Hisham M. Haddad
Kennesaw State University
Publication
Featured research published by Hisham M. Haddad.
international conference on information technology: new generations | 2009
Christopher M. Kanode; Hisham M. Haddad
In Software Engineering (SE), video game development is unique yet similar to other software endeavors. It is unique in that it combines the work of teams covering multiple disciplines (art, music, acting, programming, etc.), and that engaging game play is sought after through the use of prototypes and iterations. With that, game development is faced with challenges that can be addressed using traditional SE practices. The industry needs to adopt sound SE practices for their distinct needs such as managing multimedia assets and finding the “fun” in game play. The industry must take on the challenges by evolving SE methods to meet their needs. This work investigates these challenges and highlights engineering practices to mitigate these challenges.
international conference on information technology new generations | 2008
Mauricio John Ordoñez; Hisham M. Haddad
The role of metrics in software quality is well recognized. However, software metrics are yet to be standardized and integrated into development practices across the software industry. While process, project, and product metrics share a common goal of contributing to software quality and reliability, utilization of metrics has been at a minimum. This work is an effort to bring more attention to software metrics. It examines the practices of metrics in the software industry and the experiences of some organizations that have developed, promoted, and utilized a variety of software metrics. As various types of metrics are being developed and used, these experiences show evidence of benefits and improvements in quality and reliability.
security of information and networks | 2013
Hossain Shahriar; Vamshee Krishna Devendran; Hisham M. Haddad
Clickjacking attacks are an emerging threat on the web. An attacker application presents a User Interface (UI) element of a target application out of context, such as hiding a sensitive UI element by making it transparent to the end user. The user is tricked into clicking on the hidden element out of context. These attacks can cause severe damage such as compromising webcams and posting unintended messages. A large number of websites are still vulnerable to clickjacking and have no minimal protection at the server side (e.g., frame busting, X-Frame-Options header). Further, client-side defense techniques have been ineffective to deal with sophisticated clickjacking attack types and suffer from performance issues. This paper presents a proxy-level framework, ProClick, to detect clickjacking attacks. ProClick examines the content of requests and response pages at the proxy level to detect clickjacking attacks. We evaluate the proposed approach with a set of legitimate and malicious websites. The results indicate that our approach has low false positive and false negative rates. The overhead imposed by the proposed approach is also very negligible.
international conference on software engineering advances | 2009
D M Brunil Romero; Hisham M. Haddad; E A Jorge Molero
Security risk assessment in Web Engineering is an emerging discipline, where security is given special attention, allowing software engineers to develop high quality and secure Web-based applications. A preliminary study revealed that asset identification (and evaluation) is an essential phase in risk assessment practices. This phase represents a degree of complexity and is the primary activity in the assessment process. This work focuses on asset identification and contributes to security risk assessment, which is an essential part of software security. Specifically, the research goal is to design a methodological tool (instrument) for asset identification in web applications for the purpose of risk assessment. The proposed tool helps identify assets with security risks in web applications. The tool involves direct observations and survey questionnaires as data collection techniques used for this work. The research methodology is based on qualitative and quantitative analysis of a case study that focused on a web-based application for Student Opinion Survey Coordination (EOE) developed in Simón Bolívar University, Venezuela. The data analysis required the use of cross-case analysis supported by the software application MAXQDA2007, which helps identify assets according to categories, such as Environment, Software, Hardware, Information and Networks. Under this work, students, faculty, staff, and software developers at Simón Bolívar University have participated in this study.
international conference on information technology: new generations | 2009
Brunil Dalila Romero Marino; Hisham M. Haddad
Anticipating and mitigating security threats is critical during software development. This work investigates security vulnerabilities and mitigation strategies to help software developers build secure applications. The work examines common vulnerabilities, and relevant mitigation strategies, from several perspectives, including the input environment used to supply the software with needed data, the internal data and structures used to store and retrieve the data, the algorithms and computations performed on the data, the outputs, and the extensibility and mobile software. Examining software security from these vantage points is the key to understanding the difficulty of producing secure software applications.
