RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS 1
SP 10
TI Security for the Rest of Us: An Industry Perspective on the Secure-Software Challenge
A1 Konstantin Beznosov,
A1 Brian Chess,
K1 Authentication
K1 Java
K1 Electrical equipment industry
K1 Buffer overflow
K1 Guidelines
K1 Computer security
K1 Industrial control
K1 Access control
K1 Cryptography
K1 Uniform resource locators
K1 security economics
K1 software security
K1 Java security
K1 security requirements
K1 threat modeling
AB While security was once a specialty of interest to only a few programmers, it's now a critical topic for almost all software engineers, project managers, and decision makers. Getting security right is hard because an attacker—having virtually unlimited time—needs to find only one vulnerability in a system to succeed, whereas the defender—constrained in time—must ensure that the system has no weak points. This article provides an introduction to the special issue, which focuses on creating and maintaining secure software by the wide range of developers who constitute the software industry—many of whom work in domains where cost (both production and maintenance) and time-to-market are the main driving factors. This article is part of a special issue on Security for the Rest of Us.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.18
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.18

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 46
TI Model-Driven Development in the Enterprise
A1 Axel Uhl,
K1 MDD
K1 model-driven development
K1 software engineering
K1 software tools
AB MDD is a logical evolution of classical programming-language design and compiler construction. It continues the valuable pursuit of abstraction levels adequate for problem domain and runtime platforms. Code-generation and model-transformation frameworks act as compiler construction kits and help bridge the abstraction gap between design-time and runtime languages. This survey of promises and tools highlights what's working and what's missing.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.12
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.12

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 35
TI Cybersecurity Economic Issues: Clearing the Path to Good Practice
A1 Rachel Rue,
A1 Shari Lawrence Pfleeger,
K1 cybersecurity
K1 economics
K1 models
AB Software project managers have limited project resources. Requests for security improvements must compete with other requests, such as for new tools, more staff, and additional testing. Deciding how and whether to invest in cybersecurity protection requires knowing the answer to at least two questions: What is the likelihood of an attack, and what are the likely consequences of an attack? This article explores how answers to these questions have been sought and what obstacles lie in the way of understanding the answers. The authors discuss the need for data available to inform management decisions about cybersecurity investment, then examine models supporting decisions about trade-offs between investment and protection. Finally, they present a framework for comparing and contrasting economic models, so that project managers can make effective decisions about security. This article is part of a special issue on Security for the Rest of Us.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.4
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.4

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 80
TI VIRE: Sailing a Blue Ocean with Value-Innovative Requirements
A1 Jongmoon Baik,
A1 Kwangsin Han,
A1 Sangsoo Kim,
A1 Rick Kazman,
A1 Hoh Peter In,
K1 requirements engineering
K1 customer satisfaction
K1 value innovation
K1 value-based software engineering
AB An effective way for software development organizations to survive in competitive markets is to make competition irrelevant through requirements that create new value. Value-Innovative Requirements Engineering is a novel requirements-engineering process to support this market approach. VIRE is based on the blue-ocean strategy for creating an uncontested new market space that satisfies new customer desires and needs. The VIRE process guides the creation of new value for potential customers, using blue ocean's ERRC (eliminate, reduce, raise, and create) requirements analysis process as well as quantitative requirements analyses. A case study shows how VIRE created significant new market value.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.27
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.27

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 50
TI Ambiguous Business Value Harms Software Products
A1 Jeff Patton,
K1 business value
K1 user centric
AB Identifying and communicating business goals and metrics are the foundation of a good user-centered design approach.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.2
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.2

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 8
TI Morality and the Software Architect
A1 Grady Booch,
K1 architecture
K1 building
K1 software development
K1 ethics
K1 code of ethics
AB Should software architects have a professional code of ethics? There is a moral dimension to developing software, another force to consider when engineering a reasonably optimal software-intensive solution.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.13
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.13

