SlideShare a Scribd company logo

HIS 2017 Peter Ladkin- Rigorous-Assurance Points in Software Development

J
jamieayre

Almost fifty years ago, a dependability crisis in software was noted by an international meeting of computer scientists in Garmisch-Partenkirchen. Stored-program computers were just a couple of decades old. We are now approaching the seventieth anniversary of stored-program computers, and they are ubiquitous. In the half-century since the Garmisch meeting, the technology of software dependability has advanced immeasurably. But much of it remains unused in everyday software development. Like most engineered artifacts, software is built to some purpose. That purpose belongs to the “documentation” of the artifact, as do assurances that the built object is fit for the purpose. The dependability of the software depends essentially upon its purpose, and thereby its documentation. A number of us are concerned that standards for critical software development, for example IEC 61508-3, lag years, even decades, behind the state of the art. In 2010, with the help of some eminent colleagues, I formulated a collection of 26 points at which objective properties of the software and documentation could be rigorously assured using industrially-mature techniques, and often were not. None of them appeared in IEC 61508-3. After seven years of discussion, including further research on industrial maturity commissioned from Bernd Sieker, the German National Committee for functional safety of computer-based systems formulated a proposal to be presented to the IEC for a standards document based on those assurance points. I introduce those techniques in this talk.

Software
1 of 25
Download to read offline
Rechnernetze und Verteilte Systeme Rigorous-Assurance Points in Software Development Peter Bernard Ladkin Bielefeld University and Causalis Limited 17 October 2017 Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 1 / 25
Rechnernetze und Verteilte Systeme Notice These slides accompany a talk, and are not ideal as a standalone guide to material in the talk Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 2 / 25
Rechnernetze und Verteilte Systeme Standards Assumption: standards are important Further assumption: methodological standards can also be important HSE uses adherence to IEC 61508 as the main assurance point that safety-critical systems involving E/E/PE components have been appropriately developed. HSE brings prosecutions in the UK for negligence/gross negligence in the case of accidents with safety-critical systems Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 3 / 25
Rechnernetze und Verteilte Systeme IEC 61508:2010 Current generic standard for software development in safety-critical applications Does not apply to aerospace Does not apply to medical systems Adapted for process plant (IEC 61511 refers to it) “Adapted” for rail control and protection systems (EN 50128) “Adapted” for road vehicles (ISO 26262) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 4 / 25
Rechnernetze und Verteilte Systeme Cybersecurity? Current events include penetration of various critical systems either with hostile intent; e.g., electricity-supply systems in Ukraine or with apparently-criminal intent; e.g., Equifax data leak or as proof of concept; e.g., remote control of a Jeep; Miller/Valasek Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 5 / 25
Rechnernetze und Verteilte Systeme Cybersecurity in IEC 61508, I “If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out. NOTE 1 For reasonably foreseeable misuse see 3.1.14 of IEC 61508-4. ..... NOTE 3 For guidance on security risks analysis, see IEC 62443 series. NOTE 4 Malevolent or unauthorised action covers security threats.” “Subclause 7.5.2.2 If security threats have been identified, then a vulnerability analysis should be undertaken in order to specify security requirements. NOTE Guidance is given in IEC 62443 series. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 6 / 25
Rechnernetze und Verteilte Systeme Cybersecurity in IEC 61508, II None of these terms are defined Notice that nothing says you have to do anything. Just analyse. Next edition of IEC 61508? 2020 earliest validity date. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 7 / 25
Rechnernetze und Verteilte Systeme Cybersecurity in IEC 61511 There is a little more in IEC 61511 (process-plant systems) Mainly concerning access control to systems About two pages total The current standard is brand-new. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 8 / 25
Rechnernetze und Verteilte Systeme Human Conflicts “Formal methods don’t work!” (reputed: B. Boehm, 1980’s) Many of us, including the top computer scientists and some companies: “yes, they do” Twofold response: “But we can’t learn them” “It costs too much (people, time) for the benefit” This is still a common twofold response 6.5 years after the first version of this slide 8 years after I began this movement in formal standardisation work! In the meantime, Altran UK can discharge >150,000 proof obligations on 0.25M LOC in 15 minutes on a desktop computer Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 9 / 25
Rechnernetze und Verteilte Systeme Some Questions Moral question, then as now: should we any longer be building systems which we don’t guarantee are fit for purpose? Business/social question: why does it (still) “cost too much for the benefit”? Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 10 / 25
Rechnernetze und Verteilte Systeme Down to Brass Tacks Dependable SW does what we want it to do, as far as the system can Do we really know what we want? How do we tell that we know what we want? How do we tell the SW does it? But that also it doesn’t do what we don’t want it to do How do we know what we don’t want? How do we assure ourselves that we know? How do we tell that the SW doesn’t do any of that? Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 11 / 25
Rechnernetze und Verteilte Systeme The “State of the Art” in Standards “7.7.2.7 The validation of safety-related software aspects of system safety shall meet the following requirements: a) testing shall be the main validation method for software; analysis, animation and modelling may be used to supplement the validation activities; b) the software shall be exercised by simulation of:.....” Much of the documentation requirements on software in IEC 61508-3:2010 consists of test plans and what shall be done when tests fail (about 1/3 out of almost 60) It has been well-expressed for 48 years that Testing shows the presence, not the absence of bugs (EWD 1969) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 12 / 25
