
Upload: rihab-chebbah

Post on 11-Apr-2017


Page 1: Audit and security application

Work realized by: Rihab CHBBAH

Application Security Audit

Academic Year: 2015/2016

Page 2

Plan

• Introduction: LEONI Wiring System Presentation
• Part 1: Security Software Development
• Part 2: Security Testing
• Part 3: Secure Computing, Use cases
• Conclusion

Page 3

Introduction: LEONI Wiring System Presentation

Page 4

LEONI - Presentation

• 1569: Anthonie Fournier from Lyon founded the first workshop.
• 1917: Three successor companies merged into the newly established Leoni.

Page 5

• 1956: Leoni started to manufacture cable assemblies.
• 1977: Leoni started its global expansion by establishing a wiring harness plant in Tunisia.

Page 6

• Today: Leoni has acquired the wiring harness division of the French automotive supplier Valeo, with 88 subsidiaries all over the world.

Page 7

Leoni Group
• more than 67,000 employees worldwide
• Located in many countries: Germany, China, Korea, Egypt, France, Tunisia …

Wire & Cable Solutions
• more than 8,000 employees
• Automotive, Industry & Healthcare, Communication & Infrastructure, Electrical Appliances, Conductor & Copper Solutions

Wiring Systems Division
• more than 59,000 employees
• Automotive Industry

Page 8

LEONI Wiring System Tunisia

Sites: Sousse, Mateur Sud & Mateur Nord

Plant Sections: MB – Routine, MB – Project-MFA, BMW, A&VW, Supply International, PSA, Fiat/Panda

Page 9

LEONI Wiring System Tunisia – Information Management

IM – Demand, IM – Supply, IM – Information Technology, IM – International Services, IM team assistance, IM CIO Office

IM Center Organization
• IM Service Center North Africa (IM SC NA)
• IM Service Center Eastern Europe
• IM Service Center Americas
• IM Service Center Asia

Page 10

LEONI Wiring System Tunisia - IM SC NA

• Created in 2005 with 1 team and 3 members (Web Developers)
• 14 teams (IT, System Analysts, IM-Demand, Development, PPS and MES Consulting and assistance) and 65 members

Page 11

LEONI Wiring System Tunisia – IM SC IT Teams

Security, Microsoft, Network & Communication, Data Center & Private Cloud

The relationship between these levels is based on the client-provider concept.

Page 12

LEONI Wiring System Tunisia – IM SC NA IT Security Team

Sophos Enterprise Solutions
• Application Control
• Device Control
• Update Manager
• Firewall

Page 13

LEONI Wiring System Tunisia – IM SC NA IT Security Team

• Sophos Anti-Virus: protects machines from malware.
• VARONIS – Folder Access Rights Audit: generates reports to all data owners so they can check the access rights of their own folders.
• SAFEGUARD Hard Disk Encryption: encrypts the hard disks of notebooks.

Page 14

Introduction: LEONI Wiring System Presentation

Page 15

Introduction

Application security is the use of software, hardware, and procedural methods to prevent security flaws in applications and protect them from external threats.

Page 16

Part 1: Security Software Development

Page 17

Secure Software Development

“The need to consider security and privacy “up front” is a fundamental aspect of secure system development. The optimal point to define trustworthiness requirements for a software project is during the initial planning stages. This early definition of requirements allows development teams to identify key milestones and deliverables, and permits the integration of security and privacy in a way that minimizes any disruption to plans and schedules.”

– Simplified Implementation of the Microsoft SDL

Page 18

Secure Software Development

By introducing security early in the development lifecycle, companies are able to meet their customer demands for more secure products and services. And companies can derive additional benefits such as reduction in patch maintenance and faster time to remediate.

Page 19

Part 2: Security Testing

Page 20

Security Testing

Security testing is deemed successful when the following attributes of an application remain intact:
• Authentication
• Authorization
• Availability
• Confidentiality
• Integrity
• Non-Repudiation

The goal is to make sure that the system / application does not have any loopholes or system fallback.

Page 21

Security Testing

Page 22

Security Testing

Including threat analysis & modeling in the SDLC helps to ensure that applications are developed with security built in from the very beginning.

Threat analysis & modeling allows you to systematically identify and rate the threats that are most likely to affect your system. By identifying and rating threats based on a solid understanding of the architecture and implementation of your application, you can address threats with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk.

Page 23

Security Testing

Threat modeling accomplishes the following:
• Defines the security of an application
• Identifies and investigates potential threats and vulnerabilities
• Brings justification for security features
• Identifies a logical thought process in defining the security of a system
• Results in finding architecture bugs earlier and more often
• Results in fewer vulnerabilities
• Creates a set of documents

Page 24

Security Testing – Threat tree

Page 25

Part 3: Secure Computing, Use Cases

Page 26

Secure Computing – Basic Terminologies

• Asset: A system resource.
• Threat: A potential occurrence, malicious or otherwise.
• Vulnerability: A weakness in some aspect or feature of a system that makes a threat possible.
• Attack: An action taken by someone or something that harms an asset.
• Countermeasure: A safeguard that addresses a threat and mitigates risk.

Page 27

Secure Computing – Threat models

The CIA model is described by its three aspects: Confidentiality, Integrity and Availability.

Page 28

Secure Computing – Threat models

The STRIDE model is a system developed by Microsoft for thinking about computer security threats. It provides a mnemonic for security threats in six categories:
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure
• Denial of service (DoS)
• Elevation of privilege

The STRIDE name comes from the initials of the six threat categories listed. It was initially proposed for threat modelling, but is now used more broadly.

Page 29

Secure Computing – Modeling Tools

Microsoft SDL Threat Modeling Tool

Page 30

Secure Computing – Modeling Tools

Threat Analysis & Modeling Tool

Page 31

Part 3: Secure Computing, Use Cases

Page 32

Use Case: Sophos Unmanaged machines follow-up tool

This application queries the Sophos database to generate the list of unmanaged machines in the different LEONI sites.

Input files: "OUlist.txt" contains the list of the sites to follow up; "ContactList.xlsx" contains the list of contact persons by site; "Email-Body.txt" is used to modify the email body; "ExceptionList.xlsx" is used to add a technical exception.

Page 33

Use Case: Sophos Unmanaged machines follow-up tool

Roles

User Roles: Administrator.
Service Roles: SQL Server, Active Directory, .Net Framework, Microsoft Excel, Windows Text file.

Page 34

Use Case: Sophos Unmanaged machines follow-up tool

Data

Page 35

Use Case: Sophos Unmanaged machines follow-up tool

Components

Page 36

Use Case: Sophos Unmanaged machines follow-up tool

Application Use Case

Page 37

Use Case: Sophos Unmanaged machines follow-up tool

Threat Analysis

Attacks
• Buffer Overflow
• Cryptanalysis Attacks
• Denial of Service
• Network Eavesdropping
• SQL injection

Threats
• Threat factor for Confidentiality
• Threat factor for Integrity
• Threat factor for Availability
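As an added illustration (not code from the Leoni tool), here is the SQL injection item above applied to the tool's own query: the site names read from OUlist.txt end up in the query against the Sophos database, so they must be bound as parameters rather than spliced into the SQL text. The `machines` table, its columns and the sample rows are constructed stand-ins for the real SQL Server schema, and SQLite is used so the example runs offline.

```python
import sqlite3

# Constructed stand-in for the Sophos database: table and column names are
# assumptions, not the real SQL Server schema the follow-up tool queries.
SAMPLE_ROWS = [
    ("PC-SOUSSE-01", "Sousse", 1),       # managed: Sophos agent is reporting
    ("PC-SOUSSE-02", "Sousse", 0),       # unmanaged: should be followed up
    ("PC-MATEUR-01", "Mateur Nord", 0),
    ("PC-MATEUR-02", "Mateur Sud", 0),
]

# Constructed OUlist.txt content: one site to follow up per line.
OULIST_TXT = "Sousse\n\nMateur Nord\n"


def build_db():
    """Create the in-memory stand-in database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (name TEXT, site TEXT, managed INTEGER)")
    conn.executemany("INSERT INTO machines VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def load_sites(oulist_text):
    """Parse OUlist.txt: trimmed, non-empty lines are the sites to follow up."""
    return [ln.strip() for ln in oulist_text.splitlines() if ln.strip()]


def unmanaged_vulnerable(conn, site):
    """String-built query: a crafted site name rewrites the WHERE clause."""
    sql = "SELECT name FROM machines WHERE managed = 0 AND site = '" + site + "'"
    return [row[0] for row in conn.execute(sql)]


def unmanaged_safe(conn, site):
    """Parameterized query: the site value stays data, never parsed as SQL."""
    sql = "SELECT name FROM machines WHERE managed = 0 AND site = ?"
    return [row[0] for row in conn.execute(sql, (site,))]


def unmanaged_by_site(conn, oulist_text):
    """Follow-up report: unmanaged machines per site listed in OUlist.txt."""
    return {site: unmanaged_safe(conn, site) for site in load_sites(oulist_text)}


if __name__ == "__main__":
    db = build_db()
    hostile = "x' OR '1'='1"  # a site name a tampered OUlist.txt could carry
    print("vulnerable:", unmanaged_vulnerable(db, hostile))  # all 4 rows, managed too
    print("safe:", unmanaged_safe(db, hostile))              # no such site -> []
    print(unmanaged_by_site(db, OULIST_TXT))
```

The string-built variant returns every machine, managed ones included, for the hostile site name, while the parameterized variant returns nothing because no site has that literal name.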

Page 38

Use Case: Sophos Unmanaged machines follow-up tool

Threat Testing

Page 39

Conclusion

Page 40

Conclusion

Safety is the most paramount aspect considered when developing an application. With that said, safety is increased when the correct security requirements are put into place.

Page 41

Thank you for all your attention!