Cybersecurity in a Devops Environment: From Requirements to Monitoring

Sadovykh, Andrey, Truscan, Dragos, Mallouli, Wissam

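  • Publisher: Springer
  • Publication date: 2023-12-16
  • Price: $8,240
  • VIP price: $7,828 (95% of list price)
  • Language: English
  • Pages: 324
  • Binding: Hardcover - also called cloth, retail trade, or trade
  • ISBN: 3031422112
  • ISBN-13: 9783031422119
  • Related categories: DevOps, Information Security
  • Overseas purchase-on-behalf title (requires separate checkout)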

Product description

This book provides an overview of software security analysis in a DevOps cycle including requirements formalisation, verification and continuous monitoring. It presents an overview of the latest techniques and tools that help engineers and developers verify the security requirements of large-scale industrial systems and explains novel methods that enable a faster feedback loop for verifying security-related activities, which rely on techniques such as automated testing, model checking, static analysis, runtime monitoring, and formal methods.

The book consists of three parts, each covering a different aspect of security engineering in the DevOps context. The first part, "Security Requirements", explains how to specify and analyse security issues in a formal way. The second part, "Prevention at Development Time", offers a practical and industrial perspective on how to design, develop and verify secure applications. The third part, "Protection at Operations", finally introduces tools for continuous monitoring of security events and incidents. Overall, it covers several advanced topics related to security verification, such as optimizing security verification activities, automatically creating verifiable specifications from security requirements and vulnerabilities, and using these security specifications to verify security properties against design specifications and generate artifacts such as tests or monitors that can be used later in the DevOps process.

The book is aimed at computer engineers in general and does not require specific knowledge. In particular, it is intended for software architects, developers, testers, security professionals, and tool providers who want to define, build, test, and verify secure applications, Web services, and industrial systems.

Part I: Security Requirements Engineering

1 Taxonomy of Vulnerabilities, Attacks, and Security Solutions in Industrial PLCs

Eduard Paul Enoiu, Kejsi Biçoku, Cristina Seceleanu, and Michael Felderer

2 Natural Language Processing with Machine Learning for Security Requirements Analysis: Practical Approaches

Andrey Sadovykh, Kirill Yakovlev, Alexandr Naumchev, and Vladimir Ivanov

3 Security Requirements Formalization with RQCODE

Andrey Sadovykh, Nan Messe, Ildar Nigmatullin, Sophie Ebersold, Maria Naumcheva, and Jean-Michel Bruel

Part II: Prevention at Development Time

4 Vulnerability Detection and Response: Current Status and New Approaches

Ángel Longueira-Romero, Rosa Iglesias, Jose Luis Flores, and Iñaki Garitano

5 Metamorphic Testing for Verification and Fault Localization in Industrial Control Systems

Gaadha Sudheerbabu, Tanwir Ahmad, Dragos Truscan, and Jüri Vain

6 Interactive Application Security Testing with Hybrid Fuzzing and Statistical Estimators

Ramon Barakat, Jasper von Blanckenburg, Roman Kraus, Fabian Jezuita, Steffen Lüdtke, and Martin A. Schneider

Part III: Protection at Operations

7 CTAM: A Tool for Continuous Threat Analysis and Management

Laurens Sion, Dimitri Van Landuyt, Koen Yskout, Stef Verreydt, and Wouter Joosen

8 EARLY: A Tool for Real-Time Security Attack Detection

Tanwir Ahmad, Dragos Truscan, and Jüri Vain

9 A Stream-Based Approach to Intrusion Detection

Sylvain Hallé

10 Toward Anomaly Detection Using Explainable AI

Manh-Dung Nguyen, Vinh-Hoa La, Wissam Mallouli, Ana Rosa Cavalli, and Edgardo Montes de Oca


About the authors

Andrey Sadovykh is a senior researcher at Softeam/DocaPoste, part of the French La Poste group. For many years, he has led research activities on model-driven engineering applied to various areas from cyber-physical systems to cloud applications. Recently, his main focus has been on requirements engineering with regard to automated analysis of security requirements, lightweight formalisation and validation with automated tests. He is the technical coordinator of the European collaborative research project on cyber security, VeriDevOps.

Dragos Truscan is a senior lecturer in Software Engineering at Åbo Akademi University, Finland. He obtained a doctoral degree from the same university on topics related to model-driven development of programmable protocol processors. Over the last decade his research has focused on model-based and ML/AI-based techniques for testing functional and non-functional properties of software-intensive systems. The main emphasis of his work has been on deploying such techniques in industrial settings.

Wissam Mallouli is currently the CTO of Montimage, Paris, France. His expertise covers continuous risk management, test and monitoring of critical systems and networks including industrial systems, cloud-based systems, IoT and 4G/5G networks. He is working in several collaborative European research projects and has more than 70 scientific publications at conferences and in journals.

Ana Rosa Cavalli is emeritus professor and research director of Montimage SME. From 1985 to 1990, she was a researcher in the Languages and Switch Systems department at CNET (Centre National d'Etudes des Telecommunications), where she worked on software engineering and formal methods. She had been Full Professor at TELECOM SudParis and since 1990 the director of the Software for Networks department. Her research interests include formal modelling, testing methodologies for active testing and monitoring techniques, validation of security properties and their application to services and protocols.

Cristina Seceleanu is Associate Professor and Docent at Mälardalen University (MDU), Sweden. She is the research leader of the Computer and Data Science research direction, and co-leader of the Formal Modeling and Analysis of Embedded Systems research group at MDU. Her research interests lie in formal modelling and verification of real-time, adaptive, and autonomous cyber-physical systems. Her latest work focuses on combining machine learning and model checking for scalable verification of autonomous systems, verification of industrial-scale Simulink models, model-based testing, and formal assurance of 5G-based eHealth systems.

Alessandra Bagnato is a research scientist and Research Responsible at Softeam Software, Docaposte Group. There she leads the Softeam Software Modelio team research activities around innovative model-driven engineering methods. Her main research interests include cloud computing models, services and architectures, software engineering in the context of big data, cyber-physical systems design, security and data privacy.


