Published 29 May
Job description
Requisition ID: 233408
Work Area: Software-Research
Expected Travel: 0 - 10%
Career Status: Student
Employment Type: Limited Full Time
SAP started in 1972 as a team of five colleagues with a desire to do something new. Together, they changed enterprise software and reinvented how business was done. Today, as a market leader in enterprise application software, we remain true to our roots. That’s why we engineer solutions to fuel innovation, foster equality and spread opportunity for our employees and customers across borders and cultures.
SAP values the entrepreneurial spirit, fostering creativity and building lasting relationships with our employees. We know that a diverse and inclusive workforce keeps us competitive and provides opportunities for all. We believe that together we can transform industries, grow economics, lift up societies and sustain our environment. Because it’s the best-run businesses that make the world run better and improve people’s lives.
Maintaining security is a constantly shifting task, and we need to respond with continuous learning and research. The portfolio of SAP Security Research contains those topics that we believe are most important for SAP’s security future.
SAP’s vision to secure business is built on three ideals: Zero-Vulnerability, to harden the software by eliminating vulnerabilities; Defensible Application, to enable the software to identify and prevent attacks; and Zero-Knowledge, to make any theft of data useless through encryption.
Considering these aspects, SAP Security Research covers the following focal areas: Anonymization for Big Data, Secure Internet of Things, Software security analysis, Open-source analysis, Deceptive application, Applied cryptography, Quantum technology, and Machine Learning as enabler for the next generation of security.
Security Research proposes a 6-month internship in its Sophia-Antipolis offices (Mougins, France).
The increasingly large number of vulnerabilities that affect web-based applications has severe consequences. Attackers rely on these flaws to routinely compromise millions of web sites, steal personal and financial data, and penetrate private infrastructures.
To mitigate the Web’s security problems, many techniques and tools have been developed over the years. The two major approaches to identifying vulnerabilities are static and dynamic application security testing, in short SAST and DAST. SAST requires the source code of the application, while DAST requires the application to be up and running and ready for active testing. Both approaches have pros and cons. In general, SAST is subject to false positives (reporting attacks that are not real attacks) while DAST is subject to false negatives (missing real attacks). Two other approaches are starting to be adopted: interactive application security testing (IAST) and runtime application self-protection (RASP). IAST approaches have been proposed to apply SAST detection rules no longer to the entire code, but only to the code traces executed by a testbed of functional tests. A well-known technique used in this context is tainting: sources (e.g., untrusted inputs) are tainted and tracked while the code trace executes; if a tainted input reaches a sink (e.g., a critical instruction such as a database query) without any sanitization, an alert is reported. IAST requires complete ownership of the testing landscape, in which IAST agents must be deployed to monitor the execution of the application. RASP works very similarly to IAST, but rather than running at testing time, it runs at production runtime. A governance policy (block, notify an admin, etc.) needs to be in place to decide how to handle reported alerts. In general, IAST and RASP can also be subject to false positives and false negatives.
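To make the tainting idea concrete, here is a small dynamic taint tracker over a recorded execution trace. It is an added illustration, not SAP's or any IAST product's code: the trace format, the variable names and the list of known sanitizers are constructed for this example. Beyond the basic source-to-sink case it also shows the two failure modes the text mentions: a custom validator the tracker has no rule for produces a false positive, and a value copied through a branch (an implicit flow) produces a false negative.

```python
"""
Minimal dynamic taint tracker over a recorded execution trace.

Trace statements (a constructed format for this example, not any tool's):
  ("source", dest)            dest receives untrusted input (e.g. an HTTP parameter)
  ("const", dest, value)      dest receives a program constant
  ("concat", dest, a, b)      dest = a + b
  ("call", dest, fn, arg)     dest = fn(arg); fn may or may not be a known sanitizer
  ("sink", name, arg)         arg flows into a security-sensitive operation
"""

from dataclasses import dataclass, field

# Sanitizers the tracker knows about (an assumption of this example). Any other
# function is treated as taint-preserving, which is the conservative default.
KNOWN_SANITIZERS = {"escape_sql", "html_escape"}


@dataclass
class Alert:
    sink: str
    variable: str
    step: int


@dataclass
class TaintTracker:
    tainted: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def run(self, trace):
        for step, stmt in enumerate(trace):
            op = stmt[0]
            if op == "source":
                self.tainted.add(stmt[1])
            elif op == "const":
                self.tainted.discard(stmt[1])
            elif op == "concat":
                _, dest, a, b = stmt
                # Taint propagates through explicit data flow.
                if a in self.tainted or b in self.tainted:
                    self.tainted.add(dest)
                else:
                    self.tainted.discard(dest)
            elif op == "call":
                _, dest, fn, arg = stmt
                if fn in KNOWN_SANITIZERS or arg not in self.tainted:
                    self.tainted.discard(dest)
                else:
                    self.tainted.add(dest)
            elif op == "sink":
                _, name, arg = stmt
                if arg in self.tainted:
                    self.alerts.append(Alert(name, arg, step))
            else:
                raise ValueError(f"unknown op {op!r} at step {step}")
        return self.alerts


def analyse(trace):
    """Run a fresh tracker over one trace and return its alerts."""
    return TaintTracker().run(trace)


# Constructed traces for the situations discussed in the text.
# 1) Untrusted input reaches a database query unsanitized: a true positive.
VULNERABLE = [
    ("source", "user_id"),
    ("const", "prefix", "SELECT * FROM users WHERE id = "),
    ("concat", "query", "prefix", "user_id"),
    ("sink", "db.execute", "query"),
]

# 2) The same flow through a known sanitizer: no alert.
SANITIZED = [
    ("source", "user_id"),
    ("call", "safe_id", "escape_sql", "user_id"),
    ("const", "prefix", "SELECT * FROM users WHERE id = "),
    ("concat", "query", "prefix", "safe_id"),
    ("sink", "db.execute", "query"),
]

# 3) A project-specific validator the tracker has no rule for: taint is kept
#    and an alert is raised even if the validator is adequate (false positive).
UNKNOWN_SANITIZER = [
    ("source", "user_id"),
    ("call", "checked", "my_custom_validate", "user_id"),
    ("sink", "db.execute", "checked"),
]

# 4) The value was copied via a branch on the tainted input ("if user_id == 'a':
#    copy = 'a'"), which the trace records only as a constant: no alert, even
#    though the sink is attacker-influenced (false negative, implicit flow).
IMPLICIT_FLOW = [
    ("source", "user_id"),
    ("const", "copy", "a"),
    ("sink", "db.execute", "copy"),
]


if __name__ == "__main__":
    for name, trace in [("vulnerable", VULNERABLE), ("sanitized", SANITIZED),
                        ("unknown sanitizer", UNKNOWN_SANITIZER), ("implicit flow", IMPLICIT_FLOW)]:
        print(f"{name:>18}: {analyse(trace)}")
```

The false positive in trace 3 is exactly what the audit effort mentioned later in this posting goes into, and trace 4 is the kind of gap a benchmark of testability challenges is meant to expose per technique.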
All these limitations, which are well known in the scientific community, leave critical questions unanswered:
- How can we measure security testing tools?
- Which techniques should be used to best test the security of a specific web application?
- What did the technique really test?
- What could not be tested by this technique and why?
- Can the technique be improved (or can another technique be devised) to do better?
SAP already has in place a secure software development lifecycle that helps SAP developers build secure software at each step of the software development process, i.e., design, coding, deployment, and maintenance. SAST techniques are routinely used by development teams, and DAST techniques are also being experimented with. Development teams invest a lot of effort in auditing the results obtained with these techniques. Having more accurate techniques, as well as knowing better where to focus the remaining resources, is critical to providing highly secure applications to customers. For instance, knowing what the techniques used were not able to cover or test lets the development team manually test the fragment of the application that was not covered.
Measuring security testing tools for web applications (e.g., https://www.owasp.org/index.php/Benchmark) is thus a key contribution to addressing the above limitations and helps answer the aforementioned questions. In this specific internship we aim at enabling this measurement by creating dynamic benchmarks representative of specific testability challenges, so as to measure how a tool performs with respect to each one of these testability challenges.
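The following is an added example of what "measuring a tool per testability challenge" can look like in code; it is not SAP's or the OWASP Benchmark's scoring code. The benchmark cases, the challenge names and the tool's report are constructed for illustration. Each case is labelled with the challenge it exercises and with ground truth, and the tool is scored per challenge with true-positive rate, false-positive rate and a TPR-minus-FPR score of the kind the OWASP Benchmark reports, so that gaps show up as specific categories rather than as one overall number.

```python
"""
Scoring a security testing tool against a benchmark of testability challenges.
Cases, challenge names and the tool report are constructed for this example.
"""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    case_id: str
    challenge: str    # testability challenge this case exercises
    vulnerable: bool  # ground truth


@dataclass
class Score:
    tp: int = 0
    fp: int = 0
    fn: int = 0
    tn: int = 0

    @property
    def tpr(self):
        # Share of real flaws in this challenge that the tool found.
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def fpr(self):
        # Share of safe cases in this challenge that the tool wrongly flagged.
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0

    @property
    def benchmark_score(self):
        # TPR minus FPR: a tool that flags everything (or nothing) scores 0.
        return self.tpr - self.fpr


def score_tool(cases, reported):
    """reported: set of case_ids the tool flagged as vulnerable.
    Returns {challenge: Score} built from the tool's hits and misses."""
    per_challenge = defaultdict(Score)
    for case in cases:
        s = per_challenge[case.challenge]
        flagged = case.case_id in reported
        if case.vulnerable and flagged:
            s.tp += 1
        elif case.vulnerable and not flagged:
            s.fn += 1
        elif not case.vulnerable and flagged:
            s.fp += 1
        else:
            s.tn += 1
    return dict(per_challenge)


def coverage_gaps(scores, min_tpr=0.5):
    """Challenges where the tool misses at least half of the real flaws:
    candidates for manual testing or for devising another technique."""
    return sorted(c for c, s in scores.items() if s.tpr < min_tpr)


# Constructed benchmark: four challenges, a vulnerable and a safe variant each.
CASES = [
    Case("sqli-direct-1", "direct-dataflow", True),
    Case("sqli-direct-2", "direct-dataflow", False),
    Case("sqli-reflect-1", "reflection", True),
    Case("sqli-reflect-2", "reflection", False),
    Case("csrf-1", "csrf", True),
    Case("csrf-2", "csrf", False),
    Case("logic-1", "logic-flaw", True),
    Case("logic-2", "logic-flaw", False),
]

# Constructed tool output: good on direct data flow, blind to CSRF and logic
# flaws, and a false positive on the safe reflection case.
TOOL_REPORT = {"sqli-direct-1", "sqli-reflect-1", "sqli-reflect-2"}


if __name__ == "__main__":
    scores = score_tool(CASES, TOOL_REPORT)
    for challenge, s in sorted(scores.items()):
        print(f"{challenge:>16}: TPR={s.tpr:.2f} FPR={s.fpr:.2f} score={s.benchmark_score:+.2f}")
    print("gaps to test manually or with another technique:", coverage_gaps(scores))
```

The per-challenge breakdown is the point: the same tool scores 1.0 on direct data flow, 0.0 on reflection because its single hit is cancelled by a false positive, and 0.0 on CSRF and logic flaws because it finds nothing there, which is the information a development team needs to decide where to spend manual audit time.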
More specifically, the goals of the internship are as follows:
- Understanding the SAP development process
- Understanding SAST, DAST, IAST and RASP approaches, as well as gaining hands-on experience with concrete tools and techniques
- Studying challenging vulnerabilities (e.g., CSRF and logic flaws)
- Build a meaningful corpus of testability challenges
- Create dynamic benchmarks on top of those testability challenges
- Contribute to experimenting with testing tools on dynamic benchmarks so as to identify and understand gaps
- (Optional) Investigate, develop and assess solutions to cover some of these gaps
- Documenting the developed software and the overall activities
We expect that 30% of time will be dedicated to research activities, and 70% to development and experiments.
- University level: last year of MSc or beyond
- Good skills in modelling, analysis and programming (Python, Java)
- Good skills in web technologies (HTTP, HTTPS, server/client-side programming language)
- Security background
- Fluency in English (working language)
- Good oral and written communication skills
Founded in 1972, SAP has grown to become the world's leading provider of business software solutions. SAP is the market leader in enterprise application software. The company is also the fastest-growing major database company. Globally, more than 77% of all business transactions worldwide touch an SAP software system. With more than 347.000 customers in more than 180 countries, SAP has subsidiaries in all major countries. SAP is the world's largest inter-enterprise software company and the world's third-largest independent software supplier overall. SAP solutions help enterprises of all sizes around the world to improve customer relationships, enhance partner collaboration and create efficiencies across their supply chains and business operations. SAP employs more than 98.600 people.
Security Research at SAP Labs France, Sophia Antipolis
Based at SAP Labs France Mougins, Security Research Sophia-Antipolis addresses the upcoming security needs, focusing on increased automation of the security life cycle and on providing innovative solutions for the security challenges in networked businesses, including cloud, services and mobile.
WHAT YOU GET FROM US
Success is what you make it. At SAP, we help you make it your own. A career at SAP can open many doors for you. If you’re searching for a company that’s dedicated to your ideas and individual growth, recognizes you for your unique contributions, fills you with a strong sense of purpose, and provides a fun, flexible and inclusive work environment – apply now.
SAP'S DIVERSITY COMMITMENT
To harness the power of innovation, SAP invests in the development of its diverse employees. We aspire to leverage the qualities and appreciate the unique competencies that each person brings to the company.
SAP is committed to the principles of Equal Employment Opportunity and to providing reasonable accommodations to applicants with physical and/or mental disabilities. If you are in need of accommodation or special assistance to navigate our website or to complete your application, please send an e-mail with your request to Recruiting Operations Team (Americas: Careers.NorthAmerica@sap.com or Careers.LatinAmerica@sap.com, APJ: Careers.APJ@sap.com, EMEA: Careers@sap.com).
Successful candidates might be required to undergo a background verification with an external vendor.