{"title":"Empowering Software Engineers to Design More Secure Web Applications: Guidelines and Potential of Using LLMs as a Recommender Tool","authors":"Raffaela Groner, Klara Svensson, Drake Axelrod, Ranim Khojah, Mazen Mohamad, Rebekka Wohlrab","doi":"10.1002/smr.70083","DOIUrl":"https://doi.org/10.1002/smr.70083","url":null,"abstract":"<p>As software applications get increasingly connected and complex, cybersecurity becomes more and more important to consider during development and evaluation. Software engineers need to be aware of various security threats and the countermeasures that can be taken to mitigate them. Currently, there is a lack of guidance for software engineers aiming to develop secure web applications. We conducted a design science research study, resulting in a set of guidelines to aid software engineers in developing secure web applications. The set of guidelines was constructed based on interview data with 10 industry practitioners. These guidelines were then evaluated using a survey with 28 respondents. Additionally, we conducted experiments in which we provided a large language model with our guidelines and vulnerability reports as input. The large language model should extend the given vulnerability reports by recommending which of our guidelines can help prevent the given vulnerability in the future. The extended reports were evaluated by two external researchers experienced in cyber security and one author. Our results indicate that developers consider using these proposed guidelines for the development and assessment of secure web applications in different stages of the software development lifecycle. 
Our results also show that it is possible to automatically enhance vulnerability reports to support developers meaningfully and that the guidelines recommended by the large language model are useful to prevent the respective vulnerabilities in the future.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 2","pages":""},"PeriodicalIF":1.8,"publicationDate":"2026-02-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70083","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"147275085","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Interest in Working Remotely: What Factors Are at Play?","authors":"Eriks Klotins, Darja Smite, Panagiota Chatzipetrou, Anastasiia Tkalich, Nils Brede Moe","doi":"10.1002/smr.70084","DOIUrl":"https://doi.org/10.1002/smr.70084","url":null,"abstract":"<p>In the postpandemic era, attitudes toward remote work appeared to undergo a lasting transformation, with a high degree of location flexibility becoming increasingly common. Yet, in recent years, many organizations have introduced return-to-office (RTO) initiatives aimed at re-establishing traditional workplace dynamics and prioritizing in-person collaboration. These mandates have drawn significant attention and criticism for limiting software developers' flexibility, diminishing well-being, and potentially impacting women disproportionately. This study seeks to understand software developers' preferences and actual work behaviors in companies that promote in-office presence. Specifically, we investigate whether certain demographic groups, including women, are differentially affected by RTO initiatives. We also explore a range of factors that may influence individual preferences for remote or on-site work, beyond gender-based assumptions. We report findings from a survey conducted in two large Scandinavian companies engaged in the development of software-intensive systems and services. Data analysis includes descriptive statistics, contingency tables along with post hoc tests, chi-square test of association, and Cramér's <i>V</i> for effect sizes. Our findings reveal that gender differences among software developers in both industrial cases are minimal and statistically insignificant. 
Instead, other variables—such as the degree of collaborative work, commute time, and responsibility to support teammates—demonstrate a stronger association with both actual and preferred office attendance. Our results challenge common narratives around gendered responses to RTO mandates, suggesting that other contextual and task-related factors may play a more decisive role. While the impact of RTO initiatives should not be dismissed, our findings indicate that a deeper understanding of work dynamics—particularly around collaboration intensity and commuting burden—is essential to designing equitable and effective work policies. Finally, our findings imply that organizational recommendations for work location must go hand in hand with task design.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 2","pages":""},"PeriodicalIF":1.8,"publicationDate":"2026-02-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70084","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146136104","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Formal Verification of Partitioned Scheduling in Real-Time Operating Systems Using Timed Automata","authors":"Jiaqi Yin, XinLong Chen, Jixun Yan, Shaolong Song, Yushen Han","doi":"10.1002/smr.70077","DOIUrl":"https://doi.org/10.1002/smr.70077","url":null,"abstract":"<div><p>Partition scheduling plays a crucial role in ensuring temporal determinism and fault isolation in real-time operating systems. However, its correctness is difficult to guarantee through traditional testing due to the complexity of timing interactions and the need for exhaustive state exploration. Therefore, a rigorous and systematic verification approach is essential to ensure system design correctness under all execution scenarios. This paper presents a formal modeling and verification methodology for partition scheduling in operating systems, based on timed automata. The proposed model is developed and systematically verified using UPPAAL. It comprises four key components–Partition, Scheduler, TimeSynchronizer, and ErrorHandler–which collectively capture task execution flows, scheduling policies, clock synchronization, and fault-handling mechanisms. A comprehensive set of verification properties is defined using Linear Temporal Logic (LTL) to formally specify the system's temporal behaviors and safety requirements. The verification results confirm that the proposed approach effectively verifies partition switching correctness, time consistency enforcement, and exception recovery. 
