Rihab Chebbah, profile picture
Uploaded byRihab Chebbah
PPTX, PDF565 views

Audit and security application

This document summarizes a presentation about Leoni Wiring Systems and application security. It discusses Leoni's history and global expansion. It also covers secure software development practices, including introducing security early and conducting threat analysis. Security testing goals and methods like threat modeling are explained. Finally, it provides examples of secure computing concepts and a use case for a Sophos tool to track unmanaged machines. The overall document aims to discuss best practices for application security.

Embed presentation

Downloaded 30 times
Work realized by: ₪ Rihab CHBBAH Application Security Audit Academic Year : 2015/2016
Plan • Introduction • Leoni Wiring System Presentation • Security Software Development Part 1 • Security Testing Part 2 • Secure Computing • Use cases Part 3 Conclusion
Presentation  Introduction  LEONI Wiring System
LEONI - Presentation Anthonie Fournier from Lyon founded the first workshop 1569 3 succeded companies merged into newly established Leoni 1917
Started to manufacture cable assemblies 1956 Leoni started its global expansion by establishing a wiring harness plant in Tunisia. 1977
Leoni has acquired the wiring harness division of the French automative supplier Valeo with 88 subsidiaries all over the world Tod ay Finis h
Leoni Group ◊ more than 67,000 employees worldwide ◊ Located in many countries : Germany, China, Coria, Egypt, Frenc Wire & Cable Solutions ◊ more than 8,000 employees ◊ Automotive Industry & Healthcare Communication & Infrastructure Electrical Appliances Conductor & Copper Solutions Wiring Systems Division ◊ more than 59,000 employe ◊ Automotive Industry
LEONI Wiring System Tunisia Sousse Mateur Sud & Mateur  Plant Section MB – Routine  Plant Section MB – Project-MFA  Plant Section BMW  Plant Section A&VW  Plant Section Supply International  Plant Section PSA  Plant Section Fiat/Panda
LEONI Wiring System Tunisia Information ManagementInformation Management IM - Demand IM – Supply IM – Information Technology IM – International Services IM team assistance IM CIO Office IM Center Oganizatio ɤ IM Service Center North Africa (IM ɤ IM Service Center Easten Europe ɤ IM Service Center Americas ɤ IM Service Center Asia
LEONI Wiring System Tunisia - IM SC NA ∞ Created in 2005, ∞ 1 Team, ∞ 3 Members (Web Developers) ∞ 14 Teams (IT, System Analysts, IM-Dema Development, PPS and MES Consulting and as ∞ 65 Members
LEONI Wiring System Tunisia – IM SC IT Teams  Security  Microsoft  Network & Communication  Data Center & Private Cloud The relationship between these levels is based on client-provider concept.
LEONI Wiring System Tunisia – IM SC NA IT SecurityTeam Enterprise solutions Sophos Enterprise Solutio ∞ Application Control ∞ Device Control ∞ Update Manger ∞ Firewall
LEONI Wiring System Tunisia – IM SC NA IT SecurityTeam Sophos Anti-Virus VARONIS – Folder Access Rights Audit SAFEGUARD Hard Disk Encryption Generate reports to all Data owners to check Access rights of their own folders Encrypt Hard Disks Of Notebooks Protect machines from malwares.
Presentation  Introduction  LEONI Wiring System
Introduction Application security is the use of software, hard and procedural methods to prevent security flaw in applications and protect them from external t
Part 1  Security Software Development
Secure Software Development “The need to consider security and privacy “up front” is a fund system development. The optimal point to define trustworthin a software project is during the initial planning stages. This e requirements allows development teams to identify key milest and permits the integration of security and privacy in a way th to plans and schedules. “ -Simplified Implementation of the Microsoft SD
