Parisa Elahidoost,Daniel Mendez,Michael Unterkalmsteiner,Jannik Fischbach,Christian Feiler,Jonathan Streit

2024-05-05

Abstract:[Context and motivation]: Understanding and interpreting regulatory norms and inferring software requirements from them is a critical step towards regulatory compliance, a matter of significant importance in various industrial sectors. [Question/ problem]: However, interpreting regulations still largely depends on individual legal expertise and experience within the respective domain, with little to no systematic methodologies and supportive tools to guide this practice. In fact, research in this area is too often detached from practitioners' experiences, rendering the proposed solutions not transferable to industrial practice. As we argue, one reason is that we still lack a profound understanding of industry- and domain-specific practices and challenges. [Principal ideas/ results]: We aim to close this gap and provide such an investigation at the example of the banking and insurance domain. We conduct an industrial multi-case study as part of a long-term academia-industry collaboration with a medium-sized software development and renovation company. We explore contemporary industrial practices and challenges when inferring requirements from regulations to support more problem-driven research. Our study investigates the complexities of requirement engineering in regulatory contexts, pinpointing various issues and discussing them in detail. We highlight the gathered insights and the practical challenges encountered and suggest avenues for future research. [Contribution]: Our contribution is a comprehensive case study focused on the FinTech domain, offering a detailed understanding of the specific needs within this sector. We have identified key practices for managing regulatory requirements in software development, and have pinpointed several challenges. We conclude by offering a set of recommendations for future problem-driven research directions.

Software Engineering

Oleksandr Kosenkov,Parisa Elahidoost,Tony Gorschek,Jannik Fischbach,Daniel Mendez,Michael Unterkalmsteiner,Davide Fucci,Rahul Mohanani

DOI: https://doi.org/10.1016/j.infsof.2024.107622

IF: 3.9

2024-11-13

Information and Software Technology

Abstract:Context: As the diversity and complexity of regulations affecting Software-Intensive Products and Services (SIPS) is increasing, software engineers need to address the growing regulatory scrutiny. We argue that, as with any other non-negotiable requirements, SIPS compliance should be addressed early in SIPS engineering—i.e., during requirements engineering (RE). Objectives: In the conditions of the expanding regulatory landscape, existing research offers scattered insights into regulatory compliance of SIPS. This study addresses the pressing need for a structured overview of the state of the art in software RE and its contribution to regulatory compliance of SIPS. Method: We conducted a systematic mapping study to provide an overview of the current state of research regarding challenges, principles, and practices for regulatory compliance of SIPS related to RE. We focused on the role of RE and its contribution to other SIPS lifecycle process areas. We retrieved 6914 studies published from 2017 (January 1) until 2023 (December 31) from four academic databases, which we filtered down to 280 relevant primary studies. Results: We identified and categorized the RE-related challenges in regulatory compliance of SIPS and their potential connection to six types of principles and practices addressing challenges. We found that about 13.6% of the primary studies considered the involvement of both software engineers and legal experts in developing principles and practices. About 20.7% of primary studies considered RE in connection to other process areas. Most primary studies focused on a few popular regulation fields (privacy, quality) and application domains (healthcare, software development, avionics). Our results suggest that there can be differences in terms of challenges and involvement of stakeholders across different fields of regulation. Conclusion: Our findings highlight the need for an in-depth investigation of stakeholders' roles, relationships between process areas, and specific challenges for distinct regulatory fields to guide research and practice.

