. However, in agile projects, requirements are kept minimal in the early phases and are detailed over time as the project progresses. This situation makes it challenging to identify measurement components of FSM methods from requirements in the early phases, hence complicates applying FSM in agile projects. In addition, the existing FSM methods are not fully compatible with today’s architectural styles, which are evolving into event-driven decentralized structures. In this study, we present the results of a case study to compare the effectiveness of different size measures: functional (COSMIC Function Points, CFP), event-based (Event Points), and code length-based (Line of Code, LOC) on projects that were developed with agile methods and utilized a microservice-based architecture. For this purpose, we measured the size of the project and created effort estimation models based on three methods. 
It is found that the event-based method estimated effort with better accuracy than the CFP and LOC-based methods.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"107 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123233076","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Timing is Everything! A Test and Production Class View of Self-Admitted Technical Debt","authors":"S. Counsell, S. Swift","doi":"10.1109/SEAA56994.2022.00056","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00056","url":null,"abstract":"In this short paper, we investigate whether the “time of day” when recognised changes are made to code influences the self-admission of technical debt (SATD). We look at this question from a test and production class perspective. We examine if there is a specific time of day when technical debt is “self-admitted” more frequently and whether there are any similarities in this sense between test and production classes. We also analyse whether class complexity makes a difference to SATD occurrence. To facilitate our analysis, we used a data set of over 300k changes developed by Riquet et al., as a basis. Results suggest that a lower proportion of SATD occur in afternoons as opposed to mornings and that class complexity has a significant say in the role and application of SATD.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"26 1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123326215","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Living in a Pink Cloud or Fighting a Whack-a-Mole? On the Creation of Recurring Revenue Streams in the Embedded Systems Domain","authors":"H. H. Olsson, Jan Bosch","doi":"10.1109/SEAA56994.2022.00033","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00033","url":null,"abstract":"For companies in the embedded systems domain, digitalization and digital technologies allow endless opportunities for new business models and continuous value delivery. While physical products still provide the core revenue, these are rapidly being complemented with offerings that allow for recurring revenue and that are based on software, data and artificial intelligence (AI). However, while new digital offerings allow for fundamentally new and recurring revenue streams and continuous value delivery to customers, the creation of these proves to be a challenging endeavour. In this paper, we study how companies explore ways to create new or additional value with the intention to complement their product portfolio with offerings that allow for recurring revenue. Based on multi-case study research, we identify the key challenges that companies in the embedded systems domain experience and we derive four organizational patterns that we see slow down innovation. Second, we present a framework outlining alternative types of offerings to customers. Third, we provide a value taxonomy in which we detail the different types of offerings and the value these provide to customers. 
For each value offering, we indicate whether this offering is (1) static or evolving, (2) bundled or unbundled, (3) free or monetized, and we provide examples from the case companies we studied.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131422194","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Synthesis of Pareto-optimal Policies for Continuous-Time Markov Decision Processes","authors":"Naif Alasmari, R. Calinescu","doi":"10.1109/SEAA56994.2022.00071","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00071","url":null,"abstract":"We present a work-in-progress method for the synthesis of continuous-time Markov decision process (CTMDP) policies–an important problem not handled by current probabilistic model checkers. The policies synthesised by this method correspond to configurations of software systems or software controllers of cyber-physical systems (CPS) that satisfy predefined nonfunctional constraints and are Pareto-optimal with respect to a set of optimisation objectives. We illustrate the effectiveness of our method by using it to synthesise optimal configurations for a client-server system, and optimal controllers for a driver-attention management CPS.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128987363","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Anomaly Detection in Cloud-Native Systems","authors":"Francesco Lomio, Sergio Moreschini, Xiaozhou Li, Valentina Lenarduzzi","doi":"10.1109/SEAA56994.2022.00023","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00023","url":null,"abstract":"Companies develop cloud-native systems deployed on public and private clouds. Since private clouds have limited resources, the systems should run efficiently by keeping performance-related anomalies under control. The goal of this work is to understand whether a set of five performance-related KPIs depends on the metrics collected at runtime by Kafka, Zookeeper, and other tools (168 different metrics). We considered four weeks’ worth of runtime data collected from a system running in production. We trained eight Machine Learning algorithms on three weeks’ worth of data and tested them on one week’s worth of data to compare their prediction accuracy and their training and testing time. It is possible to detect performance-related anomalies with a very high level of accuracy (higher than 95% AUC) and with very limited training time (between 8 and 17 minutes). Machine Learning algorithms can help to identify runtime anomalies and to detect them efficiently. 
