Browsing by Author "Larrucea, Xabier"
Now showing 1 - 12 of 12
Results Per Page
Sort Options
Item Automatic Program Repair(2021-07-01) Carver, Jeffrey; Colomo-Palacios, Ricardo; Larrucea, Xabier; Staron, Miroslaw; Tecnalia Research & InnovationFollowing along with the theme of this issue of IEEE Software, this column reports on papers about automatic program repair (APR) from the 35th IEEE/ACM International Conference on Automated Software Engineering (ASE20), the 35th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW20), and the 13th IEEE International Conference on Software Testing, Validation and Verification (ICST20). Feedback or suggestions are welcome. In addition, if you try or adopt any of the practices included in the column, please send us and the authors a note about your experiences.Item Blockchain and Smart Contract Engineering(2020-09-01) Larrucea, Xabier; Pautasso, Cesare; Tecnalia Research & InnovationBlockchains help to build trust among a decentralized network of unknown and untrusted peers who need to agree on a common protocol and trust the correctness and compatibility of the corresponding software implementations. The software engineering discipline cannot ignore this trend, as it fundamentally affects the way software is designed, developed, deployed, and delivered.1 As with the emergence of the Internet, software smart contracts for solving new classes of real-world problems, as opposed to introducing blockchains everywhere, where they may be unnecessary, or provide an inefficient and environmentally unsound solution.4Item Burnable Pseudo-Identity: A Non-Binding Anonymous Identity Method for Ethereum: A Non-Binding Anonymous Identity Method for Ethereum(2021) Gutierrez-Aguero, Ivan; Anguita, Sergio; Larrucea, Xabier; Gomez-Goiri, Aitor; Urquizu, Borja; Tecnalia Research & Innovation; CIBERSEC&DLTThe concept of identity has become one common research topic in security and privacy where the real identity of users must be preserved, usually covered by pseudonym identifiers. With the rise of Blockchain-based systems, identities are becoming even more critical than before, mainly due to the immutability property. In fact, many publicly accessible Blockchain networks like Ethereum rely on pseudonymization as a method for identifying subject actions. Pseudonyms are often employed to maintain anonymity, but true anonymity requires unlinkability. Without this property, any attacker can examine the messages sent by a specific pseudonym and learn new information about the holder of this pseudonym. This use of Blockchain collides with regulations because of the right to be forgotten, and Blockchain-based solutions are ensuring that every data stored within the chain will not be modified. In this paper we define a method and a tool for dealing with digital identities within Blockchain environments that are compliant with regulations. The proposed method provides a way to grant digital pseudo identities unlinked to the real identity. This new method uses the benefits of key derivation systems to ensure a non-binding interaction between users and the information model associated with their identity. The proposed method is demonstated in the Ethereum context and illustrated with a case study.Item Continuous quantitative risk management in smart grids using attack defense trees(2020-08-07) Rios, Erkuden; Rego, Angel; Iturbe, Eider; Higuero, Marivi; Larrucea, Xabier; CIBERSEC&DLT; Tecnalia Research & InnovationAlthough the risk assessment discipline has been studied from long ago as a means to support security investment decision-making, no holistic approach exists to continuously and quantitatively analyze cyber risks in scenarios where attacks and defenses may target different parts of Internet of Things (IoT)-based smart grid systems. In this paper, we propose a comprehensive methodology that enables informed decisions on security protection for smart grid systems by the continuous assessment of cyber risks. The solution is based on the use of attack defense trees modelled on the system and computation of the proposed risk attributes that enables an assessment of the system risks by propagating the risk attributes in the tree nodes. The method allows system risk sensitivity analyses to be performed with respect to different attack and defense scenarios, and optimizes security strategies with respect to risk minimization. The methodology proposes the use of standard security and privacy defense taxonomies from internationally recognized security control families, such as the NIST SP 800-53, which facilitates security certifications. Finally, the paper describes the validation of the methodology carried out in a real smart building energy efficiency application that combines multiple components deployed in cloud and IoT resources. The