SlideShare a Scribd company logo
1 of 41
Work realized by:
₪ Rihab CHBBAH
Application Security Audit
Academic Year : 2015/2016
Plan
• Introduction
• Leoni Wiring
System
Presentation
• Security Software
Development
Part 1
• Security
Testing
Part 2
• Secure
Computing
• Use cases
Part 3
Conclusion
Presentation
 Introduction
 LEONI Wiring System
LEONI -
Presentation
Anthonie Fournier
from Lyon founded
the first workshop
1569
3 succeded
companies merged
into newly
established Leoni
1917
Started to manufacture
cable assemblies
1956
Leoni started its global
expansion by
establishing a wiring
harness plant in Tunisia.
1977
Leoni has acquired the wiring
harness division of the
French automative supplier
Valeo with 88 subsidiaries all
over the world
Tod
ay
Finis
h
Leoni Group
◊ more than 67,000 employees worldwide
◊ Located in many countries : Germany, China, Coria, Egypt, Frenc
Wire & Cable Solutions
◊ more than 8,000 employees
◊ Automotive
Industry & Healthcare
Communication & Infrastructure
Electrical Appliances
Conductor & Copper Solutions
Wiring Systems Division
◊ more than 59,000 employe
◊ Automotive Industry
LEONI Wiring
System Tunisia
Sousse
Mateur Sud & Mateur
 Plant Section MB – Routine
 Plant Section MB – Project-MFA
 Plant Section BMW
 Plant Section A&VW
 Plant Section Supply International
 Plant Section PSA
 Plant Section Fiat/Panda
LEONI Wiring System Tunisia
Information
ManagementInformation
Management
IM - Demand IM – Supply
IM – Information
Technology
IM – International
Services
IM team
assistance
IM CIO Office
IM Center Oganizatio
ɤ IM Service Center North Africa (IM
ɤ IM Service Center Easten Europe
ɤ IM Service Center Americas
ɤ IM Service Center Asia
LEONI Wiring System Tunisia -
IM SC NA
∞ Created in 2005,
∞ 1 Team,
∞ 3 Members (Web Developers)
∞ 14 Teams (IT, System Analysts, IM-Dema
Development, PPS and MES Consulting and as
∞ 65 Members
LEONI Wiring System Tunisia –
IM SC IT Teams
 Security
 Microsoft
 Network & Communication
 Data Center & Private Cloud
The relationship between these levels is based
on client-provider concept.
LEONI Wiring System Tunisia –
IM SC NA IT SecurityTeam
Enterprise solutions
Sophos Enterprise Solutio
∞ Application Control
∞ Device Control
∞ Update Manger
∞ Firewall
LEONI Wiring System Tunisia –
IM SC NA IT SecurityTeam
Sophos Anti-Virus
VARONIS – Folder Access
Rights Audit
SAFEGUARD
Hard Disk Encryption
Generate reports to all
Data owners to check
Access rights of their
own folders
Encrypt Hard Disks
Of Notebooks
Protect machines from
malwares.
Presentation
 Introduction
 LEONI Wiring System
Introduction
Application security is the use of software, hard
and procedural methods to prevent security flaw
in applications and protect them from external t
Part 1
 Security Software Development
Secure Software Development
“The need to consider security and privacy “up front” is a fund
system development. The optimal point to define trustworthin
a software project is during the initial planning stages. This e
requirements allows development teams to identify key milest
and permits the integration of security and privacy in a way th
to plans and schedules. “
-Simplified Implementation of the Microsoft SD
Secure Software Development
By introducing security early in the
development lifecycle, companies are
able to meet their customer demands
for more secure products and
services. And companies can derive
additional benefits such as reduction
