Agenda
Tuesday, 12 November 2002: Tutorial Day

| Time | Track 1 | Track 2 | Track 3 | Track 4 |
|---|---|---|---|---|
| 08:30-10:00 | More Reliable Software Faster and Cheaper, by John D. Musa (T1) | Testing Object-Oriented Software, by Dr. David C. Kung (T3) | Software Reliability and Rejuvenation: Modeling and Analysis, by Dr. Kishor S. Trivedi and Dr. Kalyanaraman Vaidyanathan (T5) | WOSA |
| 10:00-10:30 | Break | | | |
| 10:30-12:30 | More Reliable Software Faster and Cheaper, by John D. Musa (T1) | Testing Object-Oriented Software, by Dr. David C. Kung (T3) | Software Reliability and Rejuvenation: Modeling and Analysis, by Dr. Kishor S. Trivedi and Dr. Kalyanaraman Vaidyanathan (T5) | WOSA |
| 12:30-01:30 | Lunch | | | |
| 01:30-03:30 | CANCELLED SRE of Web Site Construction, by Dr. Norman Schneidewind (T2) | Introduction to Computer Security: Why Security is Really a Software Issue, by Gary McGraw (T4) | Introduction to Biometrics System Assurance, by Dr. Bojan Cukic and Dr. Larry Hornak (T6) | WOSA |
| 03:30-04:00 | Break | | | |
| 04:00-05:30 | CANCELLED SRE of Web Site Construction, by Dr. Norman Schneidewind (T2) | Introduction to Computer Security: Why Security is Really a Software Issue, by Gary McGraw (T4) | Introduction to Biometrics System Assurance, by Dr. Bojan Cukic and Dr. Larry Hornak (T6) | WOSA |
| 06:30-08:30 | Reception | | | |

8:30am - 12:30pm, Tutorial T1
More Reliable Software Faster and Cheaper
John D. Musa
Stressed out by competitive pressures to deliver more reliable software
faster and cheaper? Want to control the process rather than have it
control you? Software reliability engineering (SRE) can help. This unique
tutorial will teach you the essentials of how to apply this standard,
proven best practice. You can apply it to any system using software and
to members of software component libraries. And you can start with the
next release.
You will learn how to:
- engineer the "just right" reliability by defining "failure", setting failure intensity objectives, and choosing reliability strategies
- develop operational profiles
- allocate test cases and test time
- apply failure data to guide decisions in reliability growth test and certification test
No prerequisite is required except general familiarity with software project development.
1:30 - 5:30pm, Tutorial T2
CANCELLED
Software Reliability Engineering of Web Site Construction
Dr. Norman F. Schneidewind, Fellow of the IEEE, Professor of Information Sciences, Naval Postgraduate School
Goals of the Tutorial
1. Provide guidelines for developing Web sites that are not limited to considerations of functionality but which consider reliability, availability, maintainability, usability, accessibility, performance, and security, as well.
2. Show how to make tradeoffs among the factors in 1 in order to achieve a balanced approach in Web site development.
3. Present metrics for the factors in 1 so that the attendees can quantify the tradeoffs in 2.
4. Share with the attendees data collected about the factors in 1 from Web site development experiences.
5. Provide a Web site development "lessons learned" to enhance attendee learning.
Benefits for the Attendees
Web site construction is one of the most important activities in
today's Internet economy. While a great deal has been written about
implementing Web sites, very little has been said about the factors of
reliability, availability, maintainability, usability, accessibility,
performance, and security, and the tradeoffs that must be made among
these factors. Web site applications have unique characteristics that
set them apart from traditional applications. Thus, new thinking and
models must be developed for Web sites compared to standalone or even
local network models. This tutorial will flesh out these issues and
tradeoffs and provide the attendees with an approach to Web site
development that emphasizes reliability, maintainability, and
availability, using practical experience in Web site development as a
framework.
8:30am - 12:30pm, Tutorial T3
Testing Object-Oriented Software
Dr. David C. Kung
This tutorial aims to provide a basic coverage of issues relating to testing
object-oriented (OO) software and Web applications taking into
consideration software reliability. The emphasis is on fundamentals of
software testing in general and OO testing in particular. The focus
will be on methods and techniques for testing OO software. It is
expected that by the end of the tutorial, the audience will gain basic
knowledge of software quality assurance, OO software and Web testing
problems, test methods and techniques.
Dr. David C. Kung is a professor of Computer Science and Engineering at The
University of Texas at Arlington. He has more than 25 years of software
engineering experience working in academia and industry. He has worked
in the area of testing OO software and Web applications since 1992. He
has published three books and more than 80 articles and directed
projects that developed commercial products for security management,
secured computing, and software development.
1:30 - 5:30pm, Tutorial T4
Introduction to Computer Security: Why Security is Really a Software Issue
Dr. Gary McGraw
Abstract
Computer security takes on more importance as commerce becomes
e-commerce and business embraces the Net. However, little progress has
been made in the security field, especially when vendor technology is
considered. Popular press coverage of computer security orbits around
basic technology issues such as what firewalls are, when to use the DES
encryption algorithm, which anti-virus product is best, or how the
latest email-based attack works. The problem is, many security
practitioners don't know what the problem is. It's the software!
