The Software and System Engineering (SSE) department is actively helping enterprises to reach higher quality standards both for their IT development process and for the resulting software-based products.
Objectives/Missions
More than ever, adequate methods and tools are required to master the software development processes from the requirements to the delivery, to measure the quality of the resulting products, to estimate the effort of internal and external development, and to comply with certification criteria, especially related to security and safety. Direct customer benefits are reduced development time through a continuous evaluation of quality, reduced maintenance costs by strategic decision making about bad parts, improved confidence in the code quality, and a supported decision process. CETIC relies on CEIQS and masters a number of leader software tools and methods helping in assessing the security and safety of code, and in the writing of specific certification documents.
Requirements engineering
CETIC has developed strong expertise in RE (*) covering the whole spectrum of methods and application contexts. The related expertise especially relies on the use of advanced goal-oriented methodologies, as highlighted in the DEPLOY project http://www.cetic.be/article841.html.
(*) Requirements Engineering (RE) is the first and utmost important stage of software development, aiming at defining user’s needs, and translating them into functional requirements. It is not to say that this first step is highly critical, and it implies well and extended documented documents. Studies show that 2/3 of IT development projects are facing delays and under-budgetting.
Process quality
A number of process-related services are available to assess the maturity of the software process, to plan software quality improvements at an adequate pace, and to address specific needs. CETIC has developed strong expertise in process quality and in related standard such as CMMI (*) and SPICE ; we also have simplified them to serve SMES (**) (*)Capability Maturity Model Integration (CMMI) is a process improvement approach that provides organizations with the essential elements of effective processes that ultimately improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organization (**)
Micro-assessment, carried out in one day, provides a risk based evaluation and proposes concrete recommendations for improvement. It can be repeated on a regular basis (e.g. every 6 months) to monitor progress.
OWPL (http://www.cetic.be/article393.html) provides a more detailed assessment and more precise recommendations without being too resource consuming. It can open the way to future CMMI or SPICE certification. OWPL is specifically aimed at SME’s, with limited complexity, low process maturity level..
A security micro-assessment highlights current security strengths and weaknesses and identifies practical improvement solutions. It can also focus on specific practices.
Product quality(*)
CETIC has adapted a metrics-based approach for performing precise code level measurements, namely through its Quality Cockpit platform available in SaaS mode. http://test................ and through other tools like Cast www. Cast…., for specific language coverage in larger systems. CETIC helps its customers (**) :
To better manage software quality within an organization
To identify critical application code components and to request corrective intervention
To enhance software factory performance
With applied knowledge, customized to customer’s needs
(*) While process quality is an enabling condition for delivering quality products, it is necessary to measure product quality. Key characteristics to check at code level are maintainability and evolvability.
(**) Our expertise is dedicated to various customers : on the one hand, IT development teams or services companies willing to perform continuous internal code assessment. On the other hand, direct customers may also use CETIC Quality Cockpit, for a high-level monitoring and a supported decision-process.
Development effort estimation
The accurate characterisation of a software development effort is a challenge with a high impact on the project organisation and schedule. Currently, it often relies on past experience. CETIC has developed expertise in this area based on COSMIC, a widely used method for estimating software size. (*)
(*) The COSMIC function point estimation is based on objective criteria and rules and helps in the sizing of a new development, giving view on functional size, effort and cost estimation. This is also backed with benchmarks on International databanks (ISBG) ; this enables to produce an internal project DB over time. The method is applicable early in the Development lifecycle, and at the specifications level. It is completely independent of software development technologies and methods.
Certification
Security
Certification is often required in a number of industrial domains (*) as a condition to access a market or is imposed by regulatory bodies. CETIC is actively developing expertise and experience in those fields. CETIC also masters a number of leading software tools, like FORTIFY (**) helping in assessing the security and safety of code, and in the writing of specific certification documents. CETIC provides excellent support related to security certification (***) and safety (****).
(*) Security critical products like smart cards or firewalls can be subject to the Common Criteria (ISO/IEC 15408). In safety critical domains a number of safety standards are also required such as DO-178B (aeronautics) and Cenelec 50126/8/9 (railways). In other areas, more generic standards (IEC61508) can apply
(**) Fortify is one of the industry’s most proven, accurate, and effective application lifecycle security, and source code analysis tools.
(***) Related to security certification, CETIC can
perform security risks analysis and assess the return on investment of corrective actions.
perform advanced security analysis of code based on tools like Fortify.
help to prepare to Common Criteria certification by guiding in the writing and reviewing of protection profiles or security targets.
(****)Related to safety, CETIC can:
provide expertise regarding the generic IEC-61508 standard and domain specific specialisations.
perform advanced safety analysis of code based on tools like Polyspace.
