Sk3pper

Security Engineer

Hi! My name is Andrea Bissoli and this is my personal web page where I will post my blog articles, notes and my personal career path.

I am passionate about computer science and inclined to fully understand how things work by asking myself “why?” and “how?”. I like to expand my knowledge both theoretically and through practical activities. I find creative solutions to problems and write code to implement them. My work experience includes:

  • Engineering: I gather everything related to engineering, being curious to comprehend the workings of every intricate detail, explore novel solutions, and embrace the creative aspects;
  • IT: Coding and everything that is related to computer technology;
  • Security: In recent years, I developed an interest and competence in cybersecurity, working on information security projects, security by design, writing secure code and training for hardware and software security testing.

Experiences

ZTE Cybersecurity Lab

October 2023 - Present

Rome (Italy)

The ZTE Cybersecurity Lab in Italy focuses on security testing and support for the regional markets. It serves as a collaborative platform between ZTE and various institutions, universities, and stakeholders for capacity building and knowledge transfer, including a partnership with the CNIT (National Interuniversity Consortium for Telecommunications) for technical research and testing supervision.

Security Engineer

October 2023 - Present

Responsibilities:
  • Perform cyber security assessment of ZTE products.
  • Identify, analyze, and assess technical and organizational cyber security vulnerabilities. Document and report penetration test results to stakeholders.
  • Study and employ cutting-edge security technology, tools and vulnerabilities.

Konica Minolta Global R&D

February 2021 - July 2023

Rome (Italy)

The Cyber Security R&D team performs applied security research and prototyping, as well as shaping the adoption of best practices and new technologies.

Cyber Security Engineer

February 2021 - July 2023

Responsibilities:
  • Analysis of methodologies, design and implementation of prototype solutions for the security risk management and cyber deception areas;
  • Propose and investigate innovative approaches or technologies in the field of cyber security;
  • Stay up to date with cyber security trends and cutting-edge technologies.

UniCredit Services

November 2019 - February 2021

Verona (Italy)

UniCredit Services provides ICT applications aimed at developing, implementing and managing the solutions for different core areas

DevOps Engineer

November 2019 - February 2021

Responsibilities:
  • Design, implementation, deployment, monitoring and troubleshooting of banking applications.
  • Implementation of monitoring automation, identification of performance bottlenecks and troubleshooting of issues, discovery and resolution of application bugs with Splunk.
  • Management of application production release cycles.

TIM S.p.A

August 2018 - September 2021

Rome (Italy)

Cyber Security Analyst at the TIM Security Operations Center. Collaboration in the Incident Handling Backbone Team.

Cyber Security Analyst

August 2018 - September 2021

Responsibilities:
  • Security incident handling in the TIM backbone network;
  • On-call duties for critical environments, handling security incidents outside of business hours;
  • Software developer for automation of SOC activities.

High school "Louis Pasteur"

September 2016 - June 2017

Rome (Italy)

Teacher in an extracurricular course of “programming techniques” addressed to students of the scientific high school biennium.

Teacher

September 2016 - June 2017

Responsibilities:
  • Didactic planning
  • Frontal lessons
  • Parent interviews
  • Tests and evaluations of students’ skills

Courses & Certifications

OffSec Certified Professional (OSCP)
Maldev Academy
Offensive Hardware Security Training

Publications

The paper presents a solution for securing password-based authentication using Shamir’s $(k,n)$ threshold scheme, in which $n$ password-derived secrets (shares) are created and $k\leq n$ shares are necessary and sufficient to reconstruct the password. The solution is information-theoretically secure: each share is stored on a different host (Shareholder), so an attacker must compromise $k$ Shareholders to reconstruct the secret. To resist compromise of the coordinating server (Dealer), the authors define a variant of Shamir’s scheme in which the abscissas are unknown to the Dealer and the Shareholders, making reconstruction impossible even if they are compromised. The authors designed protocols for registration and authentication, analyzed scenarios with a partially or totally compromised Dealer and/or Shareholders, and developed a prototype demonstrating the correct, effective, and efficient operation of the proposed method, which serves as a feasibility study for future cloud-based “authentication-as-a-service” implementations.

Education

Oct 2012 - May 2018
B.Sc. and M.Sc. in Computer Science, Cyber security
CGPA (VL): 4 (110 cum laude) out of 4 (110)