Internship Title
Software Composition Analysis (SCA) as a Measure to Reduce Cyber Supply Chain Risk
Areas of Specialization
Software Engineering
Information Systems
Internship Location
Coimbra
Background
Modern software is assembled using third-party and open-source components, glued together in complex and unique ways, and integrated with original code to provide the desired functionality. Third-party (including commercially licensed, proprietary, and “source available” software) along with open-source components provide the necessary building blocks that allow organizations to deliver value, improve quality, reduce risk and time-to-market. The benefits of open source are many. However, by using open-source components, organizations ultimately take responsibility for code they did not write.
Software Composition Analysis (SCA) is the process of identifying potential areas of cyber security risk arising from the use of third-party and open-source software and hardware components. Using SCA, development teams can quickly track and analyze any open-source component brought into a project. SCA tools can discover all related components, their supporting libraries, and their direct and indirect dependencies. SCA tools can also detect software licenses and deprecated dependencies, as well as vulnerabilities and potential exploits. The scanning process generates a bill of materials (BOM), providing a complete inventory of a project’s software assets. SCA’s value is the security, speed, and reliability it offers. Manual tracking of open-source code is no longer sufficient; it simply cannot keep up with the sheer volume of open source. The increasing prevalence of cloud-native and more complex applications makes robust and dependable SCA tools a necessity.
In this internship proposal, the goal is to help Critical Software implement and consistently use SCA tools, integrated with the DevSecOps process and tools.
Main Keywords: Cyber Security, Supply Chain Risk, Open Source Risk, Vulnerability Management, Software Composition Analysis, SCA
Main Technologies: Maven (Java), NPM (JavaScript), NuGet (.NET), PyPI (Python), Jenkins
Objective
The main goal of this internship is to implement a Software Composition Analysis solution and integrate it into the current Continuous Delivery (CD) process, allowing the identification and reduction of risk in the software supply chain.
The solution shall track the usage of libraries and frameworks, applications, containers, operating systems, firmware, hardware, and services across all projects. It shall bring vulnerable components to light, with support for multiple sources of vulnerability intelligence including the National Vulnerability Database (NVD), Sonatype OSS Index, NPM Advisories, and VulnDB from Risk Based Security.
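The inventory-then-match flow described above (discover direct and transitive components, record their licenses, produce a BOM, and check each component against a vulnerability feed) is shown below as an added Python example. It is not part of this proposal or of any Critical Software tooling: the manifest, the resolved dependency graph, the license table and the advisory feed are all constructed inside the script, and the advisory identifiers are placeholders rather than real CVE or GHSA numbers. A real SCA tool would read the graph from a lockfile or resolver and pull advisories from sources such as the NVD or OSS Index.

```python
"""Toy SCA pass: build a bill of materials from a pinned manifest plus resolved
transitive dependencies, then match every component against an advisory feed.
Added example: all package data, versions and advisory IDs are constructed."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Constructed manifest in pip requirements.txt style (pinned direct dependencies).
MANIFEST = """\
# constructed example manifest
requests==2.25.1
flask==2.0.3
pyyaml==5.3.1
"""
# Constructed resolver output: direct package -> its resolved dependencies.
# A real tool reads this from a lockfile or resolves the full graph recursively.
TRANSITIVE: Dict[str, List[Tuple[str, str]]] = {
    "requests": [("urllib3", "1.26.4"), ("certifi", "2021.5.30")],
    "flask": [("jinja2", "3.0.3"), ("werkzeug", "2.0.3")],
    "pyyaml": [],
}
# Constructed license metadata (SPDX identifiers, as an SCA tool would record them).
LICENSES: Dict[str, str] = {
    "requests": "Apache-2.0", "flask": "BSD-3-Clause", "pyyaml": "MIT",
    "urllib3": "MIT", "certifi": "MPL-2.0", "jinja2": "BSD-3-Clause",
    "werkzeug": "BSD-3-Clause",
}
# Constructed advisory feed. IDs are placeholders, not real CVE/GHSA identifiers.
# Entry: (advisory id, first fixed version); every version below it is affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "urllib3": [("EXAMPLE-ADV-0001", "1.26.5")],
    "pyyaml": [("EXAMPLE-ADV-0002", "5.4")],
    "jinja2": [("EXAMPLE-ADV-0003", "2.11.3")],  # fixed before 3.0.3: must not fire
}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    direct: bool          # declared in the manifest vs pulled in transitively
    via: Optional[str]    # direct dependency that introduced a transitive one

@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    fixed_in: str

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version key; enough for pinned releases like 1.26.4 or 5.4."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Read 'name==version' lines, ignoring comments and blank lines."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        pins.append((name.lower(), version))
    return pins

def build_bom(direct, graph) -> List[Component]:
    """Inventory every component, recording whether it is direct or transitive."""
    bom = []
    for name, version in direct:
        bom.append(Component(name, version, LICENSES.get(name, "UNKNOWN"), True, None))
        for dep_name, dep_version in graph.get(name, []):
            bom.append(Component(dep_name, dep_version,
                                 LICENSES.get(dep_name, "UNKNOWN"), False, name))
    return bom

def match_advisories(bom, feed) -> List[Finding]:
    """Flag components whose pinned version is below the first fixed version."""
    findings = []
    for comp in bom:
        for advisory_id, fixed_in in feed.get(comp.name, []):
            if parse_version(comp.version) < parse_version(fixed_in):
                findings.append(Finding(comp, advisory_id, fixed_in))
    return findings

def scan(manifest_text: str = MANIFEST):
    """Full pass: manifest -> BOM -> findings."""
    bom = build_bom(parse_manifest(manifest_text), TRANSITIVE)
    return bom, match_advisories(bom, ADVISORIES)

def bom_as_json(bom) -> str:
    """Simplified inventory document (a stand-in, not the CycloneDX/SPDX schema)."""
    return json.dumps({"components": [asdict(c) for c in bom]}, indent=2)

if __name__ == "__main__":
    bom, findings = scan()
    print(bom_as_json(bom))
    for f in findings:
        origin = "direct" if f.component.direct else f"transitive via {f.component.via}"
        print(f"{f.advisory_id}: {f.component.name} {f.component.version} "
              f"({origin}); upgrade to >= {f.fixed_in}")
```

Running the script lists seven components and two findings: `pyyaml` is a direct dependency the team pinned itself, while `urllib3` is only present because `requests` pulled it in, which is exactly the transitive exposure that manual tracking tends to miss. The `jinja2` advisory does not fire because the pinned version is already past the fix, which is the version-range check an SCA matcher has to get right to avoid noise in the CD pipeline.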
Work Plan - Semester 1
The first semester comprises the following stages:
- Reading and Writing the State of the Art about SCA [result: state of the art, months 1-4]
- Identifying and studying existing SCA solutions [result: SCA solutions list, months 1-2]
- Studying an SCA platform selected by Critical Software [result: platform characteristics, months 1-2]
- Defining the implementation plan [result: architecture and implementation plan, months 3-6]
- Writing the internship proposal [result: internship proposal, months 2-6]
Work Plan - Semester 2
The second semester comprises the following stages:
- Setting up the Development/Test environment [result: Development Environment, month 7]
- Implementing the SCA Solution and Integration with CD tools [result: SCA platform deployed, months 7-9]
- Testing the SCA solution [result: test results, months 10-11]
- Writing the internship report [result: internship report, months 11-12]
Conditions
Monthly Remuneration
Critical Software will pay a net monthly remuneration of 450 euros considering a full-time internship (40h/week) or the proportional value for part time internships.
Remarks
Confidentiality
The project information shared by Critical Software in the scope of the internship, including technical or management documents, diagrams, code or any other information, must be treated with the maximum confidentiality. The intern will sign a Non-Disclosure Agreement.
Supervisor
José Filipe Abranches Lages Lopes da Costa
jose.f.costa@criticalsoftware.com