This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK).
Procedure
- Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
- Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently of the others.
- Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.
For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.
Please note that applications sent via email will not be considered.
Projects are listed starting with those that have the earliest submission deadlines.
Automatic Security Testing Tool for Identity Management Protocols (CLEANSE, ST)
ID: p-2024-st-8
Published on: Friday, 18 October 2024
Deadline for Applications: Monday, 18 November 2024 at 23:59
Description:
Identity Management (IdM) protocols are the protocols that support Single Sign-On (SSO), an authentication scheme that allows a user to access different services with the same set of credentials. Two of the best-known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations such as Google and Meta (Facebook), and for public administration such as eIDAS and SPID, are based on IdM protocols. We propose improving the existing automatic security testing tool for these protocols, extending its capabilities by designing and implementing new features.
Levels: BSc, MSc
Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Roberto Carbone (carbone@fbk.eu)
Prerequisites: Preferably basic knowledge of Java.
Objectives:
- Literature Review (guidelines and best practices)
- Ethical analysis
- Risk Assessment
Topics: Identity Management protocols, Attack patterns, Penetration testing
Notes: Multiple positions available.
Digital Identity Wallet Solution Threat Analysis and Compliance Review (ST)
ID: p-2024-st-7
Published on: Friday, 11 October 2024
Deadline for Applications: Monday, 25 November 2024 at 23:59 (extended from Monday, 11 November 2024 at 23:59)
Description:
In an increasingly digital world, the security of personal and sensitive information is paramount. Digital identity wallets have emerged as a convenient and secure way for individuals to manage and control their personal identity data, enabling seamless interactions across online services. However, ensuring the robust security of these wallets is essential to prevent breaches and unauthorized access. This internship project focuses on:
- Extending a set of already identified threats using well-known threat modeling frameworks (e.g., OWASP and STRIDE).
- Performing a security analysis of the open-source wallet solutions available in the wild, checking their implementations against the set of identified threats using both manual (static source code analysis) and automated tools.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Amir Sharif (asharif@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)
Time frame: We would like the applicant to start the internship as soon as possible; the period for the thesis is then negotiable.
Prerequisites:
- Basic understanding of cybersecurity principles.
- Pre-knowledge of the OpenID Connect protocol is a plus.
- Strong analytical and problem-solving skills.
- Knowledge of the STRIDE framework and OWASP threat modeling procedures (prior experience is a plus).
- Pre-knowledge of Android OS and Android application development is a plus.
- Ability to review code for security vulnerabilities, understanding how certain coding practices might introduce security risks.
Objectives:
- To extend the current threat analysis for a digital identity wallet system, taking into account the sources newly introduced by the European Commission and/or the state of the art, by applying the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) framework and the OWASP (Open Web Application Security Project) threat modeling procedures. At the end of this phase, you will deliver a more complete list of threats, updated with the latest literature.
- To perform a security analysis of the open-source wallet solutions available in the wild, checking their implementations against the set of identified threats. This provides a general overview of the mitigations adopted, identifies the missing ones, and additionally gives an overview of each solution's compliance with the eIDAS 2.0 regulations.
Topics: Digital Identity Wallet, Threat Modeling, Security Analysis, Static code analysis, Dynamic code analysis, Compliance
DevSecOps for Cloud Native Applications (CLEANSE)
ID: p-2024-cleanse-3
Published on: Saturday, 12 October 2024
Deadline for Applications: Thursday, 12 December 2024 at 23:59 (extended from Tuesday, 12 November 2024 at 23:59)
Description:
"The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required," describes Shannon Lietz, co-author of the "DevSecOps Manifesto."
DevSecOps (development, security, and operations) is an approach to automate the integration of cybersecurity processes at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. It represents a natural and necessary evolution in the way development organizations approach security.
For Cloud Native Applications, security concerns multiple levels (code, container, deployment, orchestrator, etc.), and the approach to introducing security should consider all of them.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisor: Pietro De Matteis (pdematteis@fbk.eu)
Objectives: In this context, multiple topics are available to explore:
- Software Supply Chain
- Threat Modeling
- AI applied to DevSecOps (as a tool, as support for configuration, or for diagnosing and resolving problems)
Topics: Cloud Native Applications, DevSecOps, Software Supply Chain, Threat Modeling, AI
Notes: Multiple positions available. Doing both the internship and the thesis is recommended but not required (i.e., an internship alone may be acceptable).