computer science, information systems, software engineering

Ze Shi Li,Colin Werner,Neil Ernst,Daniela Damian

DOI: https://doi.org/10.1016/j.infsof.2022.106868

IF: 3.9

2022-06-01

Information and Software Technology

Abstract:Context: Complying with privacy regulations has taken on new importance with the introduction of the EU’s General Data Protection Regulation (GDPR) and other privacy regulations. Privacy measures are becoming a paramount requirement demanding software organizations’ attention as recent privacy breaches such as the Capital One data breach affected millions of customers. Software organizations, however, struggle with achieving privacy compliance. In particular, there is a lack of research into the organizational practices and challenges involved in compliance, particularly for small and medium enterprises (SMEs), which represent a sizeable portion of organizations. Many SMEs use a continuous software engineering (CSE) approach, which introduces additional adoption and application challenges. For example, the fast pace of CSE makes it harder for SMEs that are already more resource constrained to prioritize non-functional requirements such as privacy. Objective: This paper aims to fill a gap in the under-researched area of continuous compliance with privacy requirements in practice, by investigating how a continuous practicing SME dealt with GDPR compliance. Method: Using design science, we conducted an in-depth ethnographically informed study over the span of 16 months and iteratively developed two artifacts to help address the organization’s challenges in addressing GDPR compliance. Results: We identified 3 main challenges that our collaborating organization experienced when trying to comply with the GDPR. To help mitigate the challenges, we developed two design science artifacts, which include a list of privacy requirements that operationalized the GDPR principles for automated verification, and an automated testing tool that helps to verify these privacy requirements. We validated these artifacts through close collaboration with our partner organization and applying our artifacts to the partner organization’s system. Conclusions: We conclude with a discussion of opportunities and obstacles in leveraging CSE to achieve continuous compliance with the GDPR. We also highlight the importance of building a shared understanding of privacy non-functional requirements and how risk management plays an important role in an organization’s GDPR compliance.

computer science, information systems, software engineering

Sallam Abualhaija,Marcello Ceci,Lionel Briand

2024-02-17

Abstract:Modern software has been an integral part of everyday activities in many disciplines and application contexts. Introducing intelligent automation by leveraging artificial intelligence (AI) led to break-throughs in many fields. The effectiveness of AI can be attributed to several factors, among which is the increasing availability of data. Regulations such as the general data protection regulation (GDPR) in the European Union (EU) are introduced to ensure the protection of personal data. Software systems that collect, process, or share personal data are subject to compliance with such regulations. Developing compliant software depends heavily on addressing legal requirements stipulated in applicable regulations, a central activity in the requirements engineering (RE) phase of the software development process. RE is concerned with specifying and maintaining requirements of a system-to-be, including legal requirements. Legal agreements which describe the policies organizations implement for processing personal data can provide an additional source to regulations for eliciting legal requirements. In this chapter, we explore a variety of methods for analyzing legal requirements and exemplify them on GDPR. Specifically, we describe possible alternatives for creating machine-analyzable representations from regulations, survey the existing automated means for enabling compliance verification against regulations, and further reflect on the current challenges of legal requirements analysis.

Software Engineering,Artificial Intelligence

Oleksandr Kosenkov,Michael Unterkalmsteiner,Daniel Mendez,Jannik Fischbach

2024-09-11

Abstract:Context: Regulations, such as the European Accessibility Act (EAA), impact the engineering of software products and services. Managing that impact while providing meaningful inputs to development teams is one of the emerging requirements engineering (RE) challenges. Problem: Enterprises conduct Regulatory Impact Analysis (RIA) to consider the effects of regulations on software products offered and formulate requirements at an enterprise level. Despite its practical relevance, we are unaware of any studies on this large-scale regulatory RE process. Methodology: We conducted an exploratory interview study of RIA in three large enterprises. We focused on how they conduct RIA, emphasizing cross-functional interactions, and using the EAA as an example. Results: RIA, as a regulatory RE process, is conducted to address the needs of executive management and central functions. It involves coordination between different functions and levels of enterprise hierarchy. Enterprises use artifacts to support interpretation and communication of the results of RIA. Challenges to RIA are mainly related to the execution of such coordination and managing the knowledge involved. Conclusion: RIA in large enterprises demands close coordination of multiple stakeholders and roles. Applying interpretation and compliance artifacts is one approach to support such coordination. However, there are no established practices for creating and managing such artifacts.

Software Engineering,Computers and Society

Fabiola Moyón,Daniel Méndez Fernández,Kristian Beckers,Sebastian Klepper

DOI: https://doi.org/10.1007/978-3-030-64148-1_5

2021-05-28

Abstract:Integrating security into agile software development is an open issue for research and practice. Especially in strongly regulated industries, complexity increases not only when scaling agile practices but also when aiming for compliance with security standards. To achieve security compliance in a large-scale agile context, we developed S2C-SAFe: An extension of the Scaled Agile Framework that is compliant to the security standard IEC~62443-4-1 for secure product development. In this paper, we present the framework and its evaluation by agile and security experts within Siemens' large-scale project ecosystem. We discuss benefits and limitations as well as challenges from a practitioners' perspective. Our results indicate that \ssafe contributes to successfully integrating security compliance with lean and agile development in regulated environments. We also hope to raise awareness for the importance and challenges of integrating security in the scope of Continuous Software Engineering.

