Nielsen
AI-Powered OSS Supply Chain Security Intern
Internship, On-site
Location
New York, NY
Salary
Not listed
Experience
Not specified
Posted
2 weeks ago
Skills
python, java, javascript, git, gitlab, ci/cd pipelines, static application security testing (sast), threat intelligence integration, software supply chain security, dependency graphing, call graph analysis, automation scripting, analytical mindset
Job Description
Summary: Nielsen is a company dedicated to providing powerful insights that drive client decisions in the media industry. They are seeking an AI-Powered OSS Supply Chain Security Intern to assess GitLab repositories and build a management infrastructure for identifying OSS packages and their vulnerabilities, particularly in relation to AI-based threats.
Responsibilities:
- GitLab Repository Analysis: Programmatically scan GitLab repositories to inventory all OSS libraries, frameworks, and dependencies
- Usage Verification (Dead Code Identification): Utilize "In Use Analysis" techniques to determine if a vulnerable library is actually called by the application in a production environment, filtering out the "70% noise" of unused code
- Threat Intelligence Integration: Auto-generate threat intel reports by monitoring industry sources (CISA, OWASP, Snyk, etc.) for AI-driven threats that identify new OSS stack vulnerabilities not yet assigned CVSS scores
- Infrastructure Automation: Design a sustainable workflow (via GitLab CI/CD or custom scripts) that alerts the security team when a high-risk OSS component is introduced or when a new AI-based exploit is reported for an existing OSS package
- Prioritization Engine: Develop a scoring rubric to rank OSS tools for remediation based on production usage, business criticality, and susceptibility to AI-enhanced exploits
- The Deliverable: The final product of this internship is the OSS Resilience Management Framework. This must include:
  - The "Active Stack" Inventory: A filtered list of OSS libraries that are verified as active in production environments.
  - AI Threat Heatmap: A report identifying the top 30 OSS tools in our stack that are most vulnerable to emerging AI-based attack patterns.
  - Automated Scanning Pipeline: A GitLab-integrated script or runner that performs periodic "in use" checks and cross-references them against new threat intel.
  - Remediation Roadmap: A prioritized "Hit List" of the first five OSS libraries that require immediate version upgrades or replacement.
- Examples of Technical Tasks:
  - Dependency Graphing: Using GitLab APIs to map how a library like Log4j or NumPy is nested within multiple internal projects.
  - Call Graph Analysis: Running basic static analysis (SAST) to see if a specific vulnerable function within a library is actually being imported and executed.
  - Automated Threat Feeds: Writing a script to scrape or API-query vulnerability databases for keywords related to "AI-generated exploits" or "LLM-based supply chain attacks."
Preferred Qualifications:
- Currently pursuing a degree in Software Engineering, Cybersecurity, or Data Science
- Comfortable reading and navigating multiple languages (Python, Java, or JavaScript/Node.js) and using Git/GitLab
- Ability to correlate external threat intelligence with internal technical data
- Understanding of CI/CD pipelines and how to trigger security scans within a development workflow
Required Skills: Python, Java, JavaScript, Git, GitLab, CI/CD pipelines, Static Application Security Testing (SAST), Threat Intelligence Integration, Software Supply Chain Security, Dependency Graphing, Call Graph Analysis, Automation Scripting, Analytical Mindset
Benefits: Comprehensive health and wellness plans, A 401(k) with a Nielsen company match, A generous paid time off policy, A company-provided vehicle, Discretionary incentive/bonus eligibility