CyberSecurity in a DevOps Environment: From Requirements to Monitoring

CyberSecurity in a DevOps Environment: From Requirements to Monitoring

This book provides an overview of software security analysis in a DevOps cycle including requirements formalisation, verification and continuous monitoring. It presents an overview of the latest techniques and tools that help engineers and developers verify the security requirements of large-scale industrial systems and explains novel methods that enable a faster feedback loop for verifying security-related activities, which rely on techniques such as automated testing, model checking, static analysis, runtime monitoring, and formal methods. The book consists of three parts, each covering a different aspect of security engineering in the DevOps context. The first part, "Security Requirements", explains how to specify and analyse security issues in a formal way. The second part, "Prevention at Development Time", offers a practical and industrial perspective on how to design, develop and verify secure applications. The third part, "Protection at Operations", eventually introduces tools for continuous monitoring of security events and incidents. Overall, it covers several advanced topics related to security verification, such as optimizing security verification activities, automatically creating verifiable specifications from security requirements and vulnerabilities, and using these security specifications to verify security properties against design specifications and generate artifacts such as tests or monitors that can be used later in the DevOps process. The book aims at computer engineers in general and does not require specific knowledge. In particular, it is intended for software architects, developers, testers, security professionals, and tool providers, who want to define, build, test, and verify secure applications, Web services, and industrial systems. This book provides an overview of software security analysis in a DevOps cycle including requirements formalisation, verification and continuous monitoring. It presents an overview of the latest techniques and tools that help engineers and developers verify the security requirements of large-scale industrial systems and explains novel methods that enable a faster feedback loop for verifying security-related activities, which rely on techniques such as automated testing, model checking, static analysis, runtime monitoring, and formal methods. The book consists of three parts, each covering a different aspect of security engineering in the DevOps context. The first part, "Security Requirements", explains how to specify and analyse security issues in a formal way. The second part, "Prevention at Development Time", offers a practical and industrial perspective on how to design, develop and verify secure applications. The third part, "Protection at Operations", eventually introducestools for continuous monitoring of security events and incidents. Overall, it covers several advanced topics related to security verification, such as optimizing security verification activities, automatically creating verifiable specifications from security requirements and vulnerabilities, and using these security specifications to verify security properties against design specifications and generate artifacts such as tests or monitors that can be used later in the DevOps process. The book aims at computer engineers in general and does not require specific knowledge. In particular, it is intended for software architects, developers, testers, security professionals, and tool providers, who want to define, build, test, and verify secure applications, Web services, and industrial systems. Andrey Sadovykh is a senior researcher at Softeam/DocaPoste, part of the French La Poste group. For many years, he has led research activities on model-driven engineering applied to various areas from cyber-physical systems to cloud applications. Recently, his main focus is on requirements engineering with regards to automated analysis of security requirements, lightweight formalisation and validation with automated tests. He is the technical coordinator of the European collaborative research project on cyber security - VeriDevOps. Dragos Truscan is a senior lecturer in Software Engineering at Åbo Akademi University, Finland. He has obtained a doctoral degree from the same university on topics related to model-driven development of programmable protocol processors. Over the last decade his research focused on model-based and ML/AI-based techniques for testing functional and non-functional properties of software intensive systems. The main emphasis of hiswork was on deploying such techniques to industrial settings. Wissam Mallouli is currently the CTO of Montimage, Paris, France. His expertise covers continuous risk management, test and monitoring of critical systems and networks including industrial systems, cloud-based systems, IoT and 4G/5G networks. He is working in several collaborative European research projects and has more than 70 scientific publications at conferences and in journa