international conference on information technology new generations | 2006
Hisham M. Haddad
Software reuse has yet to offer well-defined methodologies and mature technologies for developing applications with reuse. Implementing a successful reuse initiative to realize the perceived benefits of reuse requires initial investment that makes the cost of reuse prohibitive for many organizations. The most common form of reusable assets is source code. In some estimates, domain-specific components represent up to 65% of the application size. One approach to effective reuse practices focuses on domain-specific components. This work investigates software reuse practices and presents an integrated approach to component-based development to motivate domain-specific component reuse with emphasis on source code artifacts. The approach defines collections of reusable components that are integrated into the development environment. The concept of generic interface is also utilized to define a wrapper interface mechanism to manage and control the interfacing of reusable collections with applications in the domain of interest. The approach is mainly based on programming effort and does not require additional effort dealing with the managerial and organizational aspects of implementing comprehensive reuse initiatives.
acm southeast regional conference | 2005
Amy B. Woszczynski; Hisham M. Haddad; Anita F. Zgambo
Since the birth of computer science some 40 years ago, educators and researchers alike have struggled with improving student success, particularly in the introductory programming courses, which often have a very high failure rate. Although many researchers have studied how and why students succeed in programming courses, no research to date has analyzed multiple variables simultaneously to develop an integrated model of student success. Rather, the research has been fragmented and non-cumulative, with researchers studying hundreds of different variables, under different conditions, and reaching different conclusions. Educators are faced with the arduous task of developing interventions and pedagogical techniques based on a plethora of seemingly important variables. In this work, we begin to bring together previous research to develop a model of student success based on theoretical reasoning. The proposed model identifies variables in three categories: individual, organizational, and demographic.
computer software and applications conference | 2016
Robert Bronte; Hossain Shahriar; Hisham M. Haddad
Intrusion Detection System (IDS) is a popular approach to detect attacks in web applications. Signature-based IDS may not know all possible attack signatures in advance, thus a complementary anomaly-based IDS is deployed to detect new attacks. In this paper, we propose an anomaly detection approach that utilizes three measures: cross entropy for parameter, value, and data type. The measures are intended to compare the deviation between learned request profiles and a new web request. To reduce the number of incorrect detections, we consider requests accessing similar resource paths to learn entropy parameters value. We evaluate this approach by generating log datasets from a large scale web application (Content Management System). The initial results show that the proposed approach can detect all malicious web requests and demonstrate lower false positive rates. It outperformed two other approaches in comparison: length of parameter value and Mahalanobis Distance.
security of information and networks | 2014
Hossain Shahriar; Hisham M. Haddad
Although much research effort has focused on Android malware detection, very little attention has been given to implementation-level vulnerabilities. This paper focuses on Content Provider Leakage vulnerability that can be exploited by viewing or editing sensitive data through malware. We present a new technique for detecting content provider leakage vulnerability. We propose Kullback-Leibler Divergence (KLD) as a measure to detect the content provider leakage vulnerability. In particular, our contribution includes the development of a set of elements and mapping the elements to programming principles for secure implementation of content provider classes. These elements are captured from the implementation to form the initial population set. The population set is used to measure the divergence of a newly implemented application with content provider to identify potential vulnerabilities. We also apply a back-off smoothing technique to compute the KLD value. We implement a Java prototype tool to evaluate a set of content provider implementations to show the effectiveness of the proposed approach. The initial results show that by choosing an appropriate threshold level, KLD is an effective method for detecting content provider leakage vulnerability.
international performance computing and communications conference | 2013
Jing He; Shouling Ji; Xiaojing Liao; Hisham M. Haddad; Raheem A. Beyah
Social networks are important mediums for spreading information, ideas, and influences among individuals. Most existing research work focuses on understanding the characteristics of social networks, investigating spreading information through the “word of mouth” effect of social networks, or exploring social influences among individuals and groups. However, most existing work ignores negative influences among individuals or groups. Motivated by alleviating social problems, such as drinking, smoking, gambling, and influence spreading problems (e.g., promoting new products), we take both positive and negative influences into consideration and propose a new optimization problem, named the Minimum-sized Positive Influential Node Set (MPINS) selection problem, to identify the minimum set of influential nodes, such that every node in the network can be positively influenced by these selected nodes no less than a threshold θ. Our contributions are threefold. First, we propose a new optimization problem MPINS, which is investigated under the independent cascade model considering both positive and negative influences. Moreover, we claim that MPINS is NP-hard. Subsequently, we present a greedy approximation algorithm to address the MPINS selection problem. Finally, to validate the proposed greedy algorithm, extensive simulations are conducted on random graphs representing small and large size networks.