+===================================================+
+=======   Quality Techniques Newsletter     =======+
+=======          February 2002              =======+
+===================================================+

QUALITY TECHNIQUES NEWSLETTER (QTN) is E-mailed monthly to Subscribers worldwide to support the Software Research, Inc. (SR), TestWorks, QualityLabs, and eValid user communities and other interested parties to provide information of general use to the worldwide internet and software quality and testing community.

Permission to copy and/or re-distribute is granted, and secondary circulation is encouraged by recipients of QTN provided that the entire document/file is kept intact and this complete copyright notice appears with it in all copies. Information on how to subscribe or unsubscribe is at the end of this issue.

(c) Copyright 2003 by Software Research, Inc.
========================================================================

Contents of This Issue

   o QWE2002 -- The Reasons Why
   o Testing Your Web Application: A Quick 10-Step Guide, by Krishen Kota
   o Cybercrime Guidelines (Forwarded by Jack Grimes)
   o Special Issue of IBM Systems Journal on Software Testing and Verification
   o eValid 3D SiteMaps
   o Unit Testing by Michael Reidy: A Reader Reaction, by Hans Schaefer
   o Microsoft Haiku (Forwarded by Jack Grimes)
   o Software Pioneers Conference (June 2001)
   o Cybersecurity a Top Priority, by Ariana Eunjung Cha (Forwarded by Jeff Voas)
   o Symposium on Cyber Security and Trustworthy Software
   o ICSE Venue Changed
   o Symmetry (Forwarded by Susan Low)
   o Workshop on Ubiquitous Web Applications
   o SQRL Report Abstracts
   o QTN Article Submittal, Subscription Information

========================================================================

QWE2002 -- The Reasons Why

The times are demanding and budgets are carefully managed. You need all the information you can get on how to make the most of your precious resources. QWE2002 is the place to get your questions answered, learn from your peers and take practical solutions back to the job. No need to reinvent the wheel, because QWE2002 combines hands-on demos from the top Tools and Services Vendors with deep technical education from academics and industry leaders. Take advantage of the Two-Day Expo to do comparative investigation of the latest solutions, in record time, without over-spending your travel budget. It is all there. Having access to the latest information and knowledge will save your company a lot of money on projects in the long run.

GENERAL SESSIONS AND TECHNICAL KEYNOTES

Featured Keynote Speakers are among the top Academic and Industry Experts.

   * Dr. Linda Rosenberg, Chief Scientist for Software Assurance, Office of Systems Safety and Missions Assurance at NASA, GSFC: "Independent Verification and Validation Implementation at NASA"
   * Professor Koenraad Debackere from the KU Leuven: "Organizing for High Tech Innovation"
   * Mr. Bob Bartlett, Chairman of SIM Group: "Power Testing"
   * Mr. Rik Nuytten, Channels Marketing Manager at Cisco Systems, Belgium: "Building the Infrastructure for the Future"
   * Mr. Eric Simmons, Platform Quality Engineer in the Corporate Quality Network Group at Intel Corporation: "From Requirements to Release Criteria"
   * Mr. Rob Sabourin, Amibug, Canada: "Creating Quality Web Systems"

TUTORIALS

Over two intensive, hard-working days, we offer 18 pre-conference Tutorials conducted by the foremost experts in their fields.

CONFERENCE BROCHURE

Download your own copy of the full-color Quality Week Europe 2002 brochure in PDF format from: <http://www.soft.com/QualWeek/QWE2002/brochure.phtml>

REGISTRATION DEALS

You have asked and we are coming through for you. Here is SR Institute's contribution to give more buying power to your Euros and Dollars.

   * Stay at one of the three official Conference Hotels and we'll honor the EARLY BIRD conference fees. The savings in registration fees alone will cover most of the cost of your stay. Simply mark "HOTEL" in the SR Discount Code Box on the registration form.
   * Register two or more team members at one time and take 10% off the total registration fee.
   * If you are already registered at full price, you can still add team members at the group discount and save!
   * If you have four or more team members who wish to attend QWE2002, please contact us about our very, very special big-group discounts.

CONFERENCE HOTELS

The Sheraton Hotel & Towers in Brussels will host both the Conference and Vendor Expo. Blocks of rooms have been reserved at the Sheraton, as well as at two other hotels, Hotel Le Dome and Hotel President Nord.
The two additional hotels are walking distance from The Sheraton. The QWE2002 Conference rates at all three hotels include elaborate buffet breakfast and all taxes. Please contact the Conference hotels directly. Go to: <http://www.soft.com/QualWeek/QWE2002/hotel.phtml> for full details.

========================================================================

Testing Your Web Application
A Quick 10-Step Guide
by Krishen Kota

Interested in a quick checklist for testing a web application? The following 10 steps cover the most critical items that I have found important in making sure a web application is ready to be deployed. Depending on size, complexity, and corporate policies, modify the following steps to meet your specific testing needs.

Step 1 - Objectives

Make sure to establish your testing objectives up front and make sure they are measurable. It will make your life a lot easier by having written objectives that your whole team can understand and rally around. In addition to documenting your objectives, make sure your objectives are prioritized. Ask yourself questions like "What is most important: minimal defects or time-to-market?"

Here are two examples of how to determine priorities:

If you are building a medical web application that will assist in diagnosing illnesses, and someone could potentially die based on how correctly the application functions, you may want to make testing the correctness of the business functionality a higher priority than testing for navigational consistency throughout the application.

If you are testing an application that will be used to solicit external funding, you may want to put testing the aspects of the application that impact the visual appeal as the highest testing priority.

Your web application doesn't have to be perfect; it just needs to meet your intended customer's requirements and expectations.

Step 2 - Process and Reporting

Make sure that everyone on your testing team knows his or her role. Who should report what to whom and when? In other words, define your testing process. Use the following questions to help you get started:

   o How will issues be reported?
   o Who can assign issues?
   o How will issues be categorized?
   o Who needs what report and when do they need it?
   o Are team meetings scheduled in advance or scheduled as needed?

You may define your testing process and reporting requirements formally or informally, depending on your particular needs. The main point to keep in mind is to organize your team in a way that supports your testing objectives and takes into account the individual personalities on your team. One size never fits all when dealing with people.

Step 3 - Tracking Results

Once you start executing your test plans, you will probably generate a large number of bugs, issues, defects, etc. You will want a way to easily store, organize, and distribute this information to the appropriate technical team members. You will also need a way to keep management informed on the status of your testing efforts. If your company already has a system in place to track this type of information, don't try to reinvent the wheel. Take advantage of what's already in place. If your company doesn't already have something in place, spend a little time investigating some of the easy-to-setup online systems such as the one found at <http://www.adminitrack.com>. By using an online system, you can make it much easier on yourself by eliminating the need to install and maintain an off-the-shelf package.

Step 4 - Test Environment

Set up a test environment that is separate from your development and production environment. This includes a separate web server, database server, and application server if applicable. You may or may not be able to utilize existing computers to set up a separate test environment. A separate environment also means separate credentials and test data: a test server that holds production passwords or can reach the production database is, for security purposes, part of production. Create an explicitly defined procedure for moving code to and from your test environment and make sure the procedure is followed.
Also, work with your development team to make sure each new version of source code to be tested is uniquely identified.

Step 5 - Unit Testing

Unit testing is focused on verifying small portions of functionality. For example, an individual unit test case might focus on verifying that the correct data has been saved to the database when the Submit button on a particular page is clicked.

An important subset of unit testing that is often overlooked is range checking. That is, making sure all the fields that collect information from the user can gracefully handle any value that is entered. Most people think of range checking as making sure that a numeric field only accepts numbers. In addition to traditional range checking, make sure you also check for less common, but just as problematic, exceptions. For example, what happens when a user enters his or her last name and the last name contains an apostrophe, such as O'Brien? Different combinations of databases and database drivers handle the apostrophe differently, sometimes with unexpected results. The most serious of those results occurs when the query is built by pasting the value into the SQL text: the apostrophe ends the string literal, so O'Brien produces a syntax error, and a deliberately crafted value rewrites the query (SQL injection). The fix is to pass user input as query parameters rather than to filter apostrophes, and the unit test should include such inputs.

Proper unit testing will help rid your web application of obvious errors that your users should never have to encounter.

Step 6 - Verifying the HTML

Hyper Text Markup Language (HTML) is the computer language sent from your web server to the web browser on your users' computer to display the pages that make up your web application. HTML is theoretically a standard used on the Internet to make it easy for anyone, anywhere to view the information on a website. That may be somewhat true for a static website, but anyone who has been involved in developing a web application knows that HTML is anything but standard.

Verifying HTML is simple in concept but can be very time consuming in practice. There are many online and downloadable applications to help in this area such as Website Garage <http://websitegarage.netscape.com>.

There are two main aspects of verifying the validity of your HTML. First you want to make sure that your syntax is correct, all your opening and closing tags match, etc. Secondly, you want to verify how your pages look in different browsers, at different screen resolutions, and on different operating systems.

Create a profile of your target audience and make some decisions on what browsers you will support, on which operating systems, and at what screen resolutions. In general, the later versions of Microsoft Internet Explorer, version 5.5 and above, are very forgiving. If your development team has only been using Internet Explorer 5.5 on high-resolution monitors, you may be unpleasantly surprised when you see your web application on a typical user's computer. The sooner you start verifying your HTML, the better off your web application will be.

Step 7 - Usability Testing

In usability testing, you'll be looking at aspects of your web application that affect the user's experience, such as:

   o How easy is it to navigate through your web application?
   o Is it obvious to the user which actions are available to him or her?
   o Is the look-and-feel of your web application consistent from page to page, including font sizes and colors?

The book, "Don't Make Me Think! A Common Sense Approach to Web Usability" by Steve Krug and Roger Black, provides a practical approach to the topic of usability. I refer to it often, and recommend it highly.

In addition to the traditional navigation and look-and-feel issues, Section 508 compliance is another area of importance. The 1998 Amendment to Section 508 of the Rehabilitation Act spells out accessibility requirements for individuals with certain disabilities. For instance, if a user forgets to fill in a required field, you might think it is a good idea to present the user with a friendly error message and change the color of the field label to red or some other conspicuous color. However, changing the color of the field label would not really help a user who has difficulty deciphering colors.
The use of color may help most users, but you would want to use an additional visual clue, such as placing an asterisk beside the field in question or additionally making the text bold. For more details, refer to <http://www.section508.gov>. Another great resource that can help analyze your HTML pages for Section 508 compliance can be found at <http://www.cast.org/bobby/>. If you are working with the United States federal government, Section 508 compliance is not only good design, it most likely is a legal requirement.

Step 8 - Load Testing

In performing load testing, you want to simulate how users will use your web application in the real world. The earlier you perform load testing the better. Simple design changes can often make a significant impact on the performance and scalability of your web application. A good overview of how to perform load testing can be found on Microsoft's Developer Network (MSDN) website at: <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnserv/html/server092799.asp>

A topic closely related to load testing is performance tuning. Performance tuning should be tightly integrated with the design of your application. If you are using Microsoft technology, the following article is a great resource for understanding the specifics of tuning a web application: <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnserv/html/server03272000.asp>

People hate to wait for a web page to load. As a general rule, try to make sure that all of your pages load in 15 seconds or less. This rule will of course depend on your particular application and the expectations of the people using it.

Step 9 - User Acceptance Testing

By performing user acceptance testing, you are making sure your web application fits the use for which it was intended. Simply stated, you are making sure your web application makes things easier for the user and not harder.

One effective way to handle user acceptance testing is by setting up a beta test for your web application. One article to help you get started planning an effective beta test is "Supercharged Beta Test" by Joshua Grossnickle and Oliver Raskin, May 14, 2001, which can be found at: <http://hotwired.lycos.com/webmonkey/01/20/index1a.html?tw=design>. This article points out the critical aspects of setting up a beta test including how to identify beta testers and how to obtain their feedback. The main point to remember in user acceptance testing is to listen to what the people using your web application are saying. Their feedback will be critical to the ultimate success of your web application.

Step 10 - Testing Security

With the large number of highly skilled hackers in the world, security should be a huge concern for anyone building a web application. You need to test how secure your web application is from both external and internal threats. The security of your web application should be planned for and verified by qualified security specialists. Security testing covers more than rerunning the functional test cases: it includes how the application handles hostile input (the apostrophe case in Step 5 is the classic example), how it authenticates users and protects their sessions, and how the servers it runs on are configured.

If you think security is a subject that is over-hyped, check out Steve Gibson's account of how a 13 year old hacker took his company's website down for an extended period of time at will. You can find this eye-opening denial-of-service case study at: <http://grc.com/dos/grcdos.htm>

Some additional online resources to help you stay up to date on the latest Internet security issues include:

   CERT Coordination Center <http://www.cert.org/>
   Computer Security Resource Center <http://csrc.nist.gov/>

After performing your initial security testing, make sure to also perform ongoing security audits to ensure your web application remains secure over time as people and technology change.

Testing a web application can be a totally overwhelming task. The best advice I can give you is to keep prioritizing and focusing on the most important aspects of your application and don't forget to solicit help from your fellow team members.
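The apostrophe case of Step 5 and the security testing of Step 10 meet in a single test. What follows is an added example, not part of Krishen Kota's article: it implements one lookup two ways, by pasting the value into the SQL text and by passing it as a query parameter, and runs both over a constructed set of range-checking inputs that includes O'Brien and a value crafted to rewrite the query. The customers table, its three rows, the input list and the function names are assumptions made for the example; it uses Python's built-in sqlite3 module with an in-memory database so it runs offline.

```python
import sqlite3

# Constructed sample schema and rows (assumptions for this example, not from the article).
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL);
INSERT INTO customers (last_name) VALUES ('Smith'), ('O''Brien'), ('Nguyen');
"""

# Inputs a range-checking unit test should feed to every free-text field:
# an ordinary value, the apostrophe case from Step 5, an empty string,
# an oversized string, non-ASCII text, and one crafted to rewrite the query.
RANGE_CHECK_INPUTS = [
    "Smith",
    "O'Brien",
    "",
    "x" * 10_000,
    "Ünïcödé",
    "' OR '1'='1",
]


def open_db():
    """Create the in-memory test database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_by_last_name_unsafe(conn, last_name):
    """Builds the query by pasting the value into the SQL text. The apostrophe
    in O'Brien ends the string literal, so the statement no longer parses, and a
    value such as ' OR '1'='1 becomes part of the WHERE clause (SQL injection)."""
    sql = "SELECT id, last_name FROM customers WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def find_by_last_name_safe(conn, last_name):
    """Parameterized query: the value travels separately from the SQL text, so
    the database never parses it as SQL, whatever characters it contains."""
    sql = "SELECT id, last_name FROM customers WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def probe(lookup, conn):
    """Run every range-check input through one lookup function.
    Returns {input: row count} or {input: 'error:<exception class>'}."""
    outcomes = {}
    for value in RANGE_CHECK_INPUTS:
        try:
            outcomes[value] = len(lookup(conn, value))
        except sqlite3.Error as exc:
            outcomes[value] = "error:" + type(exc).__name__
    return outcomes


def compare():
    """Probe both lookups against the same database; returns (unsafe, safe)."""
    conn = open_db()
    try:
        return probe(find_by_last_name_unsafe, conn), probe(find_by_last_name_safe, conn)
    finally:
        conn.close()


if __name__ == "__main__":
    unsafe, safe = compare()
    for value in RANGE_CHECK_INPUTS:
        label = repr(value) if len(value) <= 20 else repr(value[:8]) + f"... ({len(value)} chars)"
        print(f"{label:32} concatenated={str(unsafe[value]):24} parameterized={safe[value]}")
```

Running the block prints one line per input. The concatenated version fails on O'Brien with a syntax error and returns every row for the crafted value; that is the "unexpected result" a unit test should catch, and the second outcome is a security defect rather than a cosmetic one. The parameterized version returns exactly the matching row in every case. The same input list belongs in the Step 10 security test, applied to every field whose value reaches a query.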
By following the steps above coupled with your own expertise and knowledge, you will have a web application you can be proud of and that your users will love. You will also be giving your company the opportunity to deploy a web application that could become a runaway success and possibly make tons of money, save millions of lives, or slash customer support costs in half. Even better, because of your awesome web application, you may get profiled on CNN, which causes the killer job offers to start flooding in.

Proper testing is an integral part of creating a positive user experience, which can translate into the ultimate success of your web application. Even if your web application doesn't get featured on CNN, CNBC, or Fox News, you can take great satisfaction in knowing how you and your team's diligent testing efforts made all the difference in your successful deployment.

(c) Copyright 2001 Krishen Kota. All Rights Reserved.

About the Author: Krishen Kota is a 10-year veteran of the information technology consulting industry and is President of AdminiTrack, Inc. <http://www.adminitrack.com>, which provides a web-based issue and defect tracking application designed specifically for professional software development teams. Krishen can be contacted via email at.

========================================================================

Cybercrime Guidelines
Forwarded by: Jack Grimes

Working with industry and law enforcement professionals, CIO Magazine recently published guidelines on responding to and reporting threats or attacks on information systems or data. The guidelines emphasize the importance of reporting incidents in order to identify and prosecute criminals, identify new cyber security threats, and to prevent successful attacks on critical infrastructure and economic systems. The guidelines are intended to facilitate effective law enforcement responses to attacks on private sector computers.
The guidelines note that because of the sensitive nature of information security threats, information security officers ("ISOs") are often reluctant to share information with law enforcement or other industry groups. The guidelines recognize this concern, but encourage ISOs to better understand how law enforcement and other government agencies handle a cyber threat report with regard to the impact of an investigation on their business and how law enforcement handles sensitive information. The guidelines outline (i) what elements to include in an information system security plan, (ii) what types of incidents to report, and (iii) when and how to report an incident. To assist in this process, the guidelines include a list of law enforcement contact officials and agencies, including FBI and Secret Service field offices, and include a form to use to report cyber threats. The guidelines are available at <http://www.cio.com/research/security/>.

If you have any questions with regard to information security issues, please do not hesitate to contact us at 202-639-7200 or .

Thomas P. Vartanian
David L. Ansell
Robert H. Ledig
Washington, D.C.

========================================================================

Special Issue: Software Testing and Verification
IBM Systems Journal, Vol. 41, No.1, 2002 (IBM Order No. G321-0144)
<http://www.research.ibm.com/journal/sj41-1.html>

Editor's Note: The IBM Systems Journal is a very highly respected technical journal that has always reflected the best of IBM's thinking. This special issue on Software Testing and Verification has powerful papers, to be sure, but is important in its own right for the fact that IBM has placed so much emphasis on the topic. -EFM

Issue Contents:

Message from the Corporate Director, IBM Software Test, Bill Woodworth.

Issue Preface, by John J. Ritsko and Marilyn L. Bate.

"Software debugging, testing, and verification," by B. Hailpern and P. Santhanam.

"Metrics to evaluate vendor-developed software based on test case execution results," by K. Bassin, S. Biyani, and P. Santhanam.

"Improving software testing via ODC: Three case studies," by M. Butcher, H. Munro, and T. Kratschmer.

"A metric for predicting the performance of an application under a growing workload," by E. J. Weyuker and A. Avritzer.

"Testing z/OS: The premier operating system for IBM's zSeries server," by S. Loveland, G. Miller, R. Prewitt, and M. Shannon.

"The STCL test tools architecture," by C. Williams, H. Sluiman, D. Pitcher, M. Slavescu, J. Spratley, M. Brodhun, J. McLean, C. Rankin, and K. Rosengren.

"Using a model-based test generator to test for standard conformance," by E. Farchi, A. Hartman, and S. S. Pinter.

"Multithreaded Java program test generation," by O. Edelstein, E. Farchi, Y. Nir, G. Ratsaby, and S. Ur.

"The Software Testing Automation Framework," by C. Rankin.

"FLAVERS: A finite state verification technique for software systems," by J. M. Cobleigh, L. A. Clarke, and L. J. Osterweil.

========================================================================

eValid 3D-SiteMaps

Did you ever look at a WebSite and wonder how it is really structured? Do you wish you could see how individual URLs in your WebSite depend on one another? Did you know that you can draw inferences about WebSite behavior and effectiveness by studying how the WebSite pages interact?

Now there's a way to do this, and more! eValid's new 3D-SiteMap charts show the dependence information in a WebSite in a new and highly effective way. The 3D-SiteMap display is generated automatically from eValid Site Analysis data. Each 3D-SiteMap chart shows a collection of URLs and their interdependencies in a 3-dimensional display that can be rotated on two axes (in 3D!), zoomed in and out, and scaled up and scaled down -- all under the mouse control.
Live examples of eValid 3D-SiteMaps are given at: <http://www.soft.com/eValid/Promotion/3DSiteMaps/examples.html>

Important Note: The three pre-programmed examples total about 600 KBytes so please be patient when downloading the example file. The pictures are worth the short wait!

Examples of good and bad WebSite design -- as reflected from the 3D-SiteMaps -- are given at: <http://www.soft.com/eValid/Promotion/3DSiteMaps/good.bad.html>

Please contact us at if you would like to qualify for a FREE evaluation copy of eValid Ver. 3.2 that includes this unique and powerful 3D-SiteMap visualization feature.

========================================================================

Unit Testing by Michael Reidy: A Reader's Reaction

Mr. Reidy is right: Unit testing is necessary for producing reliable systems. However, I am not sure if his approach will always work and be effective.

My experience is that you have to enable developers (designers and coders) to develop their unit tests. These tests should be developed BEFORE coding. A good format is using an Excel spreadsheet. XP, among others, requires that.

The unit test should then be automated. This can be done by using test harness tools. (I have no experience with Software Research's tools, but Parasoft, IPL, ATTOL testware and Testwell Oy are suppliers of such tools.) Automation is done by analyzing the completed code (which should have been reviewed and checked before, see later) and generating the necessary stubs and drivers as well as data templates. The spreadsheet data can either be read directly, or be converted. Modern tools allow regenerating drivers and stubs dynamically whenever the code changes. This test should then be collected in the project library and rerun automatically every time the code is changed. This works in organizations where reliability is necessary.

What else? There are reviews, and static analysis. Reviewing stuff that is important is a common best software practice.
Reviews of detailed design and code should be held during the work and after completion. XP gives a good method, using pair programming for continuous reviewing. You may use that without all the other XP techniques. Otherwise you may assign two people for any unit, and require person number 2 to be ready for review immediately (in exchange for someone else being ready to review HER code).

Static analysis is done by tools. Such tools exist widespread but are nearly never used. The number of warnings generated is too large, or it is too boring to review them. However, such tools can be tailored, parameters can be set, and developers may change their code standards over time to prevent dangerous coding practices. This all will reduce the number of false alarms in static analysis.

OK, these are my two cents of input.

Hans Schaefer
Software Test Consulting
Reigstad, 5281 Valestrandsfossen, NORWAY
<http://home.c2i.net/schaefer/>

========================================================================

Microsoft Haiku (Forwarded by Jack Grimes)

In Japan, they have replaced the impersonal and unhelpful Microsoft error messages with haiku poetry, each with only 17 syllables: five in the first line, seven in the second, five in the third. Of course, it is still Microsoft products you're reading about. But aren't these more peaceful?

   Yesterday it worked.
   Today it is not working.
   Windows is like that.

   Your file was so big.
   It might be very useful.
   But now it is gone.

   The website you seek
   Cannot be located, but
   Countless more exist.

   Chaos reigns within.
   Reflect, repent and reboot.
   Order shall return.

   Aborted effort.
   Close all that you have worked on.
   You ask far too much.

   Windows NT crashed.
   I am the Blue Screen of Death.
   No one hears your screams.

   Stay the patient course.
   Of little worth is your ire.
   The network is down.

   A crash reduces
   Your expensive computer
   To a simple stone.

   You step in the stream,
   But the water has moved on.
   This page is not here.

   Out of memory.
   We wish to hold the whole sky,
   But we never will.

   Having been erased,
   The document you're seeking
   Must now be retyped.

========================================================================

Software Pioneers Conference (June 2001)

If you, just like me, are constantly looking for a better way to understand the rationale and historical background of past major software development concepts, tools, and methodologies (for example, Structured Programming, Graphical User Interface, PASCAL, Entity-Relationship Modeling, Algebraic Specifications of Abstract Data Types, etc.), now there is a good source of information for you to consider (and it is FREE, for the moment). Nothing is better than the explanation of the historical background and motivations for developing those major software concepts by the persons who invented the concepts themselves.

The "Software Pioneers Conference" which was held in Bonn, Germany, on June 28-29, 2001, featured some of the top pioneers in the area of Software and Information Systems and was attended by over 1000 software professionals. The presentations by the software pioneers provide rich reading material for those teaching Computer Software-related courses (including Software Engineering, Software Design, Databases, Systems Analysis & Design, Programming Languages, Data Structures, Operating Systems, Algorithms, Computation Theory, etc.). The presentations (video and PDF files) are now available at <http://www.sdm.de/conf2001/index_e.htm>.

The following speakers, who have made truly outstanding contributions to this field, spoke at the conference (in alphabetical order):

   o Friedrich L. Bauer, From the Stack Principle to ALGOL
   o Rudolf Bayer, B-tree and Relational DBMS (in place of E. F. Codd)
   o Barry Boehm, Software Economics
   o Fred Brooks, OS/360
   o Peter Chen, Entity-Relationship Modeling, DB, Computer-Aided Software Eng.
(CASE)
   o Ole-Johan Dahl, The Root of Object-Oriented Programming: Simula 67
   o Tom DeMarco, Structured Analysis
   o Edsger W. Dijkstra, From "Goto considered harmful" to Structured Programming
   o Michael Fagan, Inspections
   o Erich Gamma, Design Patterns
   o John Guttag, Algebraic Specifications of Abstract Data Types
   o C.A.R. Hoare, Software Fundamentals: Assertions and Program Verification
   o Michael Jackson, Data Structures & Algorithms
   o Alan Kay, Graphical User Interfaces: Mice and Windows
   o David L. Parnas, Decomposing Systems into Modules
   o Niklaus Wirth, Teaching Programming Principles: PASCAL

Raj Sharman, Ph. D.
JF Seinsheimer Jr Research Faculty
A. B. Freeman School of Business, Information Systems Group, Tulane University, New Orleans

========================================================================

Cybersecurity a Top Priority
by Ariana Eunjung Cha (Forwarded by Jeff Voas)

The unusual announcements from three of the technology industry's most powerful men came just weeks apart. Microsoft Corp. Chairman Bill Gates declared that making his company's software less vulnerable to security breaches would take precedence over adding new features. Oracle Corp.'s Larry Ellison pledged to make his company's database programs "unbreakable." Cisco Systems Inc.'s John Chambers told clients at a private conference that he no longer regarded security enhancements on equipment that directs traffic across the Internet as extras but as necessities.

The timing of the announcements was no coincidence. Directly or indirectly, the statements were influenced by an aggressive public awareness campaign orchestrated by Richard A. Clarke, who in October took on the new job of White House cyberspace security adviser. In private meetings with chief executives and in speeches at conferences, Clarke has pushed companies to commit themselves to protecting the online world from attacks by terrorists and other nefarious parties.

"There is . . . a growing consensus in government and industry that we can no longer continue praising the emperor's new clothes," Clarke said in an interview this week.
"There is a willingness to admit that there are vulnerabilities and it is not inconceivable that they will be used against us in a way that could be very damaging to the economy."

Clarke's push is part of a government-wide effort to improve cybersecurity and to better coordinate the efforts of bureaucracies and corporations. Just yesterday, the House passed a bill that would allocate $880 million over five years to computer-security research. And a coalition of companies in partnership with the federal government announced a National Cybersecurity Campaign to teach home and small-business computer users how to safeguard their machines.

Over the past few months Clarke has drawn up his own ambitious agenda, which includes:

   * Creating an Underwriters Laboratory-type place to test software security.
   * Establishing a priority cell-phone system for law enforcement and medical personnel.
   * Creating a "reverse 911," or multimedia emergency broadcasting service, to send alerts to people in specific areas on land lines, cell phones or computers.
   * Establishing ties with cybersecurity experts in other countries to coordinate investigations.
   * Setting up a government-run Internet called GovNet.

Clarke successfully lobbied for an increase from $2.7 billion in fiscal year 2002 to $4 billion in 2003 for government-computer security. His office has created task forces of major Internet service providers, router manufacturers and security experts in and out of government to develop a plan to protect the basic infrastructure of the Internet. Their proposals are due in April.

Clarke is still assembling a staff. He has filled only half of the 16 jobs. The staff so far is a mix of national security officials, businessmen and technical geeks. Howard Schmidt, the former head of computer security for Microsoft, started in late January as Clarke's deputy. Roger Cressey, a career public servant who has worked on anti-terrorism efforts in Israel, Somalia and the Balkans, is the chief of staff. Also in the office are Paul Kurtz, a longtime National Security Council staffer specializing in international relations; Steve Poizner, a former Silicon Valley entrepreneur; and Marcus Sachs, a retired army officer who is better known for being part of an elite group of hackers that helped the government neutralize the "Code Red" and "Nimda" worms.

Clarke is emphasizing that government agencies and other interests talk and share information. "I see that office as having its greatest effect by bringing together resources that already exist and making them go in the same direction," said Allen Paller, director of research for the SANS Institute, a computer-security think tank in Bethesda.

The various government agencies in charge of cybersecurity will come together under one roof this month at the old Y2K initiative headquarters at 18th and G Street. The Commerce Department's Critical Infrastructure Assurance Office and the FBI's National Infrastructure Protection Center outreach operations -- two groups known for past turf battles -- will join Clarke's staff.

There has already been some awkwardness. While Tom Ridge's Office of Homeland Security has taken the lead in issuing alerts about physical threats, it has always been the FBI's job to let the public know about viruses, worms, hacks and other things that threaten the online world. And the mission of Clarke's office overlaps greatly with the Commerce Department's critical infrastructure unit. The groups have temporarily resolved the issues by making sure that Clarke's office is informed when the FBI issues alerts and by appointing John Tritak, director of the Commerce Department unit, as a high-ranking member of the critical infrastructure protection board that Clarke oversees.

Clarke spent much of his first 100 days in office making the rounds of technology companies.
Many corporate executives expected feel-good pep talks about how government and industry could work hand-in-hand to prevent cyber attacks. Instead, Clarke and his staff brought binders full of research papers raising questions about security vulnerabilities. They were not above coaxing or bullying the business officials with threats of regulation and appeals to patriotism.

"No vendor wants to appear like they are not being patriotic or responsive to real concerns about security breaches or flaws now and I think Mr. Clarke is very effective at using that to push them to make changes," said Catherine A. Allen, the chief executive of the technology group for the Financial Services Roundtable, which represents the chief executives of some of the nation's largest companies.

Microsoft spokesman Jim Dessler said while the company chose on its own to redirect its software development efforts, "it came in the backdrop of an increased emphasis in security that has been put forward by those in government such as Clarke."

Mary Ann Davidson, chief security officer at Oracle, said that since Sept. 11 federal officials have made many people realize that perhaps "the most frightening type of attack is one that's launched in cyberspace to bring down our critical infrastructures."

"To get these companies to put their money where their mouths have been for years, that is a major victory for his office," said Gilman Louie, who heads In-Q-Tel, the high-tech venture fund financed by the Central Intelligence Agency.

But even as they praise his aggressiveness, some question Clarke's priorities. His proposal to create GovNet has been criticized by many experts as impractical and costly. His partnership approach to get industry to do things voluntarily has clashed with the opinions of groups such as the National Academy of Sciences, which recently put out a report that said new liability laws are the answer.
Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, said Clarke should spend more of his energy on getting federal computer systems up to par. "They are starting in the wrong place," Spafford said. "If I were out in industry I would find it unpersuasive to be told that I have to spend a lot of money on new security without some indication that government has done it first."

Forwarded by Jeffrey Voas, Co-founder and Chief Scientist, Cigital.

========================================================================

Symposium on Cyber Security and Trustworthy Software

Friday, March 15, 2002
Stevens Institute of Technology
Hoboken, New Jersey, USA

This symposium brings together researchers and practitioners, in government, academia and industry, to discuss problems and possible solutions in cyber security, both for e-commerce and for homeland security. A particular emphasis of the symposium is to bring together those interested in communications security and in end-to-end security.

Further information is available at the web site:
<http://guinness.cs.stevens-tech.edu/~dduggan/Public/NJITES/symposium.html>

Here is the lineup:

* AM Keynote: "The Case for Language-Based Security," by Fred Schneider, Cornell University.
* "Decentralized Mechanism for Distributed Access Control," by Naftaly Minsky, Rutgers University.
* "Java, Access Control and Static Analysis," by David Naumann, Stevens Institute of Technology.
* "Security Protocols for Wireless Computing," by Susanne Wetzel, Stevens Institute of Technology.
* PM Keynote: "Network Security," by Steve Bellovin, AT&T Laboratories.
* "Fault Tolerance, Security and Programming Languages," by Dominic Duggan, Stevens Institute of Technology.
* "Formal Analysis of Security Protocols in a Concurrent Logical Framework," by David Walker, Princeton University.
* "Intrusion Detection in Wireless Networks," by Constantine Manikopoulos, New Jersey Institute of Technology.

========================================================================

ICSE Venue Changed

With regret, the ICSE 2002 organizers, in consultation with the ICSE steering committee, have decided to move ICSE 2002 from the originally planned Buenos Aires, Argentina venue to Orlando, Florida, USA. The conference dates, May 19-25, 2002, remain the same.

You are no doubt aware of the recent events in Argentina. We believe that any risk to ICSE attendees as a result of these events is much less than the impression given by news reports and that most likely, the situation will stabilize by May. In addition, we acknowledge that no location is entirely without risk, as we were sadly reminded in September. However, many participants in ICSE must make travel arrangements far in advance of the conference and we must consider perceptions as well as actual risks. After polling as many as possible of those involved and the full ICSE steering committee, we have concluded that many ICSE attendees do not feel sufficiently confident to commit to traveling to Buenos Aires at this time.

We all looked forward to ICSE in Buenos Aires. The exceptional group of local organizers meant we were certain of a successful conference. We deeply regret the need to relocate ICSE 2002. We look forward to future conference opportunities in Buenos Aires, which despite temporary setbacks remains a wonderful place to visit and the home of a considerable amount of world-class software research.

Given adequate time, we would have preferred to move to another location in South America. The extremely short lead time and the difficulty of making arrangements for a major conference such as ICSE dictated relocation to Orlando, Florida, USA. We are fortunate to have obtained excellent conference facilities at the Marriott hotel, with favorable room rates and without a change to the conference dates.
Although Buenos Aires would have been preferable, we have every reason to believe that ICSE 2002 in Orlando with its excellent technical program will be a rewarding experience for attendees. We look forward to seeing you there.

For additional information visit: <http://www.icse-conferences.org/2002/>

The ICSE 2002 Executive Committee:
Will Tracz, General Chair
Jeff Magee, Program Co-Chair
Michal Young, Program Co-Chair

========================================================================

Symmetry

Interesting little tidbit - doesn't really have any meaning, but may be of interest.

As the clock ticks over from 8:01PM on Wednesday, February 20th, 2002, time will (for sixty seconds only) read in perfect symmetry. To be more precise: 20:02, 20/02, 2002.

It is an event which has only ever happened once before, and is something which will never be repeated. The last occasion that time read in such a symmetrical pattern was long before the days of the digital watch (or the 24-hour clock): 10:01AM, on January 10, 1001. And because the clock only goes up to 23.59, it is something that will never happen again.

Forwarded to QTN by Susan Low.

========================================================================

Workshop on Ubiquitous Web Applications

Keynote Address by Roy Fielding
<http://www.uwaproject.org/workshop>

July 1-2, 2002
Siemens Forum Vienna
Vienna, Austria

In the near future, an increasing number of Web applications will become "ubiquitous" i.e., delivered to a variety of devices and communication channels, and will often be targeted to inexpert users. Their quality - in terms of customised behaviour and effectiveness of their development/maintenance lifecycle - may be threatened by the current inability to properly design them. The UWA project aims at defining a set of methodologies, notations, and tools to tackle the main foreseen problems in the design of such applications.
These include the definition of proper concepts and languages for describing their behaviour, the ability of tracking correlations among their different components, and the capability of correlating their requirements to design and implementation. In order to address the need for standards in design and documents notation, the project defined suitable extensions to the Unified Modeling Language (UML).

The workshop hosts presentations and tutorials about requirements elicitation, design, and customisation of ubiquitous Web applications. The presentations are targeted at technology and product managers, designers and developers, from both academia and industry. The workshop is also supported by leading personalities from the industrial and research communities, who will be presenting the state of the art in the fields of context awareness (Tom Gross, Fraunhofer Institute, Germany), e-Services (Fabio Casati, Hewlett-Packard Labs, Palo Alto, USA), and the future of the Web (Roy Fielding, Chairman of the Apache Software Foundation, USA).

Key topics addressed by this workshop are:

* Design of Web-based applications
* Context awareness
* Design methods
* Ubiquity and multi-channel delivery
* Requirements for ubiquitous Web-based applications
* Customisation
* e-Services

Contact:
Andrea Savigni, Ph.D.
Research Fellow, Department of Computer Science
University College London, UK
<http://www.cs.ucl.ac.uk/staff/A.Savigni/>

========================================================================

SQRL Report Abstracts

The web address for downloading reports is:
<http://www.cas.mcmaster.ca/SERG/serg.publications.html>

SQRL Report No. 2: Hierarchical Interface-based Supervisory Control: AIP Example for Parallel Case
By: R.J. Leduc, M. Lawford, and W.M. Wonham

In this report we present a large manufacturing example (7.01 x 10^21 states) that uses the Hierarchical Interface-based Supervisory Control method.
We discuss the application of our method to the Atelier Inter-etablissement de Productique (AIP), a highly automated manufacturing system. We describe the system, and our supervisor design, closing by discussing the results of successfully applying our method to show that the system is nonblocking and that our supervisors are controllable. This example demonstrates that our method can be applied to interesting systems of realistic complexity that were previously far beyond our means.

SQRL Report No. 3: Model of Concurrency in Object-Oriented Databases
By: Daniela Rosu

The most commonly used model for concurrency control in traditional database systems represents transactions as streams of partially ordered operations that are scheduled for execution by a central or distributed transaction manager. The various scheduling strategies are proved correct by using the serializability theory. This theory, in its classical form, operates successfully on systems with flat (non-nested) transactions but is unable to represent conveniently complex (nested) computations, inherent to the object-oriented paradigm.

This report presents a more general model for transaction management which permits nested computations and a technique for proving the correctness of the schedules designed by the concurrency control mechanism. All objects in the database are assumed to have their own concurrency control mechanisms that schedule the operations local to the objects according to the order devised by the central transaction manager. The classical serializability theory is extended with an abstract model for computations allowing for arbitrary operations and nondeterministic programs.

========================================================================
------------>>> QTN ARTICLE SUBMITTAL POLICY <<<------------
========================================================================

QTN is E-mailed around the middle of each month to over 9000 subscribers worldwide.
To have your event listed in an upcoming issue E-mail a complete description and full details of your Call for Papers or Call for Participation to .

QTN's submittal policy is:

o Submission deadlines indicated in "Calls for Papers" should provide at least a 1-month lead time from the QTN issue date. For example, submission deadlines for "Calls for Papers" in the March issue of QTN On-Line should be for April and beyond.

o Length of submitted non-calendar items should not exceed 350 lines (about four pages). Longer articles are OK but may be serialized.

o Length of submitted calendar items should not exceed 60 lines.

o Publication of submitted items is determined by Software Research, Inc., and may be edited for style and content as necessary.

DISCLAIMER: Articles and items appearing in QTN represent the opinions of their authors or submitters; QTN disclaims any responsibility for their content.

TRADEMARKS: eValid, STW, TestWorks, CAPBAK, SMARTS, EXDIFF, STW/Regression, STW/Coverage, STW/Advisor, TCAT, and the SR logo are trademarks or registered trademarks of Software Research, Inc. All other systems are either trademarks or registered trademarks of their respective companies.

========================================================================
-------->>> QTN SUBSCRIPTION INFORMATION <<<--------
========================================================================

To SUBSCRIBE to QTN, to UNSUBSCRIBE a current subscription, to CHANGE an address (an UNSUBSCRIBE and a SUBSCRIBE combined) please use the convenient Subscribe/Unsubscribe facility at: <http://www.soft.com/News/QTN-Online/subscribe.html>.

As a backup you may send Email direct to as follows:

TO SUBSCRIBE: Include this phrase in the body of your message: subscribe

TO UNSUBSCRIBE: Include this phrase in the body of your message: unsubscribe

Please, when using either method to subscribe or unsubscribe, type the exactly and completely.
Requests to unsubscribe that do not match an email address on the subscriber list are ignored.

QUALITY TECHNIQUES NEWSLETTER
Software Research, Inc.
1663 Mission Street, Suite 400
San Francisco, CA 94103 USA

Phone: +1 (415) 861-2800
Toll Free: +1 (800) 942-SOFT (USA Only)
Fax: +1 (415) 861-9801
Email: qtn@sr-corp.com
Web: <http://www.soft.com/News/QTN-Online>