in patch maintenance and faster time
to remediate.
Part 2
 Security Testing
Security Testing is deemed successful when the below attribut
Authentication
Authorization
Availability
Confidentiality
Integrity
Non-Repudiation
Security Testing
Goal is to make sure that the
Application does not have any
Or system fallback
Security Testing
Security Testing
The inclusion of threat analysis & modeling in the SDLC c
Applications are being developed with security built-in fr
Threat Analysis & modeling allows you to systematically iden
that are most likely to affect your system. By identifying an
a solid understanding of the architecture and implementatio
you can address threats with appropriate countermeasures
With the threats that present the greatest risk.
Security Testing
Threat modeling accomplishes the following:
 Defines the security of an application ·
 Identifies and investigates potential threats an
 Brings justification for security features
 Identifies a logical thought process in defining
 Results in finding architecture bugs earlier and
 Results in fewer vulnerabilities ·
 Creates a set of documents
Security Testing
Threat tree
Part 3
 Secure Computing
 Use Cases
Secure Computing
Asset: A system resource.
Threat: A potential occurrence, malicious or otherwise
Vulnerability: A weakness in some aspect or feature of a syste
Attack : An action taken by someone or something that harm
Countermeasure: A safeguard that addresses a threat and mit
Basic Terminologies
Secure Computing
Threat models
the CIA model is described by its aspects : Confidentiality,
Secure Computing
Threat models
STRIDE model is a system developed by Microsoft for thinking about comp
It provides a mnemonic for security threats in six categories.
The threat categories are:
 Spoofing of user identity
 Tampering
 Repudiation
 Information disclosure
 Denial of service (D.o.S)
 Elevation of privilege
The STRIDE name comes from the initials of the six threat categories listed
It was initially proposed for threat modellng, but is now used more broadly.
Secure Computing
Modeling Tools
Microsoft SDL Threat Modeling Tool
Secure Computing
Modeling Tools
Threat Analysis & modeling Tool
Part 3
 Secure Computing
 Use Cases
Use CaseSophos Unmanaged machines follow-up tool
"OUlist.txt" contains the list of the sites to follo
"ContactList. xlsx" file which contains the list of c
"Email- Body.txt" to modify the email body,
"ExceptionList.xlsx" to add a technical exception
This application will query the Sophos Database to generate Unmanaged ma
Use CaseSophos Unmanaged machines follow-up tool
Roles
User Roles Service Roles
Administrator SQL Server
Active Directory,
.Net Framework,
Microsoft Excel,
Windows Text file.
Use CaseSophos Unmanaged machines follow-up tool
Data
Use CaseSophos Unmanaged machines follow-up tool
Components
Use CaseSophos Unmanaged machines follow-up tool
Application Use Case
Use CaseSophos Unmanaged machines follow-up tool
Threat Analysis
Attacks
◊ Buffer Overflow
◊ Cryptanalysis Attacks
◊ Denial of Service
◊ Network Eavesdropping
◊ SQL injection
Threats
◊ Threat factor for
Confidentiality
◊ Threat factor for
Integrity
◊ Threat factor for
Availability
Use CaseSophos Unmanaged machines follow-up tool
Threat Testing
Conclusion
Conclusion
safety is the most paramount aspect considered when develo
With that said, safety is increased with the correct security
Thank you for all your attenti

