1. Requirements Evolution Drives Software Evolution
Neil Ernst, Alexander Borgida, John Mylopoulos
nernst@cs.ubc.ca - borgida@cs.rutgers.edu - jm@disi.unitn.it
2. The Position
• If we don't know what, or more importantly, why we are doing something, "how" we do it is inconsequential.
• Changing requirements are costly and a major source of software errors.
• Requirements drift from implementation.
• Lack of tool support for requirements evolution.
• Requirements are ultimately about business value.
3. Outline
• Other positions and examples
• What is a requirement? What is software evolution?
• How can we use requirements in SW Evol?
• One approach to the problem
• Discussion questions
4. Other researchers agree
• A challenge for software migration is “How to ensure that the resulting system has the desired quality and functionality?” [1]
• How to accommodate “. . . evolution of higher-level artifacts such as analysis and design models, software architectures, requirement specifications, and so on.” [2]
• Agreement on importance of requirements re-use and requirements integration
[1] T. Mens. Future Research Challenges in Software Evolution. Presentation to ERCIM Working Group on Software Evolution, Brussels, 2009.
[2] Mens et al. Challenges in Software Evolution, IWPSE/EVOL 2005.
5. Some examples
• Recent study on million € government IT project [1]
• 16 months, 4222 person-days of work, 282 changes (50% of effort)
• 24% of changes at requirements phase
• Most expensive changes originate with organization and strategic concerns
• Changes in solution domain very low value
[1] S. McGee and D. Greer, “Software Requirements Change Taxonomy: Evaluation by Case Study,” ICRE, August 2011.
6. PCI Data Security Standard (PCI-DSS)
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
8. Requirements problems: Goals, tasks, and assumptions
• Requirements describe stakeholder desires for the new system (e.g., “protect cardholder data”).
• These desired states we call goals.
• Goals are iteratively refined until operationalized by an implementation task.
• A goal model defines a space of alternative designs for satisfying goals, constrained by domain assumptions.
The requirements problem: given a set of goals, which tasks and assumptions satisfy those goals? [1]
[1] P. Zave and M. Jackson, “Four Dark Corners of Requirements Engineering,” TOSEM, vol. 6, pp. 1-30, 1997.
9. PCI-DSS model
[Figure: goal model for the PCI-DSS example. Nodes: Increase revenues; Accept payment; Avoid financial losses and penalties; Accept cash; Accept credit card; Use Verifone POS; Use Moneris POS; Be PCI compliant; Buy strongbox; Implement only one primary function per server; No money for new servers; Virtualize server instances; Use multiple servers. Successive builds of this slide (slides 9-17) annotate the diagram with the labels Goal, Refinement, Task, Domain assumption, Alternatives, and Conflict.]
18. The requirements evolution problem
• Given an existing solution Si which satisfies D, Si ⊢ G, and
• modified entities (δ(G), δ(D), δ(S));
• Find Ŝ so that δ(D), Ŝ ⊢ δ(G), such that this satisfies some desired property π, relating Ŝ to Si.
19. [Figure: the PCI-DSS goal model again, with the same nodes as on the "PCI-DSS model" slide. Successive builds (slides 19-24) mark Si on the model, add the node "Use Secure Hash on CC #" labelled New Requirement, and then mark Ŝ.]
25. Maintenance implications
• New implementation tasks:
  • switch payment system providers
  • add secure hash function
26. Useful properties π
1. Minimal implementation effort.
2. Minimal change effort solutions.
3. Maximal familiarity solutions.
[Figure: the solution Si shown beside candidate solutions Sa, Sb and Sc, each drawn as a group of elements labelled with letters from a to h. The slide is repeated as successive builds (slides 26-32).]
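The requirements evolution problem and the minimal-change property π above, worked through on the PCI-DSS example as an added illustration (not the authors' REKB tool). The refinement edges, the rule that only one POS provider is used at a time, the dependency of the secure hash on the Moneris POS, and measuring change effort as the size of the symmetric difference with Si are all assumptions made for this example.

```python
from itertools import combinations

# Constructed goal model using the node names from the slides. Each goal maps to
# alternative refinements (OR); each refinement is a set of children (AND).
REFINE = {
    "Increase revenues": [{"Accept payment", "Avoid financial losses and penalties"}],
    "Accept payment": [{"Accept cash"}, {"Accept credit card"}],
    "Accept cash": [{"Buy strongbox"}],
    "Accept credit card": [{"Use Verifone POS"}, {"Use Moneris POS"}],
    "Avoid financial losses and penalties": [{"Be PCI compliant"}],
    "Be PCI compliant": [{"Implement only one primary function per server"}],
    "Implement only one primary function per server":
        [{"Virtualize server instances"}, {"Use multiple servers"}],
}
TASKS = ["Buy strongbox", "Use Verifone POS", "Use Moneris POS",
         "Virtualize server instances", "Use multiple servers", "Add secure hash function"]
D = {"No money for new servers"}                      # domain assumption
CONFLICTS = [{"Use multiple servers", "No money for new servers"},
             {"Use Verifone POS", "Use Moneris POS"}]  # second pair is assumed

def entails(refine, facts, goal):
    """True if facts (D plus chosen tasks S) satisfy goal; the model is acyclic."""
    if goal in facts:
        return True
    return any(all(entails(refine, facts, c) for c in alt) for alt in refine.get(goal, []))

def solutions(refine, goals, d=D):
    """All conflict-free task sets S such that d, S entail every goal."""
    out = []
    for n in range(len(TASKS) + 1):
        for s in map(set, combinations(TASKS, n)):
            facts = s | d
            if not any(c <= facts for c in CONFLICTS) and \
               all(entails(refine, facts, g) for g in goals):
                out.append(s)
    return out

def evolve(s_i, refine, goals):
    """Pick the new solution by minimal change effort, ties broken by fewer tasks."""
    return min(solutions(refine, goals), key=lambda s: (len(s ^ s_i), len(s)))

S_I = {"Use Verifone POS", "Virtualize server instances"}
# Changed goals: PCI compliance now also needs a secure hash on card numbers.
EVOLVED = dict(REFINE)
EVOLVED["Be PCI compliant"] = [{"Implement only one primary function per server",
                                "Use Secure Hash on CC #"}]
EVOLVED["Use Secure Hash on CC #"] = [{"Use Moneris POS", "Add secure hash function"}]
S_HAT = evolve(S_I, EVOLVED, ["Increase revenues"])
```

Under these assumptions the new tasks in `S_HAT - S_I` are the two named on the "Maintenance implications" slide: switching the payment provider and adding the secure hash function.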
33. Implementing the REKB
• Implemented a tool for answering these questions.
• For case study, tell user
  • what compliance strategy to use
  • what business goals will be satisfied
  • what changes are important
34. Discussion questions
1. Is it important to support full traceability?
2. How do we capture business objectives (and value) in software evolution tools?
3. Why has there been relatively little focus on requirements in Software Evolution?
http://neilernst.net
@neilernst
github.com/neilernst