Future work will include the identification of a proactive approach to recognize the root cause of the anomalies and to prevent them as early as possible.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128848700","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Investigating the Adoption of History-based Prioritization in the Context of Manual Testing in a Real Industrial Setting","authors":"Vinicius Siqueira, Breno Miranda","doi":"10.1109/SEAA56994.2022.00030","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00030","url":null,"abstract":"Many test case prioritization techniques have been proposed with the ultimate goal of speeding up fault detection. History-based prioritization, in particular, has been shown to be an effective strategy. Most of the empirical studies conducted on this topic, however, have focused on the context of automated testing. Investigating the effectiveness of history-based prioritization in the context of manual testing is important because, despite the popularity of automated approaches, manual testing is still largely adopted in industry. In this work we propose two history-based prioritization heuristics and evaluate them in the context of manual testing in a real industrial setting. For our evaluation we collected historical test execution information for 23 products, spanning over seven years of historical information, accounting for a total of 2,352 unique test cases and 3,993,863 test results. 
The results of our experiments showed that the effectiveness of the proposed approach is not far from a theoretical optimal prioritization, and that they are significantly better than alternative orderings of the test suite, including the order suggested by the test management tool and the execution order followed by the testers during the real execution of the test suites evaluated as part of our study.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129029245","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Software Reuse and Evolution in JavaScript Applications","authors":"Anastasia Terzi, Orfeas Christou, S. Bibi, P. Angelidis","doi":"10.1109/SEAA56994.2022.00048","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00048","url":null,"abstract":"JavaScript (JS) is one of the most popular programming languages on GitHub. Most JavaScript applications are reusing third-party components to acquire various functionalities. Despite the benefits offered by software reuse there are still challenges, during the evolution of JavaScript applications, related to the management and maintenance of the third-party dependencies. Our key objective is to explore the evolution of library dependencies constraints in the context of JavaScript applications in terms of (a) the changeability (i.e., number of removed, added, or maintained libraries) (b) the update frequency of the library dependencies. For this purpose, we conducted a case study on the 86 most forked JavaScript applications hosted on GitHub and analyzed reuse data from a total of 2.363 successive releases. In general, 39% of the packages introduced in the first version of the project are being reused in the entire project’s lifetime. The number of package dependencies slightly grows over time, while several others are being permanently removed. 
Regarding the evolution of third-party applications, it is observed that developers do not update the dependencies constraints to a most recent version, waiting to reach probably “breaking points” when the updates will be inevitable.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"671 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121993072","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Impact of Forced Working-From-Home on Code Technical Debt: An Industrial Case Study","authors":"Ehsan Zabardast, J. Gonzalez-Huerta, Francis Palma","doi":"10.1109/SEAA56994.2022.00054","DOIUrl":"https://doi.org/10.1109/SEAA56994.2022.00054","url":null,"abstract":"Background: The COVID-19 outbreak interrupted regular activities for over a year in many countries and resulted in a radical change in ways of working for software development companies, i.e., most software development companies switched to a forced Working-From-Home (WFH) mode. Aim: Although several studies have analysed different aspects of forced WFH mode, it is unknown whether and to what extent WFH impacted the accumulation of technical debt (TD) when developers have different ways to coordinate and communicate with peers. Method: Using the year 2019 as a baseline, we carried out an industrial case study to analyse the evolution of TD in five components that are part of a large project while WFH. As part of the data collection, we carried out a focus group with developers to explain the different patterns observed from the quantitative data analysis. Results: TD accumulated at a slower pace during WFH as compared with the working-from-office period in four components out of five. These differences were found to be statistically significant. Through a focus group, we have identified different factors that might explain the changes in TD accumulation. One of these factors is responsibility diffusion which seems to explain why TD grows faster during the WFH period in one of the components. 
Conclusion: The results suggest that when the ways of working change, the change between working from office and working from home does not result in an increased accumulation of TD.","PeriodicalId":269970,"journal":{"name":"2022 48th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)","volume":"32 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126799031","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}