Artificial neural network-based metric selection for software fault-prone prediction model
C. Jin, Shu-Wei Jin, Junmin Ye
Pub Date: 2012-11-16. DOI: 10.1049/iet-sen.2011.0138. IET Softw., pp. 479-487.
The identification of a module's fault-proneness is very important for minimising cost and improving the effectiveness of the software development process. How to obtain the relation between software metrics and a module's fault-proneness has been the focus of much research. One technical challenge in obtaining this relation is that software metrics are correlated with one another. To overcome this problem, the authors propose a dimensionality reduction phase, which can be implemented in any software fault-prone prediction model. In this study, the authors present applications of artificial neural network (ANN) and support vector machine in software fault-prone prediction using metrics. A new evaluation function for computing the contribution of each metric is also proposed in order to adapt to the characteristics of software data. The vital characteristic of this approach is the automatic determination of ANN architecture during metric selection. Four software datasets are used for evaluating the performance of the proposed model. The experimental results show that the proposed model can establish the relation between software metrics and modules' fault-proneness. Moreover, it is also very simple because its implementation requires neither extra cost nor expert knowledge. The proposed model has good performance, and can provide software project managers with trustworthy indicators of fault-prone components.
Metrics-based control in outsourced software development projects
María Laura Ponisio, P. V. Eck
Pub Date: 2012-10-22. DOI: 10.1049/iet-sen.2011.0199. IET Softw., pp. 438-450.
Measurements have been recognised as vital instruments to improve control in outsourced software development projects. However, project managers are still struggling with the design and implementation of effective measurement programs. One reason for this is that although there is a large body of research literature on metrics, practical guidelines for choosing among concrete measurements are scarce. The authors address this gap between research and practice by synthesising knowledge from frameworks and guidelines presented in the software process improvement (SPI) literature. The contribution comprises a framework that provides a set of measurements (selected from the research literature) for control of software development in cooperative settings, and a set of principles and guidelines for the design of an information infrastructure that provides managers with control information. As an implication for research, the authors identify the need to develop new theories of SPI through the lens of inter-organisational networks, taking into account relevant practices from the world of open-source software development. Lessons for managers of outsourced software development projects are also discussed. The results have been validated via expert interviews and by a panel of experts.
Improving agility and discipline of software development with the Scrum and CMMI
Katarzyna Lukasiewicz, J. Miler
Pub Date: 2012-10-22. DOI: 10.1049/IET-SEN.2011.0193. IET Softw., pp. 416-422.
This study presents a method of combining the Scrum methodology with the CMMI maturity model to improve both agility and discipline of software development. First, the authors propose the CMMI-Scrum reference model, which maps Scrum practices onto 123 practices of CMMI staged levels 2 and 3. For the 60% of CMMI practices that are insufficiently covered by Scrum, they add new practices that improve discipline while maintaining agility. The practices to improve an actual software development process are selected from the reference model with the P-Sel algorithm based on answers to a questionnaire with 25 single-choice questions. They applied their approach to the processes of two IT companies, where on average 72% of the suggested practices were confirmed, 24.5% were mismatched and 3.5% were rejected.
Process reference model construction: implementing an evolutionary multi-method research approach
Pádraig O'Leary, Ita Richardson
Pub Date: 2012-10-22. DOI: 10.1049/iet-sen.2011.0195. IET Softw., pp. 423-430.
Process reference models can serve as a tool for simplifying process problem-solving during software development. In the authors' research project, they developed a process reference model for software product line product derivation. The development was completed in four stages using sources in industry and academia. In this study, the authors discuss their research approach. They include an explanation of how the different stages of the research form a continuum in which the model is continually adjusted, and describe how empirical evidence was used in the development of the reference model by following an evolutionary multi-method research approach. Following a discussion of each research stage, the authors briefly present the evolution of the reference model they have developed, Pro-PD, as an exemplar of their approach. The study contributes to an improved understanding of real-world reference model construction. Importantly, the authors also present lessons learned while implementing the approach. This research contributes to the practical implementation of reference model construction guidelines.
Software process improvement to assist medical device software development organisations to comply with the amendments to the medical device directive
M. McHugh, F. McCaffery, Valentine Casey
Pub Date: 2012-10-22. DOI: 10.1049/iet-sen.2011.0198. IET Softw., pp. 431-437.
A recent revision to the European Medical Device Directive (MDD), 2007/47/EC, made 14 amendments to the original directive (93/42/EEC). A number of these changes directly affect the development of software for use in healthcare. The most significant change in relation to medical device software development is that stand-alone software is now seen as an active medical device and should be developed following state-of-the-art medical device software development processes. State-of-the-art medical device software processes are understood within the industry as developing software in accordance with IEC 62304 and the standards aligned with it. This study identifies how the changes to the MDD affect medical device software development companies, and recommendations are made as to how such companies can conform to the latest regulatory requirements. Additionally, the study provides an overview of how Medi SPICE is currently being developed to provide organisations with a single point of reference for the practices that should be implemented in order to produce regulatory-compliant medical device software.
Analysing the corporate responsibility Web pages of consumer electronics companies: implications for process improvement
M. Garre, E. García-Barriocanal, K. Siakas, M. Sicilia, Sonja Koinig, R. Messnarz, Adrienne Clarke
Pub Date: 2012-10-22. DOI: 10.1049/iet-sen.2011.0207. IET Softw., pp. 451-460.
