Security control specification and formalization in an existing vulnerability management tool

Security Control Specification and Formalization in an existing Vulnerability Management Tool

Réf ABG-127502

Stage master 2 / Ingénieur

Durée: 5 mois

Salaire net mensuel: 554,40 €

Date: 10/12/2024

IRIT, Université de Toulouse

Lieu de travail: Toulouse, Occitanie, France


Champs scientifiques

* Informatique


Mots clés

cybersecurity, model-driven engineering, formal method


Établissement recruteur

The Institut de Recherche en Informatique de Toulouse (IRIT), established in 1990, is a Joint Research Unit (UMR 5505) of the Centre National de la Recherche Scientifique (CNRS), the Institut National Polytechnique de Toulouse (Toulouse INP), the Université Toulouse 3 Paul Sabatier (UT3), the Université Toulouse Capitole (UT Capitole), and the Université Toulouse Jean Jaurès (UT2J). IRIT is one of the largest UMR at the national level, is one of the pillars of research in Occitanie with its 600 members, permanent and non-permanent, and about 100 external collaborators.

Due to its multi-tutorial nature (CNRS, Toulouse Universities), its scientific impact, and its interactions with other fields, the laboratory constitutes one of the structuring forces of the IT landscape and its applications in the digital world, both at regional and national level.

Through its cutting-edge work and dynamics, our unit has been able to define its identity and acquire undeniable visibility, while positioning itself at the heart of changes in local structures: University of Toulouse, as well as the various mechanisms resulting from future investments (LabEx CIMI, IRT Saint-Exupéry, SAT TTT, 3IA ANITI).


Description

The goal of this internship is to explore and develop methodologies for specifying and formalizing security controls and include them into an already-existing vulnerability management tool. As cybersecurity threats become more sophisticated, ensuring that systems are protected requires not only identifying vulnerabilities but also defining and enforcing security controls that mitigate these risks.

The research focuses on integrating security controls into the tool during the architecture design, improving the ability of tools to automatically enforce security measures and ensuring that these controls are formalized to be consistent and measurable.

The challenge lies in defining security controls clearly, ensuring they are formalized in a way that makes them enforceable, and integrating them into the existing vulnerability management tool in a way that allows for automatic reasoning.


Internship Objectives:

1. Security Control Specification:
2. Investigate existing security frameworks (such as NIST SP 800-53, CISA Controls, ISO 27001) to define security control categories and create specifications.
3. Develop a set of security controls targeting common vulnerabilities (e.g., network vulnerabilities, misconfigurations, outdated software).
4. Ensure that the controls are clear, actionable, and measurable to support vulnerability management.


Profil

M2 or equivalent students in Software engineering, or cybersecurity or formal methods


Prise de fonction

Dès que possible

#J-18808-Ljbffr