Lodewijk Bergmans, Senior Researcher, SIG, The Netherlands


How would you present the project?

We are confronted daily with the failures and challenges of developing and maintaining software, which plays an increasingly important role in our lives. It might lead one to think that the software industry has not evolved at all in the past 50 years. But if you take a quick look under the hood, even the simplest software applications we are creating today are performing a huge amount of (mostly invisible) instructions, for example to realize networking, or graphical user interfaces, where eventually each pixel on the screen has to be controlled by software, e.g. while we are scrolling and zooming and punching the screen with our fingers. 

The fact that a single developer can realize this –mostly hidden– complex behavior is only feasible by reusing software developed by others. In fact, today there are really large ecosystems of software libraries, mostly provided for free as open-source software, that power our software development industry: virtually no software is developed without using some third-party libraries (which are, by the way, invisible to the end-user). 

This huge success of the software industry does come with some challenges and risks: not only are application developers relying on third-party software that they do not fully comprehend, these libraries typically make use of other third-party software libraries as well, which furthers the lack of understanding and control of an application developer. This ecosystem of libraries is not static, but evolving all the time, both for enhancing features, and for keeping up with the world, such as addressing newly discovered security vulnerabilities.

The end goal of FASTEN is to enhance the control that application developers have over properties and risks of software libraries they use, powered by a deep analysis of the inner workings of these libraries. 

What is your role in the project?

SIG is leading Work Package 3, “Security, Quality and Risk.” In this work package, the focus is on exploiting the fine-grained information that the FASTEN tooling delivers about an ecosystem of libraries for better, more accurate analysis of both the quality and the risks of software systems.

To illustrate this, consider the picture below, which illustrates how FASTEN can more accurately determine whether a system is affected by –in this example– a security vulnerability: on the left-hand side, a model of dependencies at the library level will signal a vulnerability issue for the system, since the system depends (indirectly) on a library that contains a vulnerability. On the right-hand side, the more fine-grained FASTEN model shows this dependency in more detail, and detects that the system will not actually use the vulnerable part of that library: the more advanced, fine-grained model can deliver more accurate insights.
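The two models from the picture, as an added example that is not part of the original interview or of FASTEN's own tooling: a coarse library-level dependency closure flags the system, while a call-graph reachability check from the application's entry point does not, because the vulnerable function is never reached. All package and function names are constructed for illustration.

```python
from collections import deque

# Constructed library-level dependency model (hypothetical names):
# app -> libA -> libB, where libB is the library carrying the vulnerability.
PACKAGE_DEPS = {
    "app": {"libA"},
    "libA": {"libB"},
    "libB": set(),
}

# Constructed fine-grained call-graph model of the same system.
# The application only ever reaches libB.escape; the vulnerable
# function libB.parse_untrusted is present in libB but not called.
CALL_GRAPH = {
    "app.main": {"libA.render"},
    "libA.render": {"libB.escape"},
    "libB.escape": set(),
    "libB.parse_untrusted": {"libB.escape"},
}

def reachable(graph, start):
    """Return every node reachable from start (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def library_level_affected(deps, root, vulnerable_library):
    """Coarse model (left-hand side of the picture): the system is flagged
    whenever the vulnerable library is in its transitive dependency closure."""
    return vulnerable_library in reachable(deps, root)

def call_level_affected(call_graph, entry_point, vulnerable_functions):
    """Fine-grained model (right-hand side): the system is flagged only if a
    vulnerable function is reachable from its entry point in the call graph.
    Returns the set of reachable vulnerable functions; empty means not affected."""
    return reachable(call_graph, entry_point) & set(vulnerable_functions)

if __name__ == "__main__":
    print("library level:", library_level_affected(PACKAGE_DEPS, "app", "libB"))
    print("call level:", call_level_affected(CALL_GRAPH, "app.main", {"libB.parse_untrusted"}))
```

The call-level verdict is only as trustworthy as the call graph it runs on: edges missed through reflection, dynamic dispatch or native code turn "not reachable" into a false negative, which is why the aggregation has to account for that imprecision.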


What key innovation are you bringing or helping to develop?

At SIG, our core business is to analyze the quality and risks of software systems (and use the results of such analyses to provide well-founded advice to our customers). To this end, we have developed methods that can measure, either fully or partially automated, software qualities such as maintainability, security, reliability and performance efficiency.

The combination of these analysis techniques and the FASTEN toolset provides exciting opportunities to extend our understanding of the libraries (including the indirectly used libraries) and external systems that a system depends on, since these clearly influence the quality and risks of the system. Some of our challenges to achieve this are: (1) What are the best strategies to aggregate and propagate the findings for a library across the ecosystem? This will also vary, depending on the type of property. (2) How can we build analysis methods that will scale to the size of the FASTEN ecosystem? (3) How can we make our analysis and aggregation techniques robust to the inherent uncertainties that are due to imprecise heuristics and the ever-changing environment?

Addressing these challenges is not only important for delivering useful, actionable insights on a software system or entire ecosystem, but also as building blocks that apply to analyzing large-scale software landscapes in general.

A word about yourself and your organization

I am a researcher at Software Improvement Group (SIG), based at our Amsterdam headquarters. SIG is an advisory firm that helps organizations to improve the health and security of their software applications. SIG combines its proprietary tools and benchmark data with its consultants’ expertise to help organizations measure, evaluate and improve code quality - whether they’re building, buying or operating software. Besides the tools for analyzing source code and other development artefacts, SIG uses a benchmark (the largest in the industry with more than 20 billion lines of code across more than 260 technologies) to evaluate an organization’s IT assets on maintainability, scalability, reliability, complexity, security, privacy and other factors. 

The SIG research department has been part of SIG since the company’s inception in 2000 as a spin-off of the Dutch Center for Mathematics and Informatics (CWI). Dr. Magiel Bruntink is our Head of Research. SIG has always maintained strong connections with scientific research, working closely with international research organizations, academic and industrial partners. SIG researchers are working to make the company services more innovative, by adopting and experimenting with state-of-the-art technologies, and inventing new ones where necessary. The context of the research can be long-term innovations, improving the current tools and methods of SIG, or directly helping our clients with new and innovative solutions.