This method provides a rigorous and practical formal foundation for modeling and analyzing real-time scheduling systems.</p></div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2026-01-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146148255","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"ECLYPSE: A Python Framework for Simulation and Emulation of the Cloud-Edge Continuum","authors":"Jacopo Massa, Valerio De Caro, Stefano Forti, Patrizio Dazzi, Davide Bacciu, Antonio Brogi","doi":"10.1002/smr.70081","DOIUrl":"https://doi.org/10.1002/smr.70081","url":null,"abstract":"<p>The Cloud-Edge continuum enhances application performance by bringing computation closer to data sources. However, it presents considerable challenges in managing resources and determining application service placement, as these tasks require analyzing diverse, dynamic environments characterized by fluctuating network conditions. Addressing these challenges calls for tools combining simulation and emulation of Cloud-Edge systems to rigorously assess novel application and resource management strategies. In this paper, we introduce <span>ECLYPSE</span>, a Python-based framework that enables the simulation and emulation of the Cloud-Edge continuum via adaptable resource allocation and service placement models. <span>ECLYPSE</span> features an event-driven architecture for dynamically adapting network configurations and resources. It also supports seamless transitions between simulated and emulated setups, thus enabling the execution of experiments in simulated, emulated, and hybrid settings. 
In this work, we illustrate and assess <span>ECLYPSE</span> capabilities over three use cases, demonstrating the framework's effectiveness in rapid prototyping across diverse scenarios.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2026-01-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70081","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146099380","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Impact of COVID-19 on Open Source Development Activities: A Multi-Method Study","authors":"Márcio Vinicius Okimoto, Edna Dias Canedo, Rodrigo Bonifácio, Uirá Kulesza","doi":"10.1002/smr.70082","DOIUrl":"https://doi.org/10.1002/smr.70082","url":null,"abstract":"<p>The social isolation measures resulting from the COVID-19 outbreak changed work practices in various sectors, especially with the shift to working from home. However, the implications of the pandemic on the maintenance and evolution of open-source software (OSS) still deserve further studies. In this paper, we analyze the effects of COVID-19 on the development activity of OSS and how social isolation changed the productivity of OSS contributors. We conducted a mixed-method study composed of (i) a mining software repositories analysis of 155 popular and active OSS projects on GitHub, selected from an initial dataset of 1500 repositories based on activity thresholds (commits, pull requests, and size), and (ii) a survey with 57 core developers identified using an established literature-based heuristic. The mining study analyzed commits, code churn, pull requests, and pull request latency to assess changes before and after the pandemic, applying statistical tests and a mixed-effects Regression Discontinuity Design. The survey collected self-reported perceptions of productivity and engagement during the pandemic, enabling triangulation with repository activity trends. Our results show that while core developers' productivity remained stable, there was a sustained decline in newcomer participation and a temporary increase in core developer turnover. In the early days of the outbreak, we observed an increase in accepted pull requests, followed by a stabilization of most activity metrics. Some findings are supported by our survey study, whose results indicate that most of our survey respondents consider that COVID-19 did not change their productivity substantially. 
