Listing unavailable
This product is no longer available for sale.
Internship: Vulnerable web application development for cybersecurity training at SAP (F/M)
Listing No. 125052, published on 08/07/2024 at 23:34
Description
WHAT WE OFFER

Our company culture is focused on helping our employees
enable innovation by building breakthroughs together. How? We focus
every day on building the foundation for tomorrow and creating a
workplace that embraces differences, values flexibility, and is
aligned to our purpose-driven and future-focused work. We offer a
highly collaborative, caring team environment with a strong focus on
learning and development, recognition for your individual
contributions, and a variety of benefit options for you to choose
from. Apply now!

PURPOSE AND OBJECTIVES

Cyber-attacks can disrupt and
cause considerable financial and reputational damage to even the most
resilient organizations. If an organization suffers a cyber-attack, it
stands to lose assets, reputation and business, and potentially face
regulatory fines and litigation. Most cyber-attacks are automated,
indiscriminate and evolve at an alarming rate. Cybersecurity is the
body of technologies, processes and practices designed to protect
networks, computers, programs and data from damage or unauthorized
access from cyber-attacks. Ensuring cybersecurity requires coordinated
efforts throughout the development lifecycle of products. An important
element in this lifecycle is Security Testing. Security Testing
reveals flaws in the security mechanisms of products during
development and helps prevent attacks such as SQL injection, XSS, and DoS.

Within the Tools team, the Security Testing and Open Source team
enables SAP development teams to build secure software by providing a
service for automated source code scans complemented by other test
methods, such as dynamic checks, fuzzing, and penetration testing.
This automated security analysis of potentially large software
products makes it possible to detect and eliminate security flaws at an
early stage in the development cycle, before the products are shipped
to SAP customers. The team also provides central education and
consulting to develop security awareness in SAP and help development
teams make effective use of these tools. Finally, the team carries out
research projects in white spot areas and develops its own security
testing tools for specific configurations that are not well supported
by standard static analysis tools (SAST) or dynamic analysis tools
(DAST).

Our strengths rely on an international and multicultural team.
The team is made up of highly skilled and passionate individuals who
together bring many years of experience from various areas of
application security. We are looking for a passionate and
collaborative intern with a hands-on mindset.

INTERNSHIP TOPIC

The internship will take place in the context of the security testing
training delivered in SAP worldwide. With this internal training for
SAP developers, each SAP trainee learns which testing tools to use,
how to use the tools and when to test. The goal of this training is to
present an overview of the security testing and open source software
security strategy. It will give any SAP developer best practices and
recommendations to follow. Each trainee will be trained with Static
Application Testing Tools (Fortify, Checkmarx, Coverity), Open Source
Vulnerability Scan tools (SVM, Black Duck, Whitesource), and Dynamic
Application Testing Tools (Daster, ZAP).

The goal is to have one single vulnerable application that can be
tested by all the previous static tools: each tool will be able to test
different parts based on the programming languages it supports (for
example, Fortify for Java code scans, Cx for JavaScript code scans,
etc.). To this end, the Security Testing and Open Source Software
Security team has developed its own vulnerable application. SAPGoat
store is a vulnerable application for learning the types of security
vulnerabilities that exist and how to detect them with the testing
tools. The application is an online shop with vulnerabilities
available as challenges on the
website. It has various components:

* Store, a vulnerable shop written in Java Spring (backend) and UI5 (JavaScript framework for the frontend)
* Backoffice, the back office of the shop, written in JavaScript
* Mobile Store, a mobile application (multi-OS) with the same functionalities as the Store
* Mobile Backoffice, an Android mobile application with the same functionalities as the back office
* Payment module in C

The main tasks of the internship will be to:

* Ramp up on Security Testing and OpenTools (Static and Dynamic)
* Continue developing our own vulnerable web application, SAPGoat, and its different components
* Improve the payment modules
* Improve the mobile store
* Investigate how the Open Source Vulnerability Scan tools like Whitesource, Black Duck and SVM will behave with SAPGoat store
* Add new components with some vulnerabilities able to be detected by Open Source Vulnerability Scan
* Document and update the training material with the new components
* Provide support to the technical coordination of the infrastructure for the trainings.

