Thursday, May 24, 2018

Notes on the RE PhD Course - University of Trento - Class: RE Methodologies - Angelo Susi

Notes on the RE Course - Requirements Engineering Methodologies

*while Angelo projected the Day4 slides

The Spiral Model (Boehm 86, 88) is a very well-known iterative model. The interesting thing he wants to highlight is Risk Analysis.

We talked about some examples regarding data protection. For instance, many emails are coming now asking us to click a link in the email (a well-known major source of problems!) to confirm the new policies of different sources, complying with the new European Policy for data protection. So in the end, such a policy is inducing strange behavior in companies and end users. It seems that nobody has performed risk analysis.

He also mentioned that this model inaugurated the software evolution concept connected to software maintenance.

Relying on a risk assessment expert for knowing how to proceed is a good practice.

The Rational Unified Process has been proposed by the Rational company in an attempt to start with business analysis (Inception phase).

I reminded the students that this process was actually empowered by a very popular CASE tool in the 90s, called Rational Rose. This was a UML modeling tool, which also generated Java code. Angelo added that, besides the emphasis on business modeling, for the first time somebody allowed software production from start to end (including automatic code generation).

"RUP is a process framework, but unlike ISO 12207, it comes not empty, but prepopulated with a wealth of guidance, methods, techniques, templates, and examples, out of which a concrete process can be instantiated. RUP can actually support an organization that is trying to achieve CMM Level-2 and Level-3" (from the slides)

RUP emphasized the development of a standard development process.

---

There was an interesting discussion regarding Open Source.

Student A said "Open means that you have open access to knowledge, not that you have unrestricted use of the artifact (i.e. code)."

Angelo reminded us that there are different Open Source models. The problem with OS models is attributing responsibility. Who is liable if something goes wrong?

RISK ANALYSIS IS ESSENTIAL HERE!

Student B said Red Hat, the biggest Linux distributor, gives you the license to contribute, and you can even earn money for producing some enhancements. However, regarding the kernel, this license does not allow you to publish any enhancements. This company is worth billions in the market, so you can trust it.

This is what a lot of CEOs of big organizations take into account to hire OS services.

*I do not agree that you can trust it based on the market value! : ) At least for end users, we must be aware that we give lots of access to big companies, but I am willing to give the same access to small companies, provided that they provide me with a useful service that eases my life. It is not a solution for the problem, of course. It is just awareness.

Student A joked: for a solution, please read the books by Mauro Corona, who lives in the mountains, with no technology whatsoever!

Angelo: sometimes governments go into the OS community to influence them to add new requirements to the software so that it accounts for some ethical issues, allowing that government to use the developed software in hospitals or other sensitive environments.

Interesting reference on OS licenses: Roberto di Cosmo.

---

*back to the slides - still on Open Source:
Walter Scacchi (U California, 2003) is one of the most important researchers in OS Communities.

There are several communication tools that support OS communities (threaded discussions, newsgroups, email etc.) and .

There is a high degree of informality: to-do lists, FAQs, community websites, bug reports, bug tracking databases (e.g. Bugzilla) etc.

Agile Methodologies

*interesting slide comparing agile vs. standard approaches.

Scrum
Requirements are expressed like user stories, following simple templates such as:
As a <role>, I can <activity> so that <business value>

Dynamic System Development Method is an agile method, a bit heavier than Scrum, but that tries to improve Scrum in some points. It may work for some domains.

Such methodologies may completely change the company's power structure. The new roles that agile methods propose prevent some people from being recognized as, for instance, an analyst (or another kind of) expert in the common sense. This may lead to some resistance from the personnel.

*interesting slide on a REFSQ paper that presents examples of how companies use agile methodologies.

Microservices inaugurate a different perspective on software development. For one microservice, there are different experts involved AT THE SAME TIME, thus there is no division of roles by development phase or activity, as before. See the work of Luciano Baresi, already referenced in the previous post.

Wednesday, May 23, 2018

Notes on the RE PhD Course - University of Trento - Class: Requirements Prioritization - Angelo Susi

Notes on the RE Course - Requirements Prioritization

*while Angelo projected the Day3 slides for recap

Luciano Baresi – microservices (pieces of code that are very good for Agile Team Development – they have a precise goal – not the same as a micro-goal, simply precise)
Here is one of his interesting papers

For that to work, you need:
-      Reliable information/documentation about the micro-service
-      Well-developed interface to enable interconnection.

Release Plan

*The PhD work by Azevedo, C. seems to be of particular interest.

We must apply algorithms that are agnostic to the problems. The same algorithms that have existed for so many years (e.g. genetic algorithms, Markov chain based algorithms etc.) may be used to solve new problems.
These algorithms are sensitive to small changes, so you must FIRST understand the problem.

In terms of agnostic algorithms, the human intuition works like this: the algorithms give you the RIGHT QUESTIONS to ask the stakeholders to find out the information you need.

What to do about the consistency of human information? People may lie, ignore or be bound by ethics not to disclose some information. Angelo says that there are existing decision-making algorithms that enable consistency checks using mathematics.

Pareto Optimality in multi criteria

*send to Angelo the reference by … at CIbSE 2018

Interesting discussion on the kinds of approaches to solve the problem: kinds of algorithms and the tradeoff human automated vs. human assisted.

Very interesting slide on RE Prioritization Works in Literature 

Setting requirements with actual measures 

Characteristics of requirement B (on slide): 
-      Title
-      Description
-      Cost of implementation
-      Risk
-      Value for stakeholder

In practice, there is only partial knowledge about each requirement. In company A, for example, there are written requirements (text-based) in a worksheet, and for 1 requirement in 20 there is a piece of information given by the manager, e.g. “high risk”.

Analytic Hierarchy Process 
Very interesting decision-making algorithm;
Angelo explained it really well!

*RankBoost (Freund, Iyer, Schapire and Singer 1998) – according to Angelo, a very well-written paper. I found a 2003 paper of this group.

Very interesting machine learning algorithm (named CBRank) by Angelo, Anna and Paolo Avesani. Paper in Transactions on Software Engineering 2013. A previous version was published in the RE Conference.

To learn, the ML algorithm (named CBRank) compares its own results to rankings done by users (called domain knowledge in the algorithm). The principle was combining machine and human-based knowledge.

Disadvantage (according to Mirheidari): linear learning. With new/updated domain knowledge, you must of course update the pair sampling. However, you must wait for the system to learn, because it only works well after lots of (let’s say 100) iterations.
*Angelo replies: ok, but we can also change the algorithm, which is an old one. However, if you read the 1998 paper, you will see that they talked about user feedback already at that moment.

*Mirheidari presentation in the class:
Paper about detecting problems in decision-making regarding security.
Categorization of over 100 works
Ref: Seyed Ali Mirheidari, Sajjad Arshad, Rasool Jalili. Alert Correlation Algorithms: A Survey and Taxonomy In: CSS

Similarity algorithms
Knowledge-based algorithms
1)   Pre-requisite and consequence
2)   Scenario
Statistical-based algorithms

They discussed advantages and disadvantages of these works based on 5 metrics that are related to their work:
-      Algorithm capability
-      Algorithm accuracy
-      Algorithm computation power
-      Required KB
-      Algorithm extendibility and flexibility.

*After the survey, he designed a hybrid approach to maximize the probability of finding the attack.

Another good survey (Seyed says even better than his): Sadoddin and Ghorbani (2006), Alert correlation survey: framework and techniques, at PST'06.
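To make the "pre-requisite and consequence" family from the taxonomy above concrete, here is an added example (not from the survey or the class slides): an earlier alert is linked to a later one on the same host when one of its consequences is a prerequisite of the later alert. The knowledge base, alert type names and sample alerts are all constructed for illustration.

```python
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "id ts kind src dst")  # ts: seconds since capture start

# Hypothetical knowledge base: alert type -> (prerequisites, consequences)
KB = {
    "PortScan":       (set(),             {"service_known"}),
    "VulnProbe":      ({"service_known"}, {"vuln_known"}),
    "ExploitAttempt": ({"vuln_known"},    {"host_access"}),
    "PrivEscalation": ({"host_access"},   {"root_access"}),
}

# Constructed sample alerts (documentation and private address ranges)
ALERTS = [
    Alert(1, 10, "PortScan", "198.51.100.7", "10.0.0.5"),
    Alert(2, 40, "VulnProbe", "198.51.100.7", "10.0.0.5"),
    Alert(3, 55, "PortScan", "203.0.113.9", "10.0.0.8"),
    Alert(4, 90, "ExploitAttempt", "198.51.100.23", "10.0.0.5"),
    Alert(5, 120, "PrivEscalation", "10.0.0.5", "10.0.0.5"),
    Alert(6, 130, "ExploitAttempt", "203.0.113.9", "10.0.0.8"),
]

def prepares_for(a, b):
    """True if a is earlier, hits the same host, and enables a prerequisite of b."""
    if a.ts >= b.ts or a.dst != b.dst:
        return False
    return bool(KB[a.kind][1] & KB[b.kind][0])

def correlate(alerts):
    """Edges (earlier_id, later_id) of the correlation graph."""
    return [(a.id, b.id) for a in alerts for b in alerts if prepares_for(a, b)]

def scenarios(alerts):
    """Connected groups of correlated alerts, each listed in time order."""
    parent = {a.id: a.id for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for u, v in correlate(alerts):
        parent[find(u)] = find(v)
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        groups[find(a.id)].append(a.id)
    return sorted(g for g in groups.values() if len(g) > 1)
```

Alert 4 is linked into the chain even though it comes from a different source address, which a purely source-similarity rule would miss. Alerts 3 and 6 stay uncorrelated because no VulnProbe alert exists for 10.0.0.8: one missed intermediate alert breaks a prerequisite/consequence chain.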

Empirical Study
Angelo made a very good description of their empirical study to validate CBRank. 

Search-based approach - Angelo explained an approach based on Interactive Genetic Algorithm (IGA).

In this algorithm, an individual is a complete rank of requirements.

Getting information from the user works by restricting the population (in other words, increasing the number of constraints). An important point here is to minimize bothering the user, while also taking from her the right kind of information that will make the algorithm better (better means faster, more accurate and having fewer conflicts).

The Production of individuals phase may also work well to generate test cases for the algorithm.

After the production of individuals, you may have conflicting individuals, and this is made explicit so that we may ask for the user's preferences regarding such conflicts.
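The elicitation step described above, as an added sketch (not the algorithm from Angelo's slides or papers): individuals are complete rankings, the pair on which the population is most evenly split is shown to the user, and the answer becomes a constraint that restricts the population. Assumptions: the population, the simulated user and all function names are constructed here, hard filtering stands in for a fitness penalty, and crossover/mutation are left out.

```python
from itertools import combinations

# Constructed population: each individual is a complete ranking of R1..R4
POP = [
    ["R1", "R2", "R3", "R4"],
    ["R1", "R3", "R2", "R4"],
    ["R2", "R1", "R3", "R4"],
    ["R1", "R2", "R4", "R3"],
    ["R3", "R1", "R2", "R4"],
    ["R1", "R3", "R4", "R2"],
]
TRUE_ORDER = ["R3", "R1", "R2", "R4"]  # constructed: the stakeholder's hidden preference

def simulated_user(a, b):
    """Stand-in for the stakeholder: returns the pair as (preferred, other)."""
    return (a, b) if TRUE_ORDER.index(a) < TRUE_ORDER.index(b) else (b, a)

def split(pop, a, b):
    """Size of the minority among individuals ordering a vs. b (0 = unanimous)."""
    first = sum(ind.index(a) < ind.index(b) for ind in pop)
    return min(first, len(pop) - first)

def most_contested_pair(pop, constraints):
    """Pair the population disagrees on most, skipping pairs already answered."""
    asked = {frozenset(c) for c in constraints}
    open_pairs = [p for p in combinations(sorted(pop[0]), 2)
                  if frozenset(p) not in asked]
    best = max(open_pairs, key=lambda p: split(pop, *p), default=None)
    return best if best and split(pop, *best) > 0 else None

def restrict(pop, constraints):
    """Keep individuals that satisfy every elicited (preferred, other) precedence."""
    return [ind for ind in pop
            if all(ind.index(hi) < ind.index(lo) for hi, lo in constraints)]

def elicit(pop, ask, max_questions=5):
    """Ask only about real conflicts; stop once the population is unanimous."""
    constraints = []
    for _ in range(max_questions):
        pair = most_contested_pair(pop, constraints)
        if pair is None:
            break
        constraints.append(ask(*pair))
        pop = restrict(pop, constraints)  # never empties: both sides had supporters
    return constraints, pop
```

On this population two questions are enough: the user is never asked about a pair on which all individuals already agree.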