More Related Content

What's hot

Audit and security application report
Audit and security application reportAudit and security application report
Audit and security application reportRihab Chebbah
 
Enterprise IT Security Audit | Cyber Security Services
Enterprise IT Security Audit | Cyber Security ServicesEnterprise IT Security Audit | Cyber Security Services
Enterprise IT Security Audit | Cyber Security ServicesAkshay Kurhade
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentAdetula Bunmi
 
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
How To Successfully Defend Against Irc Bots, Compromises, And Information LeaksHow To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
How To Successfully Defend Against Irc Bots, Compromises, And Information LeaksTammy Clark
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information SecuritySARJERAO Sarju
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3MLG College of Learning, Inc
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityElumalai Vasan
 
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...Tonex
 
How To Secure MIS
How To Secure MISHow To Secure MIS
How To Secure MISAaDi Malik
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Security and control in Management Information System
Security and control in Management Information SystemSecurity and control in Management Information System
Security and control in Management Information SystemSatya P. Joshi
 
Cyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT ApproachCyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT ApproachCommunity Protection Forum
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information systemOnline
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 

What's hot (20)

Audit and security application report
Audit and security application reportAudit and security application report
Audit and security application report
 
Enterprise IT Security Audit | Cyber Security Services
Enterprise IT Security Audit | Cyber Security ServicesEnterprise IT Security Audit | Cyber Security Services
Enterprise IT Security Audit | Cyber Security Services
 
System Security Plans 101
System Security Plans 101System Security Plans 101
System Security Plans 101
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
 
Physical Security
Physical SecurityPhysical Security
Physical Security
 
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
How To Successfully Defend Against Irc Bots, Compromises, And Information LeaksHow To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
 
10. industrial networks safety and security tom hammond
10. industrial networks safety and security   tom hammond10. industrial networks safety and security   tom hammond
10. industrial networks safety and security tom hammond
 
Security and Control Issues in information Systems
Security and Control Issues in information SystemsSecurity and Control Issues in information Systems
Security and Control Issues in information Systems
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
 
How To Secure MIS
How To Secure MISHow To Secure MIS
How To Secure MIS
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
Security and control in Management Information System
Security and control in Management Information SystemSecurity and control in Management Information System
Security and control in Management Information System
 
Cyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT ApproachCyber Security: Differences between Industrial Control Systems and ICT Approach
Cyber Security: Differences between Industrial Control Systems and ICT Approach
 
Security & control in management information system
Security & control in management information systemSecurity & control in management information system
Security & control in management information system
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
 

Viewers also liked

Viewers also liked (7)

SYSTEMS AUDIT
SYSTEMS AUDITSYSTEMS AUDIT
SYSTEMS AUDIT
 
Product_Brochure_Sales
Product_Brochure_SalesProduct_Brochure_Sales
Product_Brochure_Sales
 
Personnel Audit: Auditing process
Personnel Audit: Auditing processPersonnel Audit: Auditing process
Personnel Audit: Auditing process
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it audit
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network security
Network security Network security
Network security
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
 

Similar to Application Security Audit for LEONI Wiring System

Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environmentsamiable_indian
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...CSCJournals
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
IRJET- Cross Platform Penetration Testing Suite
IRJET-  	  Cross Platform Penetration Testing SuiteIRJET-  	  Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET Journal
 
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA  Domain 3 Security Operations and Monitoring.pptxCompTIA CySA  Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA Domain 3 Security Operations and Monitoring.pptxInfosectrain3
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comPrescottLunt386
 
Top Cyber Threat Intelligence Tools in 2021.pdf
Top Cyber Threat Intelligence Tools in 2021.pdfTop Cyber Threat Intelligence Tools in 2021.pdf
Top Cyber Threat Intelligence Tools in 2021.pdfinfosec train
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Laura Arrigo
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Processphanleson
 
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUEScompTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRhys A. Mossom
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxInfosectrain3
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxCompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxInfosectrain3
 
Key Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseKey Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseLumension
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Shakeel Ali
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 

Similar to Application Security Audit for LEONI Wiring System (20)

security onion
security onionsecurity onion
security onion
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
IRJET- Cross Platform Penetration Testing Suite
IRJET-  	  Cross Platform Penetration Testing SuiteIRJET-  	  Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
 
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA  Domain 3 Security Operations and Monitoring.pptxCompTIA CySA  Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.com
 
Top Cyber Threat Intelligence Tools in 2021.pdf
Top Cyber Threat Intelligence Tools in 2021.pdfTop Cyber Threat Intelligence Tools in 2021.pdf
Top Cyber Threat Intelligence Tools in 2021.pdf
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUEScompTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptxCompTIA CySA+ Domain 2 Software and Systems Security.pptx
CompTIA CySA+ Domain 2 Software and Systems Security.pptx
 
Key Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseKey Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your Enterprise
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 

More from Rihab Chebbah

Rédaction de-la-mémoire
Rédaction de-la-mémoireRédaction de-la-mémoire
Rédaction de-la-mémoireRihab Chebbah
 
BYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceBYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceRihab Chebbah
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Rihab Chebbah
 
Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Rihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportImplémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportRihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationImplémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationRihab Chebbah
 
supervision data center
supervision data centersupervision data center
supervision data centerRihab Chebbah
 

More from Rihab Chebbah (9)

Rédaction de-la-mémoire
Rédaction de-la-mémoireRédaction de-la-mémoire
Rédaction de-la-mémoire
 
BYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceBYOD - Bring Your Own Device
BYOD - Bring Your Own Device
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
 
Security testing
Security testingSecurity testing
Security testing
 
Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2
 
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportImplémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
 
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationImplémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
 
CV Rihab chebbah
CV Rihab chebbahCV Rihab chebbah
CV Rihab chebbah
 
supervision data center
supervision data centersupervision data center
supervision data center
 

Recently uploaded

week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptxJonalynLegaspi2
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...MerlizValdezGeronimo
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfPrerana Jadhav
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleCeline George
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 

Recently uploaded (20)

week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdf
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP Module
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 

Application Security Audit for LEONI Wiring System

  • 1. Work realized by: ₪ Rihab CHBBAH Application Security Audit Academic Year : 2015/2016
  • 2. Plan • Introduction • Leoni Wiring System Presentation • Security Software Development Part 1 • Security Testing Part 2 • Secure Computing • Use cases Part 3 Conclusion
  • 4. LEONI - Presentation Anthonie Fournier from Lyon founded the first workshop 1569 3 succeded companies merged into newly established Leoni 1917
  • 5. Started to manufacture cable assemblies 1956 Leoni started its global expansion by establishing a wiring harness plant in Tunisia. 1977
  • 6. Leoni has acquired the wiring harness division of the French automative supplier Valeo with 88 subsidiaries all over the world Tod ay Finis h
  • 7. Leoni Group ◊ more than 67,000 employees worldwide ◊ Located in many countries : Germany, China, Coria, Egypt, Frenc Wire & Cable Solutions ◊ more than 8,000 employees ◊ Automotive Industry & Healthcare Communication & Infrastructure Electrical Appliances Conductor & Copper Solutions Wiring Systems Division ◊ more than 59,000 employe ◊ Automotive Industry
  • 8. LEONI Wiring System Tunisia Sousse Mateur Sud & Mateur  Plant Section MB – Routine  Plant Section MB – Project-MFA  Plant Section BMW  Plant Section A&VW  Plant Section Supply International  Plant Section PSA  Plant Section Fiat/Panda
  • 9. LEONI Wiring System Tunisia Information ManagementInformation Management IM - Demand IM – Supply IM – Information Technology IM – International Services IM team assistance IM CIO Office IM Center Oganizatio ɤ IM Service Center North Africa (IM ɤ IM Service Center Easten Europe ɤ IM Service Center Americas ɤ IM Service Center Asia
  • 10. LEONI Wiring System Tunisia - IM SC NA ∞ Created in 2005, ∞ 1 Team, ∞ 3 Members (Web Developers) ∞ 14 Teams (IT, System Analysts, IM-Dema Development, PPS and MES Consulting and as ∞ 65 Members
  • 11. LEONI Wiring System Tunisia – IM SC IT Teams  Security  Microsoft  Network & Communication  Data Center & Private Cloud The relationship between these levels is based on client-provider concept.
  • 12. LEONI Wiring System Tunisia – IM SC NA IT SecurityTeam Enterprise solutions Sophos Enterprise Solutio ∞ Application Control ∞ Device Control ∞ Update Manger ∞ Firewall
  • 13. LEONI Wiring System Tunisia – IM SC NA IT SecurityTeam Sophos Anti-Virus VARONIS – Folder Access Rights Audit SAFEGUARD Hard Disk Encryption Generate reports to all Data owners to check Access rights of their own folders Encrypt Hard Disks Of Notebooks Protect machines from malwares.
  • 15. Introduction Application security is the use of software, hard and procedural methods to prevent security flaw in applications and protect them from external t
  • 16. Part 1  Security Software Development
