CETIC

60. Security Micro-Assessment

Christophe PONSARD — 2009-03-28T17:48:15Z

The security micro evaluation is used to evaluate security maturity and help companies to prioritize security investments needed to cover security. This very light assessment can be repeated on a regular basis (every 6/8 month) and clearly underline the improvement and maturity evolution. Practically

Service

Do you want to quickly analyse the current status of security in your organization? Do you want to identify your strengths and weaknesses? Do you want to improve your security practices with a quick ROI?

We provide a lightweight global assessment of security practices in terms of security organization and security practices

As a result we highlight the current strengths and weaknesses and identify practical improvement solutions. This micro-assessment can also be used to analyze some practices in much more details.

40. Software Development Effort Estimation

Christophe PONSARD — 2009-03-28T17:38:22Z

Producing accurate estimation of software development effort is a challenge with a high impact on the project organization and schedule. Currently, it still often relies on past experience.

Expertise

CETIC has developed an expertise in this area based on the COSMIC 3.0, one one of the largely used methods of sizing software estimation. COSMIC 3.0 is based on objective criteria and rules allowing repetitiveness of measures. The method is applicable early in the software lifecycle, already at specifications level and it is completely independent of software development technologies and methods.

Services

The following effort estimation services are provided:
Functional size, effort and cost estimation for sizing internal development or as part of a invitation to tender process
Training IT companies in software functional size and development effort estimation

Success stories

Successful effort estimation a wide-scale web application for a European commission administration and a modular application to be used jointly by five Belgian federal and regional parliaments

10. Requirements Engineering

Christophe PONSARD — 2009-03-28T17:31:04Z

In the context of a software system, Requirements engineering (RE) is the process of discovering its purpose by identifying stakeholders and their needs, by documenting these in a form that can be analysed, communicated, and subsequently implemented. RE plays a critical and fundamental role within the software development process. Several studies have shown that it is one of the most critical success factors for on-schedule and within budget delivery of software projects. In today's global development environment, it remains more important than ever to “get the requirements right”.

Expertise

CETIC has developed a strong expertise in RE covering the whole spectrum of methods and application contexts, from lightweight methods combining structured templates and graphical (UML-based) notations to rigorous models that enable a model-engineering approach with deep verification and validation at requirements time. CETIC expertise especially relies on the use of goal-oriented methodologies developed at UCL and for which CETIC is actively maintaining and developing tool support (FAUST project).

Services

CETIC is actively helping enterprises in field related to requirements engineering by:
Improving RE practices through the audit of current RE process, the delivery of specific training, the development of company-tuned templates and coaching on concrete projects.
Assessing the quality requirements documents, identifying areas of problems (ambiguities, incompleteness, inconsistencies, etc.) and defining acceptance plan.
Conducting requirements analysis and producing precise requirements documents in a specific context, typically as part of an invitation to tender process.
Helping in the selection of an adequate solution based on functional and non-functional requirements, possibly also as part of evaluation of tenders.
Formal modelling at early stage and specific verification and validation activities, possibly as support for certification.

Success story

In 2008, CETIC has performed a complete analysis of a complex access control system for seven Belgian parliaments at regional and federal levels. This mission covered a full requirements analysis based on goals and UML use cases, high level and detailed architectural design and comparative technology analysis.

30. Code quality assessment

Christophe PONSARD — 2009-03-28T17:28:58Z

While process quality is an enabling condition for delivery quality products, measuring product quality is required. A number of key characteristics to check at code level are maintainability and evolvability.

Expertise

CETIC had adapted a metrics-based approach and integrated tools for performing precise code level measurements. The approach allows to generate clear reports allowing project managers or developers to easy interpret the results relying on pertinent diagrams. These help in the decision making process and suggest improvements that can be quickly undertaken.

Typical question that can be answered are the following:
What is the quality of this code?
Is it worth maintaining or should (a part of) it be redeveloped?
Is this component trustful?
Does this third-party application respect our standard quality requirements?
What part of this code requires in-depth testing?

