August 9, 2010—The following technical reports and technical notes were published recently by the Software Engineering Institute. For the latest SEI technical reports and papers, see http://www.sei.cmu.edu/library/reportspapers.cfm.
Robert M. Flowe; Mark Kasunic; Mary M. Brown; Paul L. Hardin, III; James McCurley; David Zubrow, & William Anderson
The challenges program managers encounter in attempting to deliver programs on time and on budget are well substantiated. A significant driver of the turbulence experienced by acquisition programs today is the transformation to joint capabilities. This report describes a series of ongoing research efforts, sponsored by the Office of the Secretary of Defense (OSD), that investigated the role of interdependence in the acquisition of major defense acquisition programs.
The overall goal of the research was to identify, quantify, and assess the degree of programmatic and constructive interdependence and to assess the effects of interdependence on program risk. A number of important findings and noteworthy insights were discovered as programs were examined in light of their interdependencies with other programs. The results indicate that an expanded definition of interdependencies along with the incorporation of network analysis tools may provide important insights into program performance in a joint capability arena.
Ashwini Bijwe (Carnegie Mellon University) & Nancy R. Mead
As software systems become more distributed and complex, maintaining privacy of data and ensuring data integrity remain challenges for software practitioners. Developing such systems not only poses technical challenges but also demands compliance with privacy laws. Engineering precise privacy requirements is an important step in building these software systems. This technical note explores the use of a disciplined approach to identifying privacy requirements, primarily how the Security Quality Requirements Engineering (SQUARE) process, which was developed for security requirements engineering, can be adapted for privacy requirements engineering in software development.
Watts S. Humphrey, Timothy A. Chick, William Nichols, & Marsha Pomeroy-Huff
The Team Software Process Body of Knowledge (TSP BOK) was drafted to define the fundamental knowledge and skills that set TSP-trained individuals apart from other software professionals. It helps individual practitioners to assess and improve their own skills, provides employers with an objective baseline for assessing the process improvement skills and capabilities of their development team members, and guides academic institutions that want to incorporate TSP into their software and other engineering courses or curricula. The TSP BOK also facilitates the development of TSP certification programs that are based on a well-established standard set of knowledge and skills.
James McCurley & Dennis Goldenson
This report describes results from two recent surveys conducted by the Software Engineering Institute (SEI) to collect information about the measurement and analysis activities of software systems development organizations. Representatives of organizations appraised at maturity levels 4 and 5 completed the survey in 2008. Using a variant of the same questionnaire in 2009, certified high maturity lead appraisers described the organizations that they had most recently coached or appraised for the achievement of similar high maturity levels. The replies to both surveys were generally consistent even though the two groups are often thought to be quite different. The results of the surveys suggest that the organizations understood and used CMMI-based process performance modeling and related aspects of measurement and analysis a great deal. Both the organizational respondents in 2008 and the appraisers in 2009 reported that process performance models were useful for the organizations.
The respondents in both surveys also judged process performance modeling to be more valuable in organizations that understood and used measurement and analysis activities more frequently and provided organizational resources and management support. In addition, results from the 2009 survey of lead appraisers indicate that organizations that achieved their appraised high maturity level goals also found measurement and analysis activities more useful than those organizations that did not achieve their targets.
Mary Ann Lapham, Ray C. Williams, Charles (Bud) Hammons, Daniel Burton, & Fred Schenker
This report explores the questions: Can Agile be used in the DoD environment? If so, how? Lessons learned from actual DoD programs that have employed and are employing Agile are provided as well as information gleaned from the myriad articles and books available on Agile. While this report does not pretend to cover every paper or thought published about Agile in the DoD world, it provides an overview of some challenges in using Agile; an overview of how some programs have addressed these challenges; and some additional recommendations on dealing with these challenges. The intended audience is policy makers, program office staff, and software development contractors who are contemplating proposing the use of Agile software development methods.
It is the hope of the authors that this paper stimulates discussion about and appropriate adoption of Agile in the DoD world. We hope to obtain further data so that our list of considerations can be updated and expanded for use by all practitioners.
Timothy A. Chick, Robert Cannon, Jim McHale, William Nichols, Marsha Pomeroy-Huff, Jefferson Welch, & Alan Willett
This guidebook is designed to explain the steps for becoming an SEI-Certified Team Software Process (TSP) Coach or SEI-Certified TSP Mentor Coach, with emphasis on guiding individuals through the mentoring process. This guidebook defines the structure and format of the mentor and provisional coach relationship, and explains the process steps and evaluation criteria for becoming an SEI-Certified TSP Coach or Mentor Coach.
Julie B. Cohen, Bonnie Troup (The Aerospace Corporation), & Henry Ouyang (The Aerospace Corporation)
The Department of Defense (DoD) is increasingly acquiring complex systems that use commercial software to meet many of the systems' functional requirements. If the commercial software is a truly commercial product and will not be modified (for example, a commercial antivirus program), then for most systems, data rights do not become an issue. However, when the commercial software is based on proprietary software that is not available as a standard commercial product or will be modified such that the end product is no longer commercially available or is different from the standard commercial product (for example, a adding program specific capabilities to a database program), the DoD must consider what data rights are necessary.
Fred Long, Dhruv Mohindra, Robert C. Seacord, & David Svoboda
An essential element of secure coding in the Java programming language is well-documented and enforceable coding standards. Coding standards encourage programmers to follow a uniform set of guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes).
The CERT Oracle Secure Coding Standard for Java provides guidelines for secure coding in the Java programming language. The goal of these guidelines is to eliminate insecure coding practices and undefined behaviors that can lead to exploitable vulnerabilities. Applying this standard will lead to higher quality systems that are robust and more resistant to attack.
This report documents the portion of those Java guidelines that are related to concurrency.
Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, & David Svoboda
This report describes a managed string library for the C programming language. Many software vulnerabilities in C programs result from the misuse of manipulation functions for standard C strings. Programming errors common to string-manipulation logic include buffer overflow, truncation errors, string termination errors, and improper data sanitization. The managed string library provides mechanisms to eliminate or mitigate these problems and improve system security. The CERT Program, which is part of the Carnegie Mellon Software Engineering Institute, provides a proof-of-concept implementation of the managed string library on its Secure Coding webpages.
Robert J. Ellison & Carol Woody
Complexity and change are pervasive in the operational environments of today's organizations. Organizational and technological components that must work together may be created, managed, and maintained by different entities around the globe. The ability of these independently developed pieces to effectively work together after they are built and integrated is uncertain and problematic. The way technology is applied by people to address an operational need must also be understood. Survivability of the organization depends on the capabilities of the people, actions, and technology that compose the operational process to work together to achieve operational effectiveness. A team of Carnegie Mellon University Software Engineering Institute (SEI) software engineers built the Survivability Analysis Framework (SAF) to examine the elements of an operational process and evaluate the survivability and effectiveness of the linkage among roles, dependencies, constraints, and risks to achieve critical operational capabilities. The SAF and the benefits achieved in its pilot use are described in this report.
For more information
Please tell us what you
think with this short
(< 5 minute) survey.