scenario demonstrates the feasibility of the method to not only perform initial quantitative estimations of system risks but also to continuously keep the risk assessment up to date according to the system conditions during operation.Item Enhancing GDPR compliance through data sensitivity and data hiding tools(2021) Larrucea, Xabier; Moffie, Micha; Mor, Dan; Tecnalia Research & InnovationSince the emergence of GDPR, several industries and sectors are setting informatics solutions for fulfilling these rules. The Health sector is considered a critical sector within the Industry 4.0 because it manages sensitive data, and National Health Services are responsible for managing patients’ data. European NHS are converging to a connected system allowing the exchange of sensitive information cross different countries. This paper defines and implements a set of tools for extending the reference architectural model industry 4.0 for the healthcare sector, which are used for enhancing GDPR compliance. These tools are dealing with data sensitivity and data hiding tools A case study illustrates the use of these tools and how they are integrated with the reference architectural model.Item Integrating privacy debt and VSE's software developments(2023-08) Santamaria, Izaskun; Larrucea, Xabier; Fernandez-Gauna, Borja; Fernandez‐Gauna, Borja; SWTWith the advent of regulations protecting users such as the General Data Protection Regulation, security and privacy concerns are playing a new role in small settings such as in very small entities. Their relevance is increasing, and privacy is being considered a Troy horse in software developments. In fact, privacy is a part of software architectural decisions, and they must be considered as a technical debt. The contributions of this paper are the following: a privacy debt definition with a principal and an interest, privacy-related activities to be considered within the ISO/IEC 29110 basic profile, and the use of the net present value within this context. All these contributions help us to integrate privacy debt and VSE's software developments.Item Mass surveillance and technological policy options: Improving security of private communications: Improving security of private communications(2017-02-01) Schuster, Stefan; van den Berg, Melle; Larrucea, Xabier; Slewe, Ton; Ide-Kostic, Peter; Tecnalia Research & Innovation; Digital BaseThe 2013 Snowden revelations ignited a vehement debate on the legitimacy and breadth of intelligence operations that monitor the Internet and telecommunications worldwide. The ongoing invasion of the private sphere of individuals around the world by governments and companies is an issue that is handled inadequately using current technological and organizational measures. This article(1) argues that in order to retain a vital and vibrant Internet, its basic infrastructure needs to be strengthened considerably. We propose a number of technical and political options, which would contribute to improving the security of the Internet. It focuses on the debates around end-to-end encryption and anonymization, as well as on policies addressing software and hardware vulnerabilities and weaknesses of the Internet architectureItem A method for defining a regional software ecosystem strategy: Colombia as a case study: Colombia as a case study(2016-03-01) Larrucea, Xabier; Nanclares, Felix; Santamaria, Izaskun; Tecnalia Research & Innovation; SWTSoftware ecosystems (SECO) have been related to products or to a community of developers around a product. The SECO concept can also be applied to describe regional software ecosystems in which different software companies collaborate in a specific market based on a set of concrete technologies and using a set of capabilities. This paper details a regional SECO concept and a method based on regional endogenous capabilities and country needs to define a SECO strategy. Traditional strategy definition approaches are top-down, whereas this approach is a blended approach that merges bottom-up based on current regional capabilities and top-down based on market and technology trends. This paper presents a large case study performed in 6 regions of Colombia. We conducted 49 interviews and 16 workshops in which 654 attendees participated, and we developed the Colombian ICT national strategic plan based on this approach.Item A Pragmatic Approach for Evaluating and Accrediting Digital Competence of Digital Profiles: A Case Study of Entrepreneurs and Remote Workers: A Case Study of Entrepreneurs and Remote Workers(2021-04-29) Bartolomé, Juan; Garaizar, Pablo; Larrucea, Xabier; ADV_INTER_PLAT; Tecnalia Research & InnovationDuring the last decades, digital competence has become essential at workplace. Nowadays, it is difficult to find a job where no ICT skills are required. At the