ICSSP 2022 Presentations

This file contains sessions and presentations from the International Conference on Software and Systems Processes (ICSSP) held virtually on May 19-20, 2022.

Sessions and presentations included:

* Conference Welcome, Dr. Paul Nielsen and Anita Carleton
* Keynote - Researching the Intersections: the Value of Interdisciplinarity, Ita Richardson
* Hacking or Engineering - Towards an Extended Entrepreneurial Software Engineering Model, Marco Kuhrmann, Jürgen Münch, and Jil Klünder
* Development & Implementation of Auto Code Merger(ACM) Framework into CI Automation Pipeline, Sunil Kumar Dhar, Smita Basavaraj Kambi, and Asra Naseem
* Privilege Escalation Attack Scenarios on the DevOps Pipeline Within a Kubernetes Environment, Nicholas Pecka, Lotfi ben Othmane, and Altaz Valani
* Revelations from an Agile and DevSecOps Transformation in a Large Organization: An Experiential Case Study, Dr. Thomas P. Scanlon and Dr. Jose A. Morales
* Morning Welcome (May 20), Regina Hebig, John Robert, and Igor Steinmacher
* Tribute to Watts Humphrey, Dr. Paul Nielsen
* Defining Frames to Structure Agile Development in Hybrid Settings - A Multi-Case Interview Study, Nils Prenner, Jil Klünder, and Kurt Schneider
* How agile teams make OKRs work, Viktoria Stray, Jan Henrik Gundelsby, Rasmus Ulfsnes, and Nils Brede Moe
* The Corporation as an Artificial Cognitive Entity, Stanley M. Sutton, Jr.
* Change-Oriented Repair Propagation, Luciano Marchezan, Wesley K. G. Assunção, Alexander Egyed, and Roland Kretschmer
* Why doesn’t anyone program anymore?, Dr. Tom Longstaff
* Conference Closing - Key Themes and Takeaways on the Future of Software Engineering, Mark Klein

Keynote - Researching the Intersections: the Value of Interdisciplinarity, Ita Richardson

During my career, I have undertaken research on my own and with different groups of people. Working on my own and within my research team, the research tended to be inward looking, focusing on one topic only. When researching with other groups, particularly in software process and global software development, the research became more outward focused, as each group brought different knowledge to the work. Expanding this outward focus, increasingly working with disciplines outside software engineering, has brought a richness to my research, which, I believe, could not have been the case if I had continued with an inward focus.

There is much value to be achieved through doing interdisciplinary research, considering topics where disciplines intersect. We often think of interdisciplinarity as bringing together topics which might be seen as miles apart from each other, an example being healthcare and software engineering. But, I will also discuss interdisciplinarity as it pertains to topics in which the knowledge is more closely aligned, an example being agile methods and global software development.

I will present examples of research from the interdisciplinary environment which has helped to move disciplines forward. During COVID-19, for example, we saw how healthcare changed due to software. Implementation of e-Pharmacy systems could not have happened without prior research on how pharmacy works in practice combined with how regulations on security and privacy should be implemented in software. We have a new understanding about how companies are implementing hybrid software processes because of the HELENA project. Apart from the research itself, there is other value achieved from interdisciplinary research - such as working with researchers outside our immediate field and publishing in interdisciplinary venues.

I do recognise that it is not all plain sailing – there are difficulties to be faced. However, my view is that the value outweighs these difficulties. Using successful research stories from recent Lero projects, my argument is that there is value in interdisciplinary research.

Hacking or Engineering - Towards an Extended Entrepreneurial Software Engineering Model, Marco Kuhrmann, Jürgen Münch, and Jil Klünder

Startups play a key role in software-based innovation. They make an important contribution to an economy's ability to compete and innovate, and their importance will continue to grow due to increasing digitalization. However, the success of a startup depends primarily on market needs and the ability to develop a solution that is attractive enough for customers to choose. A sophisticated technical solution is usually not critical, especially in the early stages of a startup. It is not necessary to be an experienced software engineer to start a software startup. However, this can become problematic as the solution matures and software complexity increases. Based on a proposed solution for systematic software development for early-stage startups, in this paper, we present the key findings of a survey study to identify the methodological and technical priorities of software startups. Among other things, we found that requirements engineering and architecture pose challenges for startups. In addition, we found evidence that startups' software development approaches do not tend to change over time. An early investment in a more scalable development approach could help avoid long-term software problems. To support such an investment, we propose an extended model for Entrepreneurial Software Engineering that provides a foundation for future research.

Development & Implementation of Auto Code Merger(ACM) Framework into CI Automation Pipeline, Sunil Kumar Dhar, Smita Basavaraj Kambi, and Asra Naseem

Continuous Integration (CI) [1] is one of the most widely used best practices across industries. It enables organizations to streamline repetitive work and get better output as a result. Automation holds a key role in CI: with its help, many critical issues can be found at an early stage. Because critical issues are found during the initial stage of development, developers get more time to fix them, and the quality of the product improves.

