What is VeriDevOps?
VeriDevOps brings together fast security verification through formal modelling and verification as well as test generation, selection, execution and analysis capabilities to enable companies to deliver quality systems with confidence in a fast-paced DevOps environment. It offers fast and cost-effective formal security verification and test automation, thus significantly improving DevOps processes. Overall, VeriDevOps uses the results of formal verification of security requirements to generate tests and monitors that enhance the feedback mechanisms during the development and operation phases.
What is our goal?
VeriDevOps focuses on addressing the challenges of automation of verification methods and intelligent monitoring for prevention and protection of modern complex industrial systems. The innovation will be enabled by leveraging formal specifications of security requirements automatically generated using Natural Language Processing (NLP) and pattern-based approaches. Our goal is to provide a way of preventing inconsistencies from propagating into operations and identifying the faults that could be introduced in the requirements.
The key challenge of the project is to automatically express and manage security requirements in an effective and unambiguous way, such that both engineers and stakeholders have a common understanding of their content. Once these security requirements are unambiguously specified and decomposed, one needs to verify that the realizations comply with the required security behavior, using formal verification and testing for both protection and prevention.
DevOps is about fast, flexible system engineering that efficiently integrates development, delivery, and operations, thus aiming at quality deliveries with short cycle time to address ever-evolving challenges. Current system development practices are increasingly based on using both off-the-shelf and legacy components, which makes such systems prone to security vulnerabilities. More often than not, the number of security scenarios to be ensured explodes.
For example, in the embedded software domain, the number of system interactions with the environment that are subject to security attacks is increasing and may result in security vulnerabilities that can cause not only losses for end-users but also a drastic increase in production and maintenance costs, especially if iterations are long and feedback comes late. In such cases, traditional security verification approaches do not support a continuous feedback loop. As numerous examples show, security is an aspect that has to be addressed holistically from the early phases of the development process and ensured across all phases of DevOps.
Moreover, security quality attributes are often treated after delivery at the code or infrastructure level with specific patches, while it is generally agreed that those attributes need to be addressed at the design level. Since DevOps promotes frequent software deliveries, the artifacts of verification methods should be updated in a timely fashion to cope with the pace of the process.
The VeriDevOps project will develop technologies for a smooth and automatic workflow allowing verification of security in VeriDevOps environments. To this end, we will deliver methods and tools that facilitate fast feedback of verification results in development-operation engineering of industrial systems. VeriDevOps brings together European industrial and academic communities to develop and demonstrate VeriDevOps technologies ranging from processes and methodologies to tools and demonstrators.
VeriDevOps will also establish regular networking with embedded systems/CPS/IoT/cybersecurity communities. Besides that, VeriDevOps will participate in roadmapping activities in cooperation with other related projects and with testing and security communities. VeriDevOps expects to be able to present a substantial contribution to achieving what we believe are the underlying benefits with regard to the EC targets.