This week it’s a quick wrap-up of recent content on SearchSoftwareQuality.com before I head out for the weekend. Jenn Lent shows us the places where automation falls short of the hype. Jan Stafford shows us a couple of Agile success stories. But first, let’s look at some of the things application security expert Dan Cornell has been up to.
It’s been a good week for Dan Cornell, application security researcher. Cornell’s open source project ThreadFix recently won funding from the U.S. Department of Homeland Security (DHS) to explore hybrid analysis mapping. That story won him a place among our Change Agents this week. That’s on top of Cornell’s regular answers to pressing application security questions. This week he explained how to keep enterprise applications safe in the cloud and gave us his view on open source versus commercial security tools.
Cornell’s research in hybrid analysis mapping is interesting because, if successful, it could potentially open the door to integrating just about every security testing tool – including most of the security tools that haven’t even been built yet. Right now, according to Cornell, most tools for testing the security of software code fall into two buckets. On one side there are static tools that run over the source code and look for weaknesses. On the other are dynamic tools that analyze code while it’s running.
Cornell said it’s relatively easy to aggregate and normalize results from tools that are all in one bucket or all in the other, but hybrid analysis mapping is trickier. In other words, integrating three static analysis tools is fine, and so is integrating five dynamic tools, but if you try to match one static tool with one dynamic tool you’re going to run into problems. Cornell said his ThreadFix project is already “doing crude approximations of hybrid analysis, [but] now we have the opportunity to find very sophisticated ways to do it.”
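To make the two-bucket problem concrete, here is a small added example (my own sketch, not ThreadFix code) with constructed findings: static tools agree on a source location, dynamic tools agree on a URL and parameter, and the only way to pair the two is a route-to-handler map that the tools themselves never report. The route map here is a hypothetical stand-in for whatever a hybrid mapper would have to recover.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    tool: str
    cwe: int
    file: Optional[str] = None    # static tools report a source location
    line: Optional[int] = None
    url: Optional[str] = None     # dynamic tools report the HTTP surface
    param: Optional[str] = None

# Constructed sample findings, not real scanner output.
STATIC = [
    Finding("static-A", 89, file="app/users.py", line=42),
    Finding("static-B", 89, file="app/users.py", line=42),
    Finding("static-A", 79, file="app/search.py", line=17),
]
DYNAMIC = [
    Finding("dynamic-C", 89, url="/users", param="id"),
    Finding("dynamic-D", 79, url="/search", param="q"),
]

def merge_same_bucket(findings):
    """Static-to-static (or dynamic-to-dynamic) normalisation: tools in one
    bucket share a location vocabulary, so de-duplication is a dict keyed on
    (CWE, location). Returns {key: set of tools that reported it}."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.file, f.line) if f.file else (f.cwe, f.url, f.param)
        merged.setdefault(key, set()).add(f.tool)
    return merged

# Hypothetical route map (assumed, not from the article): the bridge a hybrid
# mapper must rebuild, e.g. by parsing the framework's routing configuration.
ROUTES = {("/users", "id"): "app/users.py", ("/search", "q"): "app/search.py"}

def match_hybrid(static, dynamic, routes):
    """Pair each dynamic (URL, param) hit with merged static hits of the same
    CWE in the handler the route map points at. With an empty route map the
    two vocabularies never line up and nothing is paired."""
    pairs = []
    for d in dynamic:
        handler = routes.get((d.url, d.param))
        for (cwe, file, line), tools in merge_same_bucket(static).items():
            if cwe == d.cwe and file == handler:
                pairs.append(((file, line, tuple(sorted(tools))), (d.url, d.param)))
    return pairs
```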
And that should be good for everyone, not just the Cyber Security folks in the DHS. According to Kevin Greene, a major player in DHS efforts to fund successful software assurance research, “All of our efforts are focused on improving the techniques and methods used in testing and evaluating software systems for security flaws. Producing better performing tools improves the adoption rate of these tools by developers, providing support for innovation in software quality assurance tools – which then improves software development activities in general.”
While that might sound a little bit like a trickle-down effect, many of the DHS software projects have open source aspects to them that make the benefits readily accessible to the greater software development community. For example, Greene hopes a successful hybrid analysis mapping project will soon be added to the DHS SoftWare Assurance MarketPlace (SWAMP).
But it’s not just the Dan Cornell show on SearchSoftwareQuality this week. We also got some Quality Time with Jenn Lent and Jan Stafford.
Read the article for details, but Lent’s four reasons automation falls short include the following:
- Automation projects are software development products.
- Automated testing success requires manual testing mastery.
- Automating tests is not tacking automation onto existing tests.
- Autopilot sets in when testers expect automation to take over.
I should note that Lent isn’t arguing against using automation. It’s often a necessary part of delivering working software faster, and that is only becoming more true. Lent is pointing out common problems that development teams face right now in their automation efforts. These are just bumps in the road, though, not reasons to abandon automating.
Stafford’s success stories come from enterprise giant HP Software and the relatively tiny King County Library System. HP’s Raziel Tabib presented at Agile 2013 on a collaboration tool that his team developed and then worked into the HP Software product line. Basically, it’s a reporting tool that provides custom dashboards for everyone, not just the managers. By tailoring their automated analytics to developers, testers, project managers, and everyone else I don’t have time to list, HP created high visibility which decreased the need for individual players to explain what they did and increased their ability to plan what they want to do.
The King County Library, meanwhile, recently made its first forays into Agile development. Moving from the open source Evergreen Project to a commercial service provider, KCLS IT director Jed Moffit was able to turn the slow and stodgy development efforts around. According to Moffit, the trick was getting the librarians [read users] to buy into the Agile feedback loop.
I guess that’s the news in brief for this week. So until next time, remember that the breakfast cookie is the most important cookie of the day.