  • 17. Secure Software Development “The need to consider security and privacy “up front” is a fund system development. The optimal point to define trustworthin a software project is during the initial planning stages. This e requirements allows development teams to identify key milest and permits the integration of security and privacy in a way th to plans and schedules. “ -Simplified Implementation of the Microsoft SD
  • 18. Secure Software Development By introducing security early in the development lifecycle, companies are able to meet their customer demands for more secure products and services. And companies can derive additional benefits such as reduction in patch maintenance and faster time to remediate.
  • 20. Security Testing is deemed successful when the below attribut Authentication Authorization Availability Confidentiality Integrity Non-Repudiation Security Testing Goal is to make sure that the Application does not have any Or system fallback
  • 22. Security Testing The inclusion of threat analysis & modeling in the SDLC c Applications are being developed with security built-in fr Threat Analysis & modeling allows you to systematically iden that are most likely to affect your system. By identifying an a solid understanding of the architecture and implementatio you can address threats with appropriate countermeasures With the threats that present the greatest risk.
  • 23. Security Testing Threat modeling accomplishes the following:  Defines the security of an application ·  Identifies and investigates potential threats an  Brings justification for security features  Identifies a logical thought process in defining  Results in finding architecture bugs earlier and  Results in fewer vulnerabilities ·  Creates a set of documents
  • 25. Part 3  Secure Computing  Use Cases
  • 26. Secure Computing Asset: A system resource. Threat: A potential occurrence, malicious or otherwise Vulnerability: A weakness in some aspect or feature of a syste Attack : An action taken by someone or something that harm Countermeasure: A safeguard that addresses a threat and mit Basic Terminologies
  • 27. Secure Computing Threat models the CIA model is described by its aspects : Confidentiality,
  • 28. Secure Computing Threat models STRIDE model is a system developed by Microsoft for thinking about comp It provides a mnemonic for security threats in six categories. The threat categories are:  Spoofing of user identity  Tampering  Repudiation  Information disclosure  Denial of service (D.o.S)  Elevation of privilege The STRIDE name comes from the initials of the six threat categories listed It was initially proposed for threat modellng, but is now used more broadly.
  • 29. Secure Computing Modeling Tools Microsoft SDL Threat Modeling Tool
  • 30. Secure Computing Modeling Tools Threat Analysis & modeling Tool
  • 31. Part 3  Secure Computing  Use Cases
  • 32. Use CaseSophos Unmanaged machines follow-up tool "OUlist.txt" contains the list of the sites to follo "ContactList. xlsx" file which contains the list of c "Email- Body.txt" to modify the email body, "ExceptionList.xlsx" to add a technical exception This application will query the Sophos Database to generate Unmanaged ma
  • 33. Use CaseSophos Unmanaged machines follow-up tool Roles User Roles Service Roles Administrator SQL Server Active Directory, .Net Framework, Microsoft Excel, Windows Text file.
  • 34. Use CaseSophos Unmanaged machines follow-up tool Data
  • 35. Use CaseSophos Unmanaged machines follow-up tool Components
  • 36. Use CaseSophos Unmanaged machines follow-up tool Application Use Case
  • 37. Use CaseSophos Unmanaged machines follow-up tool Threat Analysis Attacks ◊ Buffer Overflow ◊ Cryptanalysis Attacks ◊ Denial of Service ◊ Network Eavesdropping ◊ SQL injection Threats ◊ Threat factor for Confidentiality ◊ Threat factor for Integrity ◊ Threat factor for Availability
  • 38. Use CaseSophos Unmanaged machines follow-up tool Threat Testing
  • 40. Conclusion safety is the most paramount aspect considered when develo With that said, safety is increased with the correct security
  • 41. Thank you for all your attenti