Secure Software Development By introducing security early in the development lifecycle, companies are able to meet their customer demands for more secure products and services. And companies can derive additional benefits such as reduction in patch maintenance and faster time to remediate.
Part 2  Security Testing
Security Testing is deemed successful when the below attribut Authentication Authorization Availability Confidentiality Integrity Non-Repudiation Security Testing Goal is to make sure that the Application does not have any Or system fallback
Security Testing
Security Testing The inclusion of threat analysis & modeling in the SDLC c Applications are being developed with security built-in fr Threat Analysis & modeling allows you to systematically iden that are most likely to affect your system. By identifying an a solid understanding of the architecture and implementatio you can address threats with appropriate countermeasures With the threats that present the greatest risk.
Security Testing Threat modeling accomplishes the following:  Defines the security of an application ·  Identifies and investigates potential threats an  Brings justification for security features  Identifies a logical thought process in defining  Results in finding architecture bugs earlier and  Results in fewer vulnerabilities ·  Creates a set of documents
Security Testing Threat tree
Part 3  Secure Computing  Use Cases
Secure Computing Asset: A system resource. Threat: A potential occurrence, malicious or otherwise Vulnerability: A weakness in some aspect or feature of a syste Attack : An action taken by someone or something that harm Countermeasure: A safeguard that addresses a threat and mit Basic Terminologies
Secure Computing Threat models the CIA model is described by its aspects : Confidentiality,
Secure Computing Threat models STRIDE model is a system developed by Microsoft for thinking about comp It provides a mnemonic for security threats in six categories. The threat categories are:  Spoofing of user identity  Tampering  Repudiation  Information disclosure  Denial of service (D.o.S)  Elevation of privilege The STRIDE name comes from the initials of the six threat categories listed It was initially proposed for threat modellng, but is now used more broadly.
Secure Computing Modeling Tools Microsoft SDL Threat Modeling Tool
Secure Computing Modeling Tools Threat Analysis & modeling Tool
Part 3  Secure Computing  Use Cases
Use CaseSophos Unmanaged machines follow-up tool "OUlist.txt" contains the list of the sites to follo "ContactList. xlsx" file which contains the list of c "Email- Body.txt" to modify the email body, "ExceptionList.xlsx" to add a technical exception This application will query the Sophos Database to generate Unmanaged ma
Use CaseSophos Unmanaged machines follow-up tool Roles User Roles Service Roles Administrator SQL Server Active Directory, .Net Framework, Microsoft Excel, Windows Text file.
Use CaseSophos Unmanaged machines follow-up tool Data
Use CaseSophos Unmanaged machines follow-up tool Components
Use CaseSophos Unmanaged machines follow-up tool Application Use Case
Use CaseSophos Unmanaged machines follow-up tool Threat Analysis Attacks ◊ Buffer Overflow ◊ Cryptanalysis Attacks ◊ Denial of Service ◊ Network Eavesdropping ◊ SQL injection Threats ◊ Threat factor for Confidentiality ◊ Threat factor for Integrity ◊ Threat factor for Availability
Use CaseSophos Unmanaged machines follow-up tool Threat Testing
Conclusion
Conclusion safety is the most paramount aspect considered when develo With that said, safety is increased with the correct security
Thank you for all your attenti

