INTERNSHIP - Continuous Security by introducing automated security tests

Domain: Engineer – Software
Market: Rail
Location: Izegem, Belgium

Televic Rail

With over 30 years of experience in designing, manufacturing and maintaining on-board communication and control systems, Televic Rail is a leading, trusted partner for railway operators and train builders worldwide.

Our Passenger Information Systems and Control Systems are high-quality, tailor-made solutions that offer the flexibility, user-friendliness and stability our clients ask for. Our various on-board control systems, such as our bogie monitoring systems, are innovative yet reliable products designed specifically for the railway business.

Trains and trams all around the world are equipped with Televic Rail solutions, from New Zealand to Canada, from China to the United States, from India to Belgium, England and France.

Topic

Televic GSP wants to improve the security of embedded systems in railway environments by introducing (automated) security tests.

Some security tests can be executed on the source code alone, e.g.

* Static Application Security Testing (SAST) tools

* Software Composition Analysis (SCA) tools

Other security tests can only be executed against a fully configured, running system, e.g.

* Dynamic Application Security Testing (DAST) tools

Currently, Televic GSP has only a limited number of tools for security testing: SonarQube (SAST), Mend/WhiteSource (SCA), Nessus (DAST) and nmap (DAST). Some of these tools only produce good results for specific technologies / programming languages (e.g. Linux distributions for the OS, C, C++, Java, Python, containers, scripts, APIs ...).

Televic GSP has greatly improved the automation of its software build process using technology-specific CI/CD (continuous integration/continuous delivery) pipelines, but wants to extend this with automated security tests (comparable to an automated hacker). Alongside this fully automated pipeline, some manual system tests are still executed, and these can be extended with security tests as well.

Examples of tools to be added: fuzz testing tools, web application testing tools, container testing tools, (REST-)API testing tools, password crackers, and other security testing / penetration testing tools commonly used by attackers ...

Potential master thesis

The goal of this master thesis is to

* extend the portfolio of security testing tools with new security tools (mainly FOSS tools and optionally commercial tools)

* verify on what technologies / programming languages the tools are useful (low false positive rate)

* verify how the tools can be automated and integrated (optionally in the CI/CD pipeline or optionally integrated during manual system tests)

* verify whether the test results can be integrated into a central database for managing all vulnerabilities (DefectDojo software)

Research part of the master thesis: build a tool portfolio based on hacking and penetration testing tools, and evaluate the quality of the tools by comparing them.

Implementation part of the master thesis: evaluate the tools on different code bases (with different technologies), automate the use of the tools (CI/CD pipeline, system testing), and integrate the results into the central vulnerability management system.

Potential internship

The goal of this internship is to find tools that can be executed on the source code of one specific technology, in order to

* extend the portfolio of security testing tools with new security tools for that one technology (mainly FOSS tools and optionally commercial tools)

* verify how the tools can be automated and integrated (optionally in the CI/CD pipeline or optionally integrated during manual system tests)

If you are interested in this topic, please also register this on the Televic website at: https://www.televic.com/en/careers/internships-and-students so we can confirm the topic is still available.

Specifics

  • Level: Academic Master/Master
  • Specialty: Software
  • Type of work: Research 30%, Implem. 40%, Experim. 30%
  • Location: Televic/In the field
  • Type of activities: Experimenting, Implementation, Literature study, Programming
  • Number of students: 1 or 2
