Evolutionary Improvements of Quality Attributes: Performance in Practice

Agile , Architecture , Architecture Tradeoff Analysis Method (ATAM) , Quality Attribute Workshop No Comments »

By Neil Ernst 
Member of the Technical Staff 
Software Solutions Division

This post is co-authored by Stephany Bellomo

Neil ErnstContinuous delivery practices, popularized in Jez Humble’s 2010 bookContinuous Delivery, enable rapid and reliable software system deployment by emphasizing the need for automated testing and building, as well as closer cooperation between developers and delivery teams. As part of the Carnegie Mellon University Software Engineering Institute's (SEI) focus on Agile software development, we have been researching ways to incorporate quality attributes into the short iterations common to Agile development. We know from existing SEI work on Attribute-Driven DesignQuality Attribute Workshops, and the Architecture Tradeoff Analysis Method that a focus on quality attributes prevents costly rework. Such a long-term perspective, however, can be hard to maintain in a high-tempo, Agile delivery model, which is why the SEI continues to recommend an architecture-centric engineering approach, regardless of the software methodology chosen. As part of our work in value-driven incremental delivery, we conducted exploratory interviews with teams in these high-tempo environments to characterize how they managed architectural quality attribute requirements (QARs). These requirements—such as performance, security, and availability—have a profound impact on system architecture and design, yet are often hard to divide, or slice, into the iteration-sized user stories common to iterative and incremental development. This difficulty typically exists because some attributes, such as performance, touch multiple parts of the system. This blog post summarizes the results of our research on slicing (refining) performance in two production software systems. We also examined the ratcheting (periodic increase of a specific response measure) of scenario components to allocate QAR work.


The Latest Published Research from the SEI

Agile , Insider Threat No Comments »

By Douglas C. Schmidt
Principal Researcher

Douglas C. SchmidtAs part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in assuring software reliabilityfuture architecturesAgile software teamsinsider threat, and HTML5. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website. 


Performance of Compiler-Assisted Memory Safety Checking

Secure Coding No Comments »

By David Keaton
Senior Researcher
CERT Secure Coding Initiative

David KeatonAccording to a 2013 report examining 25 years of vulnerabilities (from 1998 to 2012), buffer overflow causes 14 percent of software security vulnerabilities and 35 percent of critical vulnerabilities, making it the leading cause of software security vulnerabilities overall. As of July 2014, the TIOBE index indicates that the C programming language, which is the language most commonly associated with buffer overflows, is the most popular language with 17.1 percent of the market. Embedded systems, network stacks, networked applications, and high-performance computing rely heavily upon C. Embedded systems can be especially vulnerable to buffer overflows because many of them lack hardware memory management units. This blog post describes my research on the Secure Coding Initiative in the CERT Division of the Carnegie Mellon University Software Engineering Institute to create automated buffer overflow prevention.


Systems Engineering in Defense and Non-Defense Industries

Systems Engineering No Comments »

By Joseph Elm
Program Integration Manager
Software Solutions Division

Joseph ElmIn today’s systems it’s very hard to know where systems end and software begins. Software performs an integrating function in many systems, often serving as the glue interconnecting other system elements. We also find that many of the problems in software systems have their roots in systems engineering, which is an interdisciplinary field that focuses on how to design and manage complex systems over their life cycles. For that reason, staff at the Carnegie Mellon University Software Engineering Institute (SEI) often conduct research in the systems engineering realm. Process frameworks, architecture development and evaluation methods, and metrics developed for software are routinely adapted and applied to systems. Better systems engineering supports better software development, and both support better acquisition project performance. This blog post, the latest in a series on this research, analyzes project performance based on systems engineering activities in the defense and non-defense industries.


Principles of Big Data Systems: You Can’t Manage What You Don’t Monitor

Big Data No Comments »

By Ian Gorton 
Senior Member of the Technical Staff 
Software Solutions Division

Ian Gorton The term big data is a subject of much hype in both government and business today. Big data is variously the cause of all existing system problems and, simultaneously, the savior that will lead us to the innovative solutions and business insights of tomorrow. All this hype fuels predictions such as the one from IDC that the market for big data will reach $16.1 billion in 2014, growing six times faster than the overall information technology  market, despite the fact that the “benefits of big data are not always clear today,” according to IDC. From a software-engineering perspective, however, the challenges of big data are very clear, since they are driven by ever-increasing system scale and complexity. This blog post, a continuation of my last post on the four principles of building big data systems, describes how we must address one of these challenges, namely, you can’t manage what you don’t monitor. 


A Taxonomy for Managing Operational Cybersecurity Risk

OCTAVE , Risk No Comments »

By James Cebula
Senior Member of the Technical Staff
SEI CERT Division

This blog post was also co-authored by Lisa Young.

James CebulaOrganizations are continually fending off cyberattacks in one form or another. The  2014 Verizon Data Breach Investigations Report, which included contributions from SEI researchers, tagged 2013 as "the year of the retailer breach." According to the report, 2013 also witnessed “a transition from geopolitical attacks to large-scale attacks on payment card systems.” To illustrate the trend, the report outlines a 12-month chronology of attacks, including a January “watering hole” attack on the Council on Foreign Relations website followed in February by targeted cyber-espionage attacks against The New York Times and The Wall Street Journal. The well-documented Target breach brought 2013 to a close with the theft of more than 40 million debit and credit card numbers. This blog post highlights a recent research effort to create a taxonomy that provides organizations a common language and set of terminology they can use to discuss, document, and mitigate operational cybersecurity risks.


The Changing Relationship of Systems and Software in Satellites: A Case Study

Systems Engineering 2 Comments »

By Sarah Sheard
Member of the Technical Staff 
Software Solutions Division

Sarah Sheard The role of software within systems has fundamentally changed over the past 50 years. Software’s role has changed both on mission-critical DoD systems, such as fighter aircraft and surveillance equipment, and on commercial products, such astelephones and cars. Software has become not only the brain of most systems, but the backbone of their functionality. Acquisition processes must acknowledge this new reality and adapt. This blog posting, the second in a series about the relationship of software engineering (SwE) and systems engineering (SysE), shows how software technologies have come to dominate what formerly were hardware-based systems. This posting describes a case study: the story of software on satellites, whose lessons can be applied to many other kinds of software-reliant systems.  


HTML5 for Mobile Software Applications at the Edge

Handheld Devices 2 Comments »

By Grace Lewis 
Principal Investigator, Edge-Enabled Tactical Systems
Software Solutions Division

Grace Lewis Many warfighters and first responders operate at what we call “the tactical edge,”  where users are constrained by limited communication connectivity, storage availability, processing power, and battery life.  In these environments, onboard sensors are used to capture data on behalf of mobile applications to perform tasks such as face recognition, speech recognition, natural language translation, and situational awareness. These applications then rely on network interfaces to send the data to nearby servers or the cloud if local processing resources are inadequate. While software developers have traditionally used native mobile technologies to develop these applications, the approach has some drawbacks, such as limited portability. In contrast, HTML5 has been touted for its portability across mobile device platforms, as well an ability to access functionality without having to download and install applications. This blog post describes research aimed at evaluating the feasibility of using HTML5 to develop applications that can meet tactical edge requirements.