
PhD Position F/M: Quantification of security vulnerabilities caused by heavy code reuse through package managers and library dependencies (H/F), Inria
Villeneuve-d'Ascq (59), fixed-term contract (CDD), 36 months
- Bac +3, Bac +4
- Bac +5
- Public service (local authorities)
Job description
PhD Position F/M Quantification of security vulnerabilities caused by heavy code reuse through package managers and library dependencies
The job description below is in English.
Contract type: fixed-term (CDD)
Required degree level: Bac +5 (Master's) or equivalent
Position: PhD student
About the centre or functional department
The Inria University of Lille centre, created in 2008, employs 360 people including 305 scientists in 15 research teams. Recognised for its strong involvement in the socio-economic development of the Hauts-de-France region, the Inria University of Lille centre pursues a close relationship with large companies and SMEs. By promoting synergies between researchers and industrialists, Inria participates in the transfer of skills and expertise in digital technologies and provides access to the best European and international research for the benefit of innovation and companies, particularly in the region.
For more than 10 years, the Inria University of Lille centre has been located at the heart of Lille's university and scientific ecosystem, as well as at the heart of French Tech, with a technology showroom based on Avenue de Bretagne in Lille, on the EuraTechnologies site of economic excellence dedicated to information and communication technologies (ICT).
Context and assets of the position
The doctoral project is part of the SWHSec project. It will be supervised by Clémentine Maurice and Pierre Laperdrix, both CNRS researchers in the Spirals team.
The objective of the SWHSec project is to explore several of the new possibilities offered by the availability of Software Heritage (the universal archive of source code) to blend together the vertical and horizontal approaches to software supply chain security.
The research will be conducted in the Spirals team.
Assigned mission
Package managers like Maven, npm or Yarn are widely used today to simplify software development. By writing a few lines in a configuration file, a developer can import code from many different projects to build an application. However, any vulnerability in an imported package can compromise the security of an entire application and can even propagate to an entire infrastructure.
Overall, our aim here is to understand the prevalence of vulnerabilities in packages distributed through package managers, and to measure how much impact a single vulnerability can have. By analyzing the code stored by Software Heritage and linking it to a vulnerability database like Snyk.io, it will be possible to understand, at a very large scale, how package managers can spread security vulnerabilities into software around the world.
The first step for the PhD student will be to build a synthetic state of the art regarding existing empirical studies on the prevalence of flaws in open-source package repositories. We will also investigate in detail two known incidents already reported in the past where one single package affected the security of entire applications, such as the event-stream incident in the npm ecosystem or the Log4j vulnerability in the Java ecosystem. Another example of compromise relevant to this task is the use of cryptographic libraries, where a single vulnerable version can compromise the integrity of encrypted connections.
From these first studies, the goal is to explore how a set of patterns applicable to Software Heritage could be detected, allowing developers to observe risks in an open-source ecosystem. The idea, as far as possible, is to propose a risk metric for each dependency with respect to the security of the global ecosystem.
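The two computations the mission describes, the blast radius of one vulnerable release across everything that depends on it and a per-dependency risk score for the ecosystem, are illustrated by the following added example. It is not code from the SWHSec project or from Inria, and the mini-ecosystem and advisory it uses are constructed for illustration, not data from Software Heritage, Snyk.io or any real registry. It assumes that version ranges have already been resolved to exact releases (as a lockfile would record them); all package names and versions are hypothetical.

```python
"""Blast radius of a vulnerable package release in a small dependency graph.

Added example; the ecosystem below is constructed for illustration and is
not data from Software Heritage, Snyk.io or any real package registry.
Each release "name@version" lists the exact release of every dependency it
resolves to (real npm/Maven manifests use version ranges that are resolved
at install time; we assume that resolution has already happened).
"""
from collections import defaultdict, deque

# Constructed mini-ecosystem: release -> list of resolved dependency releases.
# All package names and versions are hypothetical.
ECOSYSTEM = {
    "stream-core@1.0.0": [],
    "stream-core@1.1.0": [],
    "event-bus@2.9.0": ["stream-core@1.0.0"],
    "event-bus@3.0.0": ["stream-core@1.1.0"],
    "http-server@4.2.0": ["event-bus@3.0.0"],
    "build-tool@0.8.1": ["event-bus@2.9.0"],
    "web-app@1.0.0": ["http-server@4.2.0", "build-tool@0.8.1"],
    "cli-app@2.1.0": ["build-tool@0.8.1"],
    "wallet-app@5.0.2": ["event-bus@3.0.0"],
}

# Constructed advisory in the shape a vulnerability database would give us:
# one package and the set of releases known to be affected.
ADVISORY = {"package": "stream-core", "affected_versions": {"1.1.0"}}


def split_release(release):
    """'name@version' -> (name, version); scoped names like '@org/pkg@1.0.0' work too."""
    name, _, version = release.rpartition("@")
    return name, version


def reverse_graph(ecosystem):
    """Invert 'depends on' into 'is depended on by' (release -> set of dependents)."""
    dependents = defaultdict(set)
    for release, deps in ecosystem.items():
        for dep in deps:
            if dep not in ecosystem:
                raise KeyError(f"{release} depends on unknown release {dep}")
            dependents[dep].add(release)
    return dependents


def transitive_dependents(dependents, seeds):
    """BFS over the reversed graph: every release that (transitively) pulls in a seed."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for parent in dependents[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen - set(seeds)


def affected_releases(ecosystem, advisory):
    """Releases of the advisory's package whose version is listed as affected."""
    return {
        r for r in ecosystem
        if split_release(r)[0] == advisory["package"]
        and split_release(r)[1] in advisory["affected_versions"]
    }


def blast_radius(ecosystem, advisory):
    """All releases that transitively depend on an affected release."""
    return transitive_dependents(reverse_graph(ecosystem),
                                 affected_releases(ecosystem, advisory))


def ecosystem_risk(ecosystem):
    """Per package: fraction of the other packages that transitively depend on any of its releases.

    A crude stand-in for the per-dependency risk metric the project aims at:
    it measures how much of the ecosystem one bad release of a package could reach.
    """
    dependents = reverse_graph(ecosystem)
    names = {split_release(r)[0] for r in ecosystem}
    risk = {}
    for name in names:
        seeds = {r for r in ecosystem if split_release(r)[0] == name}
        reached = {split_release(r)[0] for r in transitive_dependents(dependents, seeds)}
        reached.discard(name)
        risk[name] = len(reached) / (len(names) - 1)
    return risk


if __name__ == "__main__":
    print("affected by", ADVISORY, "->", sorted(blast_radius(ECOSYSTEM, ADVISORY)))
    for name, score in sorted(ecosystem_risk(ECOSYSTEM).items(), key=lambda kv: -kv[1]):
        print(f"{name:12s} reaches {score:.0%} of the ecosystem")
```

Note that the blast radius is computed on resolved releases, not on package names: build-tool and cli-app depend on event-bus, but on a release of it that resolves to the unaffected stream-core 1.0.0, so they stay out of the affected set. Scaling this to Software Heritage amounts to building the reversed graph over the archived manifests and lockfiles instead of the constructed dictionary above.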
Main activities
- Bibliography on software supply chain attacks,
- Propose and implement techniques to understand the effect of a vulnerability in a package on all the packages and applications that depend on it, directly or transitively,
- Scientific publications in top international conferences,
- Presentations of the work in national and international conferences, and in project meetings.
Skills
The ideal candidate will have the following skills:
- Good mastery of English
- Good programming skills and familiarity with supporting tools (build systems, package managers, version control)
- Relational skills, e.g., working in a team, effective reporting and communication with all involved stakeholders.
- Sound background in computer science, including machine learning, graphs, and security.
Benefits
- Subsidized meals
- Partial reimbursement of public transport costs
- Leave: 7 weeks of annual leave + 10 extra days off due to RTT (statutory reduction in working hours) + possibility of exceptional leave (sick children, moving home, etc.)
- Possibility of teleworking and flexible organization of working hours
- Professional equipment available (videoconferencing, loan of computer equipment, etc.)
- Social, cultural and sports events and activities
- Access to vocational training
- Social security coverage
Welcome to Inria
About Inria
Inria is the French national research institute for digital science and technology. It employs 2,600 people. Its 215 agile project teams, generally joint with academic partners, involve more than 3,900 scientists in tackling the challenges of digital technology, often at the interface with other disciplines. The institute draws on many talents across more than forty different professions. 900 research and innovation support staff help scientific and entrepreneurial projects that have an impact on the world to emerge and grow. Inria works with many companies and has supported the creation of more than 200 start-ups. The institute thus strives to meet the challenges of the digital transformation of science, society and the economy.
Hellowork's salary estimate for this job in Villeneuve-d'Ascq
The recruiter did not disclose the salary for this offer, but Hellowork provides an estimate (the range varies with experience). The estimate is based on INSEE data and similar job offers; all figures are estimated gross salary.
- Low estimate: €35,200 / year (€2,933 / month, €19.34 / hour)
- Mid estimate: €43,200 / year (€3,600 / month, €23.74 / hour)
- High estimate: €50,000 / year (€4,167 / month, €27.47 / hour)