Rechnernetze und Verteilte Systeme Problems Amplified by Poor Definitions, I “3.8.1 verification confirmation by examination and provision of objective evidence that the requirements have been fulfilled NOTE In the context of this standard, verification is the activity of demonstrating for each phase of the relevant safety lifecycle (overall, E/E/PE system and software), by analysis, mathematical reasoning and/or tests, that, for the specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 13 / 25
Rechnernetze und Verteilte Systeme Problems Amplified by Poor Definitions, I, continued “EXAMPLE Verification activities include reviews on outputs (documents from all phases of the safety lifecycle) to ensure compliance with the objectives and requirements of the phase, taking into account the specific inputs to that phase; design reviews; tests performed on the designed products to ensure that they perform according to their specification; integration tests performed ....... and by the performance of environmental tests.....” ?? Static Analysis ?? (And where is any suggestion that verification activities persist into operational maintenance?) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 14 / 25
Rechnernetze und Verteilte Systeme Problems Amplified by Poor Definitions, II “3.8.2 validation confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled ..... NOTE 2 Validation is the activity of demonstrating that the safety-related system under consideration, before or after installation, meets in all respects the safety requirements specification for that safety-related system. Therefore, for example, software validation means confirming by examination and provision of objective evidence that the software satisfies the software safety requirements specification.” Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 15 / 25
Rechnernetze und Verteilte Systeme The Core of an Ideal Safety Standard Determine what we don’t want the system to do (Accidents) As completely as possible Provide the assurance that you have everything Determine how it could happen (Hazards) As completely as possible If you go too far, that’s OK Provide the assurance of coverage (completeness) “Apportion” the hazard behavior to the system components (including SW) Show the apportionment covers the hazards For the SW, indeed any component: repeat the above Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 16 / 25
Rechnernetze und Verteilte Systeme Evaluating the Core Let us start at the top. Requirements They should be specified They should be consistent if they are not consistent, they cannot be fulfilled because different domains in a complex system have different expertise, it is not only common but easy to generate conflicting requirements from different domains (cf., Miller-Heimdahl 2006, Harel 2009, reported by M. Jackson in Glinz Festschrift 2012) They should be complete ........ Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 17 / 25
Rechnernetze und Verteilte Systeme Evaluating the Core, continued Requirements, continued ....... They should be complete One meaning of “complete”: specifying exactly which system behaviours are acceptable and which not Another meaning: considering all the circumstances in which the system will operate, and specifying its behaviour in all these circumstances a third meaning: define a “view”, that is, use specific, limited vocabulary to describe system+environment behaviour; show formal completeness (first meaning) with respect to this view; consider many views. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 18 / 25
Rechnernetze und Verteilte Systeme Completeness of Requirements Requirements completeness, second meaning: considering all the circumstances in which the system will operate, and specifying its behaviour in all these circumstances The second meaning is a usual, practical meaning it is often artificial to limit the system vocabulary in a way that would enable one to address the first meaning the source of most complex critical-system failures Evident since at least Lutz, 1993: “Safety related software errors are shown to arise most commonly from discrepancies between the documented requirements specifications and the requirements needed for correct functioning of the system and misunderstandings of the software’s interface with the rest of the system” Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 19 / 25
Rechnernetze und Verteilte Systeme Completeness of Requirements Recall: 3.8.1 verification confirmation by examination and provision of objective evidence that the requirements have been fulfilled 3.8.2 validation confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled Neither of these address the Lutz phenomenon, the discrepancy between operational circumstances and requirements specification And this in 2017, after nearly a quarter century Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 20 / 25
Rechnernetze und Verteilte Systeme How Do We Do Better? The Waterfall (modified-Royce): SW+doc has four life stages Requirements development and specification Design “Source” code generation: more generally, the intermediate constructed object Object code (linked and loaded) In each of these stages, it is possible using mature mathematical methods to assess objective properties of the software and its documentation. Let us see where. (Yes, I have left out testing) (Yes, I am ignoring maintenance.) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 21 / 25
Rechnernetze und Verteilte Systeme Assessment Points I Requirements formal specification, suitable for checking consistency check consistency analyse for completeness use restricted language, check first-meaning completeness model checking formal operational-model building and exploration Design formal specification check for consistency (in many cases assured by default) check for implementability: e.g., information-flow analysis Compare design against requirements does the formal design specification implement the formal requirements specification? discrepant formal languages plus interpretation, refinement Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 22 / 25
Rechnernetze und Verteilte Systeme Assessment Points II Generate source code does the source code refine the formal design specification? key: supply-chain issues Development environment Libraries Iterate for as many stages as one has intermediate code Java “source” Java byte code Generate object code does the object code refine the source code? How well is compiler/link/load sequence understood? Consider coding-standards analysis WCET analysis run-time monitoring Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 23 / 25
Rechnernetze und Verteilte Systeme Testing? I have not addressed testing. Despite its “primacy” for validation. Another time, maybe........ Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 24 / 25
Rechnernetze und Verteilte Systeme Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 25 / 25