Corporate social responsibility (CSR) is a set of principles and practices that encourages companies to be responsible for the impact that their activities have on society. CSR positions are publicly communicated through information usually made available on corporate Web sites. Previous studies have shown that these sites are heterogeneous in the way they present the companies as socially responsible. This paper reports an exploratory study of these differences and their relation to diverse CSR-related indexes and rankings in a sample of consumer electronics companies that participate in the Greener Electronics Guide. The ISO 26000 standard is used to analyse the core subjects that are explicitly mentioned on corporate Web pages and how they relate to the scores obtained in the mentioned Guide and in other available rankings and indexes. The results point to a positive correlation between environmental issues and overall CSR behaviour, but differences indicate a need for further research. That behaviour in turn appears, to some extent, to be related to how CSR is communicated externally through corporate Web sites, but differences are also apparent. This may have implications for process improvement: concretely, higher levels of transparency in communication may be achieved by aligning common processes, including communication processes, more closely with actual CSR actions.
Model-driven approach to developing domain functional requirements in software product lines
Jianmei Guo, Yinglin Wang, Zheying Zhang, J. Nummenmaa, Nan Niu
Pub Date: 2012-10-04. DOI: 10.1049/iet-sen.2010.0072. IET Softw., pp. 391-401.
Existing product requirements form a rich source for domain requirements analysis in software product lines (SPLs). Most existing domain analysis techniques depend on domain experts' experience and manual operation to identify the commonalities and variabilities of product requirements. They often demand a high level of manual effort and a large up-front investment, which can present a prohibitive barrier to SPL adoption. This study proposes a model-driven approach to semi-automatically derive domain functional requirements (DFRs) from product functional requirements (PFRs). Based on the linguistic characterisation of a domain's action-oriented concerns, the authors apply Fillmore's semantic framework to functional requirements and define metamodels for PFRs and DFRs. Functional requirements of existing products are constructed as corresponding PFR models. Following the proposed merging and refinement rules, the authors' approach automates the transformation from PFR models into DFR models by merging the same or similar PFRs and analysing their commonality and variability. The resulting DFR models can serve as an initial basis for the SPL. The authors demonstrate their approach using an example of a home security system (HSS) SPL and give a preliminary evaluation. The authors' approach provides rigorous model-based support for DFR development and complements existing domain analysis techniques with less time and effort.
Multidimentional size measure for design of component-based software system
Majdi Abdellatief, A. B. Sultan, A. Ghani, M. Jabar
Pub Date: 2012-10-04. DOI: 10.1049/iet-sen.2011.0122. IET Softw., pp. 350-357.
The motivation of this study is to bridge the gap between component providers and component users, especially in the area of component evaluation, using component information flow (CIF) measurement and multidimensional approaches for measurement interpretation. By measuring the design of component-based software systems (CBSS), software designers, testers and maintainers may be able to locate weaknesses in the system design and to estimate the effort required to test as well as the cost of maintenance. This study proposes a CIF based on inter-component flow and intra-component flow. Moreover, a set of metrics based on the CIF was developed to characterise and evaluate the effect of the component design size on the quality of CBSS design. The theoretical evaluation results indicated that the proposed metrics are valid size measures. An application that demonstrates the intuitiveness of the mentioned approach is also presented. Results show that multidimensional analysis of design size appears promising as a means of capturing the quality of the CBSS design in question.
Web application for recommending personalised mobile tourist routes
D. Gavalas, M. Kenteris, C. Konstantopoulos, G. Pantziou
Pub Date: 2012-10-04. DOI: 10.1049/iet-sen.2011.0156. IET Softw., pp. 313-322.
This study deals with the problem of deriving personalised recommendations for daily sightseeing itineraries for tourists visiting any destination. The authors' approach considers selected places of interest that a traveller would potentially wish to visit and derives a near-optimal itinerary for each day of the visit; the places of potential interest are selected based on stated or implied user preferences. The authors' method enables the planning of customised daily personalised tourist itineraries considering user preferences, time available for visiting sights on a daily basis, opening days of sights and average visiting times for these sights. Herein, the authors propose a heuristic solution to this problem addressed to both web and mobile web users. Evaluation and simulation results verify the competence of the authors' approach against an alternative method.
Auditing the XSS defence features implemented in web application programs
Lwin Khin Shar, Hee Beng Kuan Tan
Pub Date: 2012-10-04. DOI: 10.1049/iet-sen.2011.0084. IET Softw., pp. 377-390.
Cross-site scripting (XSS) vulnerability is mainly caused by the failure of web applications to sanitise user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still remain in many applications because of (i) the difficulty of adopting these methods, (ii) the inadequate implementation of these methods, and/or (iii) a lack of understanding of the XSS problem. To address this issue, this study proposes a code-auditing approach that recovers the defence model implemented in program source code and suggests guidelines for checking the adequacy of the recovered model against XSS attacks. On the basis of the possible implementation patterns of defensive coding methods, the authors' approach extracts all such defences implemented for securing each potentially vulnerable HTML output. It then introduces a variant of the control flow graph, called the tainted-information flow graph, as a model to audit the adequacy of XSS defence artefacts. The authors evaluated the proposed method through experiments on seven Java-based web applications. In the auditing experiments, the approach was effective in recovering all the XSS defence features implemented in the test subjects. The extracted artefacts were also shown to be useful for filtering the false-positive cases reported by a vulnerability detection method and helpful in fixing the vulnerable code sections.