US008539437B2

(12) Ulllted States Patent

Finlayson et a].
(54) SECURITY PROCESS MODEL FOR TASKS
WITHIN A SOFTWARE FACTORY

(10) Patent N0.:

(45) Date of Patent:

US 8,539,437 B2
Sep. 17, 2013
green et a1~

7,051,036 B2
7,137,100 B2 *

5/2006 Rosnow et al.

11/2006 Ib t l. ................ .. 717/106

HOW

(75)

IIIVeHIOISI Ronald D- Finlayson, Blythewood, SC

7,152,220 B2 * 12/2006 1112121331111, ,,,,,,,,,,,, ,, 717/101

(US); Naomi M. Mitsumori, San Jose,

7,159,206 B1
, ,

1/2007 Sadhu et al.

CA (US); Francis X. Reddington,

Sarasota FL (Us) 7,318,216 B2
7,337,429 B1

gilihes tal
a ieuxe .

1/2008 Diab
2/2008 P

(73) Assignee: International Business Machines

Corporation, Armonk, NY (US)

7,406,432 B1
*
, ,

7/2008 (2335M

tal.

7,406,453 B2 7,418,443 B2
7,603,653 B2

7/2008 Mundie et al. 8/2008 Yoshimura et al.

( * ) Notice:

Subject to any disclaimer, the term ofthis

-

11 1 t 1
ren e e a. .............. ..

717mm

patent 1s extended or adjusted under 35

U~S-C- 15400133 1453 days-

10/2009 Sundammjan et a1

7,610,575 B2* 10/2009 Sproule ....................... .. 717/103 7,774,747 B2 8/2010 Kayam et a1.

(21) Appl. No.. 11/847,952

(22) Filed:
(65)

(Continued)
OTHER PUBLICATIONS
Stallard et a1.Automated analysis for digital forensic science: Seman

Aug. 30, 2007

Prior Publication D at a

tic integrity checking. Proceedings 19th Annual Computer Security

US 2009/0064322A1 Mar. 5, 2009 Applications Conference, Dec. 2003. pp. 160-167. Retrieved on

[Apr. 30, 2013] Retrieved from the Internet: URL<http://ieeexplore.

(51) Int-CL
G06F 9/44 (2006.01)

ieee.org/Xpls/absiall.jsp?arnumber:1254321>.*
_

G06F 7/04
(52) US. Cl.

(2006.01)
. .

(Con?rmed)

USPC .............. .. 717/101; 717/102; 717/103; 726/4

(58) Field Of Classi?cation Search

jrrfary 2mm? * Tchllly Daos _ h

mm mm * ePeca m _

None See application ?le for complete search history.

(74) Attorney, Agent, or Ftrm *Yudell Is1dore Ng Russell PLLC

(56)

References Cited
U.S. PATENT DOCUMENTS
5,729,749 6,226,784 6,237,020 6,286,104 A B1 B1 B1 3/1998 5/2001 5/2001 9/2001 Ito Holmes et al. Leyrnann et al. Buhle et a1.

(57) ABSTRACT Security for a software factory is provided by detecting a request by a user to utilize the software factory. Upon being
authenticated, the user is granted permission to access spe ci?c areas of the software factory. A log is created of locations in software factory that have been accessed by the user. This log is then utilized in an audit that describes how effective the

6,405,317 B1 *

6/2002 Flenley et a1. .................. .. 726/4

6,516,451 B1 6,519,763 B1 6,662,357 B1

2/2003 Patin 2/2003 Kaufer et al. 12/2003 Bowman-Amuah

software factory is in creating deliverable software.

20 Claims, 25 Drawing Sheets

1600

1602

1604

1606

1606

H
USER
1

R
USER SESSION
AUTHENTICATE 2

x
FACTORY SEClRITY PROCESS

\
AUDIT

AUTHORIZE (Pm/115510115)

LOG TRANSACTIONO

US 8,539,437 B2
Page 2
(56) References Cited
U.S. PATENT DOCUMENTS 7,778,866 B2 8/2010 Hughes
7,810,067 B2 7,823,120 B2 7,853,556 B2
7,865,875 B2*

Retrieved from the Internet:

cfm?id:1141346>.*

URL<http://dl.acm.org/citation.

Software Factory Assembly Methodology and Training Pathways.

