AI, Secure Software Engineering and DevSecOps for Cloud Native Applications CLEANSE SaFEWaRe
ID: p-2025-safeware-1
Published on: Monday, 12 May 2025
Deadline for Applications: Thursday, 12 June 2025 at 23:59
Description:
Software systems are continuously and rapidly evolving, requiring engineers to address new and increasingly complex, multi-dimensional aspects. These include, for example, the integration of Artificial Intelligence (AI), compliance with new and evolving EU Regulations (e.g., EU AI Act, NIS2, GDPR, etc.), and ensuring that systems are secure, ethical and trustworthy.
To meet these demands, current practices in Secure Software Engineering and DevSecOps (Development, Security, and Operations) must be extended to address these new challenges, especially when considering DevSecOps for Cloud Native Applications, where the attack surface spans multiple layers (e.g., code, container, deployment, orchestrator, etc.). "The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required", describes Shannon Lietz, co-author of the "DevSecOps Manifesto".
DevSecOps is an approach to automate the integration of cybersecurity processes at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. It represents a natural and necessary evolution in the way development organizations approach security. For Cloud Native Applications, security concerns multiple levels (code, container, deployment, orchestrator, etc.), and the approach to introducing security should consider all of them.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luca Piras (l.piras@fbk.eu)
Prerequisites: At least two of the following:
- Programming Languages (e.g., Java, C++, Rust)
- Programming Frameworks (e.g., Spring, Ionic)
- Software security background
- Configuration and Administration of Systems
- Cloud-Native Applications
- Cloud Computing Services (e.g., AWS, Azure)
- Service Oriented Architectures
- Service Orchestration
- Docker and Kubernetes
Objectives: In this context, one or more of the following activities can be carried out:
- Securing and Monitoring Software Supply Chain in SDLC
- Development of novel techniques for Secure Software Engineering
- Application of AI to DevSecOps as a support for configuration, diagnosing, resolving problems or compliance with Regulations (EU AI Act, NIS2, GDPR, NIST, etc.)
- Development of Trustworthy and Transparent Software Systems
Topics: Cloud Native Applications, DevSecOps, Software Supply Chain, Threat Modeling, AI, Secure Software Engineering, Privacy, Security, Trust
Notes:
- We offer a curricular internship (no allowance).
- Multiple positions available. Doing both internship and thesis is recommended but not required (i.e., only internship may be acceptable).
- Exceptional work may lead to co-authored publications in International Conferences or Journals, with support and guidance from academic supervisors.
AI-Powered Threat Modeling ST
ID: p-2025-st-2
Published on: Wednesday, 22 January 2025
Deadline for Applications: Friday, 7 February 2025 at 23:59; extended to Friday, 14 March 2025 at 23:59
Description:
As modern systems become increasingly complex, ensuring their security, privacy and resilience requires more advanced approaches to threat modeling. Artificial Intelligence (AI) has emerged as a powerful enabler to automate, enhance, and refine manual security and privacy assessments. By leveraging AI-driven techniques, organizations can identify the threats, vulnerabilities, potential attack vectors and mitigations more efficiently and with higher accuracy. However, the trustworthiness of AI-based threat modeling solutions must also be ensured—both to validate their findings and to mitigate any risks introduced by the AI systems themselves. This internship focuses on developing and evaluating AI-powered methodologies for automated threat modeling in cutting-edge systems such as Digital Identity Wallet and e-voting.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Umberto Morelli (umorelli@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu), Amir Sharif (asharif@fbk.eu)
Prerequisites:
- Basic Cybersecurity Knowledge: A foundational understanding of security and privacy principles, threats, and common vulnerabilities.
- Familiarity with Threat Modeling: Prior knowledge of frameworks like STRIDE or LINDDUN is advantageous.
- Programming Skills: Comfort with Python programming language for AI model development or integration.
Objectives:
The main objectives of this internship project are as follows:
- Extend Traditional Threat Modeling
  - Investigate how AI can augment well-known frameworks (e.g., STRIDE, LINDDUN) by automatically discovering threats, analyzing complex data, and flagging potential vulnerabilities.
  - Investigate and propose mechanisms to mitigate potential biases or errors introduced by the AI in identifying threats.
- Implementation and Tooling
  - Investigate available AI-based security tools and evaluate their performance in realistic scenarios.
  - Integrate or prototype new AI modules, focusing on trustworthiness, accuracy, and usability in real-world environments.
Topics: Threat Modeling, LLMs, STRIDE, LINDDUN
Context-free grammar for TLS validation ST
ID: p-2025-st-4
Published on: Wednesday, 12 March 2025
Deadline for Applications: Wednesday, 26 March 2025 at 23:59
Description:
Since its first version was published as an RFC in 1999, Transport Layer Security (TLS) has rapidly become the de facto standard for providing confidentiality and integrity to communications exchanged in an unsecured environment. While there exist multiple implementations (e.g., OpenSSL, GnuTLS, rustls) that allow system administrators to easily deploy a webserver, there does not exist a practical way to verify their compliance with the RFCs they are based on. The primary objective of this internship is to write a context-free grammar able to parse TLS messages and check whether they comply with the expected structure.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Riccardo Germenia (rgermenia@fbk.eu)
Prerequisites:
- Experience with formal grammars (e.g. LFC course)
- Basic knowledge of the TLS protocol (e.g. Intro2CNS or Networking course)
Objectives: Creation of a CFG (context-free grammar) for TLS 1.3
Topics: Research tool, Context-free grammar, Packet analysis, TLS vulnerabilities
Notes: The project's scope will be adjusted to accommodate the number of available credits, making it suitable for both bachelor and master students. However, due to the need for future-proof and reusable results, access to the thesis period is dependent on an assessment performed on (and during) the internship period.