More Related Content

PPT
The information security audit
byDhani Ahmad
 
PPT
Security technologies
byDhani Ahmad
 
PPT
Privacy & security in heath care it
byDhani Ahmad
 
PPT
Risk management i
byDhani Ahmad
 
PPT
Risk management ii
byDhani Ahmad
 
PPTX
Security Audit Information – Physical
byPLN9 Security Services Pvt. Ltd.
 
PPT
Physical security
byDhani Ahmad
 
PPT
The need for security
byDhani Ahmad
 
The information security audit
byDhani Ahmad
 
Security technologies
byDhani Ahmad
 
Privacy & security in heath care it
byDhani Ahmad
 
Risk management i
byDhani Ahmad
 
Risk management ii
byDhani Ahmad
 
Security Audit Information – Physical
byPLN9 Security Services Pvt. Ltd.
 
Physical security
byDhani Ahmad
 
The need for security
byDhani Ahmad
 

What's hot

PDF
Audit and security application report
byRihab Chebbah
 
PPTX
Enterprise IT Security Audit | Cyber Security Services
byAkshay Kurhade
 
PPTX
System Security Plans 101
byDonald E. Hester
 
PPT
The Importance of Security within the Computer Environment
byAdetula Bunmi
 
PPT
Physical Security
byKriscila Yumul
 
PPT
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
byTammy Clark
 
PPT
is_1_Introduction to Information Security
bySARJERAO Sarju
 
PDF
10. industrial networks safety and security tom hammond
byPROFIBUS and PROFINET InternationaI - PI UK
 
PPTX
Security and Control Issues in information Systems
byDr. Rosemarie Sibbaluca-Guirre
 
PPT
Information Assurance And Security - Chapter 1 - Lesson 3
byMLG College of Learning, Inc
 
PPT
Start With A Great Information Security Plan!
byTammy Clark
 
PPT
Introduction to information security
byElumalai Vasan
 
PDF
Cyber Security
byIRJET Journal
 
PPTX
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
byTonex
 
PPTX
How To Secure MIS
byAaDi Malik
 
PDF
International Journal of Engineering Research and Development (IJERD)
byIJERD Editor
 
PPTX
Security and control in Management Information System
bySatya P. Joshi
 
PDF
Cyber Security: Differences between Industrial Control Systems and ICT Approach
byCommunity Protection Forum
 
PPT
Security & control in management information system
byOnline
 
PPTX
MIS: Information Security Management
byJonathan Coleman
 
Audit and security application report
byRihab Chebbah
 
Enterprise IT Security Audit | Cyber Security Services
byAkshay Kurhade
 
System Security Plans 101
byDonald E. Hester
 
The Importance of Security within the Computer Environment
byAdetula Bunmi
 
Physical Security
byKriscila Yumul
 
How To Successfully Defend Against Irc Bots, Compromises, And Information Leaks
byTammy Clark
 
is_1_Introduction to Information Security
bySARJERAO Sarju
 
10. industrial networks safety and security tom hammond
byPROFIBUS and PROFINET InternationaI - PI UK
 
Security and Control Issues in information Systems
byDr. Rosemarie Sibbaluca-Guirre
 
Information Assurance And Security - Chapter 1 - Lesson 3
byMLG College of Learning, Inc
 
Start With A Great Information Security Plan!
byTammy Clark
 
Introduction to information security
byElumalai Vasan
 
Cyber Security
byIRJET Journal
 
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
byTonex
 
How To Secure MIS
byAaDi Malik
 
International Journal of Engineering Research and Development (IJERD)
byIJERD Editor
 
Security and control in Management Information System
bySatya P. Joshi
 
Cyber Security: Differences between Industrial Control Systems and ICT Approach
byCommunity Protection Forum
 
Security & control in management information system
byOnline
 
MIS: Information Security Management
byJonathan Coleman
 

Viewers also liked

PDF
SYSTEMS AUDIT
byArul Nambi
 
PDF
Product_Brochure_Sales
bySarah-Jane Hutchins
 
PPTX
Personnel Audit: Auditing process
byShalini Thakur
 
PDF
Steps in it audit
bykinjalmkothari92
 
PPT
Network Security
byRaymond Jose
 
PPTX
Network security
byMadhumithah Ilango
 
PPT
Network Security and Cryptography
byAdam Reagan
 
SYSTEMS AUDIT
byArul Nambi
 
Product_Brochure_Sales
bySarah-Jane Hutchins
 
Personnel Audit: Auditing process
byShalini Thakur
 
Steps in it audit
bykinjalmkothari92
 
Network Security
byRaymond Jose
 
Network security
byMadhumithah Ilango
 
Network Security and Cryptography
byAdam Reagan
 

Similar to Audit and security application

PDF
The Future of Software Security Assurance
byRafal Los
 
PPT
Software Security in the Real World
byMark Curphey
 
PPT
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 
PDF
Threat modelling & apps testing
byAdrian Munteanu
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPT
Software Security Engineering
byMarco Morana
 
PDF
Application Threat Modeling In Risk Management
byMel Drews
 
PDF
finalreportsoarnew (1).pdf
byFirozkumar2
 
PDF
finalreportsoarnew.pdf
byFirozkumar2
 
PPT
Software Security Testing
byankitmehta21
 
PPT
Service-Oriented Security Engineering
byRichard Veryard
 
PPTX
Keeping Secrets on the Internet of Things - Mobile Web Application Security
byKelly Robertson
 
PPT
Security_Updates_cybersecuirty ppt presentation.ppt
by21881a6619
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPTX
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
PPTX
Cyber Tekes Safety and Security programme 2013
byTurvallisuus2013
 