Recommended

Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable Apps
CAST
 
PERIL LIBRARY
PERIL LIBRARYPERIL LIBRARY
PERIL LIBRARY
Soban Ahmad
 
Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018
Stefan Streichsbier
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security Differently
Aaron Rinehart
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
Aaron Rinehart
 
Using security to drive chaos engineering
Using security to drive chaos engineeringUsing security to drive chaos engineering
Using security to drive chaos engineering
Dinis Cruz
 
Agile Development And Medtech
Agile Development And MedtechAgile Development And Medtech
Agile Development And Medtech
Robert Ginsberg
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
 

Recommended

Unsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable AppsUnsustainable Regaining Control of Uncontrollable Apps
Unsustainable Regaining Control of Uncontrollable Apps
CAST
 
PERIL LIBRARY
PERIL LIBRARYPERIL LIBRARY
PERIL LIBRARY
Soban Ahmad
 
Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018
Stefan Streichsbier
 
AllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security DifferentlyAllDayDevOps 2020 Aaron Rinehart Security Differently
AllDayDevOps 2020 Aaron Rinehart Security Differently
Aaron Rinehart
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
Aaron Rinehart
 
Using security to drive chaos engineering
Using security to drive chaos engineeringUsing security to drive chaos engineering
Using security to drive chaos engineering
Dinis Cruz
 
Agile Development And Medtech
Agile Development And MedtechAgile Development And Medtech
Agile Development And Medtech
Robert Ginsberg
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
 
OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos Engineering
Aaron Rinehart
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
LabSharegroup
 
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
Aaron Rinehart
 
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSSECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
ijseajournal
 
6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments
EnergySec
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
DJ Schleen
 
Rework: Anticipating What May Go Wrong
Rework: Anticipating What May Go WrongRework: Anticipating What May Go Wrong
Rework: Anticipating What May Go Wrong
pedlove
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
Aaron Rinehart
 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
EnergySec
 
Itpi metricon 0906a final
Itpi metricon 0906a finalItpi metricon 0906a final
Itpi metricon 0906a final
Gene Kim
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
alexbe
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
Aaron Rinehart
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyProcess_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Curious Geoff (Shively)
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos Engineering
Aaron Rinehart
 
Devising an ideal building maintenance strateg1 https://clevair.io/
Devising an ideal building maintenance strateg1 https://clevair.io/Devising an ideal building maintenance strateg1 https://clevair.io/
Devising an ideal building maintenance strateg1 https://clevair.io/
Clevair
 
Software risk management
Software risk managementSoftware risk management
Software risk management
Jose Javier M
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Black Duck by Synopsys
 
Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentation
Davide Enrico Arnoldi
 
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
IJCI JOURNAL
 

More Related Content

What's hot

OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos Engineering
Aaron Rinehart
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
LabSharegroup
 
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
Aaron Rinehart
 
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSSECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
ijseajournal
 