Copyright 2006. ObjectBuilders. [retrieved on Apr. 22, 2011].
Retrieved from the Internet: <URL:www.objectbuilders.com/down

10/2010 Kaelicke et a1. 10/2010 Kazakov etal. 12/2010 Swaminathan etal.

1/2011 Hockenberry et al. ..... .. 717/120

loads/SFiMethodologyiWPpdg>.
U.S. Appl. No. 11/735,152, Software Factory Readiness Review,
Non-Final Of?ce Action dated Apr. 29, 2011.

8,141,030 B2
8,141,040 B2
2002/0038449 A1*

3/2012 Finlayson
3/2012 Chaar
3/2002
8/2002

BrykcZynski, Bill,A Survey of Software Inspection Checklists,

ACM, Jan. 1999, p. 82-89.
Keil et al., The In?uence of Checklists and Roles on Software

Green et al. .................... .. 717/1

Paclat ......................... .. 717/102

2002/0095650 A1
2002/0108099 A1*

7/2002 Green et al.

Practitioner Risk Perception and Decision-Making, IEEE, 2006, p.

1-12.

2003/0097650 A1
2003/0106039 A1*

5/2003 Bahrs et al.

6/2003 Rosnow et al. ............. .. 717/100

US Patent No. 7958494, Rapid On-Boarding of a Software Fac

tory, Non-Final Of?ce Action dated Sep. 29, 2010.

US Patent No. 7958494, Rapid On-Boarding of a Software Fac tory, Notice of Allowance dated Feb. 1, 2011. US. Appl. No. 11/735,056, Assembling Work Packets within a Software Factory, Non-Final Of?ce Action dated Dec. 23, 2010. US. Appl. No. 11/735,056, Assembling Work Packets within a Software Factory, Non-Final Of?ce Action dated Jun. 9, 2011.

2003/0158760 2003/0192029 2003/0221184 2004/0010772 2004/0015870

A1 A1 A1 A1 A1

8/ 2003 Kannenberg

10/2003 Hughes
11/2003 Gunjal et al.
1/ 2004 McKenna et al. 1/ 2004 ArbouZov et al.
3/2004
4/2004

2004/0054984 A1 *

Chong et al. ................ .. 717/103

Irani ........................... .. 717/101

2004/0064805 A1
2004/0073886 A1*

4/2004 Sparago et al.

5/2004 7/ 2004 1 1/ 2004 12/ 2004 12/ 2004 5/ 2005 Le Kaelicke et al. Ashley et al. Brown et al. Kayam et al. Robin et al.

US. Appl. No. 11/835,200, Dynamic Routing and Load Balancing

Packet Distribution with a Software Factory, Non-Final Of?ce

2004/0093584 2004/0143811 2004/0229199 2004/0255265 2004/0268296 2005/0114829

A1 A1 A1 A1 A1 A1

Action dated May 26, 2011. US. Appl. No. 1 1/ 735,099, entitled Software Factory Health Moni toring; Non-?nal of?ce action dated Apr. 16, 2012. US. Appl. No. 1 1/ 836,937, entitled Waste Determinants Identi?ca
tion and Elimination Process Model Within a Software Factory Oper

2005/0160395 A1
2005/0166178 A1
2005/0198618 A1*

7/2005 Hughes
7/2005 Masticola et al.
9/2005 Lalonde et al. ............. .. 717/110

ating Environment; Non-?nal of?ce action dated Apr, 18, 2012.

US. Appl. No. 11/735,070, entitled Project Induction in a Software Factory; Non-?nal of?ce action dated Apr. 26. 2012. US. Appl. No. 11/735,086, entitled Work Packet Fomcasting in a Software Factory; Non-?nal of?ce action dated May 18, 2012. US. Appl. No. 11/735,275, entitled Software Factory; Non-?nal of?ce action dated Jun. 5, 2012. US. Appl. No. 11/735,168, entitled Life Cycle ofaWork Packet in a Software Factory; Non-?nal of?ce action dated Jun. 13, 2012. US. Appl. No. 11/735,152, entitled Software Factory Readiness Review; Notice ofAllowance and Fee(s) Due dated Jun. 15. 2012. US. Appl. No. 1 1/ 735,099, entitled Software Factory Health Moni toring; Notice of Allowance dated Jul. 25, 2012. US. Appl. No. 1 1/ 836,937, entitled Waste Determinants Identi?ca tion and Elimination Process Model Within a Software Factory Oper

2005/0216882 A1 2006/0031812 A1 2006/0235732 A1

9/2005 Sundararajan et al. 2/2006 Olson et al. 10/2006 Miller et al.