These findings offer insights into OSS resilience and sustainability in the face of large-scale disruptions, contributing to a broader understanding of the outbreak's impact and providing actionable lessons for managing distributed development in crisis scenarios.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2026-01-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70082","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"146002164","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Function-Guided Extended Latent Dirichlet Allocation Model for Complementary Cloud API Recommendation in Mashup Development","authors":"Zhen Chen, Xiaolong Wang, Denghui Xie, Haonan Liao, Dianlong You, Limin Shen","doi":"10.1002/smr.70078","DOIUrl":"https://doi.org/10.1002/smr.70078","url":null,"abstract":"<div><p>In the cloud era, the cloud application programming interface (API), as the best carrier for service delivery, capability replication, and data output, has become the core element of service-oriented software development. The existing cloud API recommendation methods adhere to a common paradigm: leveraging perceived quality of service and keyword matching to generate high-quality, single-function results, while overlooking the objective need for function-guided complementary cloud APIs in service-oriented software development. Function-guided complementary cloud API recommendation aims to generate cloud APIs that are frequently co-invoked in conjunction with those APIs that provide a given function, thereby satisfying the joint interests of developers. To this end, we propose a function-guided extended latent Dirichlet allocation (ELDA) model for complementary cloud API recommendation. Specifically, we first conduct an analysis of real-world data from cloud API ecosystems to illustrate both the necessity of complementary cloud API recommendations and the objective existence of a head effect within these APIs. Then we conceptualize the complementary relationship between a function and cloud APIs by treating the function as a document, with the corresponding cloud APIs represented as words within that document. Furthermore, we extend the classic latent Dirichlet allocation model by introducing two additional factors: (1) cloud API popularity and (2) functional sensitivity. These factors are designed to capture head effects within complementary cloud APIs. 
Additionally, we train both a positive and a negative ELDA model using the respective positive and negative corpus sets obtained. Furthermore, complementary cloud APIs relevant to the targeted function are generated by integrating the results from both the positive and negative ELDA models. Finally, experiments were conducted on two real-world cloud API datasets. The results demonstrate that the performance of ELDA surpasses that of the comparative methods. Sensitivity analysis of hyperparameters and case study findings further validate the effectiveness and practicality of ELDA.</p></div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2026-01-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145963768","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Continuous Deployment Adoption: Insights From a Public Sector Implementation","authors":"Aapo Linjama, Tuomas Granlund","doi":"10.1002/smr.70080","DOIUrl":"https://doi.org/10.1002/smr.70080","url":null,"abstract":"<p>Continuous deployment is a significant trend in software development, yet its adoption and potential benefits within the public sector remain under-researched. This paper examines a case study of continuous deployment implementation in a public sector project undertaken by Solita, a software development company, for a client utilizing agile methodologies. The study provides a comprehensive overview of the motivations, benefits, and challenges encountered during continuous deployment adoption. This study contributes to the growing body of knowledge on continuous deployment by providing valuable insights into its application within the public sector context, offering practical recommendations for overcoming challenges and achieving successful implementation.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2026-01-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70080","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145963736","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An Integrated Cybersecurity Framework for Software Development and Risk-Aware Practices in the SDLC","authors":"Hussein A. Al Hashimi","doi":"10.1002/smr.70075","DOIUrl":"https://doi.org/10.1002/smr.70075","url":null,"abstract":"<div><p>Cybersecurity risks are increasing in frequency and complexity, but many organizations struggle to plan and implement adequate protections at all stages of the software development life cycle (SDLC). Security is frequently added at the end of development (afterthought), and making effective use of safeguard space is difficult for IT leaders. The purpose of this study is to produce an all-encompassing framework to adopt and ensure security throughout each phase of the SDLC, from planning through maintenance. The aim is to minimize vulnerabilities and improve the resilience of software by making “security by design” a structure that not only adopts security elegantly as a living document but also is built to be part of the development process. This study adopted a mixed-methods approach. The initial stage of inquiry involved a systematic literature review (SLR) to identify common cybersecurity issues associated with each SDLC phase. The SLR was followed by an empirical survey of 71 software professionals from a variety of organizations. The survey was designed to gather perceived threats, current practices, and challenges associated with software development for survey participants' organizations. The data collected were analyzed and reviewed statistically, through chi-square tests and ANOVA, to profile the variance relative to the size of the organization, geographic region, and experience level of the practitioner. The results noted several high-risk challenges across the SDLC: underfunded security controls, imprecise requirements, insecure architecture, software bugs (i.e., injection vulnerabilities), inadequate testing, misconfigured production environments, and unreliable maintenance. 