Service

Code analysis is proposed in a variety of contexts such as:
Continuous code assessment during project development to assess delivery maturity
Internal assessment of code subject to evolution or legacy code
External quality assessment of the delivery quality in a client-provider relationship
Validation of maturity of open-source components (see also CELLAVI)

The direct customer benefits are the reduction of development time through a continuous evaluation of quality, the reduction of maintenance costs by strategic decision making about bad parts, improved confidence in the code quality and a supported decision process.

The code analysis relies on third party parsers and currently integrates support for Java, Delphi, C, C++ and C#.

Success Stories

Many code audit analysis have been carried out, especially in a public sector context for the French Community Parliament (evaluation of open-source components, assessment of newly developed components) and software editors (e.g. in CRM domain).

50. Common Criteria Consultancy Services

Corentine Biron — 2009-03-24T14:16:03Z

CETIC has developed expertise in assessing the security of computer systems according to ISO / IEC 15408 also known as Common Criteria.

This assessment is not an official one; the belgian state having not yet adopted a certification scheme, Belgian companies are forced to use foreign assessment centers to obtain a Common Criteria validation certificate. CETIC's consulting provides assistance in producing the various documentation and test plans needed to obtain a CC certification.

The services offered at this stage consist in the preparation of protection profiles and security target and in an initial assessment of the security target. In addition to these activities, CETIC also offers static code analysis techniques to help reduce vulnerabilities.

Protection profile definition support: CETIC assists companies defining protection profiles by helping them in drafting the constituting elements: introduction, security problem, objectives and requirements.

Security target support: CETIC assists companies writing their security targets. Elements considered are identical to protection profiles except a supplementary section concerning the summary of evaluation target.

Security Target Evaluation support: CETIC proceed to an informal evaluation of the security target in order to identify missing elements and problem and to improve the whole quality of the security target.

Vulnerabilities inspection: CETIC performs static code analysis to detect potential errors or vulnerabilities in the applicative code.

OWPL Assessment

Simon ALEXANDRE — 2006-03-07T11:25:18Z

OWPL Model has been designed with respect to the particular context of small businesses so that it could help them to improve their software practices accordingly. SME and VSE can not afford a lot of resources to assess and improve their processes. Therefore SME need a process improvement framework that can be deployed with a small set of resources and cost with a quick ROI. The OWPL model aims at assisting SMEs in their Software Process Improvement (SPI). Hence it provides SMEs and small public organizations with very simplified adequate models to initiate SPI approaches.

Existing Approaches

In fact, standard models like CMM were initially designed for bigger structures. So, they should be, more or less deeply, tailored and/or adapted to very small organizations like our target SMEs. The first reason is the cost of an evaluation process (+/ 25000$) and its duration (+/- 8 month) which are disproportional to the available resources. In addition, the maturity level our target SMEs would get according a general assessment model like CMM, would be very low. Brodman and Johnson show that a great number of process improvement plans based on the CMM encountered problems and that an important rate of those problems (53%) were related to the size. The success of a CMM process improvement plan actually grows with the number of people having software process in charge.

Structure of OWPL Model

The OWPL model has been designed with respect to the particular context of small businesses so that it could help them to improve their software practices accordingly. This model is based on the prior hypothesis that a key issue of success in any company lies on well-defined goals which should be structured on a hierarchical way depending on their level of operability (strategic vs. operational). This means that the company is the one that really defines its processes and the related objectives according to the business strategy.

The structure of OWPL model involves processes, practices and success factors (see Figure below). It defines 10 processes (requirements management, project planning, project tracking and oversight, development, documentation, testing, configuration management, subcontractors management, quality management, and experience capitalization process), each decomposed into a number of practices (from 3 to 12). It is also supported by success factors. The OWPL processes are issued from SPICE and CMM ones by assemblage and simplification. Each of the above processes is assigned a general goal in accordance with the organization's defined objectives. It involves a number of practices and is supported by a number of success factors. Each practice is defined by its goal, its inputs and outputs, the resources assigned to support it and its weight. This last attribute is an indicator of the importance of the practice for the whole process improvement.