2006/0248504 A1
2007/0006161 A1
2007/0124803 A1*

11/2006 Hughes
1/2007 Kuester et al.
5/2007 TaraZ .............................. .. 726/4

2007/0174810 A1

7/2007 Hockenberry et al. ..... .. 717/101

2007/0220479 A1
2008/0046859 2008/0255696 2008/0256390 2008/0256507 2008/0256516 2008/0256529 A1 A1 A1 A1 A1 A1

9/2007 Hughes
2/2008 10/2008 10/2008 10/2008 10/2008 10/2008
11/2008

Velarde et al. Chaar Chaar Chaar Chaar Chaar

Seetharaman et al. ...... .. 717/101

2008/0282219 A1*

ating Environment; Notice of Allowance dated Aug. 2, 2012.

US. Appl. No. 11/ 844,031, entitled System to Monitor and Main tain Barance of Factory Quality Attributes Within a Software Factory

2009/0043622 A1 2009/0055795 A1
2009/0300577 2009/0300586 2010/0017252 2010/0017782 2010/0023918 2010/0023919 2010/0023920 2010/0031090 2010/0031226 2010/0031234 A1 A1 A1 A1 A1 A1 A1 A1 A1 A1

2/2009 Finlayson 2/2009 Finlayson

12/2009 12/2009 1/2010 1/2010 1/2010 1/2010 1/2010 2/2010 2/2010 2/2010 Bernardini et Bernardini et Chaar et al. Chaar et al. Bernardini et Chaar et al. Chaar et al. Bernardini et Chaar et al. Chaar et al. al. al. al. al.

Operating Environment; Final of?ce action dated May 25, 2012. US. Appl. No. 11/735,275, entitled Software Factory; Notice of Allowance dated Sep. 14, 2012. US. Appl. No. 11/735,070, entitled Project Induction in a Software Factory; Final of?ce action dated Sep. 19, 2012. US. Appl. No. 11/735,168, entitled Life Cycle ofaWork Packet in
a Software Factory; Final of?ce action dated Oct. 18, 2012. US. Appl. No. 11/735,086, entitled Work Packet Forecasting in a Software Factory ; Final of?ce action dated Oct. 22, 2012. US. Appl. No. 11/735,168, entitled Life Cycle ofaWork Packet in a Software Factory; Notice of Allowance dated Jan. 4, 2013. US. Appl. No. 11/735,086, entitled Work Packet Forecasting in a Software Factory; Advisory Action dated Jan. 8, 2013.

OTHER PUBLICATIONS
Abbott et al. Automated Recognition of Event Scenarios for Digital Forensics, Proceedings of the 2006 ACM symposium on Applied computing, 2006, pp. 293-300, Retrieved on [Apr. 30, 2013]

* cited by examiner

US. Patent

Sep. 17, 2013

Sheet 2 0f 25

US 8,539,437 B2

( START V202
RECEIVE INPUT, AT A SOFTWARE FACTORY, FROM CLIENT BUSINESS GOVERNANCE BOARD DESCRIBING SOFTWARE NEEDS OF ENTERPRISE CLIENT
f 204

CREATE A PROJECT SOFTWARE PROPOSAL DEFINITION FOR A SOFTWARE f 206 PROJECT THAT MEETS THE SOFTWARE NEEDS OF THE ENTERPRISE CLIENT

INDUCT/REINDUCT THE SOFTWARE PROJECT FOR EVALUATION, QUALIFICATION, SCORING AND CATEGORIZATION

f 205

PARSE SOFTWARE PROJECT INTO MAJOR FUNCTIONAL AREAS r212

OBTAIN WORK PACKETS NEEDED FOR ALL FUNCTIONAL AREAS OF THE SOFTWARE PROJECT

r214

SEND OBTAINED WORK PACKETS TO ASSEMBLY LINE TO CREATE DELIVERABLE r216 CUSTOM SOFTWARE THAT MEETS THE CRITERIA SET FOR THE SOFTWARE PROJECT