Software Engineering

Shabnam Hassani,Mehrdad Sabetzadeh,Daniel Amyot,Jain Liao

2024-04-23

Abstract:As software-intensive systems face growing pressure to comply with laws and regulations, providing automated support for compliance analysis has become paramount. Despite advances in the Requirements Engineering (RE) community on legal compliance analysis, important obstacles remain in developing accurate and generalizable compliance automation solutions. This paper highlights some observed limitations of current approaches and examines how adopting new automation strategies that leverage Large Language Models (LLMs) can help address these shortcomings and open up fresh opportunities. Specifically, we argue that the examination of (textual) legal artifacts should, first, employ a broader context than sentences, which have widely been used as the units of analysis in past research. Second, the mode of analysis with legal artifacts needs to shift from classification and information extraction to more end-to-end strategies that are not only accurate but also capable of providing explanation and justification. We present a compliance analysis approach designed to address these limitations. We further outline our evaluation plan for the approach and provide preliminary evaluation results based on data processing agreements (DPAs) that must comply with the General Data Protection Regulation (GDPR). Our initial findings suggest that our approach yields substantial accuracy improvements and, at the same time, provides justification for compliance decisions.

Software Engineering

Nadzeya Kiyavitskaya,Nicola Zeni,Travis D. Breaux,Annie I. Antón,James R. Cordy,Luisa Mich,John Mylopoulos

DOI: https://doi.org/10.1007/978-3-540-87877-3_13

2008-01-01

Abstract:Government regulations are increasingly affecting the security, privacy and governance of information systems in the United States, Europe and elsewhere. Consequently, companies and software developers are required to ensure that their software systems comply with relevant regulations, either through design or re-engineering. We previously proposed a methodology for extracting stakeholder requirements, called rights and obligations, from regulations. In this paper, we examine the challenges to developing tool support for this methodology using the Cerno framework for textual semantic annotation. We present the results from two empirical evaluations of a tool called “Gaius T.” that is implemented using the Cerno framework and that extracts a conceptual model from regulatory texts. The evaluation, carried out on the U.S. HIPAA Privacy Rule and the Italian accessibility law, measures the quality of the produced models and the tool’s effectiveness in reducing the human effort to derive requirements from regulations.

Florian Angermeir,Jannik Fischbach,Fabiola Moyón,Daniel Mendez

2024-08-01

Abstract:Context: Continuous Software Engineering is increasingly adopted in highly regulated domains, raising the need for continuous compliance. Adherence to especially security regulations -- a major concern in highly regulated domains -- renders Continuous Security Compliance of high relevance to industry and research. Problem: One key barrier to adopting continuous software engineering in the industry is the resource-intensive and error-prone nature of traditional manual security compliance activities. Automation promises to be advantageous. However, continuous security compliance is under-researched, precluding an effective adoption. Contribution: We have initiated a long-term research project with our industry partner to address these issues. In this manuscript, we make three contributions: (1) We provide a precise definition of the term continuous security compliance aligning with the state-of-art, (2) elaborate a preliminary overview of challenges in the field of automated continuous security compliance through a tertiary literature study, and (3) present a research roadmap to address those challenges via automated continuous security compliance.

Software Engineering

Giedre Sabaliauskaite,Annabella Loconsole,Emelie Engström,Michael Unterkalmsteiner,Björn Regnell,Per Runeson,Tony Gorschek,Robert Feldt

DOI: https://doi.org/10.1007/978-3-642-14192-8_14

2023-07-24

Abstract:[Context and motivation] When developing software, coordination between different organizational units is essential in order to develop a good quality product, on time and within budget. Particularly, the synchronization between requirements and verification processes is crucial in order to assure that the developed software product satisfies customer requirements. [Question/problem] Our research question is: what are the current challenges in aligning the requirements and verification processes? [Principal ideas/results] We conducted an interview study at a large software development company. This paper presents preliminary findings of these interviews that identify key challenges in aligning requirements and verification processes. [Contribution] The result of this study includes a range of challenges faced by the studied organization grouped into the categories: organization and processes, people, tools, requirements process, testing process, change management, traceability, and measurement. The findings of this study can be used by practitioners as a basis for investigating alignment in their organizations, and by scientists in developing approaches for more efficient and effective management of the alignment between requirements and verification.

