At IKEA we are building, integrating, and using software to solve complex problems. To fulfill our IKEA vision: “a better everyday life for the many people” we need to make sure that the software we create and use must be safe, for both our customers and co-workers. Creating secure software is essential for the success of any digital company. However, security does not always have the priority it requires and many teams struggles to fit it into their daily work.
There are multiple causes for why we are not building adequately secure software and are some of the perceived problems:
- Security activities are time consuming and limited in impact.
- We cannot automate enough of security.
- On the data we do have, we do not act accordingly.
Cyber Security at IKEA would like to work with two master's thesis student, to explore some of the topics we lie awake at night wondering about.
Automated Security Insights
How do we know if a digital product is secure and if we would know, how would we automate such a judgement. There are several way to assess the security posture of a system, and one of our most commonly used is Threat Modelling. Threat Modelling is a way of doing security analysis through the use of architecture diagrams, which allows you to identify threats and their counter measures. This is an effective activity, although time consuming and requires expert knowledge to be executed efficiently. This creates a high demand for automating and simplifying the activity. Other ways to asses security can be different types of automated security scans, checklists, penetrations test, etc.
We're interested in developing a way to automatically assess the posture of the system, through extrapolating data or create systematic approach to enable this.
To find the right goal is part of the thesis, but here are some suggestion that we think is interesting:
- To develop a rich diagramming language to capture all the details needed for performing automated threat modelling
- Implement an analysis, which given a system's architecture written in the diagramming language automatically generates threats
- Automate validation of mitigations to security findings.
- Analyze threat models across multiple products and identify common architecture, threat and mitigation patterns that would be suitable for developing security templates.
We believe that you are interested and curious about both software and security. To succeed, we think some of the following qualifications are met:
- Software development experience developing some sort of digital product.
- Understanding of software architecture
- Understanding of risk management and the challenges of creating secure software
- An interest in pursuing a career in Cyber Security.