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 91
TI No Silver Bullet: Software Engineering Reloaded
A1 Steven Fraser,
A1 Dennis Mancl,
K1 software engineering
K1 project management
K1 information technology and systems
K1 computing
K1 organizational impact
K1 software design
K1 complexity
K1 silver bullet
K1 Frederick Brooks
AB Twenty years after Frederick P. Brooks' "No Silver Bullet: Essence and Accidents of Software Engineering," first appeared in IEEE Computer in April 1987 (following its 1986 publication in Information Processing, ISBN 0444-7077-3), a celebratory panel was held at the 22nd International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2007) to discuss whether his premise held that the complexity of software was not accidental. Panelists discussed how the "hopes for silver," which included high-level language advances, object-oriented programming, artificial intelligence, expert systems, and great designers, evolved over the past 20 years and the paper's influence on the software engineering community. Participants included Steve Fraser (Cisco Research), Fred Brooks (Univ. of North Carolina at Chapel Hill), David Parnas (Univ. of Limerick), Linda Northrop (Software Eng. Inst.), Aki Namioka (Cisco Systems), Dave Thomas (Bedarra Research), Ricardo Lopez (Qualcomm), and Martin Fowler (ThoughtWorks).
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.14
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.14

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 52
TI Are You Done Yet?
A1 J.B. Rainsberger,
A1 Johanna Rothman,
K1 project management
K1 project scheduling
AB The single biggest wedge between programmer and manager is arguing over the schedule. Johanna Rothman provides a manager's perspective on how programmers and managers can collaborate effectively.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.3
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.3

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 78
TI Rational Metaprogramming
A1 Diomidis Spinellis,
K1 metaprogramming
K1 functional programming
K1 templates
K1 generative programming
AB Metaprogramming takes place when programs manipulate other programs. It is a powerful but tricky technique that can lead to unmaintainable code and bugs. None of the many current approaches to metaprogramming is mature. An ideal solution would use the same language for programming and metaprogramming. The language would be based on a small set of familiar programming constructs, and its compile-time objects would be first class citizens guaranteed to be syntactically correct and valid.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.15
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.15

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 20
TI Security Requirements for the Rest of Us: A Survey
A1 Per Håkon Meland,
A1 Inger Anne Tøndel,
A1 Martin Gilje Jaatun,
K1 Software engineering
K1 requirements elicitation
K1 security requirements
AB Information security requirements are important in all software engineering projects, not only to ensure the correct level of security in the end product but also to avoid implementing security solutions that turn out to be a bad fit. This article compares methods for eliciting and describing security requirements in software development projects, from the viewpoint of developers without extensive security skills. As the authors argue, all software projects need a well-balanced amount of security awareness from the beginning. This article is part of a special issue on Security for the Rest of Us.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.19
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.19

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 43
TI Emotional Requirements
A1 David Callele,
A1 Kevin Schneider,
A1 Eric Neufeld,
K1 requirements
K1 game design
K1 emotional requirements
K1 specification
AB Imagine that you're a software developer working on a video game. One morning, your boss comes in and says, "Make sure the new game is fun or we're all out of a job! Our last game just got savaged by the reviewers!" Now, what can you as a developer do to help make this happen? Like a movie director instructing the technical crew on implementing nuanced set design, lighting, sound, and acting, a game development team must work together to implement the game designer's vision. We introduced emotional requirements to assist game developers with this task. Just as with functional requirements, emotional requirements have attributes that you must describe and model, and those attributes sometimes require careful balancing.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.5
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.5

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 60
TI Agile Requirements Engineering Practices: An Empirical Study
A1 Balasubramaniam Ramesh,
A1 Lan Cao,
K1 requirements engineering
K1 agile software development
AB An analysis of data from 16 software development organizations reveals seven agile requirements-engineering practices, along with their benefits and challenges. These practices include face-to-face communication, iterative RE, extreme prioritization, constant planning, prototyping, test-driven development, and reviews and tests.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.1
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.1

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 54
TI Tests and Requirements, Requirements and Tests: A Möbius Strip
A1 Robert C. Martin,
A1 Grigori Melnik,
K1 acceptance testing
K1 requirements engineering
K1 executable specification
K1 FIT
K1 Framework for Integrated Testing
K1 FitNesse
AB Writing acceptance tests early is a requirements-engineering technique that can save businesses time and money and help them better respond to change. An equivalence hypothesis states that concrete requirements blend with acceptance tests so that you should be able to specify and verify system behavior using tests. Several examples in the FIT (Framework for Integrated Testing) demonstrate the approach.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.24
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.24

