Andy Meneely


Research Topics and Projects

Developer Collaboration and Software Security

Behind every piece of software is a team of people. In large software development projects, no single person can possibly know every aspect of the system, so the team must self-organize into various structures of communication and coordination. Lack of team cohesion, miscommunications, and misguided effort can lead to all kinds of problems, including security vulnerabilities. In my research, I focus on examining the statistical relationships between development team structure and security vulnerabilities.

My findings so far have brought up some interesting associations, as well as some predictive models. I have published a few papers on this topic, and I highly recommend glancing at the abstracts to see what kinds of results I've come across.

Software Metrics Validation

Does "lines of code" really measure software size? How do we know? Software metrics have long been studied, but are often criticized for not being fully "validated". Yet, we need some form of software measurement to perform sound statistical research with both practical and theoretical implications. One of the focuses of my research has been examining the philsophical underpinnings of software metrics validation, such as software metrics validation criteria. Stay tuned for publications, but until then, here are some thought-provoking questions that I study:

  • What is the purpose of metrics: to tell us about the very nature of software, or to satisfy specific business goals? What happens if those two interests are in conflict?
  • How many empirical case studies need to be performed to declare a metric "valid"?
  • If a metric is shown to be a predictor of expensive, post-release defects, does it tell us how we should develop software?
  • If I am proposing a new software metric, how should I demonstrate to the research community that it is a valid metric?

Protection Poker

One project I've been involved in is a new agile practice called "Protection Poker". The goal of this "game" is to provide risk assessment for security vulnerabilities in your project while you are developing your software. More importantly, however, Protection Poker provides a way for development teams to have valuable discussions about security concerns of their product. For more information, check out our paper on this.

ROSE: Repository for Open Source Education

In TA'ing for our undergraduate Software Engineering course, I've learned a lot about what it means to use a real(istic) software project in the classroom. The Repository for Open Source Education is a repository of Open Source projects for instructors to aid in that development.

Test-Driven Development

One of my passions in Computer Science is Test-Driven Development. I use it in my everday development whenever possible, and I try to get my students addicted to it whenever I can, too!

CSEET 2008 Website

This isn't really research, but it is a project. I was the webmaster for the CSEET 2008 website.