Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015.

Formality, Agility, Security, and Evolution in Software Development

Cody Ronning2/16/2015

Outline• Introduction• Challenges of software development• Formal methods• Agile methods• Formal agility• Security• Evolution• Conclusions

2

Introduction

• KU MSIT student• Software engineer at Garmin

• Father of 3 (4)

3


4

Challenges of software development

• Easy or hard? • Easy when small, working alone• When the project, code base, number of

contributors increase -> HARD

5

Challenges of software development

• Complex systems• Requirement changes• Deadlines• Task switching• Changing priorities• External dependencies

6

Preparing for complexity & change

• Experienced software engineer• Software engineering approaches– Modularization– Abstraction– Object orientation

• Most important– Need Structure

7

Structure

• Formal methods• Agile methodology• FM & AM combined

8


9

Formal methods

• Mathematical approach to software development from the requirements specification onward

• Important when safety and security are important

• Can be used to derive a proof (great cost)

10

Aspects of formal methods

• Create models before coding• Use modeling language with fixed grammar– Analogous to converting a word problem into

algebraic notation• Framework for rigorous testing

11

Teaching formal methods

• Learning to read formal specification easier than writing them

• Reading is necessary for entire team • Writing formal requirements require highly

trained people

12


13

Agile methodology

• True agile – Many teams claiming to do agile software

development are only adopting Scrum for project management

– True agile is formally defined• TDD• Refactoring• Pair programming• Simple design

14

Agile development

• Individuals and interactions over process and tools

• Rapid response to change• Requirements and solution evolve together

over time

15

Agile development

• Individuals and interactions over process and tools– The most important resource is the people• Produce better work• More committed to the project

16

Agile development

• Rapid response to change– Quick (next sprint) changes based on customer

feedback

17

Agile development

• Requirements and solution evolve together over time– Documentation comes from story planning and

development

18


19

Formal agility

• Contrasting model? • Use modern tools for re-proof when system is

changed– RODIN– Alloy Analyzer

• Agile developers can benefit from training in formal methods

20

Friends not foes

• Formal methods can’t be avoided– Programming languages have formal semantics– Coding standards are language subsets

• Tools within IDEs have analysis tools that run in the background

• Add value to agile as a sanity check and safety net

21

Formal agile development

• Individuals and interactions over process and tools– Once you have the right people tools and

processes are still important– Most will benefit from tools and processes that

embody wisdom gained by previous projects

22


• Rapid response to change– Formal methods help form better basis for

predicting consequences of major change– When models are adjusted the associated

verification also needs to be redone

23


• Requirements and solution evolve together over time– Ok for smaller shorter projects, especially internal

ones– Multi-year, multi-team, large scale projects benefit

from well defined models to avoid renegotiations

24

Formality adds value to agile

• Testing• Requirements• Refactoring• Documentation

25


26

Security

• Agile development focuses on user stories– Provide “happy path” for testing

• Security preparation is generally not part of the backlog– Stories are to satisfy the customer– Prioritize primary business value first

27

Adding security to agile

• Evil stories– Describe functionality that an attacker would be

able to exploit– Development becomes two dimensional• Implement user stories• Avoid implementing evil stories

• Protection poker– Security risks are quantified by the agile team

28


• Agile principles to propagate security knowledge– Pair programming– Certification– Mandating security review in each sprints

retrospective

29


• Microsoft Secure Development Lifecycle (SDL)• Agile categories– Every sprint• Running automated security-analysis tools• Updating threat model

– Bucket requirements• Response planning

– One-time requirements• Base-line threat model

30


31

Software evolution

• Real software systems continually evolve (or die)– New requirements– New functionalities

32

Software evolution

• Start with formal specification• Iterate with new ideas

33

Formal software evolution

• Project made from formal definition evolve better– New/different people working on maintenance

project– Questions of design or regressions

34


35

Conclusions

• Agile and formal methods can be friends • Project types dictate what part of any

methodology is chosen

36

References

• Bowen, J., Hinchey, M., Janicke, H., Ward, M., & Zedan, H. (2014, Oct). Formality, Agility, Security, and Evolution in Software Development. Computer, IEEE, 47(10), 86-89.

• Black, S.; Boca, P.P.; Bowen, J.P.; Gorman, J.; Hinchey, M., "Formal Versus Agile: Survival of the Fittest," Computer , vol.42, no.9, pp.37,45, Sept. 2009

• P.G. Larsen, J. Fitzgerald, and S. Wolff, “Are Formal Methods Ready for Agility? A Reality Check,” Proc. 2nd Int’l Workshop Formal Methods and Agile Methods (FM+AM 10), vol. P-179, 2010, pp. 13–25.

37

Formality, Agility, Security, and Evolution in Software Development

• Thank you for your time• Questions and feedback are welcome

38

Date post:	23-Dec-2015
Category:	Documents
Upload:	kimberly-spencer
View:	215 times
Download:	0 times

Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015.

Documents