Audit and security application
[Slide 1]
Work realized by: Rihab CHEBBAH
Application Security Audit
Academic Year: 2015/2016
[Slide 2]
Plan
• Introduction
• Leoni Wiring System Presentation
• Part 1: Security Software Development
• Part 2: Security Testing
• Part 3: Secure Computing / Use cases
• Conclusion
[Slide 3]
Presentation – Introduction – LEONI Wiring System
[Slide 4]
LEONI – Presentation
1569: Anthonie Fournier from Lyon founded the first workshop.
1917: Three successor companies merged into the newly established Leoni.
[Slide 5]
1956: Leoni started to manufacture cable assemblies.
1977: Leoni started its global expansion by establishing a wiring harness plant in Tunisia.
[Slide 6]
Today: Leoni has acquired the wiring harness division of the French automotive supplier Valeo, with 88 subsidiaries all over the world.
[Slide 7]
Leoni Group
◊ more than 67,000 employees worldwide
◊ located in many countries: Germany, China, Korea, Egypt, France, Tunisia …
Wire & Cable Solutions
◊ more than 8,000 employees
◊ Automotive; Industry & Healthcare; Communication & Infrastructure; Electrical Appliances; Conductor & Copper Solutions
Wiring Systems Division
◊ more than 59,000 employees
◊ Automotive Industry
[Slide 8]
LEONI Wiring System Tunisia
Sites: Sousse; Mateur Sud & Mateur Nord
Plant sections: MB – Routine; MB – Project-MFA; BMW; A&VW; Supply International; PSA; Fiat/Panda
[Slide 9]
LEONI Wiring System Tunisia – Information Management
Information Management: IM – Demand; IM – Supply; IM – Information Technology; IM – International Services; IM team assistance; IM CIO Office
IM Center Organization:
ɤ IM Service Center North Africa (IM SC NA)
ɤ IM Service Center Eastern Europe
ɤ IM Service Center Americas
ɤ IM Service Center Asia
[Slide 10]
LEONI Wiring System Tunisia – IM SC NA
∞ Created in 2005
∞ 1 team, 3 members (web developers)
∞ 14 teams (IT, System Analysts, IM-Demand, Development, PPS and MES consulting and assistance)
∞ 65 members
[Slide 11]
LEONI Wiring System Tunisia – IM SC IT Teams
Security; Microsoft; Network & Communication; Data Center & Private Cloud
The relationship between these levels is based on the client-provider concept.
[Slide 12]
LEONI Wiring System Tunisia – IM SC NA IT Security Team
Enterprise solutions: Sophos Enterprise Solutions
∞ Application Control
∞ Device Control
∞ Update Manager
∞ Firewall
[Slide 13]
LEONI Wiring System Tunisia – IM SC NA IT Security Team
Sophos Anti-Virus: protect machines from malware.
VARONIS – Folder Access Rights Audit: generate reports to all data owners so they can check the access rights of their own folders.
SAFEGUARD Hard Disk Encryption: encrypt the hard disks of notebooks.
[Slide 14]
Presentation – Introduction – LEONI Wiring System
[Slide 15]
Introduction
Application security is the use of software, hardware, and procedural methods to prevent security flaws in applications and protect them from external threats.
[Slide 16]
Part 1: Security Software Development
[Slide 17]
Secure Software Development
“The need to consider security and privacy “up front” is a fundamental aspect of secure system development. The optimal point to define trustworthiness requirements for a software project is during the initial planning stages. This early definition of requirements allows development teams to identify key milestones and deliverables, and permits the integration of security and privacy in a way that minimizes any disruption to plans and schedules.”
– Simplified Implementation of the Microsoft SDL
[Slide 18]
Secure Software Development
By introducing security early in the development lifecycle, companies are able to meet their customer demands for more secure products and services. And companies can derive additional benefits such as reduction in patch maintenance and faster time to remediate.
[Slide 19]
Part 2: Security Testing
[Slide 20]
Security Testing
Security testing is deemed successful when the following attributes of an application are intact: Authentication, Authorization, Availability, Confidentiality, Integrity, Non-Repudiation.
The goal is to make sure that the system / application does not have any loopholes or system fallback.
[Slide 21]
Security Testing
[Slide 22]
Security Testing
The inclusion of threat analysis & modeling in the SDLC can help to ensure that Applications are being developed with security built-in from the very beginning.
Threat analysis & modeling allows you to systematically identify and rate the threats that are most likely to affect your system. By identifying and rating threats based on a solid understanding of the architecture and implementation of your application, you can address threats with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk.
[Slide 23]
Security Testing
Threat modeling accomplishes the following:
· Defines the security of an application
· Identifies and investigates potential threats and vulnerabilities
· Brings justification for security features
· Identifies a logical thought process in defining the security of a system
· Results in finding architecture bugs earlier and more often
· Results in fewer vulnerabilities
· Creates a set of documents
[Slide 24]
Security Testing – Threat tree
[Slide 25]
Part 3: Secure Computing – Use Cases
[Slide 26]
Secure Computing – Basic Terminologies
Asset: a system resource.
Threat: a potential occurrence, malicious or otherwise.
Vulnerability: a weakness in some aspect or feature of a system that makes a threat possible.
Attack: an action taken by someone or something that harms an asset.
Countermeasure: a safeguard that addresses a threat and mitigates risk.
[Slide 27]
Secure Computing – Threat models
The CIA model is described by its three aspects: Confidentiality, Integrity and Availability.
[Slide 28]
Secure Computing – Threat models
STRIDE is a model developed by Microsoft for thinking about computer security threats. It provides a mnemonic for security threats in six categories:
· Spoofing of user identity
· Tampering
· Repudiation
· Information disclosure
· Denial of service (DoS)
· Elevation of privilege
The STRIDE name comes from the initials of the six threat categories listed. It was initially proposed for threat modelling, but is now used more broadly.
[Slide 29]
Secure Computing – Modeling Tools
Microsoft SDL Threat Modeling Tool
[Slide 30]
Secure Computing – Modeling Tools
Threat Analysis & Modeling Tool
[Slide 31]
Part 3: Secure Computing – Use Cases
[Slide 32]
Use Case: Sophos Unmanaged machines follow-up tool
This application queries the Sophos database to generate the list of unmanaged machines in the different LEONI sites.
Input files: "OUlist.txt" contains the list of the sites to follow up; "ContactList.xlsx" contains the list of contact persons by site; "Email-Body.txt" is used to modify the email body; "ExceptionList.xlsx" is used to add a technical exception.
[Slide 33]
Use Case: Sophos Unmanaged machines follow-up tool
Roles
User roles: Administrator
Service roles: SQL Server, Active Directory, .NET Framework, Microsoft Excel, Windows text file
[Slide 34]
Use Case: Sophos Unmanaged machines follow-up tool
Data
[Slide 35]
Use Case: Sophos Unmanaged machines follow-up tool
Components
[Slide 36]
Use Case: Sophos Unmanaged machines follow-up tool
Application Use Case
[Slide 37]
Use Case: Sophos Unmanaged machines follow-up tool
Threat Analysis
Attacks
◊ Buffer Overflow
◊ Cryptanalysis Attacks
◊ Denial of Service
◊ Network Eavesdropping
◊ SQL injection
Threats
◊ Threat factor for Confidentiality
◊ Threat factor for Integrity
◊ Threat factor for Availability
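As an added example (not code from the deck or from LEONI's tool): the per-site "unmanaged machines" query the use case describes, written once with string concatenation, which is the SQL injection the threat analysis lists, and once parameterised with the exception list applied. sqlite3 stands in for the Sophos SQL Server database, and the table, column and host names are constructed for the demo; in the real .NET tool the same binding is done with SqlCommand parameters.

```python
import sqlite3

# Constructed stand-ins for the tool's input files (not the real LEONI data).
SAMPLE_OU_LIST = ["Sousse", "Mateur Sud"]   # one site (OU) per line of OUlist.txt
SAMPLE_EXCEPTIONS = {"SOUSSE-PRN01"}        # hostnames taken from ExceptionList.xlsx


def build_demo_db():
    """In-memory sqlite3 database standing in for the Sophos SQL Server database.
    Table and column names are constructed for this example, not the Sophos schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Computers (Name TEXT, OU TEXT, Managed INTEGER)")
    conn.executemany("INSERT INTO Computers VALUES (?, ?, ?)", [
        ("SOUSSE-WS001", "Sousse", 1),      # managed: must not be reported
        ("SOUSSE-WS002", "Sousse", 0),
        ("SOUSSE-PRN01", "Sousse", 0),      # unmanaged, but on the exception list
        ("MATEUR-WS010", "Mateur Sud", 0),
        ("TUNIS-WS001", "Tunis", 0),        # other site: must not leak into the report
    ])
    return conn


def unmanaged_by_site_unsafe(conn, ou):
    """The pattern the threat analysis warns about: the OU string read from OUlist.txt
    is pasted into the SQL text, so a malformed line rewrites the WHERE clause."""
    sql = f"SELECT Name FROM Computers WHERE Managed = 0 AND OU = '{ou}'"
    return [row[0] for row in conn.execute(sql)]


def unmanaged_by_site(conn, ou, exceptions=frozenset()):
    """Parameterised query: the OU is bound as data and never interpreted as SQL.
    Technical exceptions are removed before the result reaches the follow-up email."""
    rows = conn.execute(
        "SELECT Name FROM Computers WHERE Managed = 0 AND OU = ? ORDER BY Name", (ou,))
    return [row[0] for row in rows if row[0] not in exceptions]


def follow_up_report(conn, ou_list, exceptions):
    """One entry per site to follow up, as the tool's per-site email needs."""
    return {ou: unmanaged_by_site(conn, ou, exceptions) for ou in ou_list}


if __name__ == "__main__":
    db = build_demo_db()
    bad_line = "x' OR '1'='1"   # a corrupted OUlist.txt line, constructed for the demo
    print(follow_up_report(db, SAMPLE_OU_LIST, SAMPLE_EXCEPTIONS))
    print("unsafe:", unmanaged_by_site_unsafe(db, bad_line))  # every machine, all sites
    print("safe:  ", unmanaged_by_site(db, bad_line))         # []
```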
[Slide 38]
Use Case: Sophos Unmanaged machines follow-up tool
Threat Testing
[Slide 39]
Conclusion
[Slide 40]
Conclusion
Safety is the paramount aspect to consider when developing an application. With that said, safety is increased when the correct security requirements are put in place.
[Slide 41]
Thank you for all your attention!