audit and security application report

Upload: rihab-chebbah

Post on 13-Apr-2017


Page 1: Audit and security application report

MINISTRY OF HIGHER EDUCATION AND SCIENTIFIC RESEARCH

Higher Institute of Computer Sciences El-Manar

Summer Internship Report

Realized by: Rihab CHEBBAH

Company Supervisors: Mr Ibrahim JAOUAD & Mr Atef BAYA

Company: LEONI Tunisia

Department: Information Management Technology

Internship Period: From 01/06/2016 to 30/06/2016


Acknowledgement

With grateful heart, I would like to remember the persons who helped me during the course of my internship program. I wish to place on record my words of gratitude to Mr. Ibrahim JAOUAD for being my advisor and the enzyme during my internship. I owe warm-hearted acknowledgement of gratitude to Mr. Atef BAYA for being the mastermind behind my internship program.

Rihab CHEBBAH


Introduction

Security is now a serious problem and, if present trends continue, the problem will be much worse in the future. While there are many reasons for security problems, a primary cause is that much of the software cannot withstand security attacks. These attacks exploit vulnerabilities in software systems.

Software security vulnerabilities are caused by defective specification, design, and implementation. Unfortunately, common development practices leave software with many vulnerabilities. To have a secure infrastructure, the software must contain few, if any, vulnerabilities. This requires that software be built to sound security requirements and have few, if any, specification, design, or code defects.

No processes or practices have currently been shown to consistently produce secure software. However, some available development practices are capable of substantially improving the security of software systems, including achieving exceptionally low defect rates. Since introducing these methods requires significant training and discipline, they will not be widely adopted without strong motivation from sources such as corporate leaders, customers, or regulation.

Within this context is framed my project "audit and security application" during the internship. This report contains 5 chapters. The first presents the company that accepted me for an internship. The second chapter presents secure application development. The third chapter presents tested techniques to ensure application security. The following chapter contains the different terms, mechanisms, models and tools that identify vulnerabilities in an application, and the last chapter covers the practical work done during this internship.


Chapter 1

Company Presentation

1.1 Introduction

Throughout this chapter, we introduce the Leoni Group as well as its division in Tunisia.

1.2 History

In 1569, Anthoni Fournier founded in Nuremberg the first workshop for the manufacture of Lyonese wares: finest metal threads and wires of gold and silver, and later of silver-plated and gold-plated copper. In 1917, Fournier's son merged three succeeding companies into the newly established Leonische Werke Roth-Nürnberg AG. Fourteen years later, the company name was changed to Leonische Drahtwerke AG, Nuremberg, and the production of rubber-sheathed cables started. After that, in 1956, the company started to manufacture cable assemblies. In 1977, Leoni started its global expansion by establishing a wiring harness plant in Tunisia. This was soon followed by further new plants, subsidiaries and acquisitions in many countries: USA, Germany, China, Korea, Egypt, etc. Later, Leoni acquired the wiring harness division of the French automotive supplier Valeo. This resulted in Leoni becoming the European market leader for automotive wiring systems and the number four supplier in the world.


1.3 Leoni structure

The Leoni group has 2 main divisions: Wiring Systems Division (WSD) and Wire & Cable Solutions (WCS). The Leoni group has more than 67,000 employees: 58,000 within WSD and the rest, 8,000 employees, within WCS.

Wiring Systems Division

For the automotive and other industries LEONI is a proven global partner. Its Wiring Systems Division develops and supplies innovative wiring solutions, as well as components, for passenger car producers, commercial vehicle manufacturers and for system and component suppliers.

Figure 1.1: Wiring Systems Division

LEONI is the European market leader for wiring systems and is one of the world's premier providers of automotive electrical and electronic distribution systems. Its mission is to give the customer precisely what is required, from the initial design concept to the safe installation of the final product.

Wire & Cable Solutions

The Wire & Cable Solutions Division (WCS) benefited from the still heavy demand for automotive cables as well as good performance of the business involving cables for industry and the healthcare sector.


Figure 1.2: Wire & Cable Solutions

With the aim of strategic further growth, the division will sharpen the focus of its market activity and to that end will look into consolidating its portfolio. In addition to further strengthening of its position in the automotive cables market, the agenda includes expansion of select segments of industrial business. This will involve stepping up development towards being a solutions provider.

1.4 Leoni Global Network

The Leoni Group is located in over 16 countries (Brazil, China, Egypt, France, Germany, India, Italy, Morocco, Mexico, Portugal, Romania, Russia, Serbia, Slovakia, Ukraine and Tunisia) with over 35 production sites. Its production space is about 550,000 m².

Figure 1.3: Leoni's locations


1.5 Leoni Wiring System Tunisia

Leoni Wiring Systems was established in Tunisia in 1977 and has built 2 subsidiaries: Sousse and Mateur Sud/Mateur Nord. In Sousse, Leoni has different plant sections which work for different car customers like Audi, BMW, VW and others. About 6500 employees work there. Mateur Sud/Mateur Nord has over 6000 employees and 2 plant sections: one for the customers Fiat and Panda and one for PSA.

1.6 Information Management at LEONI

The Information Management (IM) at LEONI is organized as shown below:

Figure 1.4: IM Organization - Bundling of Global Services

Across the world, Leoni Wiring Systems has 4 IM service centers: one in North Africa, one in Eastern Europe, one in the Americas and one in Asia.


Figure 1.5: IM Service Centers Organization

1.7 Information Management Service Center North Africa

Information Management Service Center North Africa (IM SC NA) is 1 of the 4 service centers of IM in the world. It supports IT as well as the applications environment. It was established in 2005 with 3 members who worked as web developers. Now, it has 65 members in 14 teams.

Figure 1.6: Information Management Service Center North Africa teams


The teams are classified according to their objective: one assistance team for IM SC NA, one IM demand team for managing projects, three development teams for programming software, three teams that work as system analysts, two teams for PPS consulting, one team for MES consulting and four teams that work as system administrators for the IT section.

1.8 Information Management IT teams

The IM IT group is composed of multiple teams: Microsoft, Security team, Network and Communication team, and also a Data Center & Private Cloud team. These teams provide services to the local ITs. They are the second level support. They are supported by external companies as third level support. The relationship between these levels is based on the client-provider concept.

Figure 1.7: IT Support levels

1.9 Information Management IT Security Team

Leoni uses Enterprise solutions to manage its products.


Figure 1.8: Enterprise Solution

Sophos enterprise Solutions

Sophos Enterprise Solution is an automated console that manages and updates Sophos security software on computers using an operating system and virtual environments such as VMware vShield. It allows protecting the network against malware, dangerous file types and websites, malicious network traffic, adware and other potentially unwanted applications. It also checks the websites users can go to, further protecting the network against malware and preventing users from visiting inappropriate websites. Moreover, Sophos Enterprise Console prevents the use of unauthorized external storage devices and wireless connection technologies on endpoint computers, administers the protection of the client firewall on endpoint computers and assesses computers for any missing patch.

Application control

Application Control enables network administrators to block certain legitimate applications from running on work computers. Typically, they use Application Control to prevent users from running applications that are not a security threat, but that they decide are unsuitable for use in the workplace environment, e.g., games or instant messaging programs. In accordance with the company policy on Application Control, the administrators can authorize required applications and block those which are not required, all from the central console.


Sophos Device Control

Sophos Device Control allows an administrator to manage the use of storage devices, network interfaces and media devices connected to all managed endpoints.

Sophos Update Manager

Sophos Update Manager is always installed on the computer where the Enterprise Console is installed. This is the component which is responsible for getting the updates from Sophos and is the updating source for the computers on the network. It allows administrators to create shares that contain the endpoint software that they want to deploy. The computers update themselves from these shares.

Sophos Firewall

The Sophos firewall enables only named applications, or classes of applications, to access the company network or the internet. The default firewall settings permit only basic network communications and are not adequate for normal use. Anything more than basic networking, e.g. email software, web browser and any network database access, will probably not work correctly with the default policy, which blocks all non-essential connections.

Sophos policies

When installing Enterprise Console, default policies are created. These policies are applied to any created groups. The default policies are designed to provide effective levels of protection. If the administrators want to use features like network access control, patch, application control, data control, device control, or tamper protection, they need to create new policies or change the default policies.

Sophos Enterprise Console reports

Enterprise Console reports are available via the 'Report Manager'. Using the Report Manager, administrators can quickly create a report based on an existing template, change the configuration of an existing report, and schedule a report to run at regular intervals, with the results being sent to chosen recipients as an email attachment. They can also print reports and export them in a number of formats.


IM IT Security Team services

Leoni uses:

Sophos as Antivirus solution;

Safeguard for Encryption Solution;

Varonis as Folder Access Rights Audit solution.

The goal of the IM-IT security team in Tunisia is to ensure a secure environment for the end user by managing the antivirus (Sophos), the data encryption (Safeguard) and the data ownership (Varonis). The KPI is measured by the service availability.

Sophos anti-virus

Sophos antivirus is an endpoint protection for innovative businesses against current and future threats. It is a simple and sophisticated antivirus at the same time, with advanced protection against threats, web filtering and compliance with policies. It has proven protection that automatically identifies new threats and blocks or deletes them. It includes an integrated host intrusion prevention system (HIPS) that automatically adjusts to better combat malware. It also offers Live Protection, connected to the lab to get the latest threat data. Its infrastructure is composed of:

Endpoint Device: acts as a user endpoint in a distributed computing system. Typically, the term is used specifically for Internet-connected PC hardware on a TCP/IP network. However, various network types have their own types of endpoint devices through which users can access information from a network. It can include desktop or laptop computers, as well as portable devices like tablets and smartphones.

Central Installation Directory: this is a set of files that includes everything needed for installation.

Management Server: a set of tools from Microsoft that assists in managing PCs connected to a local-area network (LAN). It enables an administrator to create an inventory of all the hardware and software on the network and to store it in a database. Using this database, it can then perform software distribution and installation over the LAN. This server also enables the administrator to perform diagnostic tests on PCs attached to the LAN.


Sophos Update Manager: manages data and update distribution from Sophos.

VARONIS Folder Access Rights Audit

Varonis ensures that only the right people have access to the right data at all times, all access is monitored, and abuse is flagged. It identifies where the most sensitive data resides, sees who has access to it and who is accessing it, and safely locks it down. Varonis FARA also runs permissions reports, finds lost files, assigns data owners, and conducts security investigations more efficiently than ever. IT staff spend less time on manual data management and protection tasks and can focus on critical projects, because it automatically detects and corrects changes that don't meet the organization's change management policies. They receive alerts on anomalous behavior, privilege escalations, and unauthorized access to critical files and folders.

Sophos Safeguard Hard-Disk Encryption

Hard Disk Encryption provides automatic security for all information on endpoint hard drives, including user data, operating system files and temporary and erased files. For maximum data protection, multi-factor pre-boot authentication ensures user identity, while encryption prevents data loss from theft. It protects from unauthorized access when laptops are lost or stolen.

Conclusion

Throughout this chapter, we presented Leoni Wiring Systems and detailed its services, especially the services of the IM IT security team where I did my internship.


Chapter 2

Security Software Development

Introduction

Applications are developed with many different skill levels and a variety of security awareness. Security must be considered at every stage of a project's development.

2.1 Programming Languages

Different programming languages are used to develop software code. There are 2 types of programming languages: compiled and interpreted languages.

• Using compiled languages, the programmer compiles the code. The code is then converted to an executable file for use on a specific OS. This type of program is less prone to be manipulated, but it may still contain back doors or other security flaws created by unskilled programmers.

• With interpreted languages, the developer shares the source code. The end user can use it and execute it on their OS. In this case, they can inject back doors into the original code written by the developers.


2.2 Object Oriented Programming

Object-Oriented Programming refers to a type of computer programming in which programmers define not only the data type of a data structure, but also the functions that can be applied to the data structure. In this way, the data structure becomes an object that includes both data and functions. In addition, programmers can create relationships between one object and another. For example, objects can inherit characteristics from other objects. With OOP, users need to know every input, output and action that corresponds to each object.

2.3 Avoiding and mitigating system failure

To avoid and mitigate system failure, some methods can be used: input verification and fail-safe or fail-open procedures:

Input verification: verifies that the values entered by a user match the programmer's expectation before allowing further processing.

Fail-safe or fail-open procedures: programmers should code scripts to respond to and handle system failure.

• Fail-secure failure state: this failure blocks the system, and only the administrator can resolve it and restore it to normal operation.

• Fail-open state: it allows users with sufficient permissions to resolve it.

2.4 Systems Development Life Cycle (SDLC)

It is a software development process that defines the principal stages that projects pass through to ensure good coding practices, embedding security in every stage.


Figure 2.1: Systems Development Life Cycle

Conceptual definition: this phase is the first step of any system's life cycle. It defines the project and commits the appropriate resources.

Functional requirements development: this phase involves collecting, defining and validating functional, support and training requirements.

Control specifications development: the security of the project is designed at this stage. It should provide access control for users, an audit trail, and detective mechanisms for flaws.

Design review: in this phase, the designers determine how the system will interoperate.

Code review walk-through: during this phase, systems are developed or acquired based on detailed design specifications.

System test review: after coding, tests are required to verify the system operation, using development personnel to seek out any obvious error.

Maintenance and change management: this phase is meant to ensure that sponsor needs continue to be met and that the system continues to perform according to specifications.

Life Cycle Model

Software development organizations implement process methodologies to ease the process of development.


Waterfall model

The waterfall model has 7 phases: system requirements, software requirements, preliminary design, detail design, code and debug, testing, operations and maintenance. It describes a method of development that is linear and sequential; it allows returning to the previous phase to correct system faults.

Spiral model

The spiral model has four phases: Planning, Risk Analysis, Engineering and Evaluation. Its emphasis is on risk analysis. We use it when cost and risk evaluation is important or when the requirements are complex.

Agile software development

Agile development methodology provides opportunities to assess the direction of a project throughout the development lifecycle. Agile methodology is described as iterative and incremental. In an agile paradigm, every aspect of development (requirements, design, etc.) is continually revisited throughout the lifecycle. Agile software development has produced the Manifesto for Agile Software Development. The Agile Manifesto is based on twelve principles:

1. Customer satisfaction by early and continuous delivery of valuable software

2. Welcome changing requirements, even in late development

3. Working software is delivered frequently (weeks rather than months)

4. Close, daily cooperation between business people and developers.

5. Projects are built around motivated individuals, who should be trusted

6. Face-to-face conversation is the best form of communication (co-location)

7. Working software is the principal measure of progress

8. Sustainable development, able to maintain a constant pace

9. Continuous attention to technical excellence and good design

10. Simplicity, the art of maximizing the amount of work not done, is essential


11. Best architectures, requirements, and designs emerge from self-organizing teams

12. Regularly, the team reflects on how to become more effective, and adjusts accordingly

Software capability maturity model

It is a methodology used to develop and refine an organization's software development process. CMM can be used to assess an organization against a scale of five process maturity levels. There are five designated maturity levels.

1. Initial: the starting point for use of a new or undocumented repeat process.

2. Repeatable: the process is at least documented sufficiently such that repeating the same steps may be attempted.

3. Defined: the process is defined / confirmed as a standard business process.

4. Managed: the process is quantitatively managed in accordance with agreed-upon metrics.

5. Optimizing: the process management includes deliberate process optimization/improvement.

IDEAL model

The IDEAL model forms an infrastructure to guide organizations in planning and implementing an effective software process improvement program, and is the founding strategy employed in delivering many Software Engineering Institute (SEI) services. Organizations that follow the IDEAL approach to software process improvement (SPI) can effectively integrate SEI technologies, courses, workshops, and services into a comprehensive method for managing and improving their overall capacity.


Figure 2.2: Ideal Model Process

Gantt chart and PERT

A Gantt chart is a graphical tool illustrating a schedule that helps to plan and coordinate specific tasks in a project. PERT is a project scheduling tool used to direct improvements to project management and software coding in order to produce more efficient software.

2.5 Change and configuration management

Change management

After releasing a software project, there can be suggestions from users to improve the project, correct bugs or request other modifications. Thus, programmers should have procedures to manage changes to support future auditing, investigation and analysis requirements. The change management process has 3 basic components:

• Request control: used by end users to request modifications, by managers to conduct cost/benefit analysis and by developers to prioritize tasks.

• Change control: dedicated only to developers. They can re-create the situation encountered by the users and analyze the appropriate changes. In addition, the developers can restrict the effects of the new code after updating or changing, to minimize any reduction in security.


• Release control: this phase assures the re-release of the software project and includes acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.

Configuration

Security administrators should be aware of the importance of configuration management. It is used to control the software project versions and the changes made to the software configuration. It has 4 main components:

• Configuration identification: administrators document the configuration of coherent software products throughout the organization.

• Configuration control: this phase verifies that the changes are made in accordance with the change control policies. Updates can be made only from authorized distributions in accordance with those policies.

• Configuration status accounting: at this stage, procedures are used to track authorized changes.

• Configuration audit: it ensures that there are no unauthorized configuration changes.

2.6 DevOps Approach

It is a combination of software development and operations that cooperate to respond to the requirements while maintaining high quality.

Figure 2.3: DevOps Approach


2.7 Application Programming Interfaces (APIs)

Nowadays, web applications need interactions between different web services. Therefore, organizations offer APIs to facilitate these interactions through function calls. APIs pose some security risks, so developers must enforce an authentication requirement. This authentication is done by providing authorized API users with an API key that is passed with each API call. The backend system validates this API key before processing a request, while ensuring that the request is authorized to call the specific API.
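An added illustration of the API key check described above (example code written for this report's topic, not Leoni's or any vendor's implementation; the key values, owners, scopes and routes are constructed):

```python
import hmac
import hashlib
from dataclasses import dataclass, field

def _h(key: str) -> str:
    """Digest of a key; the backend stores digests, never raw keys."""
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed sample key store (hypothetical values): each issued key maps
# to its owner and the set of API operations it is authorized to call.
API_KEYS = {
    _h("partner-key-0001"): {"owner": "partner-a", "scopes": {"orders:read"}},
    _h("internal-key-0002"): {"owner": "erp-bridge",
                              "scopes": {"orders:read", "orders:write"}},
}

# Scope required for each specific API (constructed routes).
REQUIRED_SCOPE = {
    ("GET", "/api/orders"): "orders:read",
    ("POST", "/api/orders"): "orders:write",
}

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

def lookup_key(presented: str):
    """Return the record for a presented key, or None.

    Comparing SHA-256 digests with hmac.compare_digest keeps the check
    constant-time, and a leaked store does not expose usable keys."""
    digest = _h(presented)
    for stored_digest, record in API_KEYS.items():
        if hmac.compare_digest(stored_digest, digest):
            return record
    return None

def authorize(req: Request):
    """Step 1: validate the key sent with the call.
    Step 2: check that this key may call this specific API.
    Returns (HTTP status, reason)."""
    presented = req.headers.get("X-API-Key")
    if not presented:
        return 401, "missing API key"
    record = lookup_key(presented)
    if record is None:
        return 401, "unknown API key"
    needed = REQUIRED_SCOPE.get((req.method, req.path))
    if needed is None:
        return 404, "no such API"
    if needed not in record["scopes"]:
        return 403, f"key of {record['owner']} lacks scope {needed}"
    return 200, f"ok for {record['owner']}"
```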

2.8 Software Testing

After programming a software project, it is necessary to check and test the project's operations. There are 3 software testing methods:

• White-box testing: this method examines the code itself line by line and analyzes the program for potential errors.

• Black-box testing: it examines the software project by using different input scenarios and inspecting the output, with no need to view the code.

• Gray-box testing: testers examine the code to help design their tests and also examine the software by analyzing inputs and outputs.

The security of software also needs testing. There are 2 categories of security testing:

• Static test: it verifies the security of software by analyzing either the source code or the compiled application without running the project. Static testing uses an automated tool designed to detect flaws.

• Dynamic test: it tests the software in running mode. It can use a web application scanning tool to detect flaws in web applications.

2.9 Code repository

Code repositories are made to facilitate software development. Some code repositories support open source software development for public users, and others contain code with secret information, limited to authorized developers and users who have read and/or write access. Developers must take care of their access controls and should not include any sensitive information in a public code repository.


2.10 Service Level Agreements (SLAs)

It is a contract between an organization and internal/external customers to provide an agreed level of different services.

2.11 Software Acquisition

It is a set of rules which direct how software will be obtained. The rules will vary according to need.

It may state where software will and will not come from, who decides where it comes from, who may install it, the methods of delivery and installation, who is responsible for maintaining the usage licenses and how often software requirements are reviewed. Some policies will go further and incorporate rules on software disposal, but others will put those rules into a separate software disposal policy.

2.12 Establishing databases and data warehousing

Because many projects need users' private information, using databases is a solution to store this information safely.

Database management system architecture

There are 2 architectural types: hierarchical and distributed databases, and relational databases.

Hierarchical and distributed databases

It is a one-to-many data model. It combines attributes and tuples related in a logical tree structure. The distributed data model stores data in different databases that are logically connected. It is a many-to-many data model.

Relational database

It is a database composed of two-dimensional tables containing the attributes of an object. The relationship between the tables is defined to identify related tuples. The tuples are identifiable using a variety of keys.


• Candidate key: a subset of attributes that can be used to uniquely identify any record in a table.

• Primary key: it is selected from the candidate keys of a table to be used to uniquely identify tuples in the table.

• Foreign key: for managing relationships between multiple tables and ensuring data consistency. It ensures that if one table contains a foreign key, it corresponds to a still-existing primary key in the other table in the relationship.

All relational databases use the Structured Query Language (SQL) for accessing and manipulating databases.

Database transactions

A transaction is a set of separate actions that must all be completely processed, or none processed at all. It can consist of multiple SQL statements, not just one. All database transactions require 4 characteristics known as ACID:

Atomicity: this means that a transaction must remain whole: it is all or nothing. So, the transaction as a whole must either fully succeed or fully fail. If and when the transaction is a success, all of the changes must be saved by the system. If the transaction fails, then all of the changes made by the transaction must be completely undone and the system must revert back to its original state before the changes were applied.

Consistency: this means that a transaction should change the database from one consistent state to another.

Isolation: this means that each transaction should do its work independently of other transactions that might be running at the same time.

Durability: this means that any changes made by transactions that have run to completion should stay permanent, even if the database fails or shuts down due to something like power loss.
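An added example of atomicity for a transaction made of two SQL statements, using Python's sqlite3 module on a constructed in-memory database (example code for this report's topic, not code from the report):

```python
import sqlite3

def new_db() -> sqlite3.Connection:
    """Constructed sample database: two accounts, and a CHECK constraint
    that keeps the database consistent by forbidding negative balances."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?)",
                     [("alice", 100), ("bob", 20)])
    conn.commit()
    return conn

def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move money between accounts as ONE transaction of two UPDATEs.
    Returns True when committed, False when the whole transaction was
    rolled back."""
    try:
        # sqlite3's context manager commits when the block succeeds and
        # rolls back every statement of the transaction on an exception.
        with conn:
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?",
                         (amount, dst))
            # If src would be overdrawn, the CHECK constraint rejects this
            # second statement and the first UPDATE is undone with it.
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?",
                         (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False

def balances(conn: sqlite3.Connection) -> dict:
    """Current balances, used to observe that a failed transfer left no trace."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))
```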

Security for multilevel databases

In a multilevel secure database, users cleared at different security levels access and share a database consisting of data at different sensitivity levels. A powerful and dynamic approach to assigning sensitivity levels to data is one which utilizes security constraints or classification rules. Security constraints provide an effective and versatile classification policy. They can be used to assign security levels to the data depending on their content and the context in which the data is displayed. They can also be used to dynamically re-classify the data. In other words, the security constraints are essential for describing multilevel applications. Various types of security constraints have been defined. They include the following:

1. Constraints that classify a database, relation or an attribute

2. Constraints that classify any part of the database depending on the value of some data

3. Constraints that classify any part of the database depending on the occurrence of some real-world event

4. Constraints that classify associations between data

5. Constraints that classify any part of the database depending on the information that has been previously released

6. Constraints that classify collections of data

7. Constraints that classify any part of the database depending on the security level of some data

8. Constraints which assign fuzzy values to their classifications.

Concurrency

Concurrency is an edit control: it locks data to allow one user to make changes and deny the others, and then unlocks it to allow others to access the data they need. It becomes a detective control when administrators use concurrency together with auditing mechanisms to track data changes.

Other security mechanisms

Administrators may use features to maintain data integrity and availability, and they can also make security access control more granular.

• Content Dependent Access Control is a method for controlling the access of users to resources based on the content of the resource. CDAC is primarily used to protect databases containing potentially sensitive data.

23

Page 29: Audit and security application report

• Cell-suppression is the concept of hiding individual database �elds or imposing moresecurity restrictions on them

• Context Based Access Control means that the decision whether a user can access aresource doesn't depend solely on who the user is and which resource it is

• Database partitioning Partitioning a database improves performance and simpli�esmaintenance. By splitting a large table into smaller, individual tables, queriesthat access only a fraction of the data can run faster because there is less data toscan.

• Polyinstantiation: is the concept of type being instantiated into multiple independentinstances (objects, copies). A multilevel relation is said to be polyinstantiatedwhen it contains two or more tuples with the same apparent primary key values.
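The constraint types listed above and the polyinstantiation bullet, as an added Python example that is not code from the report: a small multilevel relation whose rows are classified by content, association and level constraints, filtered by clearance, and checked for polyinstantiation. The levels, rules and sample rows are constructed for illustration.

```python
"""Multilevel relation with classification constraints and polyinstantiation.

Added example, not code from the report or from the company. The levels,
constraint rules and sample rows are constructed for illustration.
"""
from dataclasses import dataclass, field

# Linear ordering of sensitivity levels (constructed).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(clearance: str, level: str) -> bool:
    """True when a clearance is at least as high as a data level."""
    return RANK[clearance] >= RANK[level]


@dataclass
class Row:
    """One tuple of the relation MISSION(name, destination, payload)."""
    name: str            # apparent primary key
    destination: str
    payload: str
    base_level: str      # level given explicitly when the row was inserted
    level: str = field(init=False)

    def __post_init__(self):
        self.level = self.base_level


# Security constraints: each rule returns the minimum level it requires for a
# row, or None when it does not apply (constraint types 1, 2, 4 and 7 above).
def content_constraint(row: Row):
    """Content-dependent: a WEAPONS payload makes the whole row SECRET."""
    return "SECRET" if row.payload == "WEAPONS" else None


def association_constraint(row: Row):
    """Association: name together with destination is CONFIDENTIAL, even
    though each value on its own is unclassified."""
    return "CONFIDENTIAL" if row.name and row.destination else None


def level_constraint(row: Row):
    """Level-dependent: a row never drops below the level it was stored at."""
    return row.base_level


CONSTRAINTS = [content_constraint, association_constraint, level_constraint]


def classify(row: Row) -> str:
    """Apply every constraint; the effective level is the highest one required."""
    required = [lvl for rule in CONSTRAINTS if (lvl := rule(row)) is not None]
    row.level = max(required, key=lambda lvl: RANK[lvl])
    return row.level


def view_for(clearance: str, relation: list) -> list:
    """Rows a subject may read: only those whose level the clearance dominates."""
    return [r for r in relation if dominates(clearance, r.level)]


def is_polyinstantiated(relation: list) -> bool:
    """True when two or more rows share the same apparent primary key."""
    names = [r.name for r in relation]
    return len(names) != len(set(names))


def build_relation() -> list:
    """Constructed data: mission 'Alpha' exists twice, a cover story visible at
    CONFIDENTIAL and the real entry classified higher by the content rule."""
    rows = [
        Row("Alpha", "Lisbon", "FOOD", "UNCLASSIFIED"),
        Row("Alpha", "Tunis", "WEAPONS", "UNCLASSIFIED"),
        Row("Bravo", "Oslo", "MEDICINE", "CONFIDENTIAL"),
    ]
    for row in rows:
        classify(row)
    return rows


if __name__ == "__main__":
    relation = build_relation()
    for row in relation:
        print(f"{row.name:6} {row.destination:7} {row.payload:9} -> {row.level}")
    print("polyinstantiated:", is_polyinstantiated(relation))
    print("CONFIDENTIAL view:",
          [(r.name, r.payload) for r in view_for("CONFIDENTIAL", relation)])
```

A CONFIDENTIAL reader sees only the cover story for Alpha, so the relation looks consistent to it, while a SECRET reader sees both tuples with the same apparent key.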

Storage data and information

Data is processed through a computer's storage resources, both memory and physical resources.

Type of storage

• Primary storage contains real memory (RAM), the main memory connected to the system's CPU through the memory bus, as well as registers and cache memories. Primary storage is usually the highest-performance storage resource available to a system.

• Secondary storage consists of cheaper, nonvolatile storage resources such as tapes, disks, hard drives, flash drives and CD/DVD storage.

Storage threats

Information security professionals should be aware of two main threats posed against data storage systems.

1. The threat of illegitimate access to storage resources exists no matter what type of storage is in use. Therefore, administrators should protect against attacks that access the physical storage directly to find data. In addition, systems that work with multilevel security should ensure that data from one classification level is not readable at another level.

2. Covert channel attacks are those where two entities communicate by manipulating shared resources in unintended ways, endangering critical assets. Attackers can use such a mechanism to leak sensitive information, thus violating provably correct information flow policies.

2.13 Understanding knowledge-based systems

Engineers and developers use a knowledge base to solve complex problems.

Expert systems

An expert system has two main components: the knowledge base and the inference engine.

Knowledge base: experts solve complex problems by reasoning about knowledge expressed as a series of if-then statements.

Inference engine: experts reason in a logical way, with fuzzy logic techniques depending on past experience, to solve problems; the engine analyzes the information in the knowledge base to arrive at the appropriate decision.

Neural networks

The network is composed of a large number of highly interconnected processing elements working in parallel to solve a specific problem. Neural networks learn by example or from experience.

Decision support system

It is an application that analyzes business data and presents it so that users can make business decisions more easily. It is an informational application that collects the data in the course of normal business operation.

Security Applications

Many security applications are offered for both expert systems and neural networks. These security applications can provide an inference engine and a knowledge base to draw information from different audit logs across a network and to notify security administrators when the activity of an individual user varies from the user's standard usage profile.
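An added Python example (not from the report) of the detection described here: the knowledge base is a set of per-user usage profiles plus if-then rules, and the inference engine fires those rules over audit log lines to notify the administrator. The log format, users, hosts and rules are constructed.

```python
"""Rule-based (if-then) anomaly detection over audit log lines.

Added example, not code from the report. The log format, the users, hosts
and rules are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log format: "<date> <time> key=value key=value ..."
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def parse_event(line: str) -> dict:
    """Turn one log line into a dict; raises ValueError on malformed lines."""
    match = LINE.match(line.strip())
    if match is None:
        raise ValueError(f"unparseable log line: {line!r}")
    stamp, rest = match.groups()
    event = dict(part.split("=", 1) for part in rest.split() if "=" in part)
    event["time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return event


def build_profiles(events: list) -> dict:
    """Knowledge base, part 1: each user's standard usage profile, learned
    from a window of past activity (hosts used and hours of activity)."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for event in events:
        profile = profiles[event["user"]]
        profile["hosts"].add(event["host"])
        profile["hours"].add(event["time"].hour)
    return dict(profiles)


# Knowledge base, part 2: if-then rules comparing an event with a profile.
RULES = [
    ("activity from a host outside the user's profile",
     lambda ev, p: ev["host"] not in p["hosts"]),
    ("activity at an hour outside the user's profile",
     lambda ev, p: ev["time"].hour not in p["hours"]),
    ("failed privileged action",
     lambda ev, p: ev.get("action") == "sudo" and ev.get("result") == "fail"),
]


def infer(profiles: dict, events: list) -> list:
    """Inference engine: fire every rule whose condition holds and return
    (user, notification) pairs for the security administrator."""
    notifications = []
    for event in events:
        profile = profiles.get(event["user"])
        if profile is None:
            notifications.append((event["user"], "no usage profile for this user"))
            continue
        for message, condition in RULES:
            if condition(event, profile):
                notifications.append((event["user"], message))
    return notifications


# Constructed sample logs: a baseline window and the new events to examine.
BASELINE = [
    "2016-06-06 08:55:10 host=WS-001 user=alice action=login result=ok",
    "2016-06-06 17:02:41 host=WS-001 user=alice action=logout result=ok",
    "2016-06-07 09:10:03 host=WS-002 user=bob action=login result=ok",
]
NEW_EVENTS = [
    "2016-06-13 08:58:22 host=WS-001 user=alice action=login result=ok",
    "2016-06-13 03:14:07 host=WS-009 user=alice action=sudo result=fail",
    "2016-06-13 09:30:00 host=WS-002 user=carol action=login result=ok",
]


def run() -> list:
    """Learn profiles from the baseline, then examine the new events."""
    profiles = build_profiles([parse_event(line) for line in BASELINE])
    return infer(profiles, [parse_event(line) for line in NEW_EVENTS])


if __name__ == "__main__":
    for user, message in run():
        print(f"notify admin: user {user}: {message}")
```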


Conclusion

Within this chapter, we introduced security in application development as a whole, as well as application development patterns and life cycles.


Chapter 3

Security Testing

Introduction

Testing is an important part of software development and it is vital to start it as early as possible; its objective is to find the flaws and vulnerabilities of a system. Throughout this chapter, we will introduce some testing techniques that help to identify software flaws.

3.1 Security Testing Description

Security testing is basically a type of software testing that is done to check whether the application or product is secure or not. It checks whether the application is vulnerable to attacks, and whether anyone can hack the system or log in to the application without any authorization. Security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner.

3.2 Security Testing in SDLC phases

Unit Test - Coding phase

During the life cycle of a process, tests are implemented in different phases; the unit test belongs to the coding phase.


Unit tests test the logic in classes and are written by programmers to show code-level correctness. They should be fast and not dependent on other parts of the system that you don't intend to test. The primary goal of unit testing is to take the smallest piece of testable software in the application, isolate it from the remainder of the code, and determine whether it behaves exactly as you expect. Each unit is tested separately before integrating the units into modules to test the interfaces between modules. Unit testing has proven its value in that a large percentage of defects are identified during its use.

Integration Test - integration and validation phase

Integration testing identifies problems that occur when units are combined. By using a test plan that requires you to test each unit and ensure the viability of each before combining units, you know that any errors discovered when combining units are likely related to the interface between units. This method reduces the number of possibilities to a far simpler level of analysis. The idea is to test combinations of pieces and eventually expand the process to test your modules with those of other groups. Eventually all the modules making up a process are tested together. Beyond that, if the program is composed of more than one process, they should be tested in pairs rather than all at once.

Functional Test - integration and validation phase

Functional testing is a quality assurance (QA) process and a type of black-box testing that bases its test cases on the specifications of the software component under test. Functions are tested by feeding them input and examining the output; internal program structure is rarely considered. It usually describes what the system does. Functional testing typically involves six steps:

1. The identification of the functions that the software is expected to perform

2. The creation of input data based on the function's specifications

3. The determination of the expected output based on the function's specifications

4. The execution of the test case

5. The comparison of actual and expected outputs

6. Checking whether the application works as the customer needs.


3.3 Fuzzing Test

Fuzzing is a method of testing software to find security holes and unexpected behavior in an application using semirandom data. It consists of injecting invalid or random inputs in order to reveal unexpected behaviour, identify errors and expose potential vulnerabilities.

Fuzzing Test Process

Figure 3.1: Fuzzing Test process

The fuzzing process is defined as follows. First, a generator produces test inputs. Second, the test inputs are delivered to the system under test; the delivery mechanism depends on the type of input that the system processes. Third, the system under test is monitored for crashes and other basic undesirable behavior. Reports describing the results of the test can also be generated automatically. One can monitor the target application in many ways:

• Observation of program behavior

• Logs

• Debuggers (!exploitable...)

• Files, processes and network monitors


• Virtualization (VMWare)

• Source code modifications (breakpoints)

• Additional techniques (Valgrind, GuardMalloc)

• Combined techniques

Fuzzing Test and SDLC

Figure 3.2: Fuzzing Test process

The application is tested by a previously prepared fuzzer. The test results are verified by testers and then sent to the programmers. If any errors occur, the programmers must fix the application. The new build must once again pass the fuzzing process.
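The generator, delivery, monitor and report steps of the process above, and the fix-and-retest loop, as an added Python example that is not code from the report or from any fuzzing tool: a mutation-based loop is run against a constructed fragile record parser, then re-run against its hardened build so that the new build passes the fuzzing process.

```python
"""Minimal fuzzing loop: generator -> delivery -> monitor -> report -> re-test.

Added example, not code from the report or from any fuzzer. The record
format, the fragile parser and its hardened build are constructed targets.
"""
import random


def parse_record(data: bytes) -> dict:
    """System under test (constructed): parses ASCII 'key=value;key=value'
    records. It trusts its input, so malformed input raises exceptions."""
    text = data.decode("ascii")               # non-ASCII byte -> UnicodeDecodeError
    fields = {}
    for item in text.split(";"):
        key, value = item.split("=", 1)       # missing '=' -> ValueError
        fields[key] = value
    fields["count"] = int(fields["count"])    # missing/non-numeric -> KeyError/ValueError
    return fields


def parse_record_fixed(data: bytes):
    """Hardened build of the same parser: validates instead of trusting and
    returns None for input it cannot accept, never an uncaught exception."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    fields = {}
    for item in text.split(";"):
        if "=" not in item:
            return None
        key, value = item.split("=", 1)
        fields[key] = value
    if not fields.get("count", "").isdigit():
        return None
    fields["count"] = int(fields["count"])
    return fields


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Generator: derive a semirandom test input from a valid seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(["flip", "delete", "insert", "truncate"])
        if op == "flip" and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == "delete" and data:
            del data[rng.randrange(len(data))]
        elif op == "insert":
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == "truncate" and data:
            del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target, corpus: list, iterations: int = 300, seed: int = 1) -> dict:
    """Deliver generated inputs to the target, monitor for uncaught
    exceptions (the crash signal here) and build a report with one entry
    per distinct exception type and the input that reproduces it."""
    rng = random.Random(seed)
    report = {"runs": 0, "crashes": []}
    seen = set()
    for _ in range(iterations):
        case = mutate(rng, rng.choice(corpus))
        report["runs"] += 1
        try:
            target(case)
        except Exception as exc:
            kind = type(exc).__name__
            if kind not in seen:
                seen.add(kind)
                report["crashes"].append({"type": kind, "input": case})
    return report


def reproduces(target, crash: dict) -> bool:
    """Testers verify a finding by replaying its input against the target."""
    try:
        target(crash["input"])
    except Exception as exc:
        return type(exc).__name__ == crash["type"]
    return False


CORPUS = [b"name=alpha;count=3", b"name=bravo;site=TN01;count=12"]  # constructed seeds

if __name__ == "__main__":
    first = fuzz(parse_record, CORPUS)
    print(f"fragile build: {first['runs']} runs, crash types: "
          f"{[c['type'] for c in first['crashes']]}")
    second = fuzz(parse_record_fixed, CORPUS)
    print(f"hardened build: {second['runs']} runs, crashes: {second['crashes']}")
```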

Advantages

• Full automatization (in most cases)

• Fuzzers find real vulnerabilities

• Ability to identify bugs which are hard to find by manual testing

• Ability to quickly obtain satisfactory results (first bug)


Disadvantages

• Inability to find logical bugs

• Inability to find complex bugs

• The time required to perform a test is very hard to specify

3.4 Security test cases

A security test case cheat sheet or checklist can provide simple test cases and attack vectors that testers can use to validate exposure to common vulnerabilities.

Case of input validation

Input validation is the correct testing of any input; we should verify that the data is strongly typed, has correct syntax, is within length boundaries, contains only permitted characters, and that numbers are correctly signed and within range boundaries.
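An added Python example (not from the report) implementing exactly that checklist as a reusable validator; the field specifications for a site code, a host name and a day offset are constructed.

```python
"""Input validation checks from the test-case list: strong typing, syntax,
length bounds, permitted characters, signed numbers within range.

Added example, not code from the report. The field specifications (site
code, host name, day offset) are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FieldSpec:
    name: str
    kind: type                       # strong typing: required Python type
    min_len: int = 0                 # length boundaries (strings)
    max_len: int = 255
    pattern: Optional[str] = None    # correct syntax (full-match regex)
    allowed: Optional[str] = None    # permitted characters
    minimum: Optional[int] = None    # range boundaries (signed numbers)
    maximum: Optional[int] = None


def validate(spec: FieldSpec, value) -> list:
    """Return every violation found, an empty list when the value is valid.
    Type is checked first: nothing else is meaningful on a wrong type."""
    wrong_bool = spec.kind is int and isinstance(value, bool)   # bool is an int subclass
    if wrong_bool or not isinstance(value, spec.kind):
        return [f"{spec.name}: expected {spec.kind.__name__}, "
                f"got {type(value).__name__}"]
    errors = []
    if isinstance(value, str):
        if not spec.min_len <= len(value) <= spec.max_len:
            errors.append(f"{spec.name}: length {len(value)} not in "
                          f"[{spec.min_len}, {spec.max_len}]")
        if spec.allowed is not None:
            bad = sorted({ch for ch in value if ch not in spec.allowed})
            if bad:
                errors.append(f"{spec.name}: characters not permitted: {bad}")
        if spec.pattern is not None and re.fullmatch(spec.pattern, value) is None:
            errors.append(f"{spec.name}: does not match syntax {spec.pattern}")
    else:
        if spec.minimum is not None and value < spec.minimum:
            errors.append(f"{spec.name}: {value} below minimum {spec.minimum}")
        if spec.maximum is not None and value > spec.maximum:
            errors.append(f"{spec.name}: {value} above maximum {spec.maximum}")
    return errors


def validate_record(specs: list, record: dict) -> list:
    """Validate a whole input record; missing fields are violations too."""
    errors = []
    for spec in specs:
        if spec.name not in record:
            errors.append(f"{spec.name}: missing")
        else:
            errors.extend(validate(spec, record[spec.name]))
    return errors


# Constructed field specifications.
SITE_CODE = FieldSpec("site_code", str, min_len=3, max_len=8,
                      pattern=r"[A-Z]{2}[0-9]{1,6}",
                      allowed="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
HOST_NAME = FieldSpec("host_name", str, min_len=1, max_len=15,
                      pattern=r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
DAY_OFFSET = FieldSpec("day_offset", int, minimum=-30, maximum=0)
SPECS = [SITE_CODE, HOST_NAME, DAY_OFFSET]

if __name__ == "__main__":
    good = {"site_code": "TN01", "host_name": "WS-1234", "day_offset": -5}
    bad = {"site_code": "tn01", "host_name": "-bad", "day_offset": "5"}
    print("good:", validate_record(SPECS, good))
    print("bad:", validate_record(SPECS, bad))
```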

Case of Access Control

Access control policies can be specified in programming languages or policy specification languages and implemented in a particular access control implementation. Policies need to be carefully designed and implemented to prevent unauthorized access to data, disclosure of sensitive data, DoS and DDoS attacks, etc.

Case of Cryptography Policy

The cryptography policy sets out when and how encryption should (or should not) be used. It includes protection of personal, confidential and commercially sensitive information and communications, key management, and procedures to ensure that encrypted information can be recovered by the organisation if necessary.

Case of Authentication and Session Management

Authentication is the process of verifying that an individual, entity or website is who it claims to be.
Session management is the process by which a server maintains the state of an entity interacting with it. Sessions are maintained on the server by a session identifier which can be passed back and forth between the client and the server when transmitting and receiving requests. Sessions should be unique per user and very difficult to predict.

Case of Data Protection

Limit access to data based on the least privilege principle. Encrypt sensitive data and information such as stored passwords and connection strings, and properly protect the decryption keys. We should make sure that all cached or temporary copies of sensitive data are protected from unauthorized access and purged as soon as they are no longer required.

Communication Security

When transmitting sensitive information, at any tier of the application or network architecture, encryption in transit should be used. We should use a trusted certificate authority to generate public and private keys whenever possible. Moreover, proper security controls must be in place to protect the private keys from unauthorized access.

Conclusion

Secure applications can ensure system safety and security. They can impede attacks by hackers. Security testing is one of the most important tests that you should conduct on an application before introducing it to the commercial domain.


Chapter 4

Secure Computing

Introduction

Before we get into the work that has been done for this project, we need a better understanding of the security attributes of a standard computer system, of threat models and methodologies, and of their respective tools.

4.1 Security Attributes and Terms

Malware

Malicious software, or malware, is software developed by a hacker in order to harm a computer system. There are different types of malware:

Virus

It's malware transmitted via a network or through removable media. It settles into programs and parasitizes them, producing harmful effects that infect these programs. We distinguish:

Boot virus : it is loaded into memory at startup and takes control of the computer

Application virus : it infects an executable program and triggers its execution


Macro virus : A hacker is a person who circumvents or destroys the protective software, a computer or a computer network for malicious purposes.

Worm

A worm is independent malware that spreads from computer to computer through the Internet or any other network and disrupts the functioning of the systems involved; it is executed by the users themselves. Worms are often designed to saturate the available resources or to extend the duration of processing. They can also destroy a computer's data, disrupt the operation of the network or illegally transfer information. A worm can produce its effects immediately or in a deferred manner. Unlike viruses, worms do not implant themselves within another program; they spread autonomously.

Trojan horse

A Trojan is apparently harmless software, installed or downloaded, in which malware has been hidden that can, for example, enable the fraudulent collection, falsification, or destruction of data. The Trojan does not reproduce.

Spyware

Spyware is software designed to collect data or system information for third parties without the knowledge of the user.

Adware

Adware is software that displays advertisements on the computer screen and transmits information to its publisher in order to tailor those ads to the user's profile. Adware is often integrated or combined with freeware or shareware that has a different purpose, and it is treated as spyware.

Vulnerability

A vulnerability is seen as a weakness in the system which allows an attacker to reduce or completely remove the system's information assurance.

Threat

A threat is seen as a possible danger that could exploit the above-mentioned vulnerabilities. It can be either intentional or accidental. An intentional example would be an attacker sending malicious code to the system to cause a denial of service, while an accidental threat can be related to any natural disaster that could cause physical harm to the system.

Attack

An attack is an attempt to destroy, expose, alter, or steal information within the system. It is also defined.

Risk

A risk is the likelihood and impact of a possible threat or attack.

Asset

An asset within a system can be data, a device, or any other component that supports information-related activities. This is an important aspect to consider, since an entire system is made up of various assets that have to be considered when dealing with overall security.

4.2 Threat Models

A threat model describes the security aspects of a particular kind of system by associating a set of potential vulnerabilities, threats and attacks, while keeping in mind the potential set of assets incorporated with specific functions or use cases.
Assets play an important role when considering the possible threats to a particular system. Without a set of target assets for the system, threats cannot exist within that system. At the same time, however, without assets there's a possibility that there is no system to.
Risk assessment is normally done after the threat modeling process in order to map each threat either to a mitigation mechanism or to an assumption that is not worth worrying about in certain contexts.

CIA Model

The CIA model is described by its aspects: Confidentiality, Integrity and Availability.


Figure 4.1: CIA Model

Confidentiality : definition and enforcement of appropriate access levels for sensitive information.

Integrity : protection of data from being modified or deleted by an unauthorized party, and ensuring that authorized changes that should not have been made can be undone.

Availability : ensures that access to all the resources needed to provide information is always available.

Most security experts are familiar with this particular model, as it is the basis for describing the most important security aspects of a system. The CIA model gave us a foundation on which we were able to build in order to create a more detailed threat modeling system.

STRIDE Model

The STRIDE model is an alternative approach to threat modeling that was proposed by Microsoft. The name STRIDE is based on the initial letters of the possible threats.

Spoofing: attackers pretend to be someone or something they are not;

Tampering: attackers change data in transit or in a data store;


Repudiation: attackers perform actions that cannot be traced;

Information Disclosure: attackers gain access to data in transit or in a data store that they shouldn't have access to;

Denial of Service: attackers interrupt the normal operation of the system;

Elevation of privilege: attackers perform actions they are not authorized to perform.

This model classifies threats according to their categories. By using these categories of threats, one has the ability to create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks.

4.3 Methodologies / Modeling tools

Multiple modeling tools were considered for this project. The tool should be consistent, flexible in the sense that it can be adapted to our purposes, and as thorough as possible with regard to the basics of cyber security. Below is a brief description of each tool that was researched, with some small discussion details.

Microsoft SDL Threat Modeling Tool 2016

The MS threat modeling tool 2016 is a tool that helps to find the different threats in the software development lifecycle. The SDL Threat Modeling Tool enables any developer or software architect to:

• Communicate about the security design of their systems

• Analyze those designs for potential security issues using a proven methodology

• Suggest and manage mitigations for security issues

It graphically identifies the processes and data flows (DFD) that comprise an application or service and offers

• an easy drawing environment,

• automatic threat generation using the STRIDE-per-interaction approach,

• an option for user-defined threats to be added.


It follows a well-defined process:

Figure 4.2: MS Threat Modeling Tool process

Diagram : with this tool, we can drag and drop to build an understanding and a simple DFD for any use case or function specified. The elements of this DFD are explained below.

Figure 4.3: Data Flow Diagram elements

Identify threats : once the model is complete, the MS threat modeling tool can be used to automatically analyze the model and determine, using the STRIDE model, what kind of threats apply to the function. Every threat could affect any type of DFD element.


Figure 4.4: Threats for each DFD's elements

Mitigation : mitigation is the point of threat modeling. Threats are further analyzed by exploring the attack paths, the root causes that allow the threat to be exploited, and the necessary mitigation controls. We need, first of all, to get specific about threat manifestation.

Threat                   What we want
Spoofing                 Authentication
Tampering                Integrity
Repudiation              Nonrepudiation
Information Disclosure   Confidentiality
Denial of Service        Availability
Elevation of privilege   Authorization

Table 4.1: Threat manifestation

When using STRIDE, the following threat-mitigation table can be used to identify the techniques that can be employed to mitigate the threats.


Figure 4.5