Abstract Testing software product lines represents a challenging task mainly because there are many derivable products. To facilitate this issue, multiple solutions were developed to reduce the number of products that are tested while maintaining a good percentage of coverage. However, the order of testing products has received little consideration. The purpose of this research is twofold: first, to replicate the results of a previous study (which uses two specific metrics for prioritization, namely, Variability Coverage & Cyclomatic Complexity - VC&CC, and Coefficient of Connectivity-Density - CoC), and second, to investigate two new metrics to be used as prioritization criteria (Ratio of Variability - RoV, and Flexibility of Configuration - FoC). The APFD (Average Percentage of Faults Detected) metric is used to evaluate the results obtained. In the investigation, a set of 9 feature models with various numbers of features, grouped in three intervals, was used. The results show that the original findings are confirmed for all feature models used. Regarding the new criteria used, FoC and RoV outperformed the CoC metric in 6 out of 9 cases, and also obtained the best results in 3 out of 9 cases. In the other 6 out of 9 cases the VC&CC criterion obtained the best results.

Effective test case generation is crucial for ensuring software correctness, whereas generating high-coverage test suites efficiently remains a challenge. Graph transformations provide a formal way to specify and analyse software systems by modeling system operations as transformation rules and constructing a state-based representation of system behavior. Model-based testing (MBT) often uses model checking over this representation to discover execution paths that satisfy certain test requirements. However, such approaches suffer from severe scalability issues due to the rapid growth of the state space and the high computational cost of exhaustive exploration. While optimization-based approaches mitigate these issues by exploring a reduced portion of the state space, they still struggle to scale effectively. MBT approaches using graph transformation faces the same scalability and often face additional challenges due to the richer structural complexity of graph-based models. However, apart from the behavioral information derived from state transitions, graph transformation systems also encode explicit structural relationships between states and transformation rules. These structural characteristics can be used to define and evaluate test objectives. To exploit this, we propose a novel approach based on deep reinforcement learning to generate test suites for systems specified through graph transformations. We use the reward/penalty mechanism of reinforcement learning to optimize the selection of moves within the state space, enabling the generation of test cases based on prior decisions. Our goal is to achieve greater coverage of test objectives while minimizing the size of the test cases. The method has been implemented in GROOVE, an open-source toolset for designing and model checking graph transformation systems. Experimental results on well-known case studies demonstrate that our approach achieves higher coverage with reduced computational cost compared to state-of-the-art techniques.

Abstract The more critical infrastructures (CIs) being digitized, the more vulnerable they are regarding cyber security attacks. Digitisation-leveraging technologies in the Internet of Things (IoT) and Cyber-Physical Systems (CPS) have been largely adopted for CIs, along with the Digital Twin (DT) paradigm. However, the distributed and heterogeneous nature of IoT or CPS poses significant challenges in safeguarding against diverse attack surfaces, including physical devices, network infrastructures, and third-party integration. To tackle these challenges, we propose an AI-driven DT-based security orchestration automation and response framework (SOAR4BC). Gathering system contexts from the DT in combination with security intelligence from the security tools gives us a holistic context for SOAR, which has not been seen in the existing approaches. We leverage this holistic context into the decision-making core, which utilizes advanced algorithms, like deep reinforcement learning, to generate adaptation recommendations based on incident alerts, risk assessments, and system state observations. By rigorously evaluating tampered data and distributed denial of service (DDoS) scenarios, we validate the SOAR4BC framework’s efficacy in handling security incidents leveraging digital twin environments. We further demonstrate real-world applicability through false-data injection and DoS attacks on an operational electric-vehicle charging testbed, confirming the practical effectiveness of SOAR4BC in securing critical infrastructures. Together, these results establish SOAR4BC as a robust and explainable AI-driven SOAR framework that advances the use of digital twins for cybersecurity in IoT and CPS ecosystems, offering actionable contributions for both research and industrial deployment.

Practitioners and researchers continuously focus on developing automation strategies to cope with the exponentially demanding need for the timely deployment of software projects in tight release schedules. Such automation techniques include Infrastructure-as-Code (IaC) and the DevOps and DevSecOps cycles. Recent studies investigated generative AI (GenAI) for generating infrastructure as code scripts. However, no studies have focused on using GenAI to generate IaC scripts based on DevSecOps stage artifacts. Different IaC tools serve varied purposes, requiring specific infrastructure setups for different project stages. We envision GenAI models leveraging artifacts from each DevSecOps stage to create and refine IaC scripts. We trust our approach to have an impact on practitioners to leverage it as an automatic copilot for infrastructure design and deployment, and for researchers to build on our vision and future empirical validation.

Android apps collecting data from users must comply with legal frameworks to ensure data protection. This requirement has become even more important since the implementation of the General Data Protection Regulation (GDPR) by the European Union in 2018. Moreover, with the proposed Cyber Resilience Act on the horizon, stakeholders will soon need to assess software against even more stringent security and privacy standards. Effective privacy assessments require collaboration among groups with diverse expertise to function effectively as a cohesive unit. This paper presents an interview-based study (N=16) exploring the challenges these experts encounter during privacy assessments and their views on automation as potential support. To ground the discussion, we use Assessor View, a prototype developed for this work that integrates static analysis to extract privacy-relevant information directly from Android Application Packages (APKs), as a research probe. Its design provides dedicated views for both technical and non-technical stakeholders, enabling reflection on how automation can enhance assessment practice. Our study identifies key challenges in conducting privacy assessments, including knowledge and communication gaps between experts, the privacy–innovation trade-off, delayed involvement of privacy professionals, and the lack of source code analysis-based tools. The user study conducted alongside the interviews reveals that the GDPR warnings and guidance provided by Assessor View are valuable to Data Protection Officers and privacy experts, and its design is particularly well suited for these stakeholders. Overall, our findings indicate that Assessor View represents a significant step toward improving communication between legal and technical experts and automating privacy assessments.