FSE 2016 Showcase of Software Engineering Best Practices

To meet the ever-increasing demand for better and faster software produced by better and faster developers, practicing software engineers continually innovate and streamline the processes and tools that they use. This track will feature invited presentations by innovative software engineering practitioners. The aim of the track is to promote a dialogue between those at the forefront of the best of software engineering practice and researchers focusing on changing the direction of software engineering.

The talks for the Showcase:


Making Invisible Things Visible: Tracking Down Known Vulnerabilities at 3000 Companies

Gazi Mahmud, Sonatype

This year, software development teams around the world are consuming BILLIONS of open source and third-party components. The good news: they are accelerating time to market. The bad news: 1 in 17 of the components they are using includes known security vulnerabilities. In this talk, I will describe what Sonatype, the company behind The Central Repository that supports Apache Maven, has learned from analyzing how thousands of applications use open source components. I will also discuss how organizations like Mayo Clinic, Exxon, Capital One, the U.S. FDA and Intuit are utilizing the principles of software supply chain automation to improve application security, and how organizations can balance the need for speed with quality and security early in the development cycle.


Gazi Mahmud is a Senior Data Scientist and Lead Architect at Sonatype, where he is responsible for the technical vision for innovation and the architecture design of the data pipeline pertinent to component intelligence and Software Supply Chain principles. He has 17 years of experience in Enterprise Software as a Service (SaaS) architecture and in Information Retrieval theory and practice across the facets of Big Data ecosystems. He holds an MS in Computer Science and a dual Bachelor's degree in Applied Mathematics and Computer Science from the University of California, Berkeley.


Developer Workflow at Google

Caitlin Sadowski, Google

This talk describes the developer workflow at Google, and our use of program analysis, testing, metrics, and tooling to reduce errors when creating and committing changes to source code. Software development at Google has several unique characteristics such as our monolithic codebase and distributed hermetic build system. Changes are vetted both manually, via our internal code review tool, and automatically, via sources such as the Tricorder program analysis platform and our automated testing infrastructure.


Caitlin Sadowski is a Software Engineer in the Developer Infrastructure group at Google. She has worked on a variety of internal developer workflow tools, including tools for reviewing, searching, editing and analyzing source code. She created the Tricorder analysis platform, which analyzes 30k code review changes each workday. She is also the author of several papers related to developer workflow at Google.

Caitlin received her computer science Ph.D. from the University of California at Santa Cruz, where she worked with Cormac Flanagan and Jim Whitehead on a variety of research topics related to Programming Languages, Software Engineering and Human Computer Interaction.


Continuous Mobile Deployment

Tony Savor, Facebook

Continuous deployment is the practice of releasing software to production as soon as it is ready, in short cycles. It is getting widespread adoption in industry and has numerous advantages, including (i) lower risk because of smaller, more incremental changes, (ii) more rapid feedback from end users, and (iii) better ability for the business to respond to threats such as security.

The frequency of updates of mobile software has traditionally lagged the state of practice of cloud-based services. For example, changes can be released almost immediately after development for cloud-based services, while mobile versions can be released only periodically — in the case of iOS, every two weeks. This is further complicated by users having the ability to choose when to upgrade, which causes several different releases to remain in production. There are also hundreds of Android hardware variants, which increases the risk of each release.

Facebook has made significant progress in increasing the frequency of its mobile releases. We describe the mobile release process and its evolution over time. For example, the Android release has gone from a release every 8 weeks to every 1 week over a period of 4 years. We analyzed several software engineering metrics during this period and, for example, found that continuous deployment doesn't directly affect developer productivity or software quality. Increasing the frequency of continuous deployment has forced us to improve release and deployment automation, which reduced developer workload and reduced release-related problems. Dog-fooding, the process of having a release used by alpha or beta customers, is critical to maintaining release quality.


Tony Savor is an Engineering Director at Facebook, where he manages the invention, development and operations of Facebook's online data storage and access infrastructure — some of the largest of its kind in the world. Prior to that, he was CTO of OANDA Corporation, managing the engineering of a trading platform processing billions of dollars per day. He is an Adjunct Professor in the departments of Computer Science and Electrical and Computer Engineering at the University of Toronto, Canada. Dr. Savor holds a PhD in Computer Engineering from the University of Waterloo, Canada.


Model, Execute, and Deploy: Answering the Hard Questions in End-User Programming

Shan Shan Huang, LogicBlox

End-user programming, a frequently recurring dream, has thus far eluded large-scale, complex applications. Very real, hard questions stand in the way of its realization. How can its languages and tools support:

  • The development of applications with large data sets and sophisticated computation?
  • The co-development by end-users and professional developers when the complexity of an application demands it?
  • Beyond development, the maintenance, distribution, monitoring, and integration with other applications and services?

We discuss our approach to these questions, as implemented in the LogicBlox Modeler. We discuss its use in developing applications for governments, major financial institutions, and large global retailers. We highlight the essential synergies between Programming Languages, Software Engineering, and Database research to achieve self-service at scale, and present open questions to which we look to the FSE community for inspiration and solutions.


Shan Shan Huang leads a team of engineers at LogicBlox in pursuit of their shared mission: transforming software development from black art to an accessible form of expression for anyone capable of analytical thought. With her colleagues, she is developing a unified programming environment that is at once a database and a language runtime, with a declarative programming model and spreadsheet-like programmability.

Shan Shan has published in areas spanning programming languages, software engineering, and databases. She maintains her academic ties through research collaborations, service on conference program committees, and speaking engagements at conferences. Shan Shan received her Ph.D. in Computer Science from Georgia Tech and her B.S. in Electrical Engineering and Computer Science from MIT.