In today's highly demanding market, requirement changes are very frequent for a product. This directly affects developer code changes, as developers have to change their code according to each requirement update. Test automation scripts use the developer code directly or indirectly. One of the major drawbacks of a CI automation system is that frequent changes in the developer source code lead to test code failures and CI build failures, which reduces the productivity of the CI automation system. Therefore, it is very important to update the test automation code in line with the developer code at an early stage.

To overcome such issues, we have developed and implemented a framework that automatically changes the test code according to the changes developers submit to their source code. The "Auto Code Merger" framework finds updated and deleted objects in the developer source code and makes the corresponding changes in the test automation code automatically.

Privilege Escalation Attack Scenarios on the DevOps Pipeline Within a Kubernetes Environment, Nicholas Pecka, Lotfi ben Othmane, and Altaz Valani

Companies are misled into thinking they've solved their security issues by using a DevSecOps pipeline. This paper aims to answer the question: could a continuous integration, delivery, and deployment (CI/CD) pipeline be misused to turn a securely developed application into an insecure one? To answer the question, we designed a typical Kubernetes (K8s) CI/CD pipeline as a case study environment and analyzed the applicable threats. Then, we developed four attack scenarios against the case study environment: maliciously abusing a user's privilege to deploy containers within the K8s cluster, abusing the Jenkins instance to modify files during the CI/CD build phase, modifying the K8s DNS layer to expose an internal IP to external traffic, and elevating the create, read, update, and delete (CRUD) privileges of a low-tier account to root privileges. The attacks answer the research question positively: companies should design and use a secure software supply chain system (SSCS) and not expect that using a DevSecOps environment is sufficient to deliver secure software.

Revelations from an Agile and DevSecOps Transformation in a Large Organization: An Experiential Case Study, Dr. Thomas P. Scanlon and Dr. Jose A. Morales

This paper presents the lessons learned, observations, and insights from a 12-month experience observing a software development effort for a large, well-funded, and highly regulated program that adopted Agile and DevSecOps principles during a 12-month iteration of software development. The program was originally set up to use the waterfall software development approach with a traditional earned value (EV) scheme and had completed several iterations of development using this structure. The program then shifted to using a combination of Agile and DevSecOps. In this paper, we describe challenges encountered during this transformation that inhibited realization of some of the benefits associated with Agile and DevSecOps. Largely, these challenges were a result of poor planning, engineering, and communication. We present this advisory account to others undertaking similar DevSecOps and Agile transformations, particularly in large organizations, so that they may better strategize methods to diminish similar shortcomings and increase the odds of a successful transformation.

Tribute to Watts Humphrey, Dr. Paul Nielsen

It seems especially fitting to have a tribute to Watts S. Humphrey, as CMU SEI, the home of the Software Process Program and of software engineering process research, is the host of this year's ICSSP Conference. Watts was known as the "Father of Software Quality." Humphrey, following a long career with IBM, served at the SEI from 1986 until his death in 2010. He dedicated the majority of his career to addressing problems in software development, including software quality, programmer motivation and commitment, team process discipline, and how organizations can best support these. During Humphrey's tenure at the SEI, characteristics of best practices at the individual, team, and organizational levels were identified that laid the groundwork for the Personal Software Process, the Team Software Process, the Capability Maturity Model (CMM) for Software and, eventually, CMM Integration (CMMI). In 2005, Humphrey received the National Medal of Technology for his work in software engineering. Dr. Paul Nielsen and Dr. Lee Osterweil will share their tributes to Watts Humphrey and their experiences and anecdotes of how Watts inspired software engineers and executives worldwide to treat software development as an engineering discipline and to adopt software engineering best practices.

How Capability Maturity Models Transformed Cybersecurity Performance Measurement

The work of Watts Humphrey has a lasting legacy in cybersecurity. In this session Matt Butkovic will explore how the Capability Maturity Model (CMM) concept is employed as a predictive cybersecurity tool. The session includes an overview of several CMM-influenced methods, including the Cyber Resilience Review (DHS), the Cybersecurity Capability Maturity Model (DOE), and the Cybersecurity Maturity Model Certification (DoD).

Defining Frames to Structure Agile Development in Hybrid Settings - A Multi-Case Interview Study, Nils Prenner, Jil Klünder, and Kurt Schneider

Companies often combine agile and plan-based methods into so-called hybrid development approaches to benefit from the advantages of both. Recent research highlights conflicts introduced when combining agile and plan-based approaches in the different phases of the software lifecycle. For example, using both agile and plan-based methods during the requirements engineering of a project requires a decision on how many requirements should be gathered up-front and how many can be gathered during the runtime of a project. These conflicts need to be solved in order to construct a successful development approach. In order to investigate why the conflicts exist, how they are addressed in industry, and how they are related to each other, we performed a multi-case interview study with 15 practitioners. Our results reveal that the conflicts exist because companies use plan-based approaches to structure their agile development and, at the same time, to define spaces of freedom and flexibility. From this insight and our results, we derive a theory that shows how companies structure their development stepwise by defining frames.

