Moderator Factors of Software Security and Performance Verification

Context: Security and performance (S&P) are critical non-functional requirements of software systems. Verification activities should therefore be included in the development process to identify related defects and avoid S&P failures after deployment. However, the state of the practice of S&P verification is unclear, which makes it hard for academia to offer solutions to the real-world problems faced by S&P verification practitioners. Identifying the factors that moderate S&P verification helps software development organizations improve it and release software that meets its security and performance requirements. Objective: To present moderator factors influencing S&P verification activities, and actions that promote those factors. Method: A multiple case study using qualitative analysis of observational data to identify S&P moderator factors; literature rapid reviews with snowballing to strengthen confidence in the identified factors; and a practitioner survey to classify the factors by relevance. Results: Eight S&P moderator factors were identified, concerning organizational awareness, cross-functional teams, S&P requirements, support tools, verification environment, verification methodology, verification planning, and reuse practices. The literature reviews confirmed the identified factors and yielded a set of actions to promote each of them. A survey with 37 valid participants allowed us to classify the identified factors and their actions by relevance to S&P verification activities. Conclusions: The S&P moderator factors can be considered key points in which software development organizations should invest to implement or improve S&P verification activities.
