The role of process conformance and developers' skills in the context of test-driven development

Fucci, D. (Davide)

26 April 2016

Abstract Modern software development must adapt to demanding schedules while keeping the software at a high level of quality. Agile software development has been adopted in recent years to meet such a need. Test-driven development (TDD) is one practice that has arisen within the agile software development movement that leverages unit tests to develop software in incremental cycles. TDD supporters claim that the practice increases the productivity of the practitioners who employ it, as well as the internal and external quality of the software they develop. In order to validate or refute such claims, the software engineering research community has studied TDD for the last decade; the results of the empirical studies on the effects of TDD have been mostly inconclusive. This dissertation has studied two factors that may impact the manifestation of the claimed effects of TDD on software’s external quality and developers’ productivity: the developers’ conformance to the process (i.e., their ability to follow TDD) and their skills. The research was performed in four phases. In the first phase, the literature was reviewed to identify a set of factors that have been considered to affect TDD. In the second phase, two experiments were executed within academia. A total of 77 students at the University of Oulu, took part in the studies. These experiments investigated the quality of the software, as well as the subject’s productivity with respect to their programming and testing skills. A follow-up study, using data collected during the second experiment, explored the relation between the quality, productivity and the subjects’ process conformance. In the third phase, four industrial experiments, involving 30 professional, were performed. Process conformance and skills were investigated in relation to the TDD’s effects on external quality and productivity. The fourth phase synthesized the evidence gathered in the two previous phases. The results show that TDD is not associated with improvements in external quality, or developers’ productivity. Further, improvements in both external quality and productivity are associated with skills, rather than with the process, at least in the case of professional developers. Hence, process conformance has a negligible impact. The productivity of novice developers, on the other hand, can benefit from the test-first approach promoted by TDD. / Tiivistelmä Modernin ohjelmistokehityksen täytyy mukautua haastaviin aikatauluihin säilyttäen ohjelmistojen korkea laatu. Ketterä ohjelmistokehitys on viime vuosina omaksuttu tähän tarpeeseen ja suuntauksessa on saanut alkunsa testivetoisen kehityksen käytäntö, joka hyödyntää yksikkötestausta ohjelmiston inkrementaalisessa, syklisessä kehityksessä. Testivetoisen kehityksen puolestapuhujat väittävät tämän käytännön lisäävän ohjelmistokehittäjien tuottavuutta sekä ohjelmiston sisäistä ja ulkoista laatua. Ohjelmistotuotannon tutkimusyhteisö on tutkinut testivetoista kehitystä viimeisen vuosikymmenen aikana vahvistaakseen tai kumotakseen nämä väitteet. Empiiriset tutkimukset testivetoisen kehityksen vaikutuksista ohjelmistotuotantoon ovat suurelta osin tuloksettomia. Tämä väitöstyö tutkii kahta tekijää, jotka voivat vaikuttaa testivetoisen kehityksen väitettyjen vaikutusten ilmentymiseen ohjelmiston ulkoisena laatuna ja ohjelmistokehittäjien tuottavuutena: ohjelmistokehittäjien taitoja ja prosessin mukaista toimintaa. Tutkimus toteutettiin neljässä vaiheessa. Ensimmäisessä vaiheessa tehtiin kirjallisuuskatsaus, jolla selvitettiin tekijöitä, joiden on katsottu vaikuttavan testivetoiseen kehitykseen. Toisessa vaiheessa tehtiin Oulun yliopistolla kaksi koetta, joihin osallistui kaikkiaan 77 opiskelijaa. Kokeissa tutkittiin ohjelmiston laadun ja osallistujien tuottavuuden suhdetta heidän ohjelmointi- ja testaustaitoihinsa. Toisen kokeen aikana kerättyä aineistoa hyödynnettiin jatkotutkimuksessa, jossa tarkasteltiin laadun, tuottavuuden ja prosessin mukaisen toiminnan suhdetta. Kolmannessa vaiheessa tehtiin neljä koetta, joihin osallistui 30 ohjelmistoalan ammattilaista. Prosessin mukaista toimintaa ja taitoja tutkittiin suhteessa testivetoisen kehityksen vaikutuksiin ohjelmiston ulkoiseen laatuun ja tuottavuuteen. Neljännessä vaiheessa syntetisoitiin kahden edellisen vaiheen löydökset. Tulokset osoittavat, ettei testivetoinen kehitys liity ulkoisen laadun parantumiseen eikä ohjelmistokehittäjien tuottavuuteen. Parannukset laadussa ja tuottavuudessa liittyvät ennemmin taitoihin kuin prosessiin, ainakin ohjelmistokehityksen ammattilaisten kohdalla. Näin ollen prosessin mukaisella toiminnalla on vähäpätöinen vaikutus. Toisaalta testivetoisen kehityksen suosiman test-first-menettelytavan hyödyntäminen voi edistää aloittelevien ohjelmistokehittäjien tuottavuutta.