6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments
EnergySec
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
DJ Schleen
 
Rework: Anticipating What May Go Wrong
Rework: Anticipating What May Go WrongRework: Anticipating What May Go Wrong
Rework: Anticipating What May Go Wrong
pedlove
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
Aaron Rinehart
 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
EnergySec
 
Itpi metricon 0906a final
Itpi metricon 0906a finalItpi metricon 0906a final
Itpi metricon 0906a final
Gene Kim
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
alexbe
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
Aaron Rinehart
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyProcess_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Curious Geoff (Shively)
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos Engineering
Aaron Rinehart
 
Devising an ideal building maintenance strateg1 https://clevair.io/
Devising an ideal building maintenance strateg1 https://clevair.io/Devising an ideal building maintenance strateg1 https://clevair.io/
Devising an ideal building maintenance strateg1 https://clevair.io/
Clevair
 
Software risk management
Software risk managementSoftware risk management
Software risk management
Jose Javier M
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Black Duck by Synopsys
 

What's hot (20)

OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos Engineering
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
 
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ...
 
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSSECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
 
6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments6 Tools for Improving IT Operations in ICS Environments
6 Tools for Improving IT Operations in ICS Environments
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
 
Rework: Anticipating What May Go Wrong
Rework: Anticipating What May Go WrongRework: Anticipating What May Go Wrong
Rework: Anticipating What May Go Wrong
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
 
Structured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six SigmaStructured NERC CIP Process Improvement Using Six Sigma
Structured NERC CIP Process Improvement Using Six Sigma
 
Itpi metricon 0906a final
Itpi metricon 0906a finalItpi metricon 0906a final
Itpi metricon 0906a final
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyProcess_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos Engineering
 
Devising an ideal building maintenance strateg1 https://clevair.io/
Devising an ideal building maintenance strateg1 https://clevair.io/Devising an ideal building maintenance strateg1 https://clevair.io/
Devising an ideal building maintenance strateg1 https://clevair.io/
 
Software risk management
Software risk managementSoftware risk management
Software risk management
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
 

Similar to HIS 2017 Peter Ladkin- Rigorous-Assurance Points in Software Development

Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentation
Davide Enrico Arnoldi
 
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
IJCI JOURNAL
 
CVSS
CVSSCVSS
CVSS
Christian Heinrich
 
Comparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC ModelsComparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC Models
IRJET Journal
 
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB
 
Requirements of ISO 26262
Requirements of ISO 26262Requirements of ISO 26262
Requirements of ISO 26262
Torben Haagh
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
ICS
 
Agile in MedTech: Essential Best Practices, and How to Support Them
Agile in MedTech: Essential Best Practices, and How to Support ThemAgile in MedTech: Essential Best Practices, and How to Support Them
Agile in MedTech: Essential Best Practices, and How to Support Them
Intland Software GmbH
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CAST
CAST
 
20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment
CISEC
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
Kaspersky
 
Cost-effective Simulation-based Test Selection in Self-driving Cars Software
Cost-effective Simulation-based Test Selection in Self-driving Cars SoftwareCost-effective Simulation-based Test Selection in Self-driving Cars Software
Cost-effective Simulation-based Test Selection in Self-driving Cars Software
Christian Birchler
 
Hardening as Part of a holistic Security Strategy
Hardening as Part of a holistic Security StrategyHardening as Part of a holistic Security Strategy
Hardening as Part of a holistic Security Strategy
NoCodeHardening
 
Software Architecture: introduction to the abstraction
Software Architecture: introduction to the abstractionSoftware Architecture: introduction to the abstraction
Software Architecture: introduction to the abstraction
Henry Muccini
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
Vincenzo De Florio
 
Introduction of Secure Software Development Lifecycle
Introduction of Secure Software Development LifecycleIntroduction of Secure Software Development Lifecycle
Introduction of Secure Software Development Lifecycle
Rishi Kant
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Luca Moroni ✔✔
 
Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)
Kenji Taguchi
 

Similar to HIS 2017 Peter Ladkin- Rigorous-Assurance Points in Software Development (20)

Mynd company presentation
Mynd company presentationMynd company presentation
Mynd company presentation
 
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
ENABLING PROTECTION AGAINST DATA EXFILTRATION BY IMPLEMENTING ISO 27001:2022 ...
 