KEY
EISA Considerations for Web Application Security
byLarry Ball
 
PPTX
An integrated security testing framework and tool
byMoutasm Tamimi
 
PDF
Security is our duty and we shall deliver it - White Paper
byMohd Anwar Jamal Faiz
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
The Future of Software Security Assurance
byRafal Los
 
Software Security in the Real World
byMark Curphey
 
AMI Security 101 - Smart Grid Security East 2011
bydma1965
 
Threat modelling & apps testing
byAdrian Munteanu
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Software Security Engineering
byMarco Morana
 
Application Threat Modeling In Risk Management
byMel Drews
 
finalreportsoarnew (1).pdf
byFirozkumar2
 
finalreportsoarnew.pdf
byFirozkumar2
 
Software Security Testing
byankitmehta21
 
Service-Oriented Security Engineering
byRichard Veryard
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
byKelly Robertson
 
Security_Updates_cybersecuirty ppt presentation.ppt
by21881a6619
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Threat Modeling-modélisation_de_menaces.pptx
bytuxbambi
 
Cyber Tekes Safety and Security programme 2013
byTurvallisuus2013
 
EISA Considerations for Web Application Security
byLarry Ball
 
An integrated security testing framework and tool
byMoutasm Tamimi
 
Security is our duty and we shall deliver it - White Paper
byMohd Anwar Jamal Faiz
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 

More from Rihab Chebbah

PDF
Rédaction de-la-mémoire
byRihab Chebbah
 
PDF
BYOD - Bring Your Own Device
byRihab Chebbah
 
PDF
Microsoft threat modeling tool 2016
byRihab Chebbah
 
PPTX
Security testing
byRihab Chebbah
 
PDF
Simulation d'un réseau Ad-Hoc sous NS2
byRihab Chebbah
 
PDF
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
byRihab Chebbah
 
PPTX
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
byRihab Chebbah
 
PDF
CV Rihab chebbah
byRihab Chebbah
 
PPTX
supervision data center
byRihab Chebbah
 
Rédaction de-la-mémoire
byRihab Chebbah
 
BYOD - Bring Your Own Device
byRihab Chebbah
 
Microsoft threat modeling tool 2016
byRihab Chebbah
 
Security testing
byRihab Chebbah
 
Simulation d'un réseau Ad-Hoc sous NS2
byRihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
byRihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
byRihab Chebbah
 
CV Rihab chebbah
byRihab Chebbah
 
supervision data center
byRihab Chebbah
 

Recently uploaded

PDF
BP809ET COSMETIC SCIENCE (Theory) Unit 1
byRushi Mandali
 
PDF
Biological source, chemical constituents, and therapeutic efficacy of the fol...
bySai Meer College of Pharmacy
 
PPTX
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
PDF
Four Stars Of Destiny By General Manoj Mukund Naravane
byAman744562
 
PPTX
Return For Exchange in Odoo 18 Inventory
byCeline George
 
PPTX
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
PPTX
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PPTX
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
PDF
A Study of W. H. Auden’s September 1, 1939
bypriyarathod315
 
PPTX
A Memory of Two Mondays by Arthur Miller
byDhatriParmar
 
PPTX
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 
PPTX
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
PDF
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
PDF
Power, Propaganda, and Fear: A Study of W. H. Auden’s Epitaph on a Tyrant
bypriyarathod315
 
PPTX
Simulation Learning in Health Sciences and Human Service programs at Camosun ...
bygabitouss
 
PPTX
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
PPTX
13 February 2026 - Bullying in education prevalence, impact and responses acr...
byEduSkills OECD
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PPTX
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
PPTX
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
BP809ET COSMETIC SCIENCE (Theory) Unit 1
byRushi Mandali
 
Biological source, chemical constituents, and therapeutic efficacy of the fol...
bySai Meer College of Pharmacy
 
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
Four Stars Of Destiny By General Manoj Mukund Naravane
byAman744562
 
Return For Exchange in Odoo 18 Inventory
byCeline George
 
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
A Study of W. H. Auden’s September 1, 1939
bypriyarathod315
 
