A popular form of software reuse involves linking open source software (OSS) libraries hosted on centralized code repositories, such as Maven or PyPI. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. As recent events such as the LeftPad incident, which led to hundreds of thousands of websites to stop working, and the Equifax data breach, which led to a leak of hundreds of thousands of credit card numbers, have demonstrated, dependencies on networks of external libraries can introduce to projects significant operational and compliance risks as well as difficult to assess security implications. Solving these problems would boost the efficiency and production quality of software development companies by allowing them to reuse OSS code with confidence, covering a large untapped potential. To address this situation, the FASTEN project introduces fine-grained, method-level, tracking of dependencies on top of existing dependency management networks. Specifically, the project will introduce a service that tracks dependencies at the method call-graph level and performs sophisticated analyses of i) security vulnerability propagation, ii) licensing compliance, and iii) dependency risk profiles. To facilitate adoption, FASTEN will bring those analyses to the hands of developers by integrating the analysis service to popular package managers, for the Java, C, and Python programming languages. The project consortium comprises world-leading experts on ecosystem analysis, graph processing, and software risk and compliance assessment, along with established OSS community integrators and managers.

Release early, release often. Such is the mantra of IT giants like Twitter or Netflix. Pioneers in the engineering of applications that run in the cloud now routinely perform hundreds of code updates per day in what has become a thrust of continuous delivery around the clock. This stunning agility is a decisive competitive edge. It cuts time-to-market and hikes revenue. Behind the feat lies DevOps. This powerful development methodology brings high degrees of automation at all steps of construction and deployment. DevOps has gained more traction in the USA than in Europe and concern is raised that European companies may be “missing the train”. Their disinclination is thought to reflect a different cultural attitude toward risk. Indeed, a hasty deployment may propagate a regression bug into production due to lack of sufficient testing. Fear of breaking things is all the more justified as testing in DevOps mostly relies on manual effort. Leveraging advanced research in automatic test generation, STAMP aims at pushing automation in DevOps one step further through innovative methods of test amplification. It will reuse existing assets (test cases, API descriptions, dependency models), in order to generate more test cases and test configurations each time the application is updated. Acting at all steps of development cycle, it will bring amplification services at unit level, configuration level and production stage. STAMP will raise confidence and foster adoption of DevOps by the European IT industry. The project gathers 3 academic partners with strong software testing expertise, 5 software companies (in: e-Health, Content Management, Smart Cities and Public Administration), and an open source consortium. This industry-near research addresses concrete, business-oriented objectives. All solutions are open source and developed as microservices to facilitate exploitation, with a target at TRL 6.