Machine Learning + Software Engineering Researcher in the project “Fine-Grained Analysis of Software Ecosystems as Networks” (FASTEN)
Project duration: 2 years
Start date: 2020
This position offers the unique opportunity to progress your research career in a challenging industrial context, focusing on innovation and pragmatic solutions for software improvement, while still maintaining scientific standards of quality. The Software Improvement Group has research at its core, with a dedicated research team hosting several PhD and Postdoc researchers, several active collaborations with academic partners, and plenty of colleagues with PhD degrees. The FASTEN project asks for a rich skillset: software engineering expertise combined with machine learning and/or statistical techniques, scientific curiosity and proficiency, the ability to publish, and the drive to integrate research results into daily practice. In this position you will be creating the next-gen software risk analysis models and tools, which will have a lasting impact on software development practice.
SIG gives technology leaders the visibility they need to address current software problems and prevent future ones from ever happening. Drawing on proprietary methods and decades of expertise, SIG helps organisations fundamentally improve the security and performance of the enterprise applications that support every aspect of their businesses.
SIG operates a unique software evaluation laboratory governed by the Quality Management System as required by the ISO/IEC 17025 international standard for testing and calibration laboratories. The only organisation in the world certified by TÜViT for Trusted Product Maintainability, SIG is headquartered in Amsterdam with regional offices in the Nordics, Belgium, Germany and Greece. SIG serves companies in Europe, the United States, and Asia.
About the FASTEN project
A popular form of software reuse involves linking open source software (OSS) libraries hosted on centralised code repositories, such as Maven or PyPI. Developers only need to declare dependencies to external libraries, and automated tools make them available to the workspace of the project. As recent events such as the leftpad incident, which led to hundreds of thousands of websites to stop working, and the Equifax data breach, which led to a leak of hundreds of thousands of credit card numbers, have demonstrated, dependencies on networks of external libraries can introduce to projects significant operational and compliance risk as well as difficult to assess security implications. Solving these problems would boost the efficiency and production quality of software development companies by allowing them to reuse OSS code with confidence, covering a large untapped potential.
To address this situation, the FASTEN project introduces fine-grained, method-level, tracking of dependencies on top of existing dependency management networks. Specifically, the project will introduce a service that tracks dependencies at the method call-graph level and performs sophisticated analyses of i) security vulnerability propagation, ii) licensing compliance, and iii) dependency risk profiles. To facilitate adoption, FASTEN will bring those analyses to the hands of developers by integrating the analysis service to popular package managers, for the Java, C, and Python programming languages.
The project consortium consists of Delft University of Technology, Athens Univ. of Economics and Business, Universit à degli studi di Milano, XWiki SAS, Endocode AG, Software Improvement Group, and OW2.
SIG Work Package
SIG is leading the work package titled “Security, Quality and Risk”, which will focus on exploiting the FASTEN techniques for better, more accurate analysis of both the quality and the risks of software systems: a key element in translating the technical achievements of FASTEN to better insights for software development organisations. This work package will develop a method for aggregating properties of libraries and software components. This aggregation can benefit from FASTEN results in two ways: (1) it can be more accurate and insightful by using the detailed insights about the dependencies in software (2) In addition to conventional quality and risk measurements, such as maintainability metrics previously developed and used by SIG. In this work package we will also collect and aggregate the insights from change impact analysis, and compliance work packages, to come up with overall risk profiles of software systems and/or individual libraries.
As an ML+SE Researcher you will be providing SIG’s contribution to the FASTEN project. This consists of both conceptual and applied research in the intersection of the machine learning and software engineering research fields, aiming for concrete innovations within the company. You will be tasked e.g. with creating new conceptual risk models regarding quality and security based on the FASTEN dependency networks, prototyping ML and/or statistical solutions, performing validation studies, generating exploitation ideas, and helping drive integration with the company’s existing software stack.
You will be part of the Research team at SIG’s Amsterdam office, where you will participate in team activities, get coaching from senior staff, and have day-to-day interaction opportunities with the consulting and software development branches within the company.