Software Engineering

Joschka A. HüllmannKariko KimathiPauline WeritzIndustrial Engineering and Business Information Systems,University of Twente,Enschede,The NetherlandsJoschka A. Hüllmann is assistant professor of Information Systems at the University of Twente in the Netherlands. His research addresses the interface between the development and organizational use of management information systems and their impact on work and the workplace. He is a recognized expert in the analysis and theorizing of digital traces. The results of his research have been published in IEEE Transactions,Information Technology & People,Deutscher Wirtschaftsdienst,and in the proceedings of all leading information systems conferences. Before his academic career,Joschka Hüllmann worked as a software developer in the fields of renewable energies and public transport.Kariko Kimathi is a master's student in Business Information Technology at the University of Twente,with a specialization in Data Science & Business. Through work experience at a leading telecommunications company and a top management consultancy he has developed an understanding of agile practices in large enterprises,a topic that is central to his current research. His interest in data science is complemented by a passion for entrepreneurship. He aims to apply analytical rigor to innovative business strategies.Pauline Weritz is an assistant professor for Organizational Behavior,Change Management,and Consultancy in the Industrial Engineering and Business Information Systems Section at the University of Twente in the Netherlands. She completed her Ph.D. (cum laude) at Ramon Llull University in Spain and has been a visiting researcher at Boston College. With her background in Psychology and Management,Pauline's research focuses on the interface of Organizational Behavior and Information Systems. Her work has been published in journals such as the European Journal of Information Systems,Information Systems Journal,and Business Strategy and the Environment.

DOI: https://doi.org/10.1080/10580530.2024.2349886

2024-05-10

Information Systems Management

Abstract:While agile project management offers benefits such as faster time to market and improved collaboration, scaling it to larger projects presents challenges, particularly in safety-critical industries. This research provides insights into the resistance to agile adoption due to regulatory constraints and other barriers. The findings contribute to information systems literature by identifying four challenges (organizational, technological, behavioral, regulatory) and complementing solutions to show how large-scale agile can work in safety-critical industries.

computer science, information systems

Ville T. Heikkilä,Maria Paasivaara,Casper Lasssenius,Daniela Damian,Christian Engblom

DOI: https://doi.org/10.1007/s10664-016-9491-z

IF: 3.762

2017-01-10

Empirical Software Engineering

Abstract:In a large organization, informal communication and simple backlogs are not sufficient for the management of requirements and development work. Many large organizations are struggling to successfully adopt agile methods, but there is still little scientific knowledge on requirements management in large-scale agile development organizations. We present an in-depth study of an Ericsson telecommunications node development organization which employs a large scale agile method to develop telecommunications system software. We describe how the requirements flow from strategy to release, and related benefits and problems. Data was collected by 43 interviews, which were analyzed qualitatively. The requirements management was done in three different processes, each of which had a different process model, purpose and planning horizon. The release project management process was plan-driven, feature development process was continuous and implementation management process was agile. The perceived benefits included reduced development lead time, increased flexibility, increased planning efficiency, increased developer motivation and improved communication effectiveness. The recognized problems included difficulties in balancing planning effort, overcommitment, insufficient understanding of the development team autonomy, defining the product owner role, balancing team specialization, organizing system-level work and growing technical debt. The study indicates that agile development methods can be successfully employed in organizations where the higher level planning processes are not agile. Combining agile methods with a flexible feature development process can bring many benefits, but large-scale software development seems to require specialist roles and significant coordination effort.

computer science, software engineering

Lucas Franke,Huayu Liang,Sahar Farzanehpour,Aaron Brantly,James C. Davis,Chris Brown

2024-06-21

Abstract:Background: Governments worldwide are considering data privacy regulations. These laws, e.g. the European Union's General Data Protection Regulation (GDPR), require software developers to meet privacy-related requirements when interacting with users' data. Prior research describes the impact of such laws on software development, but only for commercial software. Open-source software is commonly integrated into regulated software, and thus must be engineered or adapted for compliance. We do not know how such laws impact open-source software development. Aims: To understand how data privacy laws affect open-source software development. We studied the European Union's GDPR, the most prominent such law. We investigated how GDPR compliance activities influence OSS developer activity (RQ1), how OSS developers perceive fulfilling GDPR requirements (RQ2), the most challenging GDPR requirements to implement (RQ3), and how OSS developers assess GDPR compliance (RQ4). Method: We distributed an online survey to explore perceptions of GDPR implementations from open-source developers (N=56). We further conducted a repository mining study to analyze development metrics on pull requests (N=31462) submitted to open-source GitHub repositories. Results: GDPR policies complicate open-source development processes and introduce challenges for developers, primarily regarding the management of users' data, implementation costs and time, and assessments of compliance. Moreover, we observed negative perceptions of GDPR from open-source developers and significant increases in development activity, in particular metrics related to coding and reviewing activity, on GitHub pull requests related to GDPR compliance. Conclusions: Our findings motivate policy-related resources and automated tools to support data privacy regulation implementation and compliance efforts in open-source software.