A Memory of Two Mondays by Arthur Miller
byDhatriParmar
 
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
Power, Propaganda, and Fear: A Study of W. H. Auden’s Epitaph on a Tyrant
bypriyarathod315
 
Simulation Learning in Health Sciences and Human Service programs at Camosun ...
bygabitouss
 
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
13 February 2026 - Bullying in education prevalence, impact and responses acr...
byEduSkills OECD
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 

Audit and security application

  • 1.
    Work realized by: ₪Rihab CHBBAH Application Security Audit Academic Year : 2015/2016
  • 2.
    Plan • Introduction • LeoniWiring System Presentation • Security Software Development Part 1 • Security Testing Part 2 • Secure Computing • Use cases Part 3 Conclusion
  • 3.
  • 4.
    LEONI - Presentation Anthonie Fournier fromLyon founded the first workshop 1569 3 succeded companies merged into newly established Leoni 1917
  • 5.
    Started to manufacture cableassemblies 1956 Leoni started its global expansion by establishing a wiring harness plant in Tunisia. 1977
  • 6.
    Leoni has acquiredthe wiring harness division of the French automative supplier Valeo with 88 subsidiaries all over the world Tod ay Finis h
  • 7.
    Leoni Group ◊ morethan 67,000 employees worldwide ◊ Located in many countries : Germany, China, Coria, Egypt, Frenc Wire & Cable Solutions ◊ more than 8,000 employees ◊ Automotive Industry & Healthcare Communication & Infrastructure Electrical Appliances Conductor & Copper Solutions Wiring Systems Division ◊ more than 59,000 employe ◊ Automotive Industry
  • 8.
    LEONI Wiring System Tunisia Sousse MateurSud & Mateur  Plant Section MB – Routine  Plant Section MB – Project-MFA  Plant Section BMW  Plant Section A&VW  Plant Section Supply International  Plant Section PSA  Plant Section Fiat/Panda
  • 9.
    LEONI Wiring SystemTunisia Information ManagementInformation Management IM - Demand IM – Supply IM – Information Technology IM – International Services IM team assistance IM CIO Office IM Center Oganizatio ɤ IM Service Center North Africa (IM ɤ IM Service Center Easten Europe ɤ IM Service Center Americas ɤ IM Service Center Asia
  • 10.
    LEONI Wiring SystemTunisia - IM SC NA ∞ Created in 2005, ∞ 1 Team, ∞ 3 Members (Web Developers) ∞ 14 Teams (IT, System Analysts, IM-Dema Development, PPS and MES Consulting and as ∞ 65 Members
  • 11.
    LEONI Wiring SystemTunisia – IM SC IT Teams  Security  Microsoft  Network & Communication  Data Center & Private Cloud The relationship between these levels is based on client-provider concept.
  • 12.
    LEONI Wiring SystemTunisia – IM SC NA IT SecurityTeam Enterprise solutions Sophos Enterprise Solutio ∞ Application Control ∞ Device Control ∞ Update Manger ∞ Firewall
  • 13.
    LEONI Wiring SystemTunisia – IM SC NA IT SecurityTeam Sophos Anti-Virus VARONIS – Folder Access Rights Audit SAFEGUARD Hard Disk Encryption Generate reports to all Data owners to check Access rights of their own folders Encrypt Hard Disks Of Notebooks Protect machines from malwares.
  • 14.
  • 15.
    Introduction Application security isthe use of software, hard and procedural methods to prevent security flaw in applications and protect them from external t
  • 16.
    Part 1  SecuritySoftware Development
  • 17.
    Secure Software Development “Theneed to consider security and privacy “up front” is a fund system development. The optimal point to define trustworthin a software project is during the initial planning stages. This e requirements allows development teams to identify key milest and permits the integration of security and privacy in a way th to plans and schedules. “ -Simplified Implementation of the Microsoft SD