same time, there is a lack of ecosystems for adult reskilling in digital competence. Moreover, most of them do not use of a common language and terminology, decreasing the possibilities of being used by a wider public. In addition, the assessment of digital competence cannot be done using simple self-assessment tests, but more complex tools such as simulations or other activities based on real scenarios. Considering this, we designed a performance-based evaluation system following a pragmatic approach based on DigComp framework. We carried out a needs analysis based on expert consultation (63 teleworkers and 82 entrepreneurs) to create an assessment syllabus and implement the assessment modules. Then, we conducted an analysis by experts (n=21) of the relationship between the content of the tests and the construct it was intended to measure. After refinement, the system was piloted by end-users all over Europe (n=525). Results confirmed that DigComp was the most appropriate reference when considering the transversality of digital competence, providing researchers with well-defined clear criteria.Item Reuse of safety certification artefacts across standards and domains: A systematic approach: A systematic approach(2017-02-01) Ruiz, Alejandra; Juez Uriagereka, Garazi; Espinoza, Huascar; de la Vara, Jose Luis; Larrucea, Xabier; Tecnalia Research & Innovation; QuantumReuse of systems and subsystem is a common practice in safety-critical systems engineering. Reuse can improve system development and assurance, and there are recommendations on reuse for some domains. Cross-domain reuse, in which a previously certified product typically needs to be assessed against different safety standards, has however received little attention. No guidance exists for this reuse scenario despite its relevance in industry, thus practitioners need new means to tackle it. This paper aims to fill this gap by presenting a systematic approach for reuse of safety certification artefacts across standards and domains. The approach is based on the analysis of the similarities and on the specification of maps between standards. These maps are used to determine the safety certification artefacts that can be reused from one domain to another and reuse consequences. The approach has been validated with practitioners in a case study on the reuse of an execution platform from railway to avionics. The results show that the approach can be effectively applied and that it can reduce the cost of safety certification across standards and domains. Therefore, the approach is a promising way of making cross-domain reuse more cost-effective in industry.Item Service Level Agreement-based GDPR Compliance and Security assurance in (multi)Cloud-based systems(2019-06-01) Rios Velasco, Erkuden; Iturbe, Eider; Larrucea, Xabier; Rak, Massimiliano; Mallouli, Wissam; Dominiak, Jacek; Muntes, Victor; Matthews, Peter; Gonzalez Moctezuma, Luis; Gonzalez, Luis; Tecnalia Research & Innovation; CIBERSEC&DLTCompliance with the new European General Data Protection Regulation (Regulation (EU) 2016/679) and security assurance are currently two major challenges of Cloud-based systems. GDPR compliance implies both privacy and security mechanisms definition, enforcement and control, including evidence collection. This paper presents a novel DevOps framework aimed at supporting Cloud consumers in designing, deploying and operating (multi)Cloud systems that include the necessary privacy and security controls for ensuring transparency to end-users, third parties in service provision (if any) and law enforcement authorities. The framework relies on the risk-driven specification at design time of privacy and security level objectives in the system Service Level Agreement (SLA) and in their continuous monitoring and enforcement at runtime.Item Survival studies based on ISO/IEC29110: Industrial experiences: Industrial experiences(2018-11) Larrucea, Xabier; Santamaria, Izaskun; Tecnalia Research & Innovation; SWTVery small organizations are suffering when they embark on software process improvement initiatives such as CMMI-DEV or ISO/IEC 15504-5. The ISO/IEC29110 basic profile has been defined as solution for these small companies, and literature related to this standard provides some insights on the potential results and benefits for VSEs. In this sense, two of the topics which have not been deeply studied yet are the survival analysis of VSEs, and an analysis of ISO/IEC29110 basic profile areas. In fact, this paper provides a survival analysis of 90 improvement initiatives, and an analysis of the ISO/IEC29110 basic profile areas. Non-parametric and semi parametric models are used in order to analyse survivability and we analyse project management and software implementation practices defined by ISO/IEC29110 basic profile