CVSS
CVSSCVSS
CVSS
 
Comparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC ModelsComparitive Analysis of Secure SDLC Models
Comparitive Analysis of Secure SDLC Models
 
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
 
Requirements of ISO 26262
Requirements of ISO 26262Requirements of ISO 26262
Requirements of ISO 26262
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
Agile in MedTech: Essential Best Practices, and How to Support Them
Agile in MedTech: Essential Best Practices, and How to Support ThemAgile in MedTech: Essential Best Practices, and How to Support Them
Agile in MedTech: Essential Best Practices, and How to Support Them
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CAST
 
20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
Cost-effective Simulation-based Test Selection in Self-driving Cars Software
Cost-effective Simulation-based Test Selection in Self-driving Cars SoftwareCost-effective Simulation-based Test Selection in Self-driving Cars Software
Cost-effective Simulation-based Test Selection in Self-driving Cars Software
 
Hardening as Part of a holistic Security Strategy
Hardening as Part of a holistic Security StrategyHardening as Part of a holistic Security Strategy
Hardening as Part of a holistic Security Strategy
 
Software Architecture: introduction to the abstraction
Software Architecture: introduction to the abstractionSoftware Architecture: introduction to the abstraction
Software Architecture: introduction to the abstraction
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
 
Introduction of Secure Software Development Lifecycle
Introduction of Secure Software Development LifecycleIntroduction of Secure Software Development Lifecycle
Introduction of Secure Software Development Lifecycle
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
 
Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)Safe & Sec Case Patterns (ASSURE 2015)
Safe & Sec Case Patterns (ASSURE 2015)
 

More from jamieayre

HIS 2017 Mark Batty-Industrial concurrency specification for C/C++
HIS 2017 Mark Batty-Industrial concurrency specification for C/C++HIS 2017 Mark Batty-Industrial concurrency specification for C/C++
HIS 2017 Mark Batty-Industrial concurrency specification for C/C++
jamieayre
 
HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...
HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...
HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...
jamieayre
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software
jamieayre
 
HIS 2017 Robert Martin- assured software a journey and discussion-final
HIS 2017 Robert Martin- assured software a journey and discussion-finalHIS 2017 Robert Martin- assured software a journey and discussion-final
HIS 2017 Robert Martin- assured software a journey and discussion-final
jamieayre
 
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted DeviceHIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
jamieayre
 
HIS 2017 Jonathan Pallant- Delivering quality, time after time
HIS 2017 Jonathan Pallant- Delivering quality, time after timeHIS 2017 Jonathan Pallant- Delivering quality, time after time
HIS 2017 Jonathan Pallant- Delivering quality, time after time
jamieayre
 
HIS 2017 Dewi Daniels- bridging the gap between manned and unmanned
HIS 2017 Dewi Daniels- bridging the gap between manned and unmannedHIS 2017 Dewi Daniels- bridging the gap between manned and unmanned
HIS 2017 Dewi Daniels- bridging the gap between manned and unmanned
jamieayre
 
HIS 2017 Roderick chapman- Secure Updates for Embedded Systems
HIS 2017 Roderick chapman- Secure Updates for Embedded SystemsHIS 2017 Roderick chapman- Secure Updates for Embedded Systems
HIS 2017 Roderick chapman- Secure Updates for Embedded Systems
jamieayre
 
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech UpdateAdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
jamieayre
 
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
jamieayre
 
AdaCore Paris Tech Day 2016: Eric Perlade - Verification Solutions
AdaCore Paris Tech Day 2016: Eric Perlade - Verification SolutionsAdaCore Paris Tech Day 2016: Eric Perlade - Verification Solutions
AdaCore Paris Tech Day 2016: Eric Perlade - Verification Solutions
jamieayre
 
AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...
AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...
AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...
jamieayre
 
AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...
AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...
AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...
jamieayre
 
AdaCore Paris Tech Day 2016: Cyrille Comar - Looking Ahead
AdaCore Paris Tech Day 2016: Cyrille Comar - Looking AheadAdaCore Paris Tech Day 2016: Cyrille Comar - Looking Ahead
AdaCore Paris Tech Day 2016: Cyrille Comar - Looking Ahead
jamieayre
 
AdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers Library
AdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers LibraryAdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers Library
AdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers Library
jamieayre
 
AdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro Roadmap
AdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro RoadmapAdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro Roadmap
AdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro Roadmap
jamieayre
 
