Barco is a market leader in digital projection and imaging technology in several niche markets. Barco's solutions include on-premises devices, which often run embedded firmware.
This firmware is designed in-house specifically to minimize footprint and optimize performance, with a focus on security and privacy from the early design stages.
Furthermore, many open source components are integrated in the embedded firmware images. Integrating open source components has the advantage of reusing mature functionality that is continuously maintained and improved by the community, but it also introduces risks related to license compliance and security.
Every open source component is released under a license, which is a legally binding contract between the author and the user of the software component.
It specifies how the software component may be used and what the implications are for other software components it interacts with.
Integrating an open source component in the wrong way could introduce risks, e.g. the obligation to disclose your own source code, which is often not the desired scenario.
Next to the license risk, integrating open source components also introduces a security risk. Vulnerabilities are regularly disclosed in popular open source components, and a solution that integrates a vulnerable component can be compromised through it.
Therefore it is extremely important to monitor the open source components in use for both license and security risks throughout the lifetime of a solution.
For this specific internship we are looking for a student who can develop a service which, based on a provided list of open source components with metadata (version, license, applied patches, ...), verifies which vulnerabilities are present in a specific firmware image and indicates to which version each component should be upgraded to mitigate them.
A backend service should verify daily against the National Vulnerability Database (NVD) whether the used open source components are vulnerable or not. Note that NVD entries are keyed by CPE names and upstream version ranges, so the component metadata must map each component to its CPE vendor/product and record which fixes were backported, otherwise a patched component would keep showing up as vulnerable.
Via a frontend UI, a dashboard should be offered to an authenticated user, displaying the security status of all open source components in a specific firmware version.
The first focus is on covering the security risks; a nice add-on would be to also display license risks, based on a pre-defined internal policy (what is allowed and what is not allowed).
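The matching step of such a backend, as an added example and not Barco's own code: it takes a component list with version and applied patches, matches it against records in the shape of the NVD 2.0 API (CPE 2.3 criteria plus versionStart*/versionEnd* bounds), skips CVEs whose fix was already backported, and derives the lowest safe upgrade version from the bounds of the remaining matches. All component names, vendors, versions and CVE identifiers in the sample data are constructed placeholders, and the version comparator is deliberately simplified.

```python
"""Core matching logic of a firmware component vulnerability checker.

Added example with constructed data that mimics the NVD 2.0 API shape
(cve.id, configurations[].nodes[].cpeMatch[], CVSS base score), flattened
here to the fields the matcher needs.
"""
import re
from dataclasses import dataclass

# Constructed inventory of one firmware image (hypothetical names, versions and
# backported CVE fixes). "cpe" is the cpe:2.3:part:vendor:product prefix that
# the component was mapped to when it was added to the inventory.
FIRMWARE_COMPONENTS = [
    {"name": "netlib", "version": "2.4.1",
     "cpe": "cpe:2.3:a:acme:netlib", "applied_patches": []},
    {"name": "imgcodec", "version": "1.1.1k",
     "cpe": "cpe:2.3:a:acme:imgcodec", "applied_patches": ["CVE-0000-0003"]},
    {"name": "tinyshell", "version": "0.9.0",
     "cpe": "cpe:2.3:a:acme:tinyshell", "applied_patches": []},
]

# Constructed NVD-style records; the CVE identifiers are placeholders, not real CVEs.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "cpeMatch": [
        {"criteria": "cpe:2.3:a:acme:netlib:*:*:*:*:*:*:*:*", "vulnerable": True,
         "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.3"}]},
    {"id": "CVE-0000-0002", "cvss": 5.3, "cpeMatch": [
        {"criteria": "cpe:2.3:a:acme:netlib:*:*:*:*:*:*:*:*", "vulnerable": True,
         "versionEndExcluding": "2.5.0"}]},
    {"id": "CVE-0000-0003", "cvss": 7.5, "cpeMatch": [
        {"criteria": "cpe:2.3:a:acme:imgcodec:*:*:*:*:*:*:*:*", "vulnerable": True,
         "versionEndIncluding": "1.1.1k"}]},
    {"id": "CVE-0000-0004", "cvss": 6.1, "cpeMatch": [
        {"criteria": "cpe:2.3:a:acme:imgcodec:1.0.9:*:*:*:*:*:*:*", "vulnerable": True}]},
]


def parse_version(v):
    """Split '1.1.1k' into comparable parts: numbers as ints, letter runs as
    strings, tagged so mixed parts never raise TypeError. Simplified on
    purpose: not a full semver/PEP 440 comparator."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def in_range(version, m):
    """Apply the NVD versionStart*/versionEnd* bounds of one cpeMatch entry."""
    v, p = parse_version(version), parse_version
    if "versionStartIncluding" in m and v < p(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= p(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > p(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= p(m["versionEndExcluding"]):
        return False
    return True


def cpe_matches(component, m):
    """CPE 2.3 criteria is cpe:2.3:part:vendor:product:version:update:...;
    the product prefix must match and the version must be '*' or equal to ours."""
    fields = m["criteria"].split(":")
    prefix, version = ":".join(fields[:5]), fields[5]
    if prefix != component["cpe"]:
        return False
    if version != "*" and parse_version(version) != parse_version(component["version"]):
        return False
    return in_range(component["version"], m)


@dataclass
class Finding:
    cve_id: str
    cvss: float
    patched: bool  # fix already backported in the firmware tree (applied_patches)


def assess_component(component, records):
    findings, bounds = [], []
    for rec in records:
        hits = [m for m in rec["cpeMatch"]
                if m.get("vulnerable", True) and cpe_matches(component, m)]
        if not hits:
            continue
        patched = rec["id"] in component["applied_patches"]
        findings.append(Finding(rec["id"], rec["cvss"], patched))
        for m in hits:
            if patched:
                continue
            # Upgrade candidates: versionEndExcluding is itself safe; an inclusive
            # or exact bound only tells us "strictly newer than" that version.
            if "versionEndExcluding" in m:
                b = m["versionEndExcluding"]
                bounds.append((parse_version(b), b, True))
            else:
                b = m.get("versionEndIncluding", component["version"])
                bounds.append((parse_version(b), b, False))
    open_findings = [f for f in findings if not f.patched]
    upgrade = None
    if bounds:  # the highest bound over all open CVEs clears every range at once
        _, bound, safe_itself = max(bounds)
        upgrade = bound if safe_itself else "> " + bound
    status = "vulnerable" if open_findings else ("patched" if findings else "clean")
    return {"name": component["name"], "version": component["version"],
            "status": status, "findings": findings, "upgrade_to": upgrade,
            "max_cvss": max((f.cvss for f in open_findings), default=0.0)}


def assess_firmware(components, records):
    """What the daily backend job computes per firmware image; the dashboard renders this."""
    return {c["name"]: assess_component(c, records) for c in components}


if __name__ == "__main__":
    for r in assess_firmware(FIRMWARE_COMPONENTS, NVD_RECORDS).values():
        cves = ", ".join(f.cve_id + (" (patched)" if f.patched else "")
                         for f in r["findings"]) or "-"
        print(f"{r['name']:10} {r['version']:8} {r['status']:10} max CVSS {r['max_cvss']:<4} "
              f"upgrade to: {r['upgrade_to'] or '-'}  CVEs: {cves}")
```

In a real deployment the records would come from the NVD 2.0 API (paged, rate-limited, refreshed daily) rather than an inline list, and the weakest link is the component-to-CPE mapping: a component whose CPE prefix is wrong or missing silently matches nothing and shows up as "clean", so the dashboard should flag unmapped components separately rather than treating them as safe.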