Proposals for student selection

DEI - FCTUC
Generated on 2024-07-16 10:32:08 (Europe/Lisbon).

Internship Title

2024/25_N15 Secure Software Development Lifecycle - SSDLC

Internship Location

Altice Labs

Background

Security is an essential part of any application that contains critical functionality or personal/sensitive data. Recent cyber attacks (such as the MOVEit and AT&T attacks) and the approval of stricter regulations (such as the European GDPR and the NIS2 Directive) put tremendous pressure on industries to assure the security of their products and services. Security applies at every phase of the software development life cycle (SDLC), from requirements gathering through to deployment and maintenance of the application. It includes educating developers on secure coding best practices and the available security frameworks, conducting an architecture risk analysis at the start, considering security when planning and building test cases, and using tools for automated security tests in the CI/CD pipeline. With dedicated effort, security issues can be addressed in the SDLC pipeline well before deployment to production. This reduces the risk of security vulnerabilities reaching the application and minimizes their impact when they are found.

Objective

The main goal of this project is to improve the secure software development lifecycle methodology currently recommended at Altice Labs. Some work has already been done on comparing and selecting open-source tools for static analysis, dependency analysis, and dynamic analysis. This project should continue that work by adding to the comparison open-source tools for interactive analysis and commercial tools for static analysis, dependency analysis, dynamic analysis, and interactive analysis. Additionally, the project should establish effective rules to be applied in Altice Labs' CI/CD pipelines as security gates, taking into account the inputs and outputs of the selected tools. The proposed tools and security gates should then be applied to the CI/CD pipeline of an Altice Labs application.
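As an added example of the kind of security gate the objective describes (this is not code from the proposal or from Altice Labs' pipelines): many SAST and SCA scanners can emit SARIF, and GitHub code scanning ingests it, so a gate that consumes SARIF enforces one threshold policy regardless of which tool is eventually selected. The tool name, rule ids, report contents and thresholds below are constructed assumptions.

```python
import json
import sys

# SARIF result levels, lowest to highest severity (the ranking is an assumed policy).
LEVELS = ("none", "note", "warning", "error")

def count_findings(sarif: dict) -> dict:
    """Count unsuppressed results per level across all runs in a SARIF 2.1.0 report.
    A result with no "level" inherits its rule's defaultConfiguration level; SARIF
    specifies "warning" when neither is present."""
    counts = dict.fromkeys(LEVELS, 0)
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {rule["id"]: rule for rule in driver.get("rules", [])}
        for result in run.get("results", []):
            if result.get("suppressions"):  # already triaged (accepted risk / false positive)
                continue
            level = result.get("level")
            if level is None:
                rule = rules.get(result.get("ruleId"), {})
                level = rule.get("defaultConfiguration", {}).get("level", "warning")
            counts[level] = counts.get(level, 0) + 1
    return counts

def gate(sarif: dict, max_errors: int = 0, max_warnings: int = 5) -> tuple[bool, str]:
    """Return (passed, reason); the thresholds are an assumed policy to tune per pipeline."""
    counts = count_findings(sarif)
    if counts["error"] > max_errors:
        return False, f"FAIL: {counts['error']} error-level finding(s), limit {max_errors}"
    if counts["warning"] > max_warnings:
        return False, f"FAIL: {counts['warning']} warning-level finding(s), limit {max_warnings}"
    return True, f"PASS: {counts}"

# Constructed SARIF excerpt standing in for a scanner's report (not real tool output).
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "EX-SQLI", "defaultConfiguration": {"level": "error"}},
        {"id": "EX-SECRET", "defaultConfiguration": {"level": "warning"}}]}},
    "results": [
        {"ruleId": "EX-SQLI", "message": {"text": "SQL query built by string concatenation"}},
        {"ruleId": "EX-SECRET", "level": "warning", "message": {"text": "token literal in source"}},
        {"ruleId": "EX-SQLI", "level": "error", "message": {"text": "triaged finding"},
         "suppressions": [{"kind": "inSource"}]}]}]}

if __name__ == "__main__":
    # Usage (hypothetical file name): python sarif_gate.py [report.sarif]; non-zero exit blocks the stage.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, reason = gate(report)
    print(reason)
    sys.exit(0 if passed else 1)
```

In a GitHub Actions job the script would run as a step after the scanner uploads its SARIF, so a failing exit code stops the workflow before deployment.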

Work Plan - Semester 1

Review the selected tools for CI/CD security;
Research, compare, and select new promising open-source tools for interactive analysis;
Research, compare, and possibly select commercial tools for CI/CD security;
Define rules to be applied in CI/CD pipelines as security gates, considering Altice Labs' needs;
Write a report.

Work Plan - Semester 2

Test the selected tools and defined rules in the context of an Altice Labs application;
Write a final report with the main findings of the project.

Conditions

Integration into Inova-Ria's GENIUS Research Program.
Promoting entity: Inova-Ria
Host organization: Altice Labs
Possibility of a research grant (GENIUS Program) during the dissertation project, with integration into an R&D team at Altice Labs.
The grant amount follows the FCT tables (see the PDF at www.Inova-Ria.pt).
Period according to the University's framework.
- Timetable: According to university framework
- Format: hybrid or remote (to be arranged)
- Means: allocation of a laptop PC and access to the Altice Labs internal network
- Welcome Kit
- Onboarding in the Altice Labs teams, with the assignment of a full-time tutor
- Possibility of taking part in all the knowledge-sharing or entertainment initiatives carried out by Altice Labs
- Possibility of joining the company's staff

Interested students should send the following to genius@inova-ria.pt, with Dr. Regina Maia Sacchetti (963618710) in cc:
- Curriculum Vitae;
- Subjects taken so far, with grades; a simple electronic document, obtainable from the academic portal.

Selection process: an Inova-Ria GENIUS PROGRAM interview, in which the project supervisor takes part in order to clarify the issues involved.


Remarks

Innovative Aspects
Software supply chain security;
CI/CD pipeline security;
Automated validation of security best practices in modern architectures (e.g., Kubernetes).

Tools to be used
GitHub and GitHub Actions;
CI/CD Security Tools (SAST, SCA, DAST, IAST).

Bibliographic References
https://www.trio.dev/blog/secure-sdlc
https://www.hackedu.com/blog/what-is-the-s-sdlc-or-secure-sdlc
https://books.google.pt/books?id=HmtgEAAAQBAJ&lpg=PT161&dq=Dagda%20containers%20notifications&hl=pt-PT&pg=PA1#v=onepage&q&f=false
https://www.synopsys.com/blogs/software-security/integrating-automated-ast-tools/

Key Skills Required
Security knowledge, more specifically regarding DevSecOps and security in the CI/CD pipeline;
Critical thinking;
Good communication skills.

Supervisor (name and e-mail)
Mafalda Nunes - mafalda-g-nunes@alticelabs.com
Paulo Vieira - paulo-m-vieira@alticelabs.com
To apply, send your application by e-mail to the GENIUS Program: genius@inova-ria.pt