  • 18.
    Secure Software Development Byintroducing security early in the development lifecycle, companies are able to meet their customer demands for more secure products and services. And companies can derive additional benefits such as reduction in patch maintenance and faster time to remediate.
  • 19.
  • 20.
    Security Testing isdeemed successful when the below attribut Authentication Authorization Availability Confidentiality Integrity Non-Repudiation Security Testing Goal is to make sure that the Application does not have any Or system fallback
  • 21.
  • 22.
    Security Testing The inclusionof threat analysis & modeling in the SDLC c Applications are being developed with security built-in fr Threat Analysis & modeling allows you to systematically iden that are most likely to affect your system. By identifying an a solid understanding of the architecture and implementatio you can address threats with appropriate countermeasures With the threats that present the greatest risk.
  • 23.
    Security Testing Threat modelingaccomplishes the following:  Defines the security of an application ·  Identifies and investigates potential threats an  Brings justification for security features  Identifies a logical thought process in defining  Results in finding architecture bugs earlier and  Results in fewer vulnerabilities ·  Creates a set of documents
  • 24.
  • 25.
    Part 3  SecureComputing  Use Cases
  • 26.
    Secure Computing Asset: Asystem resource. Threat: A potential occurrence, malicious or otherwise Vulnerability: A weakness in some aspect or feature of a syste Attack : An action taken by someone or something that harm Countermeasure: A safeguard that addresses a threat and mit Basic Terminologies
  • 27.
    Secure Computing Threat models theCIA model is described by its aspects : Confidentiality,
  • 28.
    Secure Computing Threat models STRIDEmodel is a system developed by Microsoft for thinking about comp It provides a mnemonic for security threats in six categories. The threat categories are:  Spoofing of user identity  Tampering  Repudiation  Information disclosure  Denial of service (D.o.S)  Elevation of privilege The STRIDE name comes from the initials of the six threat categories listed It was initially proposed for threat modellng, but is now used more broadly.
  • 29.
  • 30.
  • 31.
    Part 3  SecureComputing  Use Cases
  • 32.
    Use CaseSophos Unmanagedmachines follow-up tool "OUlist.txt" contains the list of the sites to follo "ContactList. xlsx" file which contains the list of c "Email- Body.txt" to modify the email body, "ExceptionList.xlsx" to add a technical exception This application will query the Sophos Database to generate Unmanaged ma
  • 33.
    Use CaseSophos Unmanagedmachines follow-up tool Roles User Roles Service Roles Administrator SQL Server Active Directory, .Net Framework, Microsoft Excel, Windows Text file.
  • 34.
    Use CaseSophos Unmanagedmachines follow-up tool Data
  • 35.
    Use CaseSophos Unmanagedmachines follow-up tool Components
  • 36.
    Use CaseSophos Unmanagedmachines follow-up tool Application Use Case
  • 37.
    Use CaseSophos Unmanagedmachines follow-up tool Threat Analysis Attacks ◊ Buffer Overflow ◊ Cryptanalysis Attacks ◊ Denial of Service ◊ Network Eavesdropping ◊ SQL injection Threats ◊ Threat factor for Confidentiality ◊ Threat factor for Integrity ◊ Threat factor for Availability
  • 38.
    Use CaseSophos Unmanagedmachines follow-up tool Threat Testing
  • 39.
  • 40.
    Conclusion safety is themost paramount aspect considered when develo With that said, safety is increased with the correct security
  • 41.
    Thank you forall your attenti

