Application Security Policy and Framework

Develop and implement a framework for the management of information security risks applicable to applications.


The project objective is to develop and implement a framework for managing information security risks at the application level. The framework shall cover: a) a specification of the different types of applications (e.g. internet-facing vs. internal applications) and delivery models (e.g. internally developed, third-party software, software-as-a-service) used by Critical Software, together with their inherent security risks; b) the identification and specification of the information security requirements that must be met for each application type and delivery model; and c) the methods and tools that shall be used to assess compliance with those security requirements and to identify and remediate security vulnerabilities during application development, at implementation, and continuously thereafter.
The security requirements shall cover internally defined requirements driven by business needs or based on industry best practices, as well as regulatory requirements, with special attention given to the European Union (EU) General Data Protection Regulation (GDPR).

▪ T1: Gather and understand application security best practices and recognized frameworks (e.g. OWASP, SANS, COBIT). Understand the different types of application architecture used at Critical Software and assess the inherent risks applicable to each type.
▪ T2: Develop a corporate application security policy which sets the principles, rules and requirements that must be met during the development and implementation of corporate applications. Develop a testing framework which specifies the methods and tools that shall be used to assess compliance with security requirements and to identify and remediate security vulnerabilities during application development, at implementation, and continuously thereafter.
▪ T3: Evaluate technical tools and solutions that can be used to test whether applications comply with security requirements (e.g. static security source code scanning, dynamic security scanning) and to continuously detect application security vulnerabilities (e.g. application vulnerability scanning).
▪ T4: For a sample of corporate applications, perform an application vulnerability assessment using tools and/or manual verification; identify security vulnerabilities and propose recommendations to mitigate them.
▪ T5: Prepare the project dissertation.


Critical Software is looking for a student with a background in computer engineering who has the technical software development knowledge required for the duties to be performed in the context of the proposed dissertation; no prior professional experience is required.
When selecting a candidate, Critical Software takes into account not only their technical skills but also their behavioural skills, with both categories of skills being weighted with similar importance. The candidate is also expected to be motivated to join the training and mentoring programme proposed by Critical Software.
It should be noted that, in the context of a dissertation, the main benefits the student can obtain are associated with the acquisition of scientific knowledge and the development of skills relevant to their professional integration.
The dissertation project will be supervised by a Critical Software engineer, complementing the supervision provided by the educational institution. The student will join the team and have access to the full training, mentoring and performance evaluation programme that comes with this scheme.


