CyberSecurity in a DevOps Environment: From Requirements to Monitoring

This book provides an overview of software security analysis in a DevOps cycle including requirements formalisation, verification and continuous monitoring.  It presents an overview of the latest techniques and tools that help engineers and developers verify the security requirements of large-scale industrial systems and explains novel methods that enable a faster feedback loop for verifying security-related activities, which rely on techniques such as automated testing, model checking, static analysis, runtime monitoring, and formal methods. The book consists of three parts, each covering a different aspect of security engineering in the DevOps context. The first part, "Security Requirements", explains how to specify and analyse security issues in a formal way. The second part, "Prevention at Development Time", offers a practical and industrial perspective on how to design, develop and verify secure applications. The third part, "Protection at Operations", eventually introduces tools for continuous monitoring of security events and incidents. Overall, it covers several advanced topics related to security verification, such as optimizing security verification activities, automatically creating verifiable specifications from security requirements and vulnerabilities, and using these security specifications to verify security properties against design specifications and generate artifacts such as tests or monitors that can be used later in the DevOps process. The book aims at computer engineers in general and does not require specific knowledge. In particular, it is intended for software architects, developers, testers, security professionals, and tool providers, who want to define, build, test, and verify secure applications, Web services, and industrial systems.

Table of Contents:
Part I: Security Requirements Engineering.- 1. A Taxonomy of Vulnerabilities, Attacks, and Security Solutions in Industrial PLCs.- 2. Natural Language Processing with Machine Learning for Security Requirements Analysis - Practical Approaches.- 3. Security Requirements Formalisation with RQCODE.- Part II: Prevention at Development Time.- 4. Vulnerability Detection and Response: Current Status and New Approaches.- 5. Metamorphic Testing for Verification and Fault Localization in Industrial Control Systems.- 6. Interactive Application Security Testing with Hybrid Fuzzing and Statistical Estimators.- Part III: Protection at Operations.- 7. CTAM: a tool for Continuous Threat Analysis and Management.- 8. EARLY - a tool for real-time security attack detection.- 9. A Stream-Based Approach to Intrusion Detection.- 10. Towards Anomaly Detection using Explainable AI. 

About the Author :
Andrey Sadovykh is a senior researcher at Softeam/DocaPoste, part of the French La Poste group. For many years, he has led research activities on model-driven engineering applied to various areas from cyber-physical systems to cloud applications. Recently, his main focus is on requirements engineering with regards to automated analysis of security requirements, lightweight formalisation and validation with automated tests. He is the technical coordinator of the European collaborative research project on cyber security - VeriDevOps. Dragos Truscan is a senior lecturer in Software Engineering at Åbo Akademi University, Finland. He has obtained a doctoral degree from the same university on topics related to model-driven development of programmable protocol processors.  Over the last decade his research focused on model-based and ML/AI-based techniques for testing functional and non-functional properties of software intensive systems. The main emphasis of hiswork was on deploying such techniques to industrial settings. Wissam Mallouli is currently the CTO of Montimage, Paris, France. His expertise covers continuous risk management, test and monitoring of critical systems and networks including industrial systems, cloud-based systems, IoT and 4G/5G networks.  He is working in several collaborative European research projects and has more than 70 scientific publications at conferences and in journals. Ana Rosa Cavalli is emeritus professor and research director of Montimage SME. From 1985 to 1990, she was a researcher in the department Languages and Switch Systems, at CNET (Centre National d'Etudes des Telecommunications), where she worked on software engineering and formal methods. She had been Full Professor at TELECOM SudParis and since 1990 the director of the Software for Networks department. Her research interests are on formal modelling, testing methodologies for active testing and monitoringtechniques, validation of security properties and their application to services and protocols. Cristina Seceleanu is Associate Professor and Docent at Mälardalen University (MDU), Sweden. She is the research leader of the Computer and Data Science research direction, and co-leader of the Formal Modeling and Analysis of Embedded Systems research group at MDU. Her research interests are with formal modelling and verification of real-time, adaptive, and autonomous cyber-physical systems. Her latest work focuses on combining machine learning and model checking for scalable verification of autonomous systems, verification of industrial-scale Simulink models, model-based testing, and formal assurance of 5G-based eHealth systems.  Alessandra Bagnato is a research scientist and Research Responsible at Softeam Software, Docaposte Group. There she leads the Softeam Software Modelio team research activities around innovative model-driven engineering methods. Her main research interests include cloud computing models, services and architectures, software engineering in the context of big data, cyber-physical systems design, security and data privacy.