Proposal without an assigned student

DEI - FCTUC
Generated on 2024-05-19 07:04:52 (Europe/Lisbon).

Internship Title

PASSWORD & SECRET MANAGEMENT

Internship Location

The place and duration of the internship shall be flexible enough to adjust to the requirements established by the university.

Background

Passwords are one of the most common methods of authentication there is. Managing passwords is already complex when a single user is responsible only for their own password, but today people may be responsible for managing from tens to hundreds of different passwords, each with different characteristics and sensitivities. A "password" is a type of information usually called a secret, meaning that its value lies in who knows it and who does not. Encryption keys and other authentication secrets, such as those used by machines and services, are other types of secrets, with different usages, characteristics and risks. The general management of secrets is already hard for typical users, and becomes overwhelmingly complex within the scope of development, configuration and operation of software systems. A project might include several different types of secrets: encryption keys, authentication keys for APIs, administrative passwords for operating systems and devices, even in-memory session IDs or random URLs and tokens, all of which can give rise to vulnerabilities if not managed correctly. In addition, all these different secrets may have to be changed whenever there is suspicion of compromise (or even proactively, to avoid the risk) and may have different expiration times depending on the risks they are subjected to. To complicate matters, all these aspects depend on whether the secret is personal (e.g. passwords) or not (e.g. authentication secrets and administrative passwords). The goal of the internship is to research and document the ways secrets are used within the development and operation of software systems. It will be important that the research focuses on real use cases of secrets and that the lifecycle, storage and manipulation of secrets are systematized and documented.
This systematization enables the study of the risks associated with those lifecycles and, therefore, the identification of the industry and standards security best practices suggested to mitigate those risks, along with their drawbacks. Finally, the student will select one or more of the prevalent use cases that occur in the management of secrets within CRITICAL Software development projects and propose a practical mitigation for the risks associated with them. The mitigation can be a solution of any form, which may include processes or even the acquisition of systems such as Azure Key Vault or other alternatives, open source or not. The solution should be implemented and tested in real case scenarios, and should also be evaluated, taking into consideration its usability, security, cost and applicability.

Main Keywords: Cyber Security, Password, Authentication, Encryption keys, Password management, Secret management
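The lifecycle ideas above (personal versus non-personal secrets, expiration that depends on risk, forced replacement on suspected compromise, decommissioning) can be made concrete with a small inventory model. The following Python is an added illustration written for this page, not code from the proposal or from CRITICAL Software; the secret kinds, the maximum-age policy values, the sample inventory and the `NOW` timestamp are all constructed for the example. The inventory deliberately stores only a fingerprint of each secret, never the value, so the register of secrets is not itself a secret store.

```python
"""Toy secret inventory: create, detect rotation needs, rotate, retire.
Added example for illustration; all policy values below are constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Kind(Enum):
    PERSONAL_PASSWORD = "personal password"     # known by one person
    API_KEY = "API key"                         # held by a service
    ENCRYPTION_KEY = "encryption key"
    ADMIN_PASSWORD = "administrative password"  # shared, non-personal


# Constructed example policy (not from any standard): maximum age before a
# secret must be replaced. Shared, non-personal secrets get shorter lifetimes
# because they are copied between people, machines and configuration files.
MAX_AGE = {
    Kind.PERSONAL_PASSWORD: timedelta(days=365),
    Kind.API_KEY: timedelta(days=90),
    Kind.ENCRYPTION_KEY: timedelta(days=180),
    Kind.ADMIN_PASSWORD: timedelta(days=30),
}

# Constructed reference instant used by the sample inventory below.
NOW = datetime(2024, 5, 19, tzinfo=timezone.utc)


def fingerprint(value: str) -> str:
    """The inventory records a hash of the value, never the value itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


@dataclass
class SecretRecord:
    name: str
    kind: Kind
    holder: str                     # person or service that knows the value
    created_at: datetime
    fingerprint: str
    compromised: bool = False
    retired: bool = False
    history: list = field(default_factory=list)  # (timestamp, event) audit trail

    def expired(self, now: datetime) -> bool:
        return now - self.created_at > MAX_AGE[self.kind]

    def needs_rotation(self, now: datetime) -> bool:
        # Suspected compromise forces replacement regardless of age;
        # retired secrets are out of scope.
        return not self.retired and (self.compromised or self.expired(now))


def create(name, kind, holder, now, value=None) -> SecretRecord:
    value = value if value is not None else secrets.token_urlsafe(32)
    rec = SecretRecord(name, kind, holder, now, fingerprint(value))
    rec.history.append((now, "created"))
    return rec


def rotate(rec: SecretRecord, now: datetime, reason: str) -> str:
    """Replace the value, restart its clock and clear the compromise flag.
    Returns the new value so the caller can deliver it to the holder."""
    new_value = secrets.token_urlsafe(32)
    if fingerprint(new_value) == rec.fingerprint:
        raise RuntimeError("rotation reproduced the previous value")
    rec.fingerprint = fingerprint(new_value)
    rec.created_at = now
    rec.compromised = False
    rec.history.append((now, f"rotated: {reason}"))
    return new_value


def retire(rec: SecretRecord, now: datetime) -> None:
    rec.retired = True
    rec.history.append((now, "retired"))


def rotation_report(inventory, now: datetime) -> dict:
    """Names of secrets due for replacement, grouped by the reason."""
    report = {"compromised": [], "expired": []}
    for rec in inventory:
        if rec.needs_rotation(now):
            report["compromised" if rec.compromised else "expired"].append(rec.name)
    return report


def build_example_inventory(now: datetime = NOW) -> list:
    """Constructed sample: one overdue API key, one fresh personal password,
    one recently issued but compromised admin password, one retired key."""
    token = create("ci-deploy-token", Kind.API_KEY, "ci-runner", now - timedelta(days=120))
    login = create("alice-login", Kind.PERSONAL_PASSWORD, "alice", now - timedelta(days=30))
    admin = create("router-admin", Kind.ADMIN_PASSWORD, "netops", now - timedelta(days=10))
    admin.compromised = True                      # e.g. seen in a shared chat log
    old_key = create("old-key", Kind.ENCRYPTION_KEY, "svc", now - timedelta(days=400))
    retire(old_key, now)                          # decommissioned: no longer tracked for rotation
    return [token, login, admin, old_key]


if __name__ == "__main__":
    inventory = build_example_inventory()
    print(rotation_report(inventory, NOW))
```

Running the module reports `ci-deploy-token` as expired and `router-admin` as compromised, while the fresh personal password and the retired key are left alone; rotating a record clears it from the report. Which kinds, lifetimes and triggers a real policy should use is exactly the question the internship is meant to systematize.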

Objective

The main goal of this internship is to research and document, in a structured form, as many use cases of secrets management as possible found in the development and operation of software systems, including the configuration of infrastructure components such as backend services, network devices and cloud elements. As a basis, the student should use a sample of real projects and extensive literature research. The use cases of secret management should be characterized in terms of the lifecycle and risks associated with them, and the best practices and solutions commonly used as mitigation strategies. The internship should also devise the proposal of a solution for the management of secrets within a typical development project of CRITICAL Software. The solution may include already available tools, such as Azure Key Vault, or the proposal and/or implementation of other complementary tools, commercial or not.

Work Plan - Semester 1

First Semester:
1. Research, investigate and identify the most common types of secrets and their lifecycle in terms of their most important characteristics. Include the use cases of secrets in infrastructure (users, devices, network elements) and cloud (accounts and services), from creation to storage, communication, replacement and decommissioning [months 1-4]
2. Conduct a survey of the approaches to secret handling taken in CSW projects, identifying their pros and cons and the risks associated with each management strategy. [months 2-5]
3. Investigate and document the standards and best practices most commonly used to address the risks of secret management in all phases of software development, including infrastructure, cloud and other critical assets involved [months 3-6]
4. Write the report. [months 1-6]

Work Plan - Semester 2

Second Semester:
5. Perform a wide search of technical and procedural solutions applicable to the risks that exist in CRITICAL projects [months 7-8]
6. Propose and implement one or more solutions to significant selected risks [months 8-9]
7. Evaluate the results in terms of, at least, usability, security, cost and applicability. [months 10-11]
8. Write the final report [months 7-12]

Conditions

CRITICAL Software is looking for a student with basic training in computer engineering who has the software development knowledge inherent to the functions to be performed in the context of the proposed dissertation; no previous professional experience is required. In selecting the candidate, CRITICAL Software takes into account not only their technical skills but also their behavioral skills, with the two categories of skills being evaluated with similar importance. It is also expected that the candidate is motivated to join the training and follow-up program proposed by CRITICAL Software. In addition, interest, curiosity and the will to learn and gain knowledge within the area of cybersecurity are highly valued.

Remarks

MONTHLY REMUNERATION
CRITICAL Software will pay a net monthly remuneration of 450 euros for a full-time internship (40h/week), or the proportional value for part-time internships.

COMPANY ADVISOR
The internship will be accompanied by an engineer or technical manager from the project, complementing the academic advisory.

CONFIDENTIALITY
The project information shared by CRITICAL Software in the scope of the internship, including technical or management documents, diagrams, code or any other information, must be treated with the maximum confidentiality. The intern will sign a Non-Disclosure Agreement.

APPLICATIONS AND QUESTIONS
Applications and questions may be sent to Csw-recruitment (csw-recruitment@criticalsoftware.com). Candidates should send a CV and a motivational letter.

Supervisor

Afonso Neto
Afonso.Neto@criticalsoftware.com