AdaCore Paris Tech Day 2016: Jamie Ayre - Market Perspective
AdaCore Paris Tech Day 2016: Jamie Ayre - Market PerspectiveAdaCore Paris Tech Day 2016: Jamie Ayre - Market Perspective
AdaCore Paris Tech Day 2016: Jamie Ayre - Market Perspective
jamieayre
 

More from jamieayre (17)

HIS 2017 Mark Batty-Industrial concurrency specification for C/C++
HIS 2017 Mark Batty-Industrial concurrency specification for C/C++HIS 2017 Mark Batty-Industrial concurrency specification for C/C++
HIS 2017 Mark Batty-Industrial concurrency specification for C/C++
 
HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...
HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...
HIS 2017 David Oswald- Your car is not a safe box - breaking automotive keyle...
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software
 
HIS 2017 Robert Martin- assured software a journey and discussion-final
HIS 2017 Robert Martin- assured software a journey and discussion-finalHIS 2017 Robert Martin- assured software a journey and discussion-final
HIS 2017 Robert Martin- assured software a journey and discussion-final
 
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted DeviceHIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
 
HIS 2017 Jonathan Pallant- Delivering quality, time after time
HIS 2017 Jonathan Pallant- Delivering quality, time after timeHIS 2017 Jonathan Pallant- Delivering quality, time after time
HIS 2017 Jonathan Pallant- Delivering quality, time after time
 
HIS 2017 Dewi Daniels- bridging the gap between manned and unmanned
HIS 2017 Dewi Daniels- bridging the gap between manned and unmannedHIS 2017 Dewi Daniels- bridging the gap between manned and unmanned
HIS 2017 Dewi Daniels- bridging the gap between manned and unmanned
 
HIS 2017 Roderick chapman- Secure Updates for Embedded Systems
HIS 2017 Roderick chapman- Secure Updates for Embedded SystemsHIS 2017 Roderick chapman- Secure Updates for Embedded Systems
HIS 2017 Roderick chapman- Secure Updates for Embedded Systems
 
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech UpdateAdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
 
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
 
AdaCore Paris Tech Day 2016: Eric Perlade - Verification Solutions
AdaCore Paris Tech Day 2016: Eric Perlade - Verification SolutionsAdaCore Paris Tech Day 2016: Eric Perlade - Verification Solutions
AdaCore Paris Tech Day 2016: Eric Perlade - Verification Solutions
 
AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...
AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...
AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trust...
 
AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...
AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...
AdaCore Paris Tech Day 2016: Pierre-Marie Rodat - Libadalang, New Generation ...
 
AdaCore Paris Tech Day 2016: Cyrille Comar - Looking Ahead
AdaCore Paris Tech Day 2016: Cyrille Comar - Looking AheadAdaCore Paris Tech Day 2016: Cyrille Comar - Looking Ahead
AdaCore Paris Tech Day 2016: Cyrille Comar - Looking Ahead
 
AdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers Library
AdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers LibraryAdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers Library
AdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers Library
 
AdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro Roadmap
AdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro RoadmapAdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro Roadmap
AdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro Roadmap
 
AdaCore Paris Tech Day 2016: Jamie Ayre - Market Perspective
AdaCore Paris Tech Day 2016: Jamie Ayre - Market PerspectiveAdaCore Paris Tech Day 2016: Jamie Ayre - Market Perspective
AdaCore Paris Tech Day 2016: Jamie Ayre - Market Perspective
 

Recently uploaded

Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Peter Muessig
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
Quickdice ERP
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
Rakesh Kumar R
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
Hironori Washizaki
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Envertis Software Solutions
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Undress Baby
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
lorraineandreiamcidl
 

Recently uploaded (20)

Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesE-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian Companies
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
 