LLM-powered Privacy Threat Modeling ST
ID: p-2025-st-3
Published on: Thursday, 20 February 2025
Deadline for Applications: Thursday, 20 March 2025 at 23:59
Description:
The rapid evolution of Large Language Models (LLMs) has unlocked new possibilities for applying artificial intelligence across a wide range of fields, including privacy engineering. As modern applications increasingly handle sensitive user data, safeguarding privacy has become more critical than ever. To ensure robust data protection, potential threats must be identified and addressed early in the development process. Privacy threat modeling frameworks like LINDDUN offer structured approaches for uncovering these risks, yet they often require significant manual effort, expert knowledge, and detailed system information—making the process time-intensive and reliant on thorough analysis. To address these challenges, at the Security and Trust unit of the Center for Cybersecurity, we introduced and developed PILLAR (Privacy risk Identification with LINDDUN and LLM Analysis Report), a new tool that implements and automates the LINDDUN framework through LLM integration to streamline and enhance privacy threat modeling. PILLAR automates key parts of the LINDDUN process, such as generating DFDs from unstructured textual inputs (e.g. system descriptions), eliciting privacy threats, and risk-based threat prioritization.
The primary objective of this internship is to conduct state-of-the-art research on privacy threat modeling, in particular on LLM-based approaches, emphasizing how LLMs can be leveraged to automate and enhance these processes. The results will be employed to integrate AI agent concepts into PILLAR.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisor: Majid Mollaeefar (mmollaeefar@fbk.eu)
Time frame: Preferably from April
Prerequisites:
- Cybersecurity knowledge
- Basic knowledge of Large Language Models and Agentic AI
- Experience with Python
- English Language
Objectives:
- Extending PILLAR's capabilities
- Integrating AI Agent concept within the threat modeling process
- Add new features to PILLAR
Topics: Threat Modeling, Privacy Engineering, Large Language Models, AI Agents
Packet stream analysis for TLS compliance ST
ID: p-2025-st-1
Published on: Monday, 20 January 2025
Deadline for Applications: Thursday, 20 February 2025 at 23:59; extended to Friday, 28 February 2025 at 23:59
Description:
Since its first version was published as an RFC in 1999, Transport Layer Security (TLS) has rapidly become the de facto standard for providing confidentiality and integrity to communications exchanged in an unsecured environment. While there exist multiple implementations (e.g., OpenSSL, GnuTLS, rustls) that allow system administrators to easily deploy a webserver, there does not exist a practical way to verify their compliance with the RFCs they are based on.
To ensure that a TLS deployment is configured correctly, (inter)national cybersecurity agencies such as the US's NIST and Italy's AgID/ACN periodically issue technical guidelines that describe a set of requirements able to mitigate known vulnerabilities and ensure an adequate security level. These guidelines presume that security issues are only due to an incorrect configuration while, in reality, problems may also arise from incorrectly developed TLS libraries that generate messages which do not comply with the related RFCs.
The primary objective of this internship is to perform a technical review of the available software able to analyze raw network packets and validate their content and the structure used by the protocol. The results will be employed in a process that aims to develop a new tool that can verify, analyze, and execute TLS connections. This tool will be used to assess the compliance of TLS libraries and related deployments.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Riccardo Germenia (rgermenia@fbk.eu)
Prerequisites:
- Basic knowledge of the TLS protocol
- Basic knowledge of network analysis tools (e.g., Wireshark)
- Basic knowledge of design patterns and software engineering
- Basic experience with JavaScript
- Experience with Python 3 development
- Experience with formal grammars
Objectives:
- Study of the TLS protocol and its inner workings
- Perform a literature review on the state-of-the-art in terms of tools, listing their features, applicability and scope
- Creation of a CFG (context-free grammar) for TLS 1.3
Topics: Research tool, Compliance analysis, Packet analysis, TLS misconfiguration
Notes: The project's scope will be adjusted to accommodate the number of available credits, making it suitable for both bachelor and master students. However, due to the need for future-proof and reusable results, access to the thesis period is dependent on an assessment performed on (and during) the internship period.
Validation of post-quantum algorithms in OpenSSL ALEPH ST
ID: p-2025-st-5
Published on: Friday, 11 April 2025
Deadline for Applications: Friday, 9 May 2025 at 23:59; extended to Sunday, 15 June 2025 at 23:59
Description:
OpenSSL is a software library initially released in 1998 that implements the SSL and TLS protocols. It provides secure communications over networks, and it has steadily become the de facto standard for the integration of TLS in webservers. With its latest release (v3.5), OpenSSL has deployed three PQC algorithms: ML-KEM (FIPS 203) for key exchange, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) as signature methods.
The primary objective of this internship is to compare the algorithms' implementations and validate the choices made during the design phase, investigating common implementation flaws and possible side-channel attacks.
Type: Internship + Thesis
Level: MSc
Supervisors: Riccardo Longo (rlongo@fbk.eu), Salvatore Manfredi (smanfredi@fbk.eu)
Time frame: The internship period will begin in the middle of July, or later if preferred.
Prerequisites:
- Experience with C
- Basic knowledge of the TLS protocol (e.g. Intro2CNS or Networking course)
- Advanced Programming of Cryptographic Methods course (or equivalent)
Objectives: Use the NIST reference implementations to validate the PQC algorithms implemented in OpenSSL
Topics: Post-quantum cryptography, OpenSSL, TLS, Implementation validation