Editor's Notes

  • #2 Good morning, today we will present the fruit of work during the internship, we will begin our presentation with an organized plan
  • #3 the presentation will be devised in several parts as demonstrated in the following plan. we will begin with the company presentation where I did my internship then we will develop the subject "audit and security application" starting with an introduction then we will define the security software development and present some techniques to test this security. for better undrestanding, we will specify useful technical terms then we will explain the main work
  • #4 Beginning with Leoni wiring system presentation
  • #5 Leoni was founde in 1569 by anthonie fourrier who was born in lyon france, many yeas later 3 succeeded companies merged into newly established Leoni
  • #6 In 1956 leoni started manufacturing cable assemblies. Thereupon, leoni started its global expansion by establishing a wiring harness plant in Tunisia,
  • #7 Instantly, leoni has acquired the wirng harness division of the french automative supplier valeo with 88 subsidiaries all over the world
  • #8 Within leoni group, we find over 67,000 employees herein 16 countries, it has 2 main divisions : wiring system division with more than 58,000 employees for automotive industry and wire and cable solutons with more than 8,000 emplyees for automotive cables in industry, healthcare and other sectors
  • #9 Leoni had built 2 subsidiaries in tunisia located in sousse with different plant sections for different cars costemers, and the other plant in mateur sud and mateur nord with 2 plant section for PSA and Fiat and panda
  • #10 The information management at leoni is gathering an assistance team, an office of chief information officer and collects demand, supply, information technology and internatioanl services teams Above the world, leoni has 4 IM service centers, on in north africa, one in easten europ, one in americas and other one in Asia
  • #11 For the IM service center north africa, it was created in 2005 and huddle 1 team composed of 3 web developers, Nowadays, the IM service center north africa gathers 14 teams in different sectors with 65 members
  • #12 The IM IT sector composed of 4 teams : security , Microsoft, network and communiction and also data center and private clouad They are the second level support. They are supported by external companies as third level support. The relationship between these levels is based on client-provider concept.
  • #13 They use sophos enterprise solutions to manage their products that manages and updates Sophos security software on computers using operating system and virtual environment, this enterprise solutions provides protecting network against malware, file types adware and against other potentially unwanted applications. Moreover, it prevents the use of unauthorized external storage devices and wireless connection technologies on endpoint computers, administers the protection of client firewall on endpoint computers,
  • #14 They uses sophos anti-virus to protect machines from malwares, varonis as folder access rights audit to generate reports to all data owners to check access rights of their own folders and safeguard as hard disk encryption to encrypt hard disks of notebooks
  • #15 Developping now the subject, we will start with a small introduction
  • #16 Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application. The need to secure an application is imperative for use in today’s world
  • #17 So, how to secure software development?
  • #18 When it comes to software development, security needs to be brought in from “around the edges”. Security defects can, and should be treated like software defects and managed as part of the development process. Developing reliable and secure software is a tough challenge that confronts IT teams – both security and development teams
  • #19 Leoni has taken the lead to establish secure code development initiatives that inject a set of security deliverables into each phase of the software development process, The SDL models are structured around mapping security into key phases of the software development lifecycle: Planning, Dsign, Implementation, testing, release and deployment By introducing security early in the development lifecycle, companies are able to meet their customer demands for more secure products and services. And companies can derive additional benefits such as reduction in patch maintenance and faster time to remediate.
  • #20 Testing the security is a priority. So what is security testing?
  • #21 Security testing is basically a type of software testing that's done to check whether the application or the product is secured or not. It checks to see if the application is vulnerable to attacks, if anyone hack the system or login to the application without any authorization.
  • #22 Security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high. This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
  • #23 One method being used to implement application security in the design process is threat analysis & modeling. The basis for threat analysis & modeling is the process of designing a security specification and then eventually testing that specification. The threat modeling process is conducted during application design and is used to identify the reasons and methods that an attacker would use to identify vulnerabilities or threats in the system.
  • #24 Threat modeling accomplishes the following: · Defines the security of an application · Identifies and investigates potential threats and vulnerabilities · Brings justification for security features at both the hardware and software levels for identified threats · Identifies a logical thought process in defining the security of a system · Results in finding architecture bugs earlier and more often · Results in fewer vulnerabilities · Creates a set of documents that are used to create security specifications and security testing, thus preventing duplication of security efforts
  • #25 threat trees is a Method to explore valid attack paths , Represents conditions needed to exploit the threat, Determines all the combined vulnerabilities associated with a threat and it Focuses on mitigating the vulnerabilities that form the “path of least resistance”
  • #26 For better undrestanding we will specify useful technical termes then we will explain the work