How agile teams make OKRs work, Viktoria Stray, Jan Henrik Gundelsby, Rasmus Ulfsnes, and Nils Brede Moe

Today, many large software projects allow project members to work from anywhere, which has changed how project members coordinate their work and align towards the same goals. Objectives and Key Results (OKRs) is a goal-setting framework applied in such distributed settings that has received relatively little attention from researchers. This research aimed to investigate how OKRs are used in agile projects. We interviewed team members and analyzed documents, including a survey. The results of our study identify both enabling and limiting situations that make team members' utilization of the framework easier or more difficult. We found that OKRs aided knowledge sharing and improved transparency between teams. We present strategies used by agile team members to overcome challenges and maximize the benefits of using a goal-setting framework. An important takeaway from our research is that projects that employ OKRs must support project participants, especially in defining key outcomes that align and encourage teams toward a common goal.

The Corporation as an Artificial Cognitive Entity, Stanley M. Sutton, Jr.

The purpose of this paper is to advance the idea that corporations can be regarded as artificial cognitive entities. Viewed as black boxes, corporations can be seen as widely and frequently regulated, regarded, and active in the same ways as conscious, thinking human beings. Viewed as white boxes, corporations can be seen to incorporate structures and functions analogous to those in the human mind that give rise to awareness and cognition, and they may possess other features that contribute to the realization of cognition in ways not found in humans. While there are certainly differences between humans and corporations in the basis and expression of cognition, the study of cognition in corporations is interesting and instructive and can be pursued as a field of inquiry in its own right.

The relevance of software and systems process to corporate cognition is fundamental. Put directly, cognition is a process and corporate cognition is programmable. Thus, what we know from software engineering, process programming, and software and systems process engineering should be directly applicable to the programming (broadly construed) of corporate cognitive systems. An assessment framework such as CMMI (perhaps with a grounding on key cognitive process areas) should remain broadly applicable to corporate cognitive processes and should serve as a guide to applying best practices in an organization.

The study of corporations as artificial cognitive entities should lead to results of scientific interest and practical consequence in many areas, including codification and quantification of measures of corporate cognition, better understanding of corporate cognitive mechanisms, identification of best cognitive practices for corporations, broadening of the discipline of cognitive science, and opportunities for synergism with artificial intelligence applications in corporations. The results may be broadly applicable in society in areas of regulation; investing; employment; business contracting, mergers, and acquisitions; and with respect to ESG (Environmental, Social, and Governance) concerns.

Change-Oriented Repair Propagation, Luciano Marchezan, Wesley K. G. Assunção, Alexander Egyed, and Roland Kretschmer

Repairing software models may be a laborious task as the number of alternatives that must be considered by engineers can be large. This is more evident in collaborative environments where the stream of changes applied to models from different engineers is constant and unanticipated. These changes can cause multiple inconsistencies that must be fixed while preserving the changes applied. Performing this task, however, is not trivial as analyzing the changes and the possible large amount of repair alternatives requires time and effort. In this work, we present an approach that aids this repair process by analyzing the stream of changes (i.e. history of changes) while exploring repair alternatives alongside their side effects. The approach generates repairs for inconsistencies identified in the model. These repairs are explored by simulating their execution while re-analyzing the model to find potential new inconsistencies created. Then, new repairs are generated to fix these new inconsistencies. This cycle repeats until the model reaches a consistent state or until repairs can no longer be generated. The approach also analyzes conflicts between repairs and changes. This analysis can give valuable information to engineers regarding how each repair alternative would impact their models and may conflict with changes as well as other repairs. We evaluated our approach in a set of 11 UML models that contain a history of changes. Our findings show how our approach can be applied in a variety of models with a different number of model elements and inconsistencies within a reasonable amount of time.

Why doesn’t anyone program anymore?, Dr. Tom Longstaff

We make a horrible fundamental assumption in our software engineering research and engineering when we assert that the primary focus of software process is designing, creating, reviewing, and integrating code. For modern integrated development environments (IDEs) and any real systems, this is not the case. We use higher-level abstractions around the functions and processes we want to achieve, identify prior art (in open-source repositories and other existing libraries) that fills the individual needs of these abstractions, and tweak/integrate this prior art into our new software system. Thus, the most important skill of a software engineer is not programming; rather, it is identifying existing software that matches the functionality we need and reusing/refactoring this software to the largest extent possible.

At the SEI, we focus on software solutions, artificial intelligence (AI), and cyber security as our three defining areas of expertise and contribution. As the development world shifts from team-oriented programming to team-oriented repurposing, we feel it is essential to understand the attributes of each of these three areas in any modern software system. Modern development processes (e.g., DevSecOps), incorporation of machine learning and other AI techniques, and assurance that the resulting system is trustworthy—all are about understanding how quality attributes combine in existing repurposed systems and how we must limit unintended consequences of using these systems. By understanding the repurposed system’s quality attributes and their possible consequences for system behavior, we can limit or avoid deploying a system that is untrustworthy, brittle, unpredictable, and unusable.

This keynote will explore options that use quality attributes of existing systems as the primary abstraction needed to move beyond programming to modern software process. The integration of machine learning and refactoring to the design of new software systems will be shown to center around the mapping of required attributes to those offered by existing systems and point to how human-machine teaming for software design may evolve.