TEST CUSTOM SOFTWARE

I218

DELIVER CUSTOM SOFTWARE I220

SUPPORT CUSTOM SOFTWARE r222

END 224

FIG. 2

US. Patent

Sep. 17, 2013

Sheet 3 0f 25

US 8,539,437 B2

5O2

WORK PACKET IS DEFINED

5 r10

ASSEMBLY
LINE

504

WORK PACKET IS ASSEMBLED

520\

r515
MESSAGE

506

WORK PACKET IS ARCHIVED

ASSET REPOSITORY

ASSET MANAGER

508

WORK PACKET IS DISTRIBUTED

WE

OPU% EMawCDKAEU N TR
I

FIG. 5

US. Patent

Sep. 17, 2013

Sheet 4 or 25

US 8,539,437 B2

GOVERNANCE

ARTIFACTS

4T0)
BUSINESS
CONTEXTUAL

ARTIFACTS

404

412)
ARCHITECTURAL _

/
CS
_

414/

ARTIFA T
TEST

416/

ARTIFACTS

PROJECT

418/

ARTIFACTS

420
422/

GOVERNANCE METRICS
~ ~ METRICS

424

SYSTEM IVIETRICS

4B6
FIG. 4

US. Patent

Sep. 17, 2013

Sheet 5 0f 25

US 8,539,437 B2

( START V502
CREATE PACKET DEFINITIONS NEEDED FOR f 504 WORK PACKETS USED IN A DELIVERABLE
I

CALL TEMPLATE NEEDED BY TEMPLATE FOR PACKET DEFINITIONS

I

f506

CALL ARTIFACTS NEEDED BY TEMPLATE FOR PACKET DEFINITIONS

r508

CALL METRICS NEEDED BY TEMPLATE FOR PACKET DEFINITIONS

I

1-510

ASSEMBLE WORK PACKETS USING CALLED TEMPLATE, ARTIFACTS AND METRICS

CID r514
FIG. 5

US. Patent

Sep. 17, 2013

Sheet 6 0f 25

US 8,539,437 B2

602

/
NAME
SECURITY

FUNCT'ON
SECURITY

PO'NTER
Addressl

PROPRIETARY FOR CLIENT?

YES

ORIGINAL DELIVERABLE
Server

COMPONENT NAME(S)
"Standard100

WORK PACKET

(TOW)

password manager

"Integration 101

600

604

/
CODE

FIG. 6A

US. Patent

Sep. 17, 2013

Sheet 7 0f 25

US 8,539,437 B2

US. Patent

Sep. 17, 2013

S heet 8 0f 25

US 8,539,437 B2

DEFINE HEADER COMPONENTS FOR ASSET (E.G., WORK x704 PACKET) HEADER
I

POPULATE HEADER f706 COMPONENTS

I

ARCHIVE WORK PACKET WITH PO|NTERS 1708 TO WORK PACKET HEADER ENTRIES
1

RETRIEVE WORK PACKET IN ACCORDANCE [710 WITH REQUISITE HE ADER COMPONENTS

I

:N: r712

FIG. 7

US. Patent

Sep. 17, 2013

Sheet 9 0f 25

US 8,539,437 B2

@802
f 504 DETERMINE CHOKE-POINTS IN SOFTWARE FACTORY FOR FIRST PROJECT

POPULATE CHECKLIST WITH f806 DETERMINED CHOKE-POINTS

IN RESPONSE TO RECEIPT OF NEW

WORK ORDER, CHECK CHECKLIST

[805

SEND NOT READY MESSAGE TO r516 SOFTWARE FACTORY OPERATIONS

CONFIGURE SOFTWARE FACTORY [512 BASED ON PRIOR PROJECT

US. Patent

Sep. 17, 2013

Sheet 10 0f 25

US 8,539,437 B2

FACTORY PROJECT

CANDIDATE PROJECT

950A
OUT SERVICE INDUCTION

902

IN
FACTORY PROJECT PROPOSAL

SERVICE
REPOSITORY SCORECARD

/
904
910

/
928

SERVICE
\ DEFINITION

RENEDIATION

TEMPLATE

91$
:_|F____________?
I, 3RD PARTY H

SCOR|NG&
CLASSIFICATION
%

SERVICE
ASSESSMENT

I IOONTRAOTORI I

REVIEW

920T!I PROvIDER {I I ____________ _A ' II 3RDPARTY

:IL PROvIDER II
I: vENDOR H

,/~\ '3RD PARTY\\ I, REQUIRED \

\ I,

(sAR) %

CHECKLISTS

i _____________TI :

