Submitted Proposals

DEI - FCTUC
Generated on 2024-04-25 18:17:05 (Europe/Lisbon).

Internship Title

PASSWORD & SECRET MANAGEMENT

Areas of Specialisation

Software Engineering

Internship Location

The place and duration of the internship shall be flexible enough to adjust to the requirements established by the university.

Background

Passwords are one of the most common authentication methods. Managing passwords is already complex when a single user is responsible for their own password, but today a person may be responsible for tens to hundreds of different passwords, each with different characteristics and sensitivity. A password is a type of information usually called a secret: its value lies in who knows it and who does not. Encryption keys and other authentication secrets, such as those used by machines and services, are further kinds of secrets, each with its own usage, characteristics and risks.
Managing secrets in general is already hard for typical users, and becomes overwhelmingly complex in the development, configuration and operation of software systems. A single project may involve several types of secrets: encryption keys, authentication keys for APIs, administrative passwords for operating systems and devices, even in-memory session IDs or random URLs and tokens, all of which can give rise to vulnerabilities if not managed correctly. In addition, all these secrets may have to be replaced whenever compromise is suspected (or proactively, to limit the window of exposure) and may have different expiration times depending on the risks they are exposed to. To complicate matters, all of these aspects depend on whether the secret is personal (e.g. a user's password) or not (e.g. machine authentication secrets and administrative passwords).
The goal of the internship is to research and document how secrets are used in the development and operation of software systems. It is important that the research focuses on real use cases of secrets and that the lifecycle, storage and handling of secrets are systematized and documented. This systematization makes it possible to study the risks associated with those lifecycles and, therefore, to identify the industry and standards security best practices proposed to mitigate those risks, along with their drawbacks.
Finally, the student will select one or more of the prevalent use cases of secrets management within CRITICAL Software development projects and propose a practical mitigation of the associated risks. The mitigation may take any form, including processes or even the acquisition of systems such as Azure Key Vault or other alternatives, open source or not. The solution should be implemented and tested in real scenarios, and evaluated in terms of usability, security, cost and applicability.
Main Keywords: Cyber Security, Password, Authentication, Encryption keys, Password management,
Secret management
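The lifecycle sketched above (creation, storage, rotation on expiry or on suspected compromise, and decommissioning, with personal and machine secrets handled differently) can be made concrete in code. The following is an added example written for this page; it is not code from CRITICAL Software nor from any of the tools the proposal mentions. The store, its state names, the `advance()` test hook and the PBKDF2 parameters are illustrative choices, and everything is kept in memory rather than in a vault such as Azure Key Vault.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Kind(Enum):
    PERSONAL = "personal"  # user password: keep only a salted hash, verify on use
    MACHINE = "machine"    # API key / service credential: must be read back in clear

class State(Enum):
    ACTIVE = "active"; EXPIRED = "expired"
    COMPROMISED = "compromised"; RETIRED = "retired"

class SecretUnavailable(Exception): "The secret exists but its current state forbids use."

@dataclass
class SecretRecord:
    name: str
    kind: Kind
    created: datetime
    ttl: timedelta
    state: State = State.ACTIVE
    version: int = 1
    salt: bytes = field(default=b"", repr=False)
    material: bytes = field(default=b"", repr=False)  # hash (personal) or value (machine)
    audit: list = field(default_factory=list)          # (time, version, event) entries

def _hash_password(password, salt):
    # PBKDF2 from the standard library; a real system would rather use argon2id or scrypt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SecretStore:
    """In-memory registry that tracks each secret's lifecycle state and audit trail (illustrative)."""
    def __init__(self):
        self._records, self._offset = {}, timedelta(0)
        self._now = lambda: datetime.now(timezone.utc) + self._offset

    def advance(self, **delta):
        """Test hook: move the store's clock forward, e.g. advance(days=31)."""
        self._offset += timedelta(**delta)

    def _log(self, rec, event):
        rec.audit.append((self._now(), rec.version, event))

    def _set_material(self, rec, value):
        rec.salt = secrets.token_bytes(16)
        rec.material = _hash_password(value, rec.salt) if rec.kind is Kind.PERSONAL else value.encode()

    def create(self, name, kind, ttl_days, password=None):
        """Machine secrets are generated here and handed back in clear exactly once;
        personal ones take the user's password and keep only its hash."""
        value = password if kind is Kind.PERSONAL else secrets.token_urlsafe(32)
        if value is None:
            raise ValueError("personal secrets need the user's password")
        rec = self._records[name] = SecretRecord(name, kind, self._now(), timedelta(days=ttl_days))
        self._set_material(rec, value)
        self._log(rec, "created")
        return value if kind is Kind.MACHINE else None

    def status(self, name):
        # An ACTIVE secret past its TTL flips to EXPIRED when inspected
        rec = self._records[name]
        if rec.state is State.ACTIVE and self._now() >= rec.created + rec.ttl:
            rec.state = State.EXPIRED
            self._log(rec, "expired")
        return rec.state

    def get(self, name):
        """Read a machine secret for use; refuses anything that is not ACTIVE."""
        rec = self._records[name]
        if rec.kind is not Kind.MACHINE:
            raise SecretUnavailable("personal secrets are never read back")
        if self.status(name) is not State.ACTIVE:
            raise SecretUnavailable(f"{name} is {rec.state.value}")
        return rec.material.decode()

    def verify(self, name, candidate):
        # Personal password check: False when wrong, expired, compromised or retired
        rec = self._records[name]
        if rec.kind is not Kind.PERSONAL or self.status(name) is not State.ACTIVE:
            return False
        return secrets.compare_digest(_hash_password(candidate, rec.salt), rec.material)

    def rotate(self, name, password=None, reason="scheduled"):
        """Replace the material and restart the TTL; the previous value stops working."""
        rec = self._records[name]
        if rec.state is State.RETIRED:
            raise SecretUnavailable(f"{name} is retired")
        value = password if rec.kind is Kind.PERSONAL else secrets.token_urlsafe(32)
        if value is None:
            raise ValueError("rotating a personal secret needs the new password")
        self._set_material(rec, value)
        rec.version, rec.created, rec.state = rec.version + 1, self._now(), State.ACTIVE
        self._log(rec, f"rotated ({reason})")
        return value if rec.kind is Kind.MACHINE else None

    def mark_compromised(self, name):
        # Block use at once; only rotate() brings the secret back into service
        rec = self._records[name]
        rec.state = State.COMPROMISED
        self._log(rec, "compromised")

    def retire(self, name):
        """Decommission: drop the material but keep the audit trail."""
        rec = self._records[name]
        rec.state, rec.material = State.RETIRED, b""
        self._log(rec, "retired")
```

The two kinds of secret differ in exactly the way the text describes: a personal password is never read back, only verified against a salted hash, whereas a machine credential has to be returned in clear to the service that uses it, which is why that class of secret needs a vault with access control and an audit trail rather than a hash. Rotation restarts the TTL and invalidates the previous value, marking a secret compromised blocks its use until it is rotated, and retiring it destroys the material while the audit entries remain.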

Objective

The main goal of this internship is to research and document, in a structured form, as many use cases of secrets management as possible found in the development and operation of software systems, including the configuration of infrastructure components such as backend services, network devices and cloud elements. As a basis, the student should use a sample of real projects and extensive literature research. Each use case should be characterized in terms of the lifecycle and risks associated with it, and of the best practices and solutions commonly used as mitigation strategies. The internship should also produce a proposal for a secrets management solution for a typical CRITICAL Software development project. The solution may include already available tools, such as Azure Key Vault, or the proposal and/or implementation of other complementary tools, commercial or not.

Work Plan - Semester 1

First Semester:
1. Research, investigate and identify the most common types of secrets and their lifecycle in terms of their most important characteristics. Include the use cases of secrets in infrastructure (users, devices, network elements) and cloud (accounts and services), from creation to storage, communication, replacement and decommissioning. [months 1-4]
2. Conduct a survey of the approaches to secret handling taken in CSW projects, identifying their pros and cons and the risks associated with each management strategy. [months 2-5]
3. Investigate and document the standards and best practices most commonly used to address the risks of secrets management in all phases of software development, including infrastructure, cloud and other critical assets involved. [months 3-6]
4. Write the report. [months 1-6]

Work Plan - Semester 2

Second Semester:
5. Perform a wide search of technical and procedural solutions applicable to the risks found in CRITICAL projects. [months 7-8]
6. Propose and implement one or more solutions to significant selected risks. [months 8-9]
7. Evaluate the results in terms of, at least, usability, security, cost and applicability. [months 10-11]
8. Write the final report. [months 7-12]

Conditions

CRITICAL Software is looking for a student with basic training in computer engineering who has the software development knowledge inherent to the functions to be performed in the context of the proposed dissertation; no previous professional experience is required.
In selecting the candidate, CRITICAL Software takes into account not only technical skills but also behavioral skills, with the two categories of skills evaluated with similar importance. It is also expected that the candidate is motivated to join the training and follow-up program proposed by CRITICAL Software.
In addition, interest, curiosity and a will to learn and gain knowledge in the area of cybersecurity are highly valued.

Remarks

MONTHLY REMUNERATION
CRITICAL Software will pay a net monthly remuneration of 450 euros for a full-time internship (40h/week), or the proportional value for part-time internships.
COMPANY ADVISOR
The internship will be accompanied by an engineer or technical manager from the project, complementing the academic advisory.
CONFIDENTIALITY
The project information shared by CRITICAL Software in the scope of the internship, including technical or management documents, diagrams, code or any other information, must be treated with the maximum confidentiality. The intern will sign a Non-Disclosure Agreement.
APPLICATIONS AND QUESTIONS
Applications and questions may be sent to Csw-recruitment csw-recruitment@criticalsoftware.com
Candidates should send a CV and a motivation letter.

Supervisor

Afonso Neto
Afonso.Neto@criticalsoftware.com