This document summarizes a presentation about Leoni Wiring Systems and application security. It discusses Leoni's history and global expansion. It also covers secure software development practices, including introducing security early and conducting threat analysis. Security testing goals and methods like threat modeling are explained. Finally, it provides examples of secure computing concepts and a use case for a Sophos tool to track unmanaged machines. The overall document aims to discuss best practices for application security.

1. Work realized by:
₪ Rihab CHBBAH
Application Security Audit
Academic Year : 2015/2016

2. Plan
• Introduction
• Leoni Wiring
System
Presentation
• Security Software
Development
Part 1
• Security
Testing
Part 2
• Secure
Computing
• Use cases
Part 3
Conclusion

3. Presentation
 Introduction
 LEONI Wiring System

4. LEONI -
Presentation
Anthonie Fournier
from Lyon founded
the first workshop
1569
3 succeded
companies merged
into newly
established Leoni
1917

5. Started to manufacture
cable assemblies
1956
Leoni started its global
expansion by
establishing a wiring
harness plant in Tunisia.
1977

6. Leoni has acquired the wiring
harness division of the
French automative supplier
Valeo with 88 subsidiaries all
over the world
Tod
ay
Finis
h

7. Leoni Group
◊ more than 67,000 employees worldwide
◊ Located in many countries : Germany, China, Coria, Egypt, Frenc
Wire & Cable Solutions
◊ more than 8,000 employees
◊ Automotive
Industry & Healthcare
Communication & Infrastructure
Electrical Appliances
Conductor & Copper Solutions
Wiring Systems Division
◊ more than 59,000 employe
◊ Automotive Industry

8. LEONI Wiring
System Tunisia
Sousse
Mateur Sud & Mateur
 Plant Section MB – Routine
 Plant Section MB – Project-MFA
 Plant Section BMW
 Plant Section A&VW
 Plant Section Supply International
 Plant Section PSA
 Plant Section Fiat/Panda

9. LEONI Wiring System Tunisia
Information
ManagementInformation
Management
IM - Demand IM – Supply
IM – Information
Technology
IM – International
Services
IM team
assistance
IM CIO Office
IM Center Oganizatio
ɤ IM Service Center North Africa (IM
ɤ IM Service Center Easten Europe
ɤ IM Service Center Americas
ɤ IM Service Center Asia

10. LEONI Wiring System Tunisia -
IM SC NA
∞ Created in 2005,
∞ 1 Team,
∞ 3 Members (Web Developers)
∞ 14 Teams (IT, System Analysts, IM-Dema
Development, PPS and MES Consulting and as
∞ 65 Members

11. LEONI Wiring System Tunisia –
IM SC IT Teams
 Security
 Microsoft
 Network & Communication
 Data Center & Private Cloud
The relationship between these levels is based
on client-provider concept.

12. LEONI Wiring System Tunisia –
IM SC NA IT SecurityTeam
Enterprise solutions
Sophos Enterprise Solutio
∞ Application Control
∞ Device Control
∞ Update Manger
∞ Firewall

13. LEONI Wiring System Tunisia –
IM SC NA IT SecurityTeam
Sophos Anti-Virus
VARONIS – Folder Access
Rights Audit
SAFEGUARD
Hard Disk Encryption
Generate reports to all
Data owners to check
Access rights of their
own folders
Encrypt Hard Disks
Of Notebooks
Protect machines from
malwares.

14. Presentation
 Introduction
 LEONI Wiring System

15. Introduction
Application security is the use of software, hard
and procedural methods to prevent security flaw
in applications and protect them from external t

16. Part 1
 Security Software Development

17. Secure Software Development
“The need to consider security and privacy “up front” is a fund
system development. The optimal point to define trustworthin
a software project is during the initial planning stages. This e
requirements allows development teams to identify key milest
and permits the integration of security and privacy in a way th
to plans and schedules. “
-Simplified Implementation of the Microsoft SD

18. Secure Software Development
By introducing security early in the
development lifecycle, companies are
able to meet their customer demands
for more secure products and
services. And companies can derive
additional benefits such as reduction
in patch maintenance and faster time
to remediate.

19. Part 2
 Security Testing

20. Security Testing is deemed successful when the below attribut
Authentication
Authorization
Availability
Confidentiality
Integrity
Non-Repudiation
Security Testing
Goal is to make sure that the
Application does not have any
Or system fallback

21. Security Testing

22. Security Testing
The inclusion of threat analysis & modeling in the SDLC c
Applications are being developed with security built-in fr
Threat Analysis & modeling allows you to systematically iden
that are most likely to affect your system. By identifying an
a solid understanding of the architecture and implementatio
you can address threats with appropriate countermeasures
With the threats that present the greatest risk.

23. Security Testing
Threat modeling accomplishes the following:
 Defines the security of an application ·
 Identifies and investigates potential threats an
 Brings justification for security features
 Identifies a logical thought process in defining
 Results in finding architecture bugs earlier and
 Results in fewer vulnerabilities ·
 Creates a set of documents

24. Security Testing
Threat tree

25. Part 3
 Secure Computing
 Use Cases

26. Secure Computing
Asset: A system resource.
Threat: A potential occurrence, malicious or otherwise
Vulnerability: A weakness in some aspect or feature of a syste
Attack : An action taken by someone or something that harm
Countermeasure: A safeguard that addresses a threat and mit
Basic Terminologies

27. Secure Computing
Threat models
the CIA model is described by its aspects : Confidentiality,

28. Secure Computing
Threat models
STRIDE model is a system developed by Microsoft for thinking about comp
It provides a mnemonic for security threats in six categories.
The threat categories are:
 Spoofing of user identity
 Tampering
 Repudiation
 Information disclosure
 Denial of service (D.o.S)
 Elevation of privilege
The STRIDE name comes from the initials of the six threat categories listed
It was initially proposed for threat modellng, but is now used more broadly.

29. Secure Computing
Modeling Tools
Microsoft SDL Threat Modeling Tool

30. Secure Computing
Modeling Tools
Threat Analysis & modeling Tool

31. Part 3
 Secure Computing
 Use Cases

32. Use CaseSophos Unmanaged machines follow-up tool
"OUlist.txt" contains the list of the sites to follo
"ContactList. xlsx" file which contains the list of c
"Email- Body.txt" to modify the email body,
"ExceptionList.xlsx" to add a technical exception
This application will query the Sophos Database to generate Unmanaged ma

33. Use CaseSophos Unmanaged machines follow-up tool
Roles
User Roles Service Roles
Administrator SQL Server
Active Directory,
.Net Framework,
Microsoft Excel,
Windows Text file.

34. Use CaseSophos Unmanaged machines follow-up tool
Data

35. Use CaseSophos Unmanaged machines follow-up tool
Components

36. Use CaseSophos Unmanaged machines follow-up tool
Application Use Case

37. Use CaseSophos Unmanaged machines follow-up tool
Threat Analysis
Attacks
◊ Buffer Overflow
◊ Cryptanalysis Attacks
◊ Denial of Service
◊ Network Eavesdropping
◊ SQL injection
Threats
◊ Threat factor for
Confidentiality
◊ Threat factor for
Integrity
◊ Threat factor for
Availability

38. Use CaseSophos Unmanaged machines follow-up tool
Threat Testing

39. Conclusion

40. Conclusion
safety is the most paramount aspect considered when develo
With that said, safety is increased with the correct security

41. Thank you for all your attenti