\\ w //
\~
100

924?; PRODUCT I:

.I_:::::::_'

H SUPPORT II

FIG. 9

US. Patent

Sep. 17, 2013

Sheet 11 0125

US 8,539,437 B2

C
\

8 \A W. B \\ \O C% 9

C H E W. 9 .b

\\\
\ \

CAI|

\O _|
/

m H/ / C/
/
/

/PM / KU 9

\MW

\
\ \ \ \

/ /, n0 B
/ /

/
/ /

\
\

\
\

PRE-QUALIFYING QUESTIONS
1002

FIG.1OA

US. Patent

Sep. 17, 2013

Sheet 12 0125

US 8,539,437 B2

1007A

/
Leading Indicator

PK Leading lndicatorilD

Leading lndicatoriDesc
FK1 Evaluation RuleilD

Checklist Category PK ChecklistiCategoryilD

f1OO5A
10055

ChecklistiCategoryiDescription

/
_ Question

10075
Evauation Rule

checkl'st
PK ChecklistilD
I

PK QuestionilD
__
Questiion

ChecklsLDesC
FK1 ChecklistiCategoryilD

FK1 ChecklistilD
l

Evaluation RuleilD Evaluation RuleiDesc

ParentiChecklistilD
FK2 Template ilD Answer

1085c

PK Answer_lD
Answerjlag
FK1 QuestionilD FK2 Evaluation RuleilD

REMEDY

PK Remedy_lD

RemedyiDesc
FK1 Evaluation RuleilD

1004

10050

\
1007c

FIG. 105

US. Patent

Sep. 17, 2013

Sheet 13 0f 25

US 8,539,437 B2

US. Patent

Sep. 17, 2013

Sheet 16 0f 25

US 8,539,437 B2

START

I014

PRESENT INITIAL CHECKLIST r1016 BASED ON PROJECT CATEGORY

I

RECEIVE ANSWERS TO 1-1018 QUESTIONS IN CHECKLIST

DO RECEIVED ANSWERS PROMPT A PRESENTATION OF A NEW CHECKLIST?

I020

USING PREVIOUSLY STORED QUESTIONS, PRESENT A022

A DYNAMICALLY GENERATED NEW CHECKLIST THAT |S BASED ON RECEIVED ANSWERS
I

EVALUATE ANSWERS TO NEW CHECKLIST f1024

T BASED ON CONTEXTUAL REFERENCE AND

NATURE OF THE OUESTIONING OBJECTIVES

I028

FIG. IOE

US. Patent

Sep. 17, 2013

Sheet 17 0f 25

US 8,539,437 B2

1102a

1102b

1lO\2c

100

/
Cache DB

% Metric DB %
-

Audit DB

xx Portal Portal

1120

m m

i x ,

U :ESEQPTW | l}. m1 qm

8 mm 4 6

FIG. 11

US. Patent

Sep. 17, 2013

Sheet 18 0f 25

US 8,539,437 B2

START
I

I202

DEFINE WORK

[1204

PACKETS
I

TRACK WHEN AND WHERE THE WORK fI206 PACKETS ARE SENT IN SOFTWARE FACTORY
I

TRACK THE PULLING OF ANY ARTIFACTS BY THE WORK PACKETS

I

fI208

IVIONITOR ANY ON-GOING CHANGES OF WORK 1-1210 ACTIVITIES CONTAINED IN THE WORK PACKETS
DETERIVIINE IF EXECUTION OF WORK PACKETS CONFORIVIS 1-1212 WITH GOVERNANCE GUIDELINES FOR SOFTWARE FACTORY

TRACK ARCHITECTURAL COIVIPLIANCE OF SOFTWARE FACTORY

TRACK QUALITY IVIETRICS (COMPLETION

RATES, SOFTWARE DEFECTS, RISKS, ISSUES)

ASSOCIATED WITH WORK PACKET EXECUTION

fI2I6

SEND IVIONITORED INFORMATION TO DASHBOARD

END 1220

FIG. 12