audit and security application

Post on 11-Apr-2017


Work realized by: Rihab CHBBAH

Application Security Audit

Academic Year : 2015/2016

Plan

• Introduction
• Leoni Wiring System Presentation
• Part 1: Security Software Development
• Part 2: Security Testing
• Part 3: Secure Computing / Use cases
• Conclusion

Presentation Introduction LEONI Wiring System

LEONI - Presentation

• 1569: Anthonie Fournier from Lyon founded the first workshop
• 1917: Three predecessor companies merged into the newly established Leoni
• 1956: Started to manufacture cable assemblies
• 1977: Leoni started its global expansion by establishing a wiring harness plant in Tunisia
• Today: Leoni has acquired the wiring harness division of the French automotive supplier Valeo, with 88 subsidiaries all over the world

Leoni Group
• more than 67,000 employees worldwide
• located in many countries: Germany, China, Korea, Egypt, France, Tunisia …

Wire & Cable Solutions
• more than 8,000 employees
• Automotive, Industry & Healthcare, Communication & Infrastructure, Electrical Appliances, Conductor & Copper Solutions

Wiring Systems Division
• more than 59,000 employees
• Automotive Industry

LEONI Wiring System Tunisia

Sites: Sousse, Mateur Sud & Mateur Nord

Plant sections:
• Plant Section MB – Routine
• Plant Section MB – Project-MFA
• Plant Section BMW
• Plant Section A&VW
• Plant Section Supply International
• Plant Section PSA
• Plant Section Fiat/Panda

LEONI Wiring System Tunisia – Information Management

Information Management (IM) units:
• IM – Demand
• IM – Supply
• IM – Information Technology
• IM – International Services
• IM team assistance
• IM CIO Office

IM Center Organization:
• IM Service Center North Africa (IM SC NA)
• IM Service Center Eastern Europe
• IM Service Center Americas
• IM Service Center Asia

LEONI Wiring System Tunisia - IM SC NA

• Created in 2005 with 1 team and 3 members (web developers)
• 14 teams (IT, System Analysts, IM-Demand, Development, PPS and MES consulting and assistance) and 65 members

LEONI Wiring System Tunisia – IM SC IT Teams

• Security
• Microsoft
• Network & Communication
• Data Center & Private Cloud

The relationship between these levels is based on a client-provider concept.

LEONI Wiring System Tunisia – IM SC NA IT Security Team

Enterprise solutions: Sophos Enterprise Solutions
• Application Control
• Device Control
• Update Manager
• Firewall

• Sophos Anti-Virus: protect machines from malware.
• VARONIS – Folder Access Rights Audit: generate reports to all data owners so they can check the access rights of their own folders.
• SAFEGUARD Hard Disk Encryption: encrypt the hard disks of notebooks.

Introduction

Application security is the use of software, hardware, and procedural methods to prevent security flaws in applications and protect them from external threats.

Part 1 Security Software Development

Secure Software Development

“The need to consider security and privacy “up front” is a fundamental aspect of secure system development. The optimal point to define trustworthiness requirements for a software project is during the initial planning stages. This early definition of requirements allows development teams to identify key milestones and deliverables, and permits the integration of security and privacy in a way that minimizes any disruption to plans and schedules.”

(Simplified Implementation of the Microsoft SDL)

Secure Software Development

By introducing security early in the development lifecycle, companies are able to meet customer demand for more secure products and services, and they derive additional benefits such as reduced patch maintenance and a faster time to remediate.

Part 2 Security Testing

Security Testing is deemed successful when the following attributes of an application are intact:
• Authentication
• Authorization
• Availability
• Confidentiality
• Integrity
• Non-Repudiation

Security Testing

The goal is to make sure that the system or application does not have any loopholes or system fallback.

Security Testing

The inclusion of threat analysis & modeling in the SDLC can help to ensure that Applications are being developed with security built-in from the very beginning.

Threat Analysis & Modeling allows you to systematically identify and rate the threats that are most likely to affect your system. By identifying and rating threats based on a solid understanding of the architecture and implementation of your application, you can address threats with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk.

Security Testing

Threat modeling accomplishes the following:

• Defines the security of an application
• Identifies and investigates potential threats and vulnerabilities
• Brings justification for security features
• Identifies a logical thought process in defining the security of a system
• Results in finding architecture bugs earlier and more often
• Results in fewer vulnerabilities
• Creates a set of documents

Security Testing – Threat tree

Part 3 Secure Computing Use Cases

Secure Computing

Basic Terminologies

• Asset: a system resource.
• Threat: a potential occurrence, malicious or otherwise.
• Vulnerability: a weakness in some aspect or feature of a system that makes a threat possible.
• Attack: an action taken by someone or something that harms an asset.
• Countermeasure: a safeguard that addresses a threat and mitigates risk.

Secure Computing – Threat models

The CIA model is described by its three aspects: Confidentiality, Integrity and Availability.

Secure Computing – Threat models

The STRIDE model is a system developed by Microsoft for thinking about computer security threats. It provides a mnemonic for security threats in six categories.

The threat categories are:
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure
• Denial of service (DoS)
• Elevation of privilege

The STRIDE name comes from the initials of the six threat categories listed. It was initially proposed for threat modelling, but is now used more broadly.

Secure Computing – Modeling Tools

• Microsoft SDL Threat Modeling Tool
• Threat Analysis & Modeling Tool

Part 3 Secure Computing Use Cases

Use Case Sophos Unmanaged machines follow-up tool

The application queries the Sophos database to generate the list of unmanaged machines at the different LEONI sites.

It is driven by four input files: "OUlist.txt" contains the list of the sites to follow up; "ContactList.xlsx" contains the list of contact persons by site; "Email-Body.txt" is used to modify the email body; "ExceptionList.xlsx" is used to add a technical exception.

Use Case Sophos Unmanaged machines follow-up tool

Roles

• User Roles: Administrator
• Service Roles: SQL Server, Active Directory, .Net Framework, Microsoft Excel, Windows text file

Use Case Sophos Unmanaged machines follow-up tool – Data

Use Case Sophos Unmanaged machines follow-up tool – Components

Use Case Sophos Unmanaged machines follow-up tool – Application Use Case

Use Case Sophos Unmanaged machines follow-up tool – Threat Analysis

Attacks:
• Buffer Overflow
• Cryptanalysis Attacks
• Denial of Service
• Network Eavesdropping
• SQL injection

Threats:
• Threat factor for Confidentiality
• Threat factor for Integrity
• Threat factor for Availability
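The SQL injection entry in the threat analysis above is the one that maps most directly onto the tool's design: site names read from "OUlist.txt" end up inside a query against the Sophos database. The following is an added example, not code from the presentation or from LEONI's tool. It uses an in-memory SQLite table as a stand-in for the Sophos database (the real schema is not shown, so the `machines` table and its columns are assumptions), constructed site and machine names, and a constructed OU list and exception set in place of the real "OUlist.txt" and "ExceptionList.xlsx". It shows the query built by string concatenation beside the parameterized form, plus an allow-list check on the site names before they are ever queried.

```python
import re
import sqlite3

# Constructed sample rows standing in for the Sophos database (name, site, managed flag).
SAMPLE_MACHINES = [
    ("PC-SOUSSE-01", "Sousse", 1),
    ("PC-SOUSSE-02", "Sousse", 0),
    ("PC-MATEUR-01", "Mateur Nord", 0),
    ("PC-MATEUR-02", "Mateur Sud", 0),
]

# Constructed stand-in for OUlist.txt: one site per line, the last line is malformed.
OULIST_TXT = "Sousse\nMateur Nord\nSousse' OR 'x'='x\n"

# Constructed stand-in for the technical exceptions kept in ExceptionList.xlsx.
EXCEPTIONLIST = {"PC-MATEUR-01"}

# Site names as they appear in the OU list: letters, digits, spaces and a few separators.
SITE_NAME = re.compile(r"^[A-Za-z0-9 _&-]{1,64}$")


def build_db():
    """Create the assumed 'machines' table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (name TEXT, site TEXT, managed INTEGER)")
    conn.executemany("INSERT INTO machines VALUES (?, ?, ?)", SAMPLE_MACHINES)
    return conn


def parse_ou_list(text):
    """Split the OU list into (accepted, rejected) site names using the allow-list pattern."""
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        (accepted if SITE_NAME.match(line) else rejected).append(line)
    return accepted, rejected


def unmanaged_unsafe(conn, site):
    """Weak form: the site name becomes part of the SQL text, so its quotes change the query."""
    sql = "SELECT name FROM machines WHERE managed = 0 AND site = '" + site + "'"
    return [row[0] for row in conn.execute(sql)]


def unmanaged_safe(conn, site):
    """Hardened form: the site name is bound as a parameter and is always treated as a literal."""
    sql = "SELECT name FROM machines WHERE managed = 0 AND site = ?"
    return [row[0] for row in conn.execute(sql, (site,))]


def follow_up_report(conn, ou_text, exceptions):
    """Per accepted site, list unmanaged machines minus technical exceptions;
    return the report and the OU-list lines that failed the allow-list check."""
    accepted, rejected = parse_ou_list(ou_text)
    report = {}
    for site in accepted:
        report[site] = [m for m in unmanaged_safe(conn, site) if m not in exceptions]
    return report, rejected


if __name__ == "__main__":
    db = build_db()
    print("concatenated query, malformed site:", unmanaged_unsafe(db, "Sousse' OR 'x'='x"))
    print("parameterized query, malformed site:", unmanaged_safe(db, "Sousse' OR 'x'='x"))
    print(follow_up_report(db, OULIST_TXT, EXCEPTIONLIST))
```

With the malformed line, the concatenated query returns every row in the table, managed machines included, while the parameterized query returns nothing because no site is literally named that way. The allow-list in `parse_ou_list` is the second layer: a line that fails it is reported back to the operator instead of reaching the database at all, which is the behaviour a follow-up tool run by an administrator should have.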

Use Case Sophos Unmanaged machines follow-up tool – Threat Testing

Conclusion

Safety is the paramount aspect to consider when developing an application. With that said, safety is increased when the correct security requirements are put into place.

Thank you for your attention!
