Titulo Estágio
Fuzzing for Security
Local do Estágio
Coimbra
Enquadramento
When thinking about security in the context of software development, so many ideas may arise about the different kinds of security activities that should be performed to develop software in a secure way (e.g., security requirements specification, threat modelling, secure coding, security testing). All those activities should not be seen as something isolated but as part of software development processes. Security is inherently one of the most important aspects in the software development processes, therefore it should be considered since the beginning until the end of the development cycle. Usage secure development processes is key to develop secure and high-quality software.
At Critical Software, we are permanently working on improving the protection our own infrastructure and developing software which follows the best security practices and standards. One of the most important security activities is related with security testing, where different types of testing may be adopted, such as Static Application Security Testing (SAST), Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), and Penetration Testing. The goal of this internship is to explore DAST practices, more specifically Fuzz Testing and its usage for software security testing.
Objetivo
The internship is composed by three different stages. The goal of the first stage is to analyse what Fuzz testing is, how is it relevant for the security of the systems being developed and survey the state-of-the-art tools and practices. As a result of this stage, it is expected a complete understanding of what fuzz testing is it application in a security context, as well as a list of the relevant tools and practices being used in the industry. The main purpose of this first stage is to build a strong base of knowledge in the topic.
The goal of the second stage is to analyse the different tools and practices identified, listing the pros and cons of each one, and comparing them through different criteria. The expected output of this stage is a complete matrix with this evaluation.
Finally, the goal of the third stage is to validate the evaluation made in the previous stage, selecting the best tools and practices and implementing and testing them in real projects.
Plano de Trabalhos - Semestre 1
- Studying, reading, and writing the state of the art about Fuzzing and it security applications [result: state of the art, months 1-4]
- Identifying and studying existing fuzz testing tools and practices [result: evaluation matrix with different fuzz testing tools and practices, months 2-6]
- Identifying the best tools and practices to be implemented [results: list of tools and practices, months 5-6]
- Defining the implementation plan [result: implementation plan, months 5-6]
- Writing the internship proposal [result: internship proposal, months 2-6]
Plano de Trabalhos - Semestre 2
- Setting up the development environment [result: development environment, month 7]
- Implementing the selected fuzz testing tools and practices [result: fuzz testing tools deployed, months 7-9]
- Testing the different solutions [result: test results, months 7-10]
- Writing the internship report [result: internship report, months 10-12]
Condições
Monthly Remuneration
Critical Software will pay a net monthly remuneration of 450 euros considering a full-time internship (40h/week) or the proportional value for part time internships.
Observações
Confidentiality
The project information shared by Critical Software in the scope of the internship, including technical or management documents, diagrams, code or any other information must be treated with te maximum confidentiality. The intern will sign a Non-Disclosure Agreement.
Orientador
José Filipe Abranches Lages Lopes da Costa
jose.f.costa@criticalsoftware.com 📩