Title: SQA
1. SQA Reuse
Katerina Goseva-Popstojanova (WVU), Aaron Wilson (NASA IV&V), Kalynnda Berens and Richard Plastow (GRC), Joanne Bechta Dugan (UVa), David Gilliam (JPL)
2. Projects
- Real-time Linux Evaluations
  - Kalynnda Berens, Richard Plastow, GRC
- Performability of Web-based Applications
  - Katerina Goseva-Popstojanova, WVU
- Reducing Software Security Risk through an Integrated Approach
  - David Gilliam, John Powell, JPL
- Software Assurance of Web-based Applications
  - Tim Kurtz, GRC
- Software Quality Safety Assessment Using Bayesian Belief Networks
  - Joanne Bechta Dugan, UVa
3. Real-time Linux Evaluations
- Performance benchmarking on flight-like hardware
  - RTLinux (free version) V3.2 pre3
  - RTLinux Pro (commercial) V2.0
  - RTAI V24.1.11
  - Linux 2.6.7 kernel (future)
  - Jaluna (future)
- RTLinux and RTAI are both stable and support many processors, but each requires a learning curve
4. Which Real-Time Linux is best?
5. Web measurement and modeling framework
(Layered framework; the diagram's layers, measurement activities, and models are listed below.)
- Layers (views)
  - Session layer (user view)
  - Service layer (software architectural view)
  - System layer (deployment view)
  - Resource layer (hardware device view)
- Measurement
  - User session characterization from Web access log analysis (realistic workload)
  - Software/hardware resource utilization
  - Application and hardware resource monitoring
  - Software/hardware failure/recovery characterization
  - Web error log analysis: request-based and session-based error characterization
- Models
  - Performance model
  - Performability model
  - Reliability/availability model
6. Cost-effective way to improve quality
10-35% of the total number of errors are due to only 3 files. Fixing the errors with the highest frequency of occurrence is the most cost-effective way to improve Web quality.
7. Reducing Software Security Risk Through an Integrated Approach (NASA)
- Software vulnerabilities expose IT systems and infrastructure to security risks
- Goal: reduce security risk in software and protect IT systems, data, and infrastructure
- Security training for system engineers and developers
- Software Security Checklist for the end-to-end life cycle
- Software Security Assessment Instrument (SSAI), which includes:
  - Model-based verification
  - Property-based testing
  - Security checklist
  - Vulnerability matrix
  - Collection of security tools
8. Womb-to-Tomb Process
- Coincides with organizational policies and requirements
- Security risk mitigation process in the software lifecycle
- Software lifecycle integration
  - Training
  - Software Security Checklist
    - Phase 1: provide an instrument to integrate security as a formal approach to the software life cycle; requirements driven
    - Phase 2: external release of software; release process
  - Vulnerability Matrix (NASA Top 20)
  - Security assurance instruments
    - Early development: model checking / FMF
    - Implementation: property-based testing
  - Security Assessment Tools (SATs)
    - Description of available SATs
    - Pros and cons of each and related tools, with web sites
- Notification process when software or systems are decommissioned / retired
9. Software Assurance of Web-based Applications
- How should NASA SA assure web-based applications?
- Solution
  - Implement the same types of controls on web-app development that are used on other types of software development
  - Audit and review projects' web-app development activities using a set of checklists
  - Pilot the guidebook/checklists
- Deliverables
  - Best practices guidebook
  - Checklists
10. GETR Decision
Software Quality Safety Assessment Using BBN
11. BBN model of the Software Development Process
12. Technology Readiness Level
- Reducing software security risk
- Web performability
- Software Quality Safety
13. Brief description of the field
- Quality attributes: reliability, performance, security, maintainability, and reusability
- Techniques
  - Testing: property testing, performance testing
    - Real system, real workload
  - Analysis/modeling: model checking, statistical/probabilistic analysis, BBN
- Process and product
14. Potential benefits
- Improved decision support, prioritization, better allocation of resources
- Better product in a cost-effective way through integrated approaches
- Increased fidelity without increasing complexity
15. Directions
- Increased coordination through unified approaches
- Infusion of improved techniques into current processes
- Improving the state of practice
16. Why
- Potential benefits to NASA
  - Fewer mission failures
  - Reduced complexity
  - Greater reuse of software artifacts and process improvements
  - Transference of best practices and lessons learned
17. Why not
- Standard traps
  - There is no silver bullet
  - Teaching to the test
  - Deadline-driven vs. quality-driven development
  - Tunnel vision
- Dependencies on hardware and OS
- Poor documentation and quality of data
18. Who is using this technology
- NASA projects that are using this technology
  - Security checklist at JPL
  - RTLinux Pro at Glenn
  - Web performability at NASA IV&V
  - Web-based process assurance at Glenn
  - Seal of Approval process for PRA tools at NASA HQ
- Other projects outside of NASA that are using these tools/approaches
  - Web performability at LDCSEE
  - Formal security verification at Patchlink
19. Questions/Issues
- Reliability, availability, performance, security
  - Integrated approaches needed
  - What are the interactions and tradeoffs?
- Process and product
- Better, Cheaper, Faster
  - Can we have it all?
  - Should we pick (any) two?