HIS 2017 Peter Ladkin- Rigorous-Assurance Points in Software Development

  • 1. Rechnernetze und Verteilte Systeme Rigorous-Assurance Points in Software Development Peter Bernard Ladkin Bielefeld University and Causalis Limited 17 October 2017 Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 1 / 25
  • 2. Rechnernetze und Verteilte Systeme Notice These slides accompany a talk, and are not ideal as a standalone guide to material in the talk Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 2 / 25
  • 3. Rechnernetze und Verteilte Systeme Standards Assumption: standards are important Further assumption: methodological standards can also be important HSE uses adherence to IEC 61508 as the main assurance point that safety-critical systems involving E/E/PE components have been appropriately developed. HSE brings prosecutions in the UK for negligence/gross negligence in the case of accidents with safety-critical systems Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 3 / 25
  • 4. Rechnernetze und Verteilte Systeme IEC 61508:2010 Current generic standard for software development in safety-critical applications Does not apply to aerospace Does not apply to medical systems Adapted for process plant (IEC 61511 refers to it) “Adapted” for rail control and protection systems (EN 50128) “Adapted” for road vehicles (ISO 26262) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 4 / 25
  • 5. Rechnernetze und Verteilte Systeme Cybersecurity? Current events include penetration of various critical systems either with hostile intent; e.g., electricity-supply systems in Ukraine or with apparently-criminal intent; e.g., Equifax data leak or as proof of concept; e.g., remote control of a Jeep; Miller/Valasek Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 5 / 25
  • 6. Rechnernetze und Verteilte Systeme Cybersecurity in IEC 61508, I “If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out. NOTE 1 For reasonably foreseeable misuse see 3.1.14 of IEC 61508-4. ..... NOTE 3 For guidance on security risks analysis, see IEC 62443 series. NOTE 4 Malevolent or unauthorised action covers security threats.” “Subclause 7.5.2.2 If security threats have been identified, then a vulnerability analysis should be undertaken in order to specify security requirements. NOTE Guidance is given in IEC 62443 series. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 6 / 25
  • 7. Rechnernetze und Verteilte Systeme Cybersecurity in IEC 61508, II None of these terms are defined Notice that nothing says you have to do anything. Just analyse. Next edition of IEC 61508? 2020 earliest validity date. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 7 / 25
  • 8. Rechnernetze und Verteilte Systeme Cybersecurity in IEC 61511 There is a little more in IEC 61511 (process-plant systems) Mainly concerning access control to systems About two pages total The current standard is brand-new. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 8 / 25
  • 9. Rechnernetze und Verteilte Systeme Human Conflicts “Formal methods don’t work!” (reputed: B. Boehm, 1980’s) Many of us, including the top computer scientists and some companies: “yes, they do” Twofold response: “But we can’t learn them” “It costs too much (people, time) for the benefit” This is still a common twofold response 6.5 years after the first version of this slide 8 years after I began this movement in formal standardisation work! In the meantime, Altran UK can discharge >150,000 proof obligations on 0.25M LOC in 15 minutes on a desktop computer Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 9 / 25
  • 10. Rechnernetze und Verteilte Systeme Some Questions Moral question, then as now: should we any longer be building systems which we don’t guarantee are fit for purpose? Business/social question: why does it (still) “cost too much for the benefit”? Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 10 / 25
  • 11. Rechnernetze und Verteilte Systeme Down to Brass Tacks Dependable SW does what we want it to do, as far as the system can Do we really know what we want? How do we tell that we know what we want? How do we tell the SW does it? But that also it doesn’t do what we don’t want it to do How do we know what we don’t want? How do we assure ourselves that we know? How do we tell that the SW doesn’t do any of that? Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 11 / 25
  • 12. Rechnernetze und Verteilte Systeme The “State of the Art” in Standards “7.7.2.7 The validation of safety-related software aspects of system safety shall meet the following requirements: a) testing shall be the main validation method for software; analysis, animation and modelling may be used to supplement the validation activities; b) the software shall be exercised by simulation of:.....” Much of the documentation requirements on software in IEC 61508-3:2010 consists of test plans and what shall be done when tests fail (about 1/3 out of almost 60) It has been well-expressed for 48 years that Testing shows the presence, not the absence of bugs (EWD 1969) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 12 / 25
  • 13. Rechnernetze und Verteilte Systeme Problems Amplified by Poor Definitions, I “3.8.1 verification confirmation by examination and provision of objective evidence that the requirements have been fulfilled NOTE In the context of this standard, verification is the activity of demonstrating for each phase of the relevant safety lifecycle (overall, E/E/PE system and software), by analysis, mathematical reasoning and/or tests, that, for the specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 13 / 25
  • 14. Rechnernetze und Verteilte Systeme Problems Amplified by Poor Definitions, I, continued “EXAMPLE Verification activities include reviews on outputs (documents from all phases of the safety lifecycle) to ensure compliance with the objectives and requirements of the phase, taking into account the specific inputs to that phase; design reviews; tests performed on the designed products to ensure that they perform according to their specification; integration tests performed ....... and by the performance of environmental tests.....” ?? Static Analysis ?? (And where is any suggestion that verification activities persist into operational maintenance?) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 14 / 25