  • #27 For the basic termonologies we will define some terms Asset: A resource of value, such as the data in a database or on the file system. A system resource. Threat: A potential occurrence, malicious or otherwise, that might damage or compromise your assets. Vulnerability: A weakness in some aspect or feature of a system that makes a threat possible. Vulnerabilities might exist at the network, host, or application levels. Attack (or exploit): An action taken by someone or something that harms an asset. This could be someone following through on a threat or exploiting a vulnerability. Countermeasure: A safeguard that addresses a threat and mitigates risk.
  • #28 Threat modeling allows to apply a structured approach to security and to address the top threats that have the greatest potential impact to applications, it exist different models beginning with the cia model The cia model is A simple but widely-applicable security model is the CIA triad standing for: Confidentiality Integrity Availability These are the three key principles which should be guaranteed in any kind of secure system. This principle is applicable across the whole subject of Security Analysis, from access to a user's internet history to security of encrypted data across the internet. If any one of the three can be breached it can have serious consequences for the parties concerned.
  • #29 It also exists a stride model, This model classifes threats in accordance with their categories. By using these categories of threats, one has the ability to create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks.
  • #30 Some tools are dedicated to modeling threats, we have the microsoft sdl threat modeling tool, it is a software-focused tool designed for rich client/server application development (for example, Windows and SQL Server, among others) The tool assumes the final deployment pattern of the product is unknown (that is, if it will be used to manage business-critical applications with customer credit cards or not), so the focus of the tool is to ensure security of the software’s underlying code.
  • #31 An other tool called threat analysis and modeling tool, this tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model.
  • #32 The work that I did is presented at this section
  • #33 This application will query the Sophos Database to generate Unamanaged machines in different Leoni sites. The list of sites can be found on a text file, After quering the Sophos Database the application will create a folder, On this folder, the application will generate an Excel le for each site. The Excel le will contain the information about each machine, After generating the Excel file with the list of Unmanaged machines, the application will look for the corresponding contact person(s) of the concerned site in an Excel file ,An email will be sent to the contact person(s) with the list of Unmanaged machines. The maintenance of this application will be ensured through the maintenance of the "OUlist.txt" which contains the list of the sites to follow up, the "ContactList.xlsx" file which contains the list of contact persons by site, "Email-Body.txt" to modify the email body, and "ExceptionList.xlsx" to add a technical exception.
  • #34 The Threat Analysis and Modeling Tool allows us to decompose the application into roles, Data and components. For the roles : User roles are assigned to any user who will be interacting with the application. with this application, we have found only the administrator as user. He is the only one who has the ability to solve a problem of an unmanaged machine. Service Roles are trust levels, containing specic identities, which dene the context of various components running in the software application. Within this context, we have found the SQL Server, Active Directory, .Net Framework, Microsoft Excel and Windows Text le.
  • #35 Data defines the information type that is maintained, or processed, by the software application. with this application, we needed to the Contact List, the Exception List, Site List, Mail Body and unmanaged machines
  • #36 Components are the building blocks of a software application that dene an instance of a technology type, We have found as components within this application the SQL Server, Active Directory, .Net Framework, Microsoft Excel and Windows Text file.
  • #37 At this stage, we had dened the allowable permissions on the Data and the role that has permissions on it. The specic permission are captured using the Create/Read/Update/Delete. A use case is an ordered sequence of actions used to fulll a subset of the allowable permissions that are dened in data access. For each use case identified, a data flow is generated.
  • #38 Threat analysis is the analysis of the probability of occurrences and consequences of attacks within a system. With the Threat Analysis and Modeling Tool, threats are classified in accordance to the CIA model and oers for each threat solutions to deal with it. Threat factor for Condentiality The primary threat factors for Confidentiality are the unauthorized disclosure of the executing identity and the unauthorized disclosure of the data. Threat factor for Integrity The primary threat factors for Integrity are the violation of the access control, violation of business rule, and violation of data integrity. Threat factor for Availability The primary threat factors for Availability are unavailability and performance degradation.
  • #39 For each use case, the threat analysis and modeling tool generate a threat tree describes In this diagram: the root node is the threat in question (for example. unauthorized disclosure of read using Active Directory by .Net Role). Then, its children are the vulnerability types (for example, LDAP Injection). Each vulnerability type has an underlying cause (for example, Dynamic LDAP queries using untrusted input). Then, each underlying cause has a mitigation technique (for example, untrusted input should be validated against an inclusion list).
  • #40 To conclude
  • #41 safety is the most paramount aspect considered when developing an application. With that said, safety is increased with the correct security requirements put into place. However, in order to determine those security requirements, a process to determine possible threats and risk of those threats to the system is needed. By creating full threat models from use case flow diagrams and by assessing the risk of the detected threats within those models, one is able to determine the best security requirements for an application