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 88
TI Inspecting the History of Inspections: An Example of Evidence-Based Technology Diffusion
A1 Carolyn Seaman,
A1 Forrest Shull,
K1 software inspections
AB Inspections are among the most mature and best-studied practices in software engineering. People, especially when they bring objective viewpoints, are among the most powerful tools for finding problems in systems. The inspection process mitigates the fact that, although the human brain is powerful, relying on it has drawbacks. It's interesting to look at how such a practice catches on among busy professionals.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.7
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.7

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 13
TI Java Insecurity: Accounting for Subtleties That Can Compromise Code
A1 Charlie Lai,
K1 Java
K1 code design
K1 programming paradigms
K1 security and privacy protection
AB Java developers commonly follow numerous coding guidelines—such as minimizing accessibility, creating copies of mutable inputs, and preventing the unauthorized construction of sensitive classes—to ensure that their programs are safe. Various subtleties related to each guideline could lead to unexpected behavior, and ultimately to security vulnerabilities. Java developers can safely account for these subtleties to prevent attacks. This article is part of a special issue on Security for the Rest of Us.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.9
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.9

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 4
TI So Many Languages, So Little Time
A1 Hakan Erdogmus,
K1 object-oriented language
K1 functional language
K1 dynamic language
K1 domain-specific language
AB What's up and coming in the programming language arena? A rudimentary analysis of the 200+ sessions' titles and abstracts at OOPSLA 07 (22nd Int'l Conf. Object-Oriented Programming, Systems, Languages, and Applications) provides a rough idea of what's happening with object-oriented, functional, dynamic, and domain-specific languages.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.20
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.20

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 68
TI Managing Agile Project Requirements with Storytest-Driven Development
A1 Rick Mugridge,
K1 requirements
K1 requirements specification
K1 design
K1 storytest
K1 agile development
K1 test-driven development
AB Agile project teams aim to include both business and development personnel, emphasizing direct communication over written requirements documents. Rather than trying to understand all of a system's detailed requirements before development, they carry out high-level release planning and then drive small development increments in cycles of one or two weeks. Doing so avoids many of the potential problems in traditional, phased software development approaches and accepts that changes are inevitable. Storytest-driven development brings requirements and automated testing ideas and practices together to support this agile process. The author describes this development approach and how its concrete examples can clarify and communicate business rules, aid agile team discussions, and facilitate team members' understanding of the concepts at the heart of the business needs. Such examples are executable, serving a secondary role as automated tests.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.11
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.11

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 76
TI Valuing Design Repair
A1 Rebecca J. Wirfs-Brock,
K1 antipattern
AB While a style guide typically covers good practices—what to do and what to avoid —an antipattern is somewhat more ambitious. It seeks to explain how good intentions can go awry and suggest meaningful ways to repair broken systems. The point isn't so much to say "do this" or "avoid doing that" as to suggest ways to prevent a problem or to skillfully apply a set of corrective actions.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.26
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.26

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 28
TI Threat Modeling: Diving into the Deep End
A1 Tim Baeten,
A1 Jeffrey A. Ingalsbe,
A1 Nancy R. Mead,
A1 Louis Kunimatsu,
K1 threat modeling
K1 risk assessment
K1 DREAD
K1 threat analysis
K1 risk management
AB Ford Motor Company is introducing threat modeling on strategically important IT applications and business processes. The objective is to support close collaboration between the IT security group and its internal business customers in analyzing threats and better understanding risk. For this purpose, a core group of security personnel have piloted Microsoft's Threat Analysis and Modeling process and tool on a dozen targets. This article discusses this process, along with the challenges and successes of its ongoing deployment in the organization. This article is part of a special issue on Security for the Rest of Us.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.25
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.25

RT Journal Article
JF IEEE Software
YR 2008
VO 25
IS
SP 95
TI Intuition's Role in Decision Making
A1 Robert L. Glass,
K1 software engineering
K1 intuition
K1 software estimation
K1 decision making
AB Intuition might be a better decision-making approach for software engineering than you suppose.
PB IEEE Computer Society, [URL:http://www.computer.org]
SN 0740-7459
LA English
DO 10.1109/MS.2008.8
LK http://doi.ieeecomputersociety.org/10.1109/MS.2008.8