Formality, Agility, Security, and Evolution in Software Development. Cody Ronning 2/16/2015. Outline. Introduction Challenges of software development Formal methods Agile methods Formal agility Security Evolution Conclusions. Introduction. KU MSIT student Software engineer at Garmin
Formality, Agility, Security, and Evolution in Software Development Cody Ronning 2/16/2015
Outline • Introduction • Challenges of software development • Formal methods • Agile methods • Formal agility • Security • Evolution • Conclusions
Introduction • KU MSIT student • Software engineer at Garmin • Father of 3 (4)
Challenges of software development • Easy or hard? • Easy when small, working alone • When the project, code base, number of contributors increase -> HARD
Challenges of software development • Complex systems • Requirement changes • Deadlines • Task switching • Changing priorities • External dependencies
Preparing for complexity & change • Experienced software engineer • Software engineering approaches • Modularization • Abstraction • Object orientation • Most important • Need Structure
Structure • Formal methods • Agile methodology • FM & AM combined
Formal methods • Mathematical approach to software development from the requirements specification onward • Important when safety and security are important • Can be used to derive a proof (great cost)
Aspects of formal methods • Create models before coding • Use modeling language with fixed grammar • Analogous to converting a word problem into algebraic notation • Framework for rigorous testing
Teaching formal methods • Learning to read formal specifications is easier than writing them • Reading is necessary for the entire team • Writing formal requirements requires highly trained people
Agile methodology • True agile • Many teams claiming to do agile software development are only adopting Scrum for project management • True agile is formally defined • TDD • Refactoring • Pair programming • Simple design
Agile development • Individuals and interactions over process and tools • Rapid response to change • Requirements and solution evolve together over time
Agile development • Individuals and interactions over process and tools • The most important resource is the people • Produce better work • More committed to the project
Agile development • Rapid response to change • Quick (next sprint) changes based on customer feedback
Agile development • Requirements and solution evolve together over time • Documentation comes from story planning and development
Formal agility • Contrasting model? • Use modern tools for re-proof when system is changed • RODIN • Alloy Analyzer • Agile developers can benefit from training in formal methods
Friends not foes • Formal methods can’t be avoided • Programming languages have formal semantics • Coding standards are language subsets • IDEs have analysis tools that run in the background • Add value to agile as a sanity check and safety net
Formal agile development • Individuals and interactions over process and tools • Once you have the right people, tools and processes are still important • Most will benefit from tools and processes that embody wisdom gained by previous projects
Formal agile development • Rapid response to change • Formal methods help form better basis for predicting consequences of major change • When models are adjusted the associated verification also needs to be redone
Formal agile development • Requirements and solution evolve together over time • OK for smaller, shorter projects, especially internal ones • Multi-year, multi-team, large-scale projects benefit from well-defined models to avoid renegotiations
Formality adds value to agile • Testing • Requirements • Refactoring • Documentation
Security • Agile development focuses on user stories • Provide “happy path” for testing • Security preparation is generally not part of the backlog • Stories are to satisfy the customer • Prioritize primary business value first
Adding security to agile • Evil stories • Describe functionality that an attacker would be able to exploit • Development becomes two dimensional • Implement user stories • Avoid implementing evil stories • Protection poker • Security risks are quantified by the agile team
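The two-dimensional backlog from the slide above, as an added example that is not part of the original presentation: one user story and three evil stories written as executable checks against a constructed password-reset feature. The `ResetService` class, its `TTL` value and the story names are hypothetical.

```python
import hashlib
import hmac
import secrets

class ResetService:
    """Hypothetical password-reset feature used to illustrate the backlog."""
    TTL = 900  # seconds a token stays valid (constructed value)

    def __init__(self, clock):
        self._clock = clock   # injected so the checks control time
        self._pending = {}    # user -> (sha256(token), expiry)

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user] = (digest, self._clock() + self.TTL)
        return token

    def redeem(self, user, token):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if hmac.compare_digest(digest, presented) and self._clock() < expiry:
            del self._pending[user]  # single use: burn the token on success
            return True
        return False

def run_backlog():
    """Return {story: passed}. User stories must work; evil stories must not."""
    now = [1000.0]
    svc = ResetService(lambda: now[0])
    results = {}

    t = svc.issue("alice")
    results["user: alice resets with her token"] = svc.redeem("alice", t)
    results["evil: attacker replays a used token"] = not svc.redeem("alice", t)

    t = svc.issue("alice")
    svc.issue("bob")
    results["evil: alice's token redeemed as bob"] = not svc.redeem("bob", t)

    now[0] += ResetService.TTL + 1
    results["evil: attacker uses an expired token"] = not svc.redeem("alice", t)
    return results

if __name__ == "__main__":
    for story, passed in run_backlog().items():
        print("PASS" if passed else "FAIL", story)
```

Each evil story stays in the suite as a regression check, so a later sprint that reintroduces the behaviour fails the build.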
Adding security to agile • Agile principles to propagate security knowledge • Pair programming • Certification • Mandating security review in each sprint's retrospective
Adding security to agile • Microsoft Secure Development Lifecycle (SDL) • Agile categories • Every sprint • Running automated security-analysis tools • Updating threat model • Bucket requirements • Response planning • One-time requirements • Base-line threat model
Software evolution • Real software systems continually evolve (or die) • New requirements • New functionalities
Software evolution • Start with formal specification • Iterate with new ideas
Formal software evolution • Projects made from a formal definition evolve better • New/different people working on maintenance project • Questions of design or regressions
Conclusions • Agile and formal methods can be friends • Project types dictate what part of any methodology is chosen
References • J. Bowen, M. Hinchey, H. Janicke, M. Ward, and H. Zedan, “Formality, Agility, Security, and Evolution in Software Development,” Computer, vol. 47, no. 10, pp. 86–89, Oct. 2014. • S. Black, P.P. Boca, J.P. Bowen, J. Gorman, and M. Hinchey, “Formal Versus Agile: Survival of the Fittest,” Computer, vol. 42, no. 9, pp. 37–45, Sept. 2009. • P.G. Larsen, J. Fitzgerald, and S. Wolff, “Are Formal Methods Ready for Agility? A Reality Check,” Proc. 2nd Int’l Workshop Formal Methods and Agile Methods (FM+AM 10), vol. P-179, 2010, pp. 13–25.
Formality, Agility, Security, and Evolution in Software Development • Thank you for your time • Questions and feedback are welcome