Editor's Notes

  1. Good morning, today we will present the fruit of work during the internship, we will begin our presentation with an organized plan
  2. the presentation will be devised in several parts as demonstrated in the following plan. we will begin with the company presentation where I did my internship then we will develop the subject "audit and security application" starting with an introduction then we will define the security software development and present some techniques to test this security. for better undrestanding, we will specify useful technical terms then we will explain the main work
  3. Beginning with Leoni wiring system presentation
  4. Leoni was founde in 1569 by anthonie fourrier who was born in lyon france, many yeas later 3 succeeded companies merged into newly established Leoni
  5. In 1956 leoni started manufacturing cable assemblies. Thereupon, leoni started its global expansion by establishing a wiring harness plant in Tunisia,
  6. Instantly, leoni has acquired the wirng harness division of the french automative supplier valeo with 88 subsidiaries all over the world
  7. Within leoni group, we find over 67,000 employees herein 16 countries, it has 2 main divisions : wiring system division with more than 58,000 employees for automotive industry and wire and cable solutons with more than 8,000 emplyees for automotive cables in industry, healthcare and other sectors
  8. Leoni had built 2 subsidiaries in tunisia located in sousse with different plant sections for different cars costemers, and the other plant in mateur sud and mateur nord with 2 plant section for PSA and Fiat and panda
  9. The information management at leoni is gathering an assistance team, an office of chief information officer and collects demand, supply, information technology and internatioanl services teams Above the world, leoni has 4 IM service centers, on in north africa, one in easten europ, one in americas and other one in Asia
  10. For the IM service center north africa, it was created in 2005 and huddle 1 team composed of 3 web developers, Nowadays, the IM service center north africa gathers 14 teams in different sectors with 65 members
  11. The IM IT sector composed of 4 teams : security , Microsoft, network and communiction and also data center and private clouad They are the second level support. They are supported by external companies as third level support. The relationship between these levels is based on client-provider concept.
  12. They use sophos enterprise solutions to manage their products that manages and updates Sophos security software on computers using operating system and virtual environment, this enterprise solutions provides protecting network against malware, file types adware and against other potentially unwanted applications. Moreover, it prevents the use of unauthorized external storage devices and wireless connection technologies on endpoint computers, administers the protection of client firewall on endpoint computers,
  13. They uses sophos anti-virus to protect machines from malwares, varonis as folder access rights audit to generate reports to all data owners to check access rights of their own folders and safeguard as hard disk encryption to encrypt hard disks of notebooks
  14. Developping now the subject, we will start with a small introduction
  15. Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application. The need to secure an application is imperative for use in today’s world
  16. So, how to secure software development?
  17. When it comes to software development, security needs to be brought in from “around the edges”. Security defects can, and should be treated like software defects and managed as part of the development process. Developing reliable and secure software is a tough challenge that confronts IT teams – both security and development teams
  18. Leoni has taken the lead to establish secure code development initiatives that inject a set of security deliverables into each phase of the software development process, The SDL models are structured around mapping security into key phases of the software development lifecycle: Planning, Dsign, Implementation, testing, release and deployment By introducing security early in the development lifecycle, companies are able to meet their customer demands for more secure products and services. And companies can derive additional benefits such as reduction in patch maintenance and faster time to remediate.
  19. Testing the security is a priority. So what is security testing?
  20. Security testing is basically a type of software testing that's done to check whether the application or the product is secured or not. It checks to see if the application is vulnerable to attacks, if anyone hack the system or login to the application without any authorization.
  21. Security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high. This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
  22. One method being used to implement application security in the design process is threat analysis & modeling. The basis for threat analysis & modeling is the process of designing a security specification and then eventually testing that specification. The threat modeling process is conducted during application design and is used to identify the reasons and methods that an attacker would use to identify vulnerabilities or threats in the system.
  23. Threat modeling accomplishes the following: · Defines the security of an application · Identifies and investigates potential threats and vulnerabilities · Brings justification for security features at both the hardware and software levels for identified threats · Identifies a logical thought process in defining the security of a system · Results in finding architecture bugs earlier and more often · Results in fewer vulnerabilities · Creates a set of documents that are used to create security specifications and security testing, thus preventing duplication of security efforts
  24. threat trees is a Method to explore valid attack paths , Represents conditions needed to exploit the threat, Determines all the combined vulnerabilities associated with a threat and it Focuses on mitigating the vulnerabilities that form the “path of least resistance”
  25. For better undrestanding we will specify useful technical termes then we will explain the work