Software Engineering

Guillaume Nguyen,Manon Knockaert,Michael Lognoul,Xavier Devroey

2024-12-05

Abstract:While procedures prevail on the European market for the greater good of its citizens, it might be daunting when trying to introduce a product, whether innovative or not. In the current world, Cyber-Physical Systems (CPSs) are ubiquitous in our daily lives. Cars can provide intrusive assistance as they can brake or turn wheels on their own, buildings are getting smarter to optimize energy consumption, smart cities are emerging to facilitate information sharing and orchestrate the response to emergency situations, etc. As the presence of such tools will grow in the coming years and people will rely even more on CPSs, we certainly need to ensure that they are safe and reliable for users or everybody else, which is why regulations are so important. However, compliance should not act as a barrier to new actors coming to the European market. Nor should it prevent current actors from keeping systems deemed compliant when introduced while obsolete at the time they are used. While the individual elements we point out might not bring novelty in the various research areas we cover (EU policies, requirements engineering, business engineering, and software engineering), this paper identifies the challenges related to building and testing a CPS with respect to applicable laws and discusses the difficulty of automating the response to those challenges, such as finding a relevant legal text, paying for mentioned materials or identifying the level of compliance to a legal text. Our analysis of the holistic context when considering the compliance testing of CPS provides an overview enabling more effective decision-making as well.

Software Engineering,Computers and Society,Systems and Control

Hugo A. López,Thomas T. Hildebrandt

2024-10-14

Abstract:Digitalization efforts often face a key challenge: business processes must not only be efficient in achieving their goals but also adhere to legal regulations. Business process compliance refers to aligning processes with these regulations. Numerous frameworks have been developed to address this, with the earliest dating back to 1981. This study focuses on rigorous frameworks using formal methods to verify or ensure compliance. We conducted a systematic literature review (SLR) on process compliance frameworks based on formal models. Our goal was to assess the current state of research on process model compliance and identify gaps and opportunities for future work. Starting with 5018 candidate studies from 1981 to the establishment of GDPR, we selected 46 primary studies. These frameworks were categorized by their phases, the languages used for processes and compliance, and their reasoning techniques. We also examined their practical applicability, the case studies they were tested on, the types of users involved, and the skills needed for compliance. Also, we assessed the maturity of each framework. Our findings reveal strong consensus around verification techniques as central to process compliance, though there is less agreement on the earlier and later phases of compliance. Model checking is the dominant technique, but the compliance and process languages have evolved. Most frameworks are still conceptual with prototype implementations, often failing to account for compliance professionals like legal experts or law changes. In conclusion, there is a need for comprehensive empirical studies to better understand the anatomy and maturity of regulatory compliance frameworks, and for robust evaluation methods to benchmark these frameworks. This review offers valuable insights for researchers and practitioners in process compliance.

Software Engineering

Jan-Philipp Steghöfer,Eric Knauss,Jennifer Horkoff,Rebekka Wohlrab

DOI: https://doi.org/10.48550/arXiv.1911.12590

2019-11-28

Software Engineering

Abstract:Automotive companies increasingly adopt scaled agile methods to allow them to deal with their organisational and product complexity. Suitable methods are needed to ensure safety when developing automotive systems. On a small scale, R-Scrum and SafeScrum are two concrete suggestions for how to develop safety-critical systems using agile methods. However, for large-scale environments, existing frameworks like SAFe or LeSS do not support the development of safety-critical systems out of the box. We, therefore, aim to understand which challenges exist when developing safety-critical systems within large-scale agile industrial settings, in particular in the automotive domain. Based on an analysis of R-Scrum and SafeScrum, we conducted a focus group with three experts from industry to collect challenges in their daily work. We found challenges in the areas of living traceability, continuous compliance, and organisational flexibility. Among others, organisations struggle with defining a suitable traceability strategy, performing incremental safety analysis, and with integrating safety practices into their scaled way of working. Our results indicate a need to provide practical approaches to integrate safety work into large-scale agile development and point towards possible solutions, e.g., modular safety cases. Keywords: Scaled Agile, Safety-Critical Systems, Software Processes, R-Scrum, SafeScrum

