Instant Feedback Loops – for short feedback loops and early quality assurance

Mehraban, Mehrdad

January 2016

Context. In recent years, Software Quality Assurance (SQA) has become a crucial part of software development processes. Therefore, modern software development processes led to an increase in demand for manual and automated code quality assurance. Manual code quality reviews can be a time-consuming and expensive process with varying results. Thus, automated code reviews turn out to be a preferred alternative for mitigating this process. However, commercial and open-source static code analyzer tools often offer deep analysis with long lead time. Objectives. In this thesis work, the main aim is to introduce an early code quality assurance tool, which features a combination of software metrics. The tool should be able to examine code quality and complexity of a telecommunication grade software product such as source code of specific Ericsson product by Ericsson. This tool should encapsulate complexity and quality of a software product with regards to its efficiency, scope, flexibility, and execution time. Methods. For this purpose, the background section of the thesis is dedicated to in-depth research on software metrics included in well-known static code analyzers. Then, development environment, under investigation source code of Ericsson product, and collected software metric for evaluation were presented. Next, according to each software metric’s characteristics, point of interest, and requirement, a set of steps based on a Susman’s action research cycle were defined. Moreover, SWAT, a suitable software analytics toolkit, employed to extract conducted experiment data of each software metric from a static analyzer code named Lizard in order to detect most efficient software metrics. Outcome of conducted experiment demonstrates relationship of selected software metrics with one another. Results. The chosen software metrics were evaluated based on a variety of vital factors especially actual data from number of defects of specific Ericsson product. Highly effective software metrics from investigations in this thesis work were implemented as a new model named hybrid model to be utilized as an early quality assurance. Conclusions. The proposed model, which consist of well-performing software metrics, demonstrate an impressive performance as an early code quality indicator. Consequently, the utilized model in this master thesis could be studied in a future research to further investigate the effectiveness and robustness of this tool an early quality assurance.

Software Quality Assurance

software metrics

static code analyzer

Ericsson

Lizard and SWAT.

Enhancing CryptoGuard's Deployability for Continuous Software Security Scanning

Frantz, Miles Eugene

21 May 2020

The increasing development speed via Agile may introduce overlooked security steps in the process, with an example being the Iowa Caucus application. Verifying the protection of confidential information such as social security numbers requires security at all levels, providing protection through any connected applications. CryptoGuard is a static code analyzer for Java. This program verifies that developers do not leave vulnerabilities in their application. The program aids the developer by identifying cryptographic misuses such as hard-coded keys, weak program hashes, and using insecure protocols. In my Master thesis work, I made several important contributions to improving the deployability, accessibility, and usability of CryptoGuard. I extended CryptoGuard to scan source and compiled code, created live documentation, and supported a dual cloud and local tool-suite. I also created build tool plugins and a program aid for CryptoGuard. In addition, I also analyzed several Java-related surveys encompassing more than 50,000 developers and reported interesting current practices of real-world software developers. / Master of Science / Throughout the rise of software development, there has been an increase in development speed with developers embracing methodologies that use higher rates of changes, such as Agile. Since Agile naturally addresses "problems of rapid change", this also increases the likelihood of insecure and vulnerable coding practices. Though consumers depend on various public applications, there can still be failures throughout the development process in applications such as the Iowa caucus application. It was determined the Iowa cacus application development teams' repository credentials (API key) was left within the application itself. API keys provide the credential to be able to directly interact with server systems, and if left unguarded can be easily exploited. Since the Iowa cacus application was released publicly, malicious actors (other people looking to exploit the application) may have already discovered this credential. Within our team we have created CryptoGuard, a program to analyze applications to detect cryptographic issues such as an API key. Creating it with scalability in mind, it was created to be able to scan enterprise code at a reasonable speed. To ensure its use within companies, we have been working on extending and enhancing the work to the current needs of Java developers. Verifying the current Java landscape, we investigated three different companies and their developer ecosystem surveys that are publicly available. Amongst these companies are; JetBrains, known for their Integrated Development Environments (IDE, or application to help write applications) and their own programming language, Snyk, known for their public security platform and anti-virus capability, and Jakarta EE, which is the new platform for the enterprise version of Java. Throughout these surveys, we accumulate more than 50,000 developers' responses, spanning various countries, company experience, and ages. With their responses amalgamated, we enhance CryptoGuard to be available to as many developers and their requests as possible.First, CryptoGuard is enhanced to scan a projects source code. After that, ensuring our project is hosted by a cloud service, we actively are extending our project to the Security Assurance Marketplace (SWAMP). Funded by the DHS, SWAMP not only supplies a public cloud for developers to use, but a local download option to scan a program within the user's own computer. Next, we create a plugin for two most used build tools, Gradle and Maven. Then to ensure CryptoGuard can be have reactive aide, CryptoSoule is created to aide minimal interface aide. Finally utilizing a live documentation service, an open source documentation website was created to provide working examples to the community.

Cryptoguard

Static-Code Analyzer

Java

Deployment Grade

Gradle

Maven

Java 8

Java 7

Java 11

Probabilistic Analysis of Quality of Service

Kaowichakorn, Peerachai

January 2013

Current complex service systems are usually comprised of many other components which are often external services performing particular tasks. The quality of service (QoS) attributes such as availability, cost, response time are essential to determine usability and eciency of such system. Obviously, the QoS of such compound system is dependent on the QoS of its components. However, the QoS of each component is naturally unstable and di erent each time it is called due to many factors like network bandwidth, workload, hardware resource, etc. This will consequently make the QoS of the whole system be unstable. This uncertainty can be described and represented with probability distributions. This thesis presents an approach to calculate the QoS of the system when the probability distributions of QoS of each component are provided by service provider or derived from historical data, along with the structure of their compositions. In addition, an analyzer tool is implemented in order to predict the QoS of the given compositions and probability distributions following the proposed approach. The output of the analyzer can be used to predict the behavior of the system to be implemented and to make decisions based on the expected performance. The experimental evaluation shows that the estimation is reliable with a minimal and acceptable error measurement.

QoS Analysis

Probabilistic Analysis

Code Analyzer

Service-Oriented System

Computer Sciences

Datavetenskap (datalogi)

Probability Theory and Statistics

Sannolikhetsteori och statistik

Software Engineering

Programvaruteknik

Generátor zefektivňující tvorbu a udržovatelnost single-page aplikací / Single-Page Application Generator for Improving Maintainabilty

Ďurčanský, Norbert

January 2019

This diploma thesis deals with developing generator for single-page applications. Before developing the application it was necessary to identify problem areas that prevent the development and describe tools that make it easy to create, test, maintain, and deploy single-page applications. Based on the obtained information, the generator Create Sbspa is designed and implemented to efficiently create single-page applications and help to eliminate development problems. It generates configuration and code from semantic templates. The generator is available through a user interface that splits the templates into the groups by applicability. The generator was designed with the need for simplicity and clarity to enable efficient integration with new features. This work also includes design and implementation of the example app which shows features and benefits of the generator.