  26. For the basic termonologies we will define some terms Asset: A resource of value, such as the data in a database or on the file system. A system resource. Threat: A potential occurrence, malicious or otherwise, that might damage or compromise your assets. Vulnerability: A weakness in some aspect or feature of a system that makes a threat possible. Vulnerabilities might exist at the network, host, or application levels. Attack (or exploit): An action taken by someone or something that harms an asset. This could be someone following through on a threat or exploiting a vulnerability. Countermeasure: A safeguard that addresses a threat and mitigates risk.
  27. Threat modeling allows to apply a structured approach to security and to address the top threats that have the greatest potential impact to applications, it exist different models beginning with the cia model The cia model is A simple but widely-applicable security model is the CIA triad standing for: Confidentiality Integrity Availability These are the three key principles which should be guaranteed in any kind of secure system. This principle is applicable across the whole subject of Security Analysis, from access to a user's internet history to security of encrypted data across the internet. If any one of the three can be breached it can have serious consequences for the parties concerned.
  28. It also exists a stride model, This model classifes threats in accordance with their categories. By using these categories of threats, one has the ability to create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks.
  29. Some tools are dedicated to modeling threats, we have the microsoft sdl threat modeling tool, it is a software-focused tool designed for rich client/server application development (for example, Windows and SQL Server, among others) The tool assumes the final deployment pattern of the product is unknown (that is, if it will be used to manage business-critical applications with customer credit cards or not), so the focus of the tool is to ensure security of the software’s underlying code.
  30. An other tool called threat analysis and modeling tool, this tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model.
  31. The work that I did is presented at this section
  32. This application will query the Sophos Database to generate Unamanaged machines in different Leoni sites. The list of sites can be found on a text file, After quering the Sophos Database the application will create a folder, On this folder, the application will generate an Excel le for each site. The Excel le will contain the information about each machine, After generating the Excel file with the list of Unmanaged machines, the application will look for the corresponding contact person(s) of the concerned site in an Excel file ,An email will be sent to the contact person(s) with the list of Unmanaged machines. The maintenance of this application will be ensured through the maintenance of the "OUlist.txt" which contains the list of the sites to follow up, the "ContactList.xlsx" file which contains the list of contact persons by site, "Email-Body.txt" to modify the email body, and "ExceptionList.xlsx" to add a technical exception.
  33. The Threat Analysis and Modeling Tool allows us to decompose the application into roles, Data and components. For the roles : User roles are assigned to any user who will be interacting with the application. with this application, we have found only the administrator as user. He is the only one who has the ability to solve a problem of an unmanaged machine. Service Roles are trust levels, containing specic identities, which dene the context of various components running in the software application. Within this context, we have found the SQL Server, Active Directory, .Net Framework, Microsoft Excel and Windows Text le.
  34. Data defines the information type that is maintained, or processed, by the software application. with this application, we needed to the Contact List, the Exception List, Site List, Mail Body and unmanaged machines
  35. Components are the building blocks of a software application that dene an instance of a technology type, We have found as components within this application the SQL Server, Active Directory, .Net Framework, Microsoft Excel and Windows Text file.
  36. At this stage, we had dened the allowable permissions on the Data and the role that has permissions on it. The specic permission are captured using the Create/Read/Update/Delete. A use case is an ordered sequence of actions used to fulll a subset of the allowable permissions that are dened in data access. For each use case identified, a data flow is generated.
  37. Threat analysis is the analysis of the probability of occurrences and consequences of attacks within a system. With the Threat Analysis and Modeling Tool, threats are classified in accordance to the CIA model and oers for each threat solutions to deal with it. Threat factor for Condentiality The primary threat factors for Confidentiality are the unauthorized disclosure of the executing identity and the unauthorized disclosure of the data. Threat factor for Integrity The primary threat factors for Integrity are the violation of the access control, violation of business rule, and violation of data integrity. Threat factor for Availability The primary threat factors for Availability are unavailability and performance degradation.
  38. For each use case, the threat analysis and modeling tool generate a threat tree describes In this diagram: the root node is the threat in question (for example. unauthorized disclosure of read using Active Directory by .Net Role). Then, its children are the vulnerability types (for example, LDAP Injection). Each vulnerability type has an underlying cause (for example, Dynamic LDAP queries using untrusted input). Then, each underlying cause has a mitigation technique (for example, untrusted input should be validated against an inclusion list).
  39. To conclude
  40. safety is the most paramount aspect considered when developing an application. With that said, safety is increased with the correct security requirements put into place. However, in order to determine those security requirements, a process to determine possible threats and risk of those threats to the system is needed. By creating full threat models from use case flow diagrams and by assessing the risk of the detected threats within those models, one is able to determine the best security requirements for an application