Success factors are general requirements related to the environment of the process. Those factors determine the processes effective success. They correspond in fact to CMM Common Features, or to SPICE Attributes and include organizational, management, technical and human resources factors.

Questionnaires, Tools & Templates

The OWPL Model is supported by a complete suite including: questionnaires, tool and template to perform an assessment of processes, practices and success factors.

The entire assessment suite is available at an affordable price.

Download OWPL Model

Download a copy of the OWPL Model

Micro Assessment

Simon ALEXANDRE — 2006-03-07T08:59:13Z

Most of the big companies are now aware of quality matters and invest time and money in improving their products and services. Some of them have created their own reference models but most are using standard models developed by international organizations. The models that are now available can be applied to almost any field of industry: there are software improvement models for every particular life cycle or type of product. The most well-known and widespread software quality standards are CMM (Software Engineering Institute, Carnegie Mellon University) and SPICE (ISO/IEC 15504).

What about Small Structures?

However, those available models are rather unusable for very small businesses as they are much too complicated and too expensive to implement. Therefore, taking previous experience with small companies into account, we have decided to look for a solution to that problem and have implemented a software improvement approach that can be used by very small development structures (from 1 to 50 people in charge of software development).

At the first stage, a very simplified questionnaire called the Micro-Assessment is used to collect information about the current software practices in small structures and to make people sensitive to the importance of software quality aspects. This questionnaire covers six key axes selected as the most pertinent and the most prior to the targeted organizations on basis of former experience with SME evaluation. These axes are Quality assurance, Customers management, Subcontractors management, development & Project management, Product management, and Training and Human Resources management. The Micro-Assessment concerns one person in the evaluated organization. This person must either have sufficient knowledge of software quality matters or already be in charge of software quality.

This very light assessment can be repeated on a regular basis (every 6/8 month) and clearly underline the improvement or status quo among key axes.

Micro-Assessment in practice

Interest : you want to quickly analyse the current status of software practices in your organization? You want to identify your strengths and weaknesses? You want to improve your software practices with a quick ROI?

Goals : Global assessment of software practices in terms of :

- Quality assurance

- Customers management

- Subcontractors management

- Development & Project management

- Product management

- Training and Human Resources management

Results obtained from the Micro-Assessment :

Results highlight current strengths and weaknesses and identify practical improvement solutions.
The Micro-Assessment can also be used to analyze some practices in much more details.

Practical Information :

Phone Call <= 1 hour List of open questions covering the six key axes

Results analysis Results are analysed by CETIC Software Quality Team by using a rigourous analysis matrix.

Report - 15-20 pages Summary of each axe ; Strengths/Weaknesses ; Opportunity/Risks; Conclusions

Graphical representation of results 2 graphs (See images below),

Follow-up Micro-Assessment can be reproduced on a regular basis to monitor software practices improvement

Confidentiality : All collected informations are kept confidential. Results are only communicated to the contact person in the company. Publicated statistics by CETIC are completely anonymous.

Our expertise

The software quality team have apply Micro Evaluation in more than 50 companies.

Interested ?

Some questions? Interested by this approach? Please contact us by email or by phone +32(0)71 919 818.

Phone Call <= 1 hour	List of open questions covering the six key axes
Results analysis	Results are analysed by CETIC Software Quality Team by using a rigourous analysis matrix.
Report - 15-20 pages	Summary of each axe ; Strengths/Weaknesses ; Opportunity/Risks; Conclusions
Graphical representation of results	2 graphs (See images below),
Follow-up	Micro-Assessment can be reproduced on a regular basis to monitor software practices improvement