agile software development

controlled experiment

developers’ productivity

developers’ skills

external software quality

process conformance

quasi-experiment

test-driven development

ketterä ohjelmistokehitys

kontrolloitu koe

näennäiskoe

ohjelmistokehittäjien taidot

ohjelmistokehittäjien tuottavuus

ohjelmiston ulkoinen laatu

prosessin mukainen toiminta

testivetoisen kehitys

Är roligt alltid bättre? : En kvalitativ studie om gamifications påverkan på inlärning av informationssäkerhet

Toll, Malin, Klermyr, Tilde

January 2022

Idag bearbetas, hanteras och lagras mer information än någonsin tidigare digitalt via IT. Detta medför ökade krav på IT-säkerhet. Ett vanligt problem inom IT-säkerhet är den mänskliga faktorn. För ett företag är det därför av stor vikt att utbilda sina anställda inom IT-säkerhet. Tidigare forskning visar att gamification (att använda spel-element i system eller applikationer som inte är spel) inom utbildning kan visa på goda resultat inom utbildning om det används på rätt sätt. Denna studie intresserar sig för att undersöka om gamification kan underlätta upplärning av IT-säkerhet jämfört med traditionell upplärning. Studiens fokus är att undersöka hur djup kunskap upplärningen ger via ett gamifierat verktyg kontra ett textdokument som innehåller samma information. Detta undersöks med hjälp av ett kvasiexperiment, där hälften av deltagarna får upplärning via gamification och hälften via text, som följs upp av semistrukturerade intervjuer. / Today, more information is processed, handled and stored digitally via IT than ever before. This, in turn, leads to increased requirements for IT security. A common problem in IT security is the human factor. For a company, it is therefore of great importance to train its employees in IT security. Previous research shows that gamification (using game elements in systems or applications that are not games) in education can yield good results in education if used correctly. The interest of this study is to examine and compare if gamification can facilitate the training of IT security compared to traditional training. The focus of the study is to investigate what depth of knowledge the learning provides using a gamified tool against a text document containing the same information. This is investigated with the help of a quasi-experiment, where half of the participants receive training via gamification and half via text, which is followed up by semi-structured interviews.

Hotspot

gamification

IT-security

learning

SOLO-taxonomy

quasi-experiment

semi-structured interviews

Hotspot

gamification

informationssäkerhet

upplärning

SOLO-taxonomi

kvasiexperiment

semistrukturerade intervjuer

Information Systems, Social aspects

Software Supply Chain Security: Attacks, Defenses, and the Adoption of Signatures

Taylor R Schorlemmer (14674685)

27 April 2024

<p dir="ltr">Modern software relies heavily on third-party dependencies (often distributed via public package registries), making software supply chain attacks a growing threat. Prior work investigated attacks and defenses, but only taxonomized attacks or proposed defensive techniques, did not consistently define software supply chain attacks, and did not provide properties to assess the security of software supply chains. We do not have a unified definition of software supply chain attacks nor a set of properties that a secure software supply chain should follow.</p><p dir="ltr">Guaranteeing authorship in a software supply chain is also a challenge. Package maintainers can guarantee package authorship through software signing. However, it is unclear how common this practice is or if existing signatures are created properly. Prior work provided raw data on registry signing practices, but only measured single platforms, did not consider quality, did not consider time, and did not assess factors that may influence signing. We do not have up-to-date measurements of signing practices nor do we know the quality of existing signatures. Furthermore, we lack a comprehensive understanding of factors that influence signing adoption.</p><p dir="ltr">This thesis addresses these gaps. First, we systematize existing knowledge into: (1) a four-stage supply chain attack pattern; and (2) a set of properties for secure supply chains (transparency, validity, and separation). Next, we measure current signing quantity and quality across three kinds of package registries: traditional software (Maven Central, PyPI), container images (Docker Hub), and machine learning models (Hugging Face). Then, we examine longitudinal trends in signing practices. Finally, we use a quasi-experiment to estimate the effect that various factors had on software signing practices.</p><p dir="ltr">To summarize the findings of our quasi-experiment: (1) mandating signature adoption improves the quantity of signatures; (2) providing dedicated tooling improves the quality of signing; (3) getting started is the hard part — once a maintainer begins to sign, they tend to continue doing so; and (4) although many supply chain attacks are mitigable via signing, signing adoption is primarily affected by registry policy rather than by public knowledge of attacks, new engineering standards, etc. These findings highlight the importance of software package registry managers and signing infrastructure.</p>

System and network security

Empirical software engineering

software supply chain

signing

software signing

digital signature

cybersecurity

software supply chain attack

cryptography

quasi experiment

empirical software engineering

provenance

package registry

software reuse