The proposed framework provides cybersecurity mitigation techniques for each stage of the SDLC, such as leveraging security-oriented design patterns, secure coding policies (i.e., input validation and authentication protocols), robust testing (i.e., penetration testing and code review), and continuous monitoring after deployment. The implementation of these measures leads to a significant risk reduction in the overall organizational security posture. The framework is a formalized end-to-end approach to secure software development by embedding security throughout the cycle. Embedding security as a part of the process versus an afterthought at every stage of the cycle creates a risk reduction impact. This integrated approach also provides organizations with the opportunity to foresee and mitigate events earlier in the cycle, along with general compliance mandates (i.e., GDPR, HIPAA, and PCI-DSS), to provide more resilient, trustworthy software systems.</p></div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-12-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145887710","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Exploring the Relationship Between Trait Emotional Intelligence and Performance in the Context of SME Software Engineering","authors":"Ibad Ullah, Nasir Rashid, Sheraz Babar, Naeem Iqbal","doi":"10.1002/smr.70076","DOIUrl":"https://doi.org/10.1002/smr.70076","url":null,"abstract":"<div><p>In software-based small- and medium-sized enterprises (SMEs), enhancing the individual performance (IP) of employees, particularly software engineers, is essential for organizational growth. Rather than relying on general strategies, firms increasingly focus on specific personal and professional factors influencing productivity. Trait emotional intelligence (Trait EI), including key dimensions like motivation, stress tolerance, and optimism, has emerged as a significant predictor of IP. In parallel, digital competence (DComp) has become indispensable due to the rapid evolution of technological systems. Employees with higher digital skills are better equipped to manage digital tools and adapt to innovations, leading to improved efficiency. Additionally, social support (SS) within organizations from supervisors, peers, and team members has been shown to enhance job satisfaction, engagement, and overall output. Despite growing interest, current literature lacks empirical frameworks that integrate these constructs in the SME software sector. This study proposes and validates a conceptual model to investigate the influence of Trait EI on software engineers' IP, with DComp and SS serving as mediating factors. 
The findings offer practical implications for developing emotional intelligence and DComp within tech-driven SMEs to foster performance and growth.</p></div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-12-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145887582","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PathCovAVTest: Testing for Violations of Autonomous Driving Systems Based on Path Coverage of Traffic Regulation Scenarios","authors":"Chunyan Xia, Song Huang, Yuchen Xia, Qiang Sun, Meishu Luo, Ziyi Zhao","doi":"10.1002/smr.70066","DOIUrl":"https://doi.org/10.1002/smr.70066","url":null,"abstract":"<div><p>Autonomous vehicles play a crucial role in alleviating traffic congestion and eliminating traffic accidents. To ensure the safety and reliability of autonomous driving systems, comprehensive testing must be conducted before their deployment on public roads. Currently, testing methods primarily focus on simple scenarios involving safety violations, generating test cases based on traffic accident and traffic regulation violation scenarios. However, under complex traffic environments and driving conditions, the automatic generation of traffic regulation violation test cases to identify regulatory violations by autonomous vehicles remains insufficiently explored. In response, we propose a method for testing violations by autonomous vehicles—PathCovAVTest—which generates violation scenarios through traffic regulation scenario models to evaluate both safety violations and traffic regulation violations of the autonomous driving system. First, we design a fitness function for a genetic algorithm based on a Petri net–based traffic regulation scenario model. This function considers the safety of collisions between autonomous vehicles and other traffic participants, as well as the similarity between vehicle trajectory paths and path state sequences. The evolutionary process then produces test cases that represent traffic regulations, aimed at uncovering violations by autonomous vehicles. Simulation experiments conducted on Baidu Apollo, an industrial-grade platform, demonstrate that PathCovAVTest can effectively identify 16 types of violations committed by autonomous vehicles. 
Furthermore, compared with baseline methods, PathCovAVTest detects more traffic regulation violations by autonomous driving systems and improves the efficiency of generating unique violation scenarios.</p></div>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"38 1","pages":""},"PeriodicalIF":1.8,"publicationDate":"2025-12-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"145842964","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}