  • 15. Rechnernetze und Verteilte Systeme Problems Amplified by Poor Definitions, II “3.8.2 validation confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled ..... NOTE 2 Validation is the activity of demonstrating that the safety-related system under consideration, before or after installation, meets in all respects the safety requirements specification for that safety-related system. Therefore, for example, software validation means confirming by examination and provision of objective evidence that the software satisfies the software safety requirements specification.” Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 15 / 25
  • 16. Rechnernetze und Verteilte Systeme The Core of an Ideal Safety Standard Determine what we don’t want the system to do (Accidents) As completely as possible Provide the assurance that you have everything Determine how it could happen (Hazards) As completely as possible If you go too far, that’s OK Provide the assurance of coverage (completeness) “Apportion” the hazard behavior to the system components (including SW) Show the apportionment covers the hazards For the SW, indeed any component: repeat the above Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 16 / 25
  • 17. Rechnernetze und Verteilte Systeme Evaluating the Core Let us start at the top. Requirements They should be specified They should be consistent if they are not consistent, they cannot be fulfilled because different domains in a complex system have different expertise, it is not only common but easy to generate conflicting requirements from different domains (cf., Miller-Heimdahl 2006, Harel 2009, reported by M. Jackson in Glinz Festschrift 2012) They should be complete ........ Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 17 / 25
  • 18. Rechnernetze und Verteilte Systeme Evaluating the Core, continued Requirements, continued ....... They should be complete One meaning of “complete”: specifying exactly which system behaviours are acceptable and which not Another meaning: considering all the circumstances in which the system will operate, and specifying its behaviour in all these circumstances a third meaning: define a “view”, that is, use specific, limited vocabulary to describe system+environment behaviour; show formal completeness (first meaning) with respect to this view; consider many views. Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 18 / 25
  • 19. Rechnernetze und Verteilte Systeme Completeness of Requirements Requirements completeness, second meaning: considering all the circumstances in which the system will operate, and specifying its behaviour in all these circumstances The second meaning is a usual, practical meaning it is often artificial to limit the system vocabulary in a way that would enable one to address the first meaning the source of most complex critical-system failures Evident since at least Lutz, 1993: “Safety related software errors are shown to arise most commonly from discrepancies between the documented requirements specifications and the requirements needed for correct functioning of the system and misunderstandings of the software’s interface with the rest of the system” Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 19 / 25
  • 20. Rechnernetze und Verteilte Systeme Completeness of Requirements Recall: 3.8.1 verification confirmation by examination and provision of objective evidence that the requirements have been fulfilled 3.8.2 validation confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled Neither of these address the Lutz phenomenon, the discrepancy between operational circumstances and requirements specification And this in 2017, after nearly a quarter century Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 20 / 25
  • 21. Rechnernetze und Verteilte Systeme How Do We Do Better? The Waterfall (modified-Royce): SW+doc has four life stages Requirements development and specification Design “Source” code generation: more generally, the intermediate constructed object Object code (linked and loaded) In each of these stages, it is possible using mature mathematical methods to assess objective properties of the software and its documentation. Let us see where. (Yes, I have left out testing) (Yes, I am ignoring maintenance.) Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 21 / 25
  • 22. Rechnernetze und Verteilte Systeme Assessment Points I Requirements formal specification, suitable for checking consistency check consistency analyse for completeness use restricted language, check first-meaning completeness model checking formal operational-model building and exploration Design formal specification check for consistency (in many cases assured by default) check for implementability: e.g., information-flow analysis Compare design against requirements does the formal design specification implement the formal requirements specification? discrepant formal languages plus interpretation, refinement Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 22 / 25
  • 23. Rechnernetze und Verteilte Systeme Assessment Points II Generate source code does the source code refine the formal design specification? key: supply-chain issues Development environment Libraries Iterate for as many stages as one has intermediate code Java “source” Java byte code Generate object code does the object code refine the source code? How well is compiler/link/load sequence understood? Consider coding-standards analysis WCET analysis run-time monitoring Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 23 / 25
  • 24. Rechnernetze und Verteilte Systeme Testing? I have not addressed testing. Despite its “primacy” for validation. Another time, maybe........ Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 24 / 25
  • 25. Rechnernetze und Verteilte Systeme Peter Bernard Ladkin (Bielefeld/Causalis) Rigorous-Assurance Points in Software Development 17 October 2017 25 / 25