Internships

Open Calls

This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK).

Procedure

  1. Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
  2. Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
  3. Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.

For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.

Please note that applications sent via email will not be considered.

Projects are listed starting with those that have the earliest submission deadlines.

xBOM based approach for Software Supply Chain Security in SDLC CLEANSE SaFEWaRe

ID: p-2025-cleanse-1

Published on: Friday, 8 August 2025

Deadline for Applications: Wednesday, 29 October 2025 at 23:59 (extended; previously Monday, 8 September 2025 at 23:59)

Description:

According to Gartner research [1], Software Supply Chain attacks present serious security, compliance, and operational challenges for organizations, with estimated costs expected to rise from $46 billion in 2023 to $138 billion by 2031.
A Software Bill of Materials (SBOM) is a critical component in modern software supply chain security. It provides a detailed inventory of all software components, libraries, and dependencies used in an application. By integrating SBOMs throughout the Software Development Life Cycle (SDLC), organizations can proactively identify vulnerabilities, ensure compliance, and enhance transparency [2].
One of the standards for describing a bill of materials in a machine-readable format is CycloneDX (CDX) [3], developed by the Open Worldwide Application Security Project (OWASP) [4] community. CycloneDX also extends the Bill of Materials concept to other kinds of components (xBOM) [5]: Cryptography, Configuration and Deployment, AI/Machine Learning, and so on.
The focus of the Internship (and Thesis) is to explore the xBOM approach in SDLC phases to improve Security linked to the Software Supply Chain.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites:

  • Knowledge of programming languages (i.e., Python, TypeScript, Java) would be highly advantageous.
  • Basic knowledge of LLMs, Generative AI, AI Agents, Agentic AI would be a plus.

Objectives: Multiple topics, for multiple positions, are available to explore the xBOM approach for Security:

  • Software Bill of Materials (SBOM)
  • Software as a Service Bill of Materials (SaaSBOM)
  • Cryptography Bill of Materials (CBOM)
  • Vulnerability Exploitability Exchange (VEX)
  • AI/Machine Learning Bill of Materials (AI/ML-BOM)

The objectives will be tailored and detailed according to the specific topic.

Topics: Bill Of Material, SBOM, SaaSBOM, CBOM, VEX, AI/ML-BOM, Software Supply Chain Security, SDLC, CI/CD

Notes: Multiple positions available.

References:

  • [1] Leader's Guide to Software Supply Chain Security
  • [2] A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools
  • [3] CycloneDX: The International Standard for Bill of Materials (ECMA-424)
  • [4] OWASP
  • [5] CycloneDX v1.6: Now an Ecma International Standard

Evaluating and Enhancing Data Anonymization Techniques for Sensitive Data SaFEWaRe ST

ID: p-2025-st-7

Published on: Wednesday, 10 September 2025

Deadline for Applications: Friday, 10 October 2025 at 23:59

Description:

This internship and thesis project focuses on the study, development, and evaluation of data anonymization techniques applied to sensitive datasets intended for artificial intelligence (AI) applications. The work will address the dual challenge of preserving privacy while ensuring data remains sufficiently rich for AI model training [1, 2], in strict compliance with European regulations such as the GDPR [3]. The activity will involve surveying and classifying existing anonymization libraries and tools, such as [4, 5], both open-source and proprietary, based on their privacy models, technical features, and suitability for AI pipelines. Depending on the student’s interests, the project can be customized to emphasize:

  • Research: investigating novel privacy-preserving methods or metrics;
  • Development: integrating anonymization workflows into AI data preparation pipelines;
  • Evaluation: designing and executing rigorous test scenarios to measure anonymity and data utility in AI contexts.

This project provides the opportunity to acquire hands-on experience in privacy technologies, AI data engineering, and regulatory compliance.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Roberto Carbone (carbone@fbk.eu), Eleonora Marchesini (emarchesini@fbk.eu), Luca Piras (l.piras@fbk.eu)

Prerequisites:

  • Knowledge of programming languages (i.e., Python, TypeScript, Java) would be highly advantageous.
  • Basic knowledge of AI, Large Language Models (LLMs), and Machine Learning (ML).

Objectives:

  • Survey and classify anonymization libraries suitable for data used in AI, distinguishing open-source and proprietary solutions.
  • Analyze GDPR requirements and other applicable privacy regulations for compliance in AI data processing.
  • Implement anonymization workflows tailored to the needs of AI training datasets.
  • Develop test protocols to evaluate re-identification risk, privacy metrics, and data utility for AI performance.
  • Run experiments on synthetic or de-identified datasets to compare methods.
  • Produce recommendations for best practices, tool selection, and workflow integration.

Topics: Data Anonymization, AI Data Preparation, GDPR Compliance

References:

  • [1] Senanayake, J., Kalutarage, H., Petrovski, A., Piras, L. and Al-Kadri, M.O., 2024. Defendroid: Real-time Android code vulnerability detection via blockchain federated neural network with XAI. Journal of Information Security and Applications, 82, p.103741.
  • [2] Im, E., Kim, H., Lee, H., Jiang, X., & Kim, J. H. (2024). Exploring the tradeoff between data privacy and utility with a clinical data analysis use case. BMC medical informatics and decision making, 24(1), 147.
  • [3] Piras, L. et al. DEFeND DSM: A Data Scope Management Service for Model-Based Privacy by Design GDPR Compliance. In Int. Conf. on Trust, Privacy and Security in Digital Business (TrustBus). Springer, 2020.
  • [4] Satori
  • [5] SecuPi

Validating TLS Implementations via Bytestream Parsing ST

ID: p-2025-st-8

Published on: Thursday, 2 October 2025

Deadline for Applications: Wednesday, 15 October 2025 at 23:59

Description:

Since its first version was published as an RFC in 1999, Transport Layer Security (TLS) has rapidly become the de facto standard for providing confidentiality and integrity to communications exchanged in an unsecured environment. While multiple implementations exist (e.g., OpenSSL, GnuTLS, rustls) that allow system administrators to easily deploy a web server, there is no practical way to verify their conformance with the RFCs they are based on, nor to verify whether an actual stream of traffic is behaving anomalously.
The primary objective of this internship is to raise the TRL (Technology Readiness Level) of an internal, and still unpublished, open-source tool able to parse and validate TLS 1.3 bytestreams. The tool will serve as the baseline for future research, so its ongoing development and the required effort will be adjusted depending on the profile of the candidate (e.g., bachelor/master and inclination towards specific topics).
At the end of the internship (and thesis) period, the selected candidate will possess in-depth knowledge of bytestream analysis techniques, of a related network security protocol, and of applied research methodologies.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Riccardo Germenia (rgermenia@fbk.eu)

Prerequisites:

  • Knowledge of network protocols (e.g. Intro2CNS or Networking courses)
  • Experience with Python 3 development
  • Optional experience with traffic interception and analysis

Objectives:

  • Improvement of the current state of an unpublished research tool
  • Familiarization with, and study of, how network security protocols function and how they are structured
  • Use of the finalized tool to perform a conformance analysis against established libraries

Topics: Research tool, Bytestream analysis, Conformance tests, Network anomalies

Notes: The project's scope will be adjusted to accommodate the number of available credits, making it suitable for both bachelor and master students. However, due to the need for future-proof and reusable results, access to the thesis period is dependent on an assessment performed on (and during) the internship period.