Periodic Reporting for period 2 - VeriDevOps (VeriDevOps)
Periodo di rendicontazione: 2022-04-01 al 2024-01-31
The total number of software vulnerabilities has grown dramatically since 2002. Furthermore, the average time to close or patch a vulnerability may reach 67 days, which leads to a high threat for organizations and may even threaten human life. That is why elaborated security mechanisms must be properly implemented prior to deployment in order to provide an effective level of protection against threats. In the embedded software domain, security vulnerabilities can cause losses for end-users as well as a drastic increase in costs for both production and maintenance.
VeriDevOps aims at bringing together fast and cost-effective security verification through formal modelling and verification, as well as test generation, selection, execution and analysis capabilities to enable companies to deliver quality systems with confidence in a fast-paced DevOps environment. In addition, the formalization of requirements is still a very human-intensive activity; much information is informally exchanged among the engineers and due to this, most verification activities cannot be automated and need human intervention. We argue that this formalization of security requirements and the creation of environment and system models could increase the product quality, and make the development and operation more efficient and less costly. Thus, the key challenge of the project is to automatically express and manage security requirements in an effective and unambiguous way, such that both engineers and stakeholders have a common understanding of their content.
In order to save time and lower the effort for adjusting the prevention and protection mechanisms,VeriDevOps automates the specification and analysis of requirements with security relevance, testing of system realizations, and the integration of these techniques and tools with current VeriDevops practices in industry: Analysis and formalization of a textual description of security requirements from several sources, automated configuration of trace monitors, automated test generation for attacks based on the formal specification of security requirements, automated design and code checks and methods for threat detection and analysis.
VeriDevOps aims at bringing together fast and cost-effective security verification through formal modelling and verification, as well as test generation, selection, execution and analysis capabilities to enable companies to deliver quality systems with confidence in a fast-paced DevOps environment. In addition, the formalization of requirements is still a very human-intensive activity; much information is informally exchanged among the engineers and due to this, most verification activities cannot be automated and need human intervention. We argue that this formalization of security requirements and the creation of environment and system models could increase the product quality, and make the development and operation more efficient and less costly. Thus, the key challenge of the project is to automatically express and manage security requirements in an effective and unambiguous way, such that both engineers and stakeholders have a common understanding of their content.
In order to save time and lower the effort for adjusting the prevention and protection mechanisms,VeriDevOps automates the specification and analysis of requirements with security relevance, testing of system realizations, and the integration of these techniques and tools with current VeriDevops practices in industry: Analysis and formalization of a textual description of security requirements from several sources, automated configuration of trace monitors, automated test generation for attacks based on the formal specification of security requirements, automated design and code checks and methods for threat detection and analysis.
The project has started with the analysis of the state-of-the-art and definition of the case studies through elicitation of the requirements. As a result, the consortium has conducted an open research workshop with more than 30 participants including external experts in related domains such as requirements extraction, security and verification. This event showed a great interest in the VeriDevOps related areas and provided an opportunity to build a community. The workshop has gathered interest to publish a joint book on the related research topics and industrial practice. Furthermore, for the requirements elicitation the technology provider partners have conducted several experiments. In particular, the partners gather open security requirements datasets to enable natural language processing (NLP) methods for safety and security requirements extraction and classification. In addition, partners analysed and wire-prototyped examples to demonstrate usage of model-based techniques in safety and security properties design and verification. The project partners also investigated formalizing and detecting inconsistencies for safety and security requirements. Finally, the trace analysis examples helped to clarify the requirements on protocol-based anomaly detection. The partners specified complementary case studies covering safety and security aspects in several application contexts such as industrial control systems, industrial IoT and data analytic platforms
VeriDevOps, as a European collaborative research project, enables time gains by automatically translating security requirements to formal specifications. Also, the formal specifications contribute both at operations, as a mean to trace the anomalies, and at development, as an enabler for automated verification. To this extent, we are going to advance the state of the art by tailoring formal verification of security requirements to DevOps and real-world CD pipelines.
Furthermore, our ambition is focused on studying knowledge extraction methods for formalization of the textual description into a security requirement by applying the modern Natural Language Processing models. In vulnerability scanning, we target a system represented by a collection of micro services that will process in real-time a set of events in the environment and outside for detecting an incident or threat. With respect to security incidents, detection and reaction VeriDevOps addresses updating the risk assessment at run-time based on data that is continuously collected through monitoring. VeriDevOps targets to develop specific test generation and selection methods based on formal specifications that can be used for model-based security testing given generic security models.
It has an impact on the European Industry. Indeed, it involves end-users from the beginning, so that the resulting tools are suitable for the needs of the end-users. In order to foster project cooperation among partners and stimulate the incubation of new ideas and technologies.
Furthermore, our ambition is focused on studying knowledge extraction methods for formalization of the textual description into a security requirement by applying the modern Natural Language Processing models. In vulnerability scanning, we target a system represented by a collection of micro services that will process in real-time a set of events in the environment and outside for detecting an incident or threat. With respect to security incidents, detection and reaction VeriDevOps addresses updating the risk assessment at run-time based on data that is continuously collected through monitoring. VeriDevOps targets to develop specific test generation and selection methods based on formal specifications that can be used for model-based security testing given generic security models.
It has an impact on the European Industry. Indeed, it involves end-users from the beginning, so that the resulting tools are suitable for the needs of the end-users. In order to foster project cooperation among partners and stimulate the incubation of new ideas and technologies.