Izegem, Belgium
With over 30 years of experience in designing, manufacturing and maintaining on-board communication and control systems, Televic Rail is a leading, trusted partner for railway operators and train builders worldwide.
Its Passenger Information Systems and Control Systems are high-quality, tailor-made solutions that offer the flexibility, user-friendliness and stability its clients ask for. Its various types of on-board control systems, such as its bogie monitoring systems, are innovative yet reliable products designed specifically for the railway business.
Trains and trams all around the world are equipped with Televic Rail solutions, from New Zealand to Canada, from China to the United States, from India to Belgium, England and France.
Televic GSP is looking for a new CI/CD (continuous integration/continuous delivery) pipeline to replace the current technology (Jenkins). One of the criteria is to make it possible for developers to create more secure software and to use the CI/CD pipeline as a tool to implement Continuous Security.
The goals of this thesis are to
1. Study and evaluate existing technologies for CI/CD pipelines that would allow security to be improved (literature study)
2. Research, integrate and/or implement security tools in the pipeline as security stages (proof of concept)
3. Enable central management of security vulnerabilities
For the study and evaluation of existing technologies, both commercial (e.g. GitLab, GitHub, CloudBees CI, CircleCI, Azure DevOps…) and FOSS (free and open-source software, e.g. Jenkins) pipelines can be taken into account. Some commercial pipelines already provide good capabilities for adding security stages through integration of external security tools (e.g. https://github.com/marketplace?category=security&type=actions). The goal is to evaluate the advantages and limitations of the different options (e.g. commercial tools: what is available with limited effort, vs. FOSS: how much customization/maintenance is needed to integrate everything).
The security tools (commercial and FOSS) that need to be added to the pipeline as separate security stages should act as quality gates for the security of the software. Depending on the technologies (web applications, APIs, C/C++, Java applications, Docker containers, Linux Debian OS, Linux Yocto OS…), different tools will be needed. Types of tools that could be integrated in the pipeline: Static Application Security Testing (SAST) tools (e.g. SonarQube…), Software Composition Analysis (SCA) tools (e.g. WhiteSource…) and possibly Dynamic Application Security Testing (DAST) tools (e.g. Nessus, OpenVAS, nmap…), depending on the technology and what is possible in the pipelines. Based on the technologies used at Televic GSP, tools need to be selected and integrated in the pipelines by implementing security stages. Televic GSP has licenses for the commercial tools SonarQube, WhiteSource and Nessus.
For the management of all the vulnerabilities, the reports of multiple tools need to be combined to create security reports/dashboards of systems, applications, operating systems, products, projects… This will help in active monitoring of vulnerabilities. For this, Televic GSP has deployed an open-source vulnerability management tool (OWASP DefectDojo) that collects all the reports of the security tools in the security stages of the pipeline. Integration of the security tools with the DefectDojo API (and potential extensions) has to be implemented and evaluated.
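As an added illustration of such a security stage (example code written for this page, not Televic's or DefectDojo's own), the script below applies a severity-based quality gate to a scanner's findings and hands the raw report to DefectDojo's import-scan endpoint. The findings list is constructed, and the environment variable names, engagement id and the normalisation of tool output to one severity scale are assumptions.

```python
"""Pipeline security stage: severity quality gate plus DefectDojo upload.
Assumptions: a prior step wrote the scanner report to a file and normalised
its findings; DEFECTDOJO_URL / DEFECTDOJO_TOKEN are set in the CI job."""
import os
import sys

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample findings on one severity scale (a real stage would parse
# the SonarQube / WhiteSource / Nessus output to produce this list).
SAMPLE_FINDINGS = [
    {"tool": "SAST", "title": "Hard-coded credential", "severity": "High"},
    {"tool": "SCA", "title": "Outdated zlib component", "severity": "Medium"},
    {"tool": "DAST", "title": "Missing HSTS header", "severity": "Low"},
]


def gate(findings, fail_on="High"):
    """Quality gate: return findings at or above `fail_on`; empty = pass."""
    limit = SEVERITY_RANK[fail_on]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= limit]


def import_scan_fields(scan_type, engagement_id, minimum_severity="Low"):
    """Form fields for DefectDojo's POST /api/v2/import-scan/; the report is
    sent alongside as the multipart `file` part."""
    return {
        "scan_type": scan_type,            # DefectDojo parser name
        "engagement": str(engagement_id),  # assumed engagement id in DefectDojo
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",
    }


def upload_report(report_path, scan_type, engagement_id):
    """POST the report to DefectDojo using the token from the job environment."""
    import requests  # lazy import: the gate itself needs no network library
    url = os.environ["DEFECTDOJO_URL"].rstrip("/") + "/api/v2/import-scan/"
    headers = {"Authorization": "Token " + os.environ["DEFECTDOJO_TOKEN"]}
    with open(report_path, "rb") as fh:
        resp = requests.post(url, headers=headers, timeout=60,
                             data=import_scan_fields(scan_type, engagement_id),
                             files={"file": fh})
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Upload first so DefectDojo records the findings even when the gate fails.
    if "DEFECTDOJO_URL" in os.environ and len(sys.argv) == 4:
        upload_report(sys.argv[1], sys.argv[2], sys.argv[3])
    blocking = gate(SAMPLE_FINDINGS, fail_on="High")
    for f in blocking:
        print(f"BLOCKING [{f['severity']}] {f['tool']}: {f['title']}")
    sys.exit(1 if blocking else 0)
```

Invoke it as `python stage.py <report> "<scan type>" <engagement id>`; a non-zero exit marks the pipeline stage as failed.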
- Level: Academic Master/Master
- Specialty: Software
- Type of work: Research 50%, Implementation 40%, Experimentation 10%
- Location: Televic/University
- Type of activities: Implementation, Literature study, Programming
- Number of students: 1 or 2