The
training is now hosted on an e-learning platform; the intern may have
to update this platform with new security testing and open source
software security tools, producing videos and other types of material
such as quizzes and challenges. At the end, the student will have
gained skills in Security Testing areas and good visibility into the
SAP Secure SDL (Software Development Lifecycle). The vulnerable web
application will be used directly by trainees during the training. The
intern will be in direct contact with experts from these areas
(pentesters, static and dynamic tools experts, and tools consultants).
The intern/apprentice will have the opportunity:

* To discuss with security experts and gain expertise in the area of Static Application Security Testing tools, Open Source Vulnerability Scan tools and Dynamic Application Security Testing tools.
* To be fully part of a Security Team in SAP and improve her/his knowledge in Security
* To work mainly on devops tasks; however, she/he will have the opportunity to tackle diverse types of tasks (like support, testing, design and communication about the Security Testing training).

You should bring

* Development skills
* Devops skills
* Knowledge in Security or really strong interest in the domain

You will learn

* Applied Security
* Security Testing Tools
* SAP Secure SDL
* Hackers' techniques

Plus

* Contact with security experts (pentesters, static and dynamic tools experts, and tools consultants)
* High visibility of the work (the application will be used in the training and will be consumed by 30 000+ developers)
* Diversity of tasks (development, devops, support, design)
* Work with a great team in a nice location (Sophia-Antipolis/south of France)

CANDIDATE PROFILE

The ideal candidate will have/be:

* Very good technical/development skills
* Knowledge in JavaScript, Node.js, Java, HTML, Python
* Willingness and proven ability to quickly acquire development proficiency in new technologies
* Fluent in English (working language)
* Good oral and written communication skills
* Knowledge in Docker and Nagios is a plus
* Knowledge in Security is a plus
* Knowledge of video-making software is a plus

We are SAP

SAP
innovations help more than 400,000 customers worldwide work together
more efficiently and use business insight more effectively. Originally
known for leadership in enterprise resource planning (ERP) software,
SAP has evolved to become a market leader in end-to-end business
application software and related services for database, analytics,
intelligent technologies, and experience management. As a cloud
company with 200 million users and more than 100,000 employees
worldwide, we are purpose-driven and future-focused, with a highly
collaborative team ethic and commitment to personal development.
Whether connecting global industries, people, or platforms, we help
ensure every challenge gets the solution it deserves. At SAP, we build
breakthroughs, together.

Our inclusion promise

SAP's culture of
inclusion, focus on health and well-being, and flexible working models
help ensure that everyone – regardless of background – feels
included and can run at their best. At SAP, we believe we are made
stronger by the unique capabilities and qualities that each person
brings to our company, and we invest in our employees to inspire
confidence and help everyone realize their full potential. We
ultimately believe in unleashing all talent and creating a better and
more equitable world. SAP is proud to be an equal opportunity
workplace and is an affirmative action employer. We are committed to
the values of Equal Employment Opportunity and provide accessibility
accommodations to applicants with physical and/or mental disabilities.
If you are interested in applying for employment with SAP and are in
need of accommodation or special assistance to navigate our website or
to complete your application, please send an e-mail with your request
to Recruiting Operations Team: Americas: Careers.NorthAmerica@sap.com
or Careers.LatinAmerica@sap.com, APJ: Careers.APJ@sap.com, EMEA:
Careers@sap.com.

EOE AA M/F/Vet/Disability: Qualified applicants will
receive consideration for employment without regard to their age,
race, religion, national origin, ethnicity, age, gender (including
pregnancy, childbirth, et al), sexual orientation, gender identity or
expression, protected veteran status, or disability.

Successful candidates might be required to undergo a background
verification with an external vendor.

Requisition ID: 328176 | Work Area: Software-Design and Development | Expected Travel: 0 - 10% | Career Status: Student | Employment Type: Intern