
CyberSecurity in a DevOps Environment

From Requirements to Monitoring

Product form: Book / Binding: hardcover

This book provides an overview of software security analysis in a DevOps cycle including requirements formalisation, verification and continuous monitoring. It presents an overview of the latest techniques and tools that help engineers and developers verify the security requirements of large-scale industrial systems and explains novel methods that enable a faster feedback loop for verifying security-related activities, which rely on techniques such as automated testing, model checking, static analysis, runtime monitoring, and formal methods. The book consists of three parts, each covering a different aspect of security engineering in the DevOps context. The first part, "Security Requirements", explains how to specify and analyse security issues in a formal way. The second part, "Prevention at Development Time", offers a practical and industrial perspective on how to design, develop and verify secure applications. The third part, "Protection at Operations", finally introduces tools for continuous monitoring of security events and incidents. Overall, it covers several advanced topics related to security verification, such as optimizing security verification activities, automatically creating verifiable specifications from security requirements and vulnerabilities, and using these security specifications to verify security properties against design specifications and generate artifacts such as tests or monitors that can be used later in the DevOps process. The book is aimed at computer engineers in general and does not require specific knowledge.
In particular, it is intended for software architects, developers, testers, security professionals, and tool providers, who want to define, build, test, and verify secure applications, Web services, and industrial systems.

Part I: Security Requirements Engineering

1 Taxonomy of Vulnerabilities, Attacks, and Security Solutions in Industrial PLCs
Eduard Paul Enoiu, Kejsi Biçoku, Cristina Seceleanu, and Michael Felderer

2 Natural Language Processing with Machine Learning for Security Requirements Analysis: Practical Approaches
Andrey Sadovykh, Kirill Yakovlev, Alexandr Naumchev, and Vladimir Ivanov

3 Security Requirements Formalization with RQCODE
Andrey Sadovykh, Nan Messe, Ildar Nigmatullin, Sophie Ebersold, Maria Naumcheva, and Jean-Michel Bruel

Part II: Prevention at Development Time

4 Vulnerability Detection and Response: Current Status and New Approaches
Ángel Longueira-Romero, Rosa Iglesias, Jose Luis Flores, and Iñaki Garitano

5 Metamorphic Testing for Verification and Fault Localization in Industrial Control Systems
Gaadha Sudheerbabu, Tanwir Ahmad, Dragos Truscan, and Jüri Vain

6 Interactive Application Security Testing with Hybrid Fuzzing and Statistical Estimators
Ramon Barakat, Jasper von Blanckenburg, Roman Kraus, Fabian Jezuita, Steffen Lüdtke, and Martin A. Schneider

Part III: Protection at Operations

7 CTAM: A Tool for Continuous Threat Analysis and Management
Laurens Sion, Dimitri Van Landuyt, Koen Yskout, Stef Verreydt, and Wouter Joosen

8 EARLY: A Tool for Real-Time Security Attack Detection
Tanwir Ahmad, Dragos Truscan, and Jüri Vain

9 A Stream-Based Approach to Intrusion Detection
Sylvain Hallé

10 Toward Anomaly Detection Using Explainable AI
Manh-Dung Nguyen, Vinh-Hoa La, Wissam Mallouli, Ana Rosa Cavalli, and Edgardo Montes de Oca

Language(s): English

ISBN: 978-3-031-42211-9 / 978-3031422119 / 9783031422119

Publisher: Springer International Publishing

Publication date: 16.12.2023

Pages: 324

Edition: 1

Edited by Cristina Seceleanu, Ana Rosa Cavalli, Andrey Sadovykh, Dragos Truscan, Wissam Mallouli, Alessandra Bagnato

192,59 € incl. VAT
free shipping

available - delivery time 10-15 working days
