Listing not available
This product is no longer available for sale.
Internship: Automated framework for SAST Testability patterns F/M
Listing No. 98344, published on 17/04/2022 at 00:41
Description
WHAT WE OFFER
Our company culture is focused on helping our employees
enable innovation by building breakthroughs together. How? We focus
every day on building the foundation for tomorrow and creating a
workplace that embraces differences, values flexibility, and is
aligned to our purpose-driven and future-focused work. We offer a
highly collaborative, caring team environment with a strong focus on
learning and development, recognition for your individual
contributions, and a variety of benefit options for you to choose
from. Apply now!

ABOUT US (TEAM)
Maintaining security is a constantly
shifting task, and we need to respond with continuous learning and
research. The portfolio of SAP Security Research contains those topics
that we believe are most important for SAP’s security future.
SAP’s vision to secure business is built on 3 ideals:
ZERO-VULNERABILITY, to harden the software by eliminating
vulnerabilities, DEFENSIBLE APPLICATION, to enable the software to
identify and prevent attacks, and ZERO-KNOWLEDGE, to make any theft of
data useless through encryption. Considering these aspects, SAP
Security Research covers the following focal areas: Anonymization for
Big Data, Secure Internet of Things, Software security analysis,
Open-source analysis, Deceptive application, Applied cryptography,
Quantum technology, and Machine Learning as enabler for the next
generation of security.

PURPOSE AND OBJECTIVES
This internship is
based in the SAP Labs France Research Lab, in Sophia-Antipolis. The
work will be performed in the context of the Research Program “SAP
Security Research”, under the Web Security topic. This topic aims at
detecting and preventing vulnerabilities on software systems, with a
special focus on web applications. The goal of the internship is to
develop an automated framework for our SAST testability patterns. In a
recent research work on PHP and JavaScript, we demonstrated that the
problem of false negatives for SAST should not be under-estimated. We
provided experimental evidence that SAST tools cannot analyze more
than 30 lines of code in real applications without encountering some
difficult-to-understand code fragments. We captured these challenging
code fragments in a catalog of testability patterns (TPs), measured
SAST tools against these TPs, created discovery rules for these TPs
and manually discovered them in real applications, and devised a few
transformations for some TPs to remove challenges from the
applications making them more testable for SAST tools. All these
operations were performed with a significant amount of manual effort.
To cope with this, we started developing an automated framework for
TPs. In this internship, we want to complete that framework, by
maturing the existing features and adding the missing ones, e.g., a
transformation module to automate refactoring of TPs whenever
possible. The work also requires devising transformations for those
TPs that still do not have one as well as creating new TPs, if new
code challenges are experienced.

EXPECTATIONS AND TASKS
Some of the tasks to be addressed shall include:
* Understanding the SAP development process
* Understanding SAST as well as gaining experience with concrete tools/techniques
* Understanding challenging vulnerabilities (e.g., XSS) and their detection in application code
* Understanding the corpus of testability patterns so far created for PHP and JavaScript
* Enriching testability patterns with transformation rules where needed
* Continuing the development of our automated framework for testability patterns (Python, Docker, …)
* Contributing to experiments with our framework on selected real SAP applications
* Documenting the developed software and the overall activities

We expect that 70% of the time will be dedicated to development and 30% to research activities.

PROFILE/EDUCATION/SKILLS AND COMPETENCIES
* University Level: Last year of MSc in Computer Science or beyond
* Good skills in modelling, analysis and programming (Python, PHP, JavaScript)
* Good skills in web technologies (HTTP, HTTPS, server/client-side programming languages)
* Security background
* Fluency in English (working language)
* Good oral and written communication skills
* Capacity to write documents in English, ability to synthesize

PROFESSIONAL EXPERIENCE
* None required

We are SAP
SAP innovations help more than 400,000 customers worldwide work together
more efficiently and use business insight more effectively. Originally
known for leadership in enterprise resource planning (ERP) software,
SAP has evolved to become a market leader in end-to-end business
application software and related services for database, analytics,
intelligent technologies, and experience management. As a cloud
company with 200 million users and more than 100,000 employees
worldwide, we are purpose-driven and future-focused, with a highly
collaborative team ethic and commitment to personal development.
Whether connecting global industries, people, or platforms, we help
ensure every challenge gets the solution it deserves. At SAP, we build
breakthroughs, together.

Our inclusion promise
SAP’s culture of
inclusion, focus on health and well-being, and flexible working models
help ensure that everyone – regardless of background – feels
included and can run at their best. At SAP, we believe we are made
stronger by the unique capabilities and qualities that each person
brings to our company, and we invest in our employees to inspire
confidence and help everyone realize their full potential. We
ultimately believe in unleashing all talent and creating a better and
more equitable world. SAP is proud to be an equal opportunity
workplace and is an affirmative action employer. We are committed to
the values of Equal Employment Opportunity and provide accessibility
accommodations to applicants with physical and/or mental disabilities.
If you are interested in applying for employment with SAP and are in
need of accommodation or special assistance to navigate our website or
to complete your application, please send an e-mail with your request
to Recruiting Operations Team: Americas: Careers.NorthAmerica@sap.com
or Careers.LatinAmerica@sap.com, APJ: Careers.APJ@sap.com, EMEA:
Careers@sap.com.

EOE AA M/F/Vet/Disability: Qualified applicants will
receive consideration for employment without regard to their age,
race, religion, national origin, ethnicity, age, gender (including
pregnancy, childbirth, et al), sexual orientation, gender identity or
expression, protected veteran status, or disability. Successful
candidates might be required to undergo a background verification with
an external vendor.

Requisition ID: 320149 | Work Area: Software-Design and Development | Expected Travel: 0 - 10% | Career Status: Student | Employment Type: Intern