Internet-enabled software applications, especially custom applications,
present the most common security risk encountered today, and are the
target of choice for real hackers. This talk is all about security risk
and how to manage it. The trick is to begin early, know your threats,
design for security, and subject your design to thorough objective risk
analyses and testing. This talk covers material that technology
practitioners, including developers, architects, and academics, can use
to avoid security problems and produce more secure systems.
Benefits
This half-day tutorial will provide coverage of the following:
- Defining the security problem
- Aligning security goals and project goals
- Network security
- Firewalls and cryptography
- Risk management
- Performing risk analysis
- Integrating security into the project lifecycle
- Being proactive: software security
- Code scanning technology
- Common software security risks
- Design versus implementation risks
- Building software security capability
- Open source and security
- Guidelines for building secure software
Upon completion of this tutorial, participants will understand why software
security is essential to any organization wishing to proactively
address security issues, how to avoid common security problems, and how
to design more secure systems.
8:30am - 12:30pm, Tutorial T5
Software Reliability and Rejuvenation: Modeling and Analysis
Dr. Kishor S. Trivedi
Dr. Kalyanaraman Vaidyanathan
Description
In this tutorial, we will first give an overview of software fault
classification and discuss software reliability in the
testing/debugging phase. We will also discuss the relatively new
efforts in architecture-based software reliability which has the
potential of providing software reliability and performance predictions
based on individual software components and their interactions. Models
for software fault tolerance in the operational phase for different
software layers will then be briefly described.
We will then discuss the phenomenon of "software aging" that has been
reported in widely used software and also in high-availability and
safety-critical systems. To counteract this phenomenon, a proactive
technique called "software rejuvenation" has been proposed. This
essentially involves gracefully terminating an application or a system
and restarting it in a clean internal state. We will discuss methods of
evaluating the effectiveness of software rejuvenation in operational
software systems and determining optimal times to perform rejuvenation.
This is done by developing stochastic models which trade off the cost of
unexpected failures due to software aging with the overhead of
proactive fault management. We will then describe measurement-based
models which are constructed using workload and resource usage data
collected from operating systems over a period of time. The
measurement-based models are the first steps towards predicting aging
related failures, intended to help development of strategies for
software rejuvenation triggered by actual measurements. Finally, we
discuss the implementation of a software rejuvenation agent in a major
commercial server.
Benefits
At the end of the tutorial, the participants will have gained an
understanding of software reliability and fault tolerance, and why
software preventive maintenance is very useful. They will be able to
apply these techniques in their own systems and study them both through
experimental data analysis as well as through analytic models.
1:30 - 5:30pm, Tutorial T6
Introduction to Biometrics Systems Assurance
Dr. Bojan Cukic
Dr. Larry Hornak
Description
Biometrics refers to the automated methods of identifying or
authenticating the identity of a living person based on a physical or
behavioral characteristic. Unique physical traits, such as fingerprint,
face, iris, retina, voice, cardiac or neural signals, or the geometry
of the hand can be used.
These methodologies share a standardized approach for enrollment and
verification, as well as a set of shared principles driving the
application level design and system integration. For example, at
enrollment the person offers a live biometrics sample, such as a
fingerprint, that is scanned electronically, processed, and stored as a
template. This information is then used to confirm the person's
identity at a future time. Biometric technologies are suitable for
applications that require increased levels of trust in user identities,
restricted access controls, reliable evidence trails in transaction
processing systems and automated generation of user access logs
supporting computer forensics. The current security-centric business
computing climate opens a new set of opportunities for the deployment
of biometric technologies. As a consequence, application designers,
system users as well as decision and policy makers face an urgent need
to understand the advantages and drawbacks of biometric systems,
specific testing and performance evaluation techniques capable of
exposing performance bottlenecks, novel security related
vulnerabilities and performance trade-offs.
If improperly engineered, or if embedded into an improper application
environment, the biometric system may prove to be a bad investment.
Therefore, one of the goals of the tutorial is to introduce statistical
quality and reliability assessment techniques minimizing application
failure risks. Test-based evaluation of false accept rates (FAR,
mistakenly allowing access to an unauthorized individual) and false
reject rates (FRR, falsely rejecting access to authorized users) will
be presented in detail. Generally, quality assurance problems related
to computer authentication have been addressed in the area of
dependable computing, but without focusing on the specifics of
biometric systems. Based on the understanding of performance
limitations and quality issues related to biometric technology, the
tutorial will discuss business process requirements that drive the
system design. The choice of the specific type of biometrics
(fingerprints, iris, hand geometry, etc.) should reflect application
requirements, i.e., "the application should not be a slave to an
individual biometric technology."
Benefits
As the outcome of this tutorial, students will be able to:
- Understand critical issues in user authentication and the suitable role of biometrics.
- Understand the characteristics of a useful biometric.
- Understand biometric system architectures and subsystems.
- Understand present biometric technologies, their performance and testing practices.
- Be aware of the legal, social, and ethical concerns regarding the application of biometric systems.
- Understand current and future application frameworks.
- Understand business process requirements driving the design and integration of biometrics into large-scale systems.