Submitted Proposals

DEI - FCTUC
Generated on 2025-07-07 02:46:43 (Europe/Lisbon).

Internship Title

2025/26_N32 Secure Coding with Tests Automation

Internship Location

Altice Labs

Background

Ensuring secure software development is a key challenge, especially as applications become more complex and security requirements evolve. While many organizations already implement generic security testing with SAST, SCA, and DAST, there is often a gap in automating security validations based on well-established security standards, such as the OWASP Application Security Verification Standard (ASVS), the OWASP Secure Coding Practices, and the NIST Secure Software Development Framework (SSDF).
By leveraging test automation, organizations can validate secure coding practices programmatically and ensure compliance with security standards without relying solely on manual security reviews. Automated security checks embedded in development workflows can proactively enforce best practices, validate compliance with standard security requirements, and detect security misconfigurations early.

Objective

The main goal of this project is to enhance secure coding practices at Altice Labs by gathering state-of-the-art best practices and developing automated security validation mechanisms that enforce security requirements dynamically throughout the development lifecycle.
The project will focus on:
Automating security validations based on standards like OWASP ASVS, OWASP Secure Coding Practices, and NIST SSDF.
Developing automated test scripts to validate key security requirements (e.g., authentication, access control, session management).
Integrating security validation tests into CI/CD pipelines for continuous security enforcement.
Generating reports and feedback for developers to ensure compliance with secure coding best practices.
Additionally, this project may include exploring AI-assisted security validation techniques to improve detection accuracy and reduce false positives.

Work Plan - Semester 1

Research and document best practices for secure coding and security validations, based on OWASP ASVS and similar standards, identifying which validations can be automated and creating guidelines for developers.
Analyze the existing security analysis processes at Altice Labs.
Write an interim report.

Work Plan - Semester 2

Develop security validation automation scripts to test for common vulnerabilities (e.g., authentication flaws, session management weaknesses, insecure API calls).
Integrate the security validation scripts into the CI/CD workflows of an Altice Labs project to enforce security requirements automatically and evaluate their effectiveness.
Write a final report summarizing results, challenges, and recommendations.
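As an added illustration of the kind of standards-based validation script the two work plans describe (example code written for this page, not code from the proposal or from Altice Labs), the following JavaScript check takes an HTTP response as an end-to-end or API test (e.g., Playwright or apickli) would capture it and validates its session cookie and security headers against requirements from OWASP ASVS 4.0, chapter V3.4 (cookie-based session management) and V14.4 (HTTP security headers). The two response objects are constructed for the example; the requirement numbers and the six-month HSTS reference value are taken from ASVS 4.0. Each finding names the failed requirement, which is the developer feedback the objectives call for, and a CI step would fail the job when the finding list is non-empty.

```javascript
// Added example (not part of the proposal or of Altice Labs' code):
// ASVS-derived checks that a CI job can run over HTTP responses captured
// by an end-to-end or API test. Requirement numbers refer to OWASP ASVS 4.0.

// Parse one Set-Cookie header value into its cookie name and a lower-cased
// attribute map (value-less attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// V3.4 Cookie-based Session Management: every finding names the failed requirement.
function checkSessionCookie(setCookieHeader) {
  const { name, attributes } = parseSetCookie(setCookieHeader);
  const findings = [];
  if (!("secure" in attributes)) findings.push(`${name}: missing Secure attribute (ASVS 3.4.1)`);
  if (!("httponly" in attributes)) findings.push(`${name}: missing HttpOnly attribute (ASVS 3.4.2)`);
  const sameSite = String(attributes.samesite || "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") {
    findings.push(`${name}: SameSite must be Strict or Lax (ASVS 3.4.3)`);
  }
  if (!name.startsWith("__Host-")) findings.push(`${name}: session cookie lacks the __Host- prefix (ASVS 3.4.4)`);
  return findings;
}

// V14.4 HTTP Security Headers. Header names are matched case-insensitively.
function checkSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  const csp = h["content-security-policy"] || "";
  if (!csp) findings.push("missing Content-Security-Policy (ASVS 14.4.3)");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options must be nosniff (ASVS 14.4.4)");
  }
  // ASVS cites max-age=15724800 (six months) as the reference value.
  const maxAge = /max-age=(\d+)/i.exec(h["strict-transport-security"] || "");
  if (!maxAge || Number(maxAge[1]) < 15724800) {
    findings.push("Strict-Transport-Security missing or max-age below six months (ASVS 14.4.5)");
  }
  if (!h["referrer-policy"]) findings.push("missing Referrer-Policy (ASVS 14.4.6)");
  if (!h["x-frame-options"] && !/frame-ancestors/i.test(csp)) {
    findings.push("no X-Frame-Options or CSP frame-ancestors directive (ASVS 14.4.7)");
  }
  return findings;
}

// A response as a test would capture it: a header map plus raw Set-Cookie values.
function validateResponse(response) {
  const cookieFindings = (response.setCookie || []).flatMap(checkSessionCookie);
  return [...checkSecurityHeaders(response.headers || {}), ...cookieFindings];
}

// Constructed sample responses (not captured from any real system).
const weakResponse = {
  headers: { "Content-Type": "text/html" },
  setCookie: ["JSESSIONID=abc123; Path=/"],
};
const hardenedResponse = {
  headers: {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
  },
  setCookie: ["__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
};

// In a CI step the wrapper would fail the job when any response yields findings.
for (const [label, response] of Object.entries({ weakResponse, hardenedResponse })) {
  const findings = validateResponse(response);
  console.log(`${label}: ${findings.length === 0 ? "PASS" : "FAIL"}`);
  findings.forEach((f) => console.log(`  - ${f}`));
}
```

Run with `node` to see the weak response produce one finding per unmet requirement and the hardened response pass. Keeping each requirement as a small named check is what makes the output usable as developer feedback: a failed pipeline points at the ASVS item to fix rather than at a generic scanner alert.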

Conditions

Integration into Inova-Ria's GENIUS Research Programme.
Promoting entity: Inova-Ria
Host entity: Altice Labs
Possibility of a research grant (GENIUS Programme) during the dissertation project, with integration into an R&D team at Altice Labs.
Grant amount according to the FCT tables (see the PDF at www.Inova-Ria.pt).
Duration in accordance with the University's framework.
• Schedule: in accordance with the University's framework
• Format: to be agreed at the interview
• Resources: a laptop and access to the Altice Labs internal network
• Welcome kit
• Onboarding into the Altice Labs teams, with a full-time tutor assigned
• Possibility of taking part in all knowledge-sharing or social initiatives run by Altice Labs
• Possibility of joining the company's staff

Interested students should send the following to genius@inova-ria.pt, with Dr. Regina Maia Sacchetti (963618710) in cc:
• Curriculum Vitae;
• Courses completed to date with grades; a simple electronic document, which can be obtained from the academic portal.

Selection process: Inova-Ria interview (GENIUS PROGRAMME), in which the project supervisor takes part in order to clarify the topic involved.

Remarks

Innovative Aspects
Security validation automation based on recognized standards (e.g., OWASP ASVS).
Integration of security validation into automated testing pipelines (unit, integration, and end-to-end tests).
Security policy enforcement via automated compliance checks.

Tools to be used
Security test automation frameworks (e.g., Cucumber, Playwright, apickli, OWASP ZAP)
GitHub Actions

Bibliographic References
https://owasp.org/www-project-application-security-verification-standard/
https://csrc.nist.gov/publications/detail/sp/800-218/final
https://cheatsheetseries.owasp.org/
https://cheatsheetseries.owasp.org/IndexASVS.html
https://www.iso.org/standard/27001
https://www.youtube.com/watch?v=EZs5W8-mt_I

Supervisor

Mafalda Guimarães Nunes
mafalda-g-nunes@alticelabs.com