Date post: | 23-Dec-2015 |
Formality, Agility, Security, and Evolution in Software Development
Cody Ronning
2/16/2015
Outline
• Introduction
• Challenges of software development
• Formal methods
• Agile methods
• Formal agility
• Security
• Evolution
• Conclusions
Introduction
• KU MSIT student
• Software engineer at Garmin
• Father of 3 (4)
Challenges of software development
• Easy or hard?
• Easy when small, working alone
• When the project, code base, number of contributors increase -> HARD
Challenges of software development
• Complex systems
• Requirement changes
• Deadlines
• Task switching
• Changing priorities
• External dependencies
Preparing for complexity & change
• Experienced software engineer
• Software engineering approaches
  – Modularization
  – Abstraction
  – Object orientation
• Most important
  – Need Structure
Structure
• Formal methods
• Agile methodology
• FM & AM combined
Formal methods
• Mathematical approach to software development from the requirements specification onward
• Especially valuable when safety and security are important
• Can be used to derive a proof (at great cost)
Aspects of formal methods
• Create models before coding
• Use modeling language with fixed grammar
  – Analogous to converting a word problem into algebraic notation
• Framework for rigorous testing
Teaching formal methods
• Learning to read formal specifications is easier than writing them
• Reading is necessary for the entire team
• Writing formal requirements requires highly trained people
Agile methodology
• True agile
  – Many teams claiming to do agile software development are only adopting Scrum for project management
  – True agile is formally defined
    • TDD
    • Refactoring
    • Pair programming
    • Simple design
Agile development
• Individuals and interactions over process and tools
• Rapid response to change
• Requirements and solution evolve together over time
Agile development
• Individuals and interactions over process and tools
  – The most important resource is the people
    • Produce better work
    • More committed to the project
Agile development
• Rapid response to change
  – Quick (next sprint) changes based on customer feedback
Agile development
• Requirements and solution evolve together over time
  – Documentation comes from story planning and development
Formal agility
• Contrasting model?
• Use modern tools for re-proof when system is changed
  – RODIN
  – Alloy Analyzer
• Agile developers can benefit from training in formal methods
Friends not foes
• Formal methods can’t be avoided
  – Programming languages have formal semantics
  – Coding standards are language subsets
• IDEs include analysis tools that run in the background
• Add value to agile as a sanity check and safety net
Formal agile development
• Individuals and interactions over process and tools
  – Once you have the right people, tools and processes are still important
  – Most will benefit from tools and processes that embody wisdom gained by previous projects
Formal agile development
• Rapid response to change
  – Formal methods help form better basis for predicting consequences of major change
  – When models are adjusted the associated verification also needs to be redone
Formal agile development
• Requirements and solution evolve together over time
  – OK for smaller, shorter projects, especially internal ones
  – Multi-year, multi-team, large-scale projects benefit from well-defined models to avoid renegotiations
Formality adds value to agile
• Testing
• Requirements
• Refactoring
• Documentation
Security
• Agile development focuses on user stories
  – Provide “happy path” for testing
• Security preparation is generally not part of the backlog
  – Stories are to satisfy the customer
  – Prioritize primary business value first
Adding security to agile
• Evil stories
  – Describe functionality that an attacker would be able to exploit
  – Development becomes two dimensional
    • Implement user stories
    • Avoid implementing evil stories
• Protection poker
  – Security risks are quantified by the agile team
Adding security to agile
• Agile principles to propagate security knowledge
  – Pair programming
  – Certification
  – Mandating security review in each sprint's retrospective
Adding security to agile
• Microsoft Secure Development Lifecycle (SDL)
• Agile categories
  – Every sprint
    • Running automated security-analysis tools
    • Updating threat model
  – Bucket requirements
    • Response planning
  – One-time requirements
    • Base-line threat model
Software evolution
• Real software systems continually evolve (or die)
  – New requirements
  – New functionalities
Software evolution
• Start with formal specification
• Iterate with new ideas
Formal software evolution
• Projects built from a formal definition evolve better
  – New/different people working on maintenance project
  – Questions of design or regressions
Conclusions
• Agile and formal methods can be friends
• Project types dictate what part of any methodology is chosen
References
• Bowen, J., Hinchey, M., Janicke, H., Ward, M., & Zedan, H. (2014, Oct). Formality, Agility, Security, and Evolution in Software Development. Computer, IEEE, 47(10), 86-89.
• Black, S., Boca, P.P., Bowen, J.P., Gorman, J., & Hinchey, M., "Formal Versus Agile: Survival of the Fittest," Computer, vol. 42, no. 9, pp. 37–45, Sept. 2009.
• P.G. Larsen, J. Fitzgerald, and S. Wolff, “Are Formal Methods Ready for Agility? A Reality Check,” Proc. 2nd Int’l Workshop Formal Methods and Agile Methods (FM+AM 10), vol. P-179, 2010, pp. 13–25.
Formality, Agility, Security, and Evolution in Software Development
• Thank you for your time
• Questions and feedback are welcome