Shabnam Hassani

2024-04-27

Abstract:This research explores the application of Large Language Models (LLMs) for automating the extraction of requirement-related legal content in the food safety domain and checking legal compliance of regulatory artifacts. With Industry 4.0 revolutionizing the food industry and with the General Data Protection Regulation (GDPR) reshaping privacy policies and data processing agreements, there is a growing gap between regulatory analysis and recent technological advancements. This study aims to bridge this gap by leveraging LLMs, namely BERT and GPT models, to accurately classify legal provisions and automate compliance checks. Our findings demonstrate promising results, indicating LLMs' significant potential to enhance legal compliance and regulatory analysis efficiency, notably by reducing manual workload and improving accuracy within reasonable time and financial constraints.

Software Engineering,Artificial Intelligence

Tiago Espinha Gasiba,Kristian Beckers,Santiago Suppan,Filip Rezabek

DOI: https://doi.org/10.48550/arXiv.2101.02100

2021-01-06

Software Engineering

Abstract:Teaching industry staff on cybersecurity issues is a fundamental activity that must be undertaken in order to guarantee the delivery of successful and robust products to market. Much research attention has been devoted to this topic over the last years. However, the research which has been done has not focused on developing secure code in industrial environments. In this paper we take a look at the constraints and requirements for delivering a training, by means of cybersecurity challenges, that covers secure coding topics from an industry perspective. Using requirements engineering, we aim at understanding the design requirements for such challenges. Along the way, we give details on our experience of delivering cybersecurity challenges in an industrial setting and show the outcome and lessons learned. The proposed requirements for cybersecurity challenges geared towards software developers in an industrial environment are based on systematic literature review, interviews with security experts from the industry and semi-structured evaluation of participant feedback.

Nan Zhang,Rami Bahsoon,Nikos Tziritas,Georgios Theodoropoulos

2023-10-11

Abstract:Engineering regulatory compliance in complex Cyber-Physical Systems (CPS), such as smart warehouse logistics, is challenging due to the open and dynamic nature of these systems, scales, and unpredictable modes of human-robot interactions that can be best learnt at runtime. Traditional offline approaches for engineering compliance often involve modelling at a higher, more abstract level (e.g. using languages like SysML). These abstract models only support analysis in offline-designed and simplified scenarios. However, open and complex systems may be unpredictable, and their behaviours are difficult to be fully captured by abstract models. These systems may also involve other business goals, possibly conflicting with regulatory compliance. To overcome these challenges, fine-grained simulation models are promising to complement abstract models and support accurate runtime predictions and performance evaluation with trade-off analysis. The novel contribution of this work is a Digital Twin-oriented architecture for adaptive compliance leveraging abstract goal modelling, fine-grained agent-based modelling and runtime simulation for managing compliance trade-offs. A case study from smart warehouse logistics is used to demonstrate the approach considering safety and productivity trade-offs.

Systems and Control

Chen Zhi,Shuiguang Deng,Jianwei Yin,Min Fu,Hai Zhu,Yuanping Li,Tao Xie

DOI: https://doi.org/10.1109/apsec48747.2019.00028

2019-01-01

Abstract:To assure high software quality for large-scale industrial software systems, traditional approaches of software quality assurance, such as software testing and performance engineering, have been widely used within Alibaba, the world's largest retailer, and one of the largest Internet companies in the world. However, there still exists a high demand for software quality assessment to achieve high sustainability of business growth and engineering culture in Alibaba. To address this issue, we develop an industrial solution for software quality assessment by following the GQM paradigm in an industrial setting. Moreover, we integrate multiple assessment methods into our solution, ranging from metric selection to rating aggregation. Our solution has been implemented, deployed, and adopted at Alibaba: (1) used by Alibaba's Business Platform Unit to continually monitor the quality for 60+ core software systems; (2) used by Alibaba's R&D Efficiency Unit to support group-wide quality-aware code search and automatic code inspection. This paper presents our proposed industrial solution, including its techniques and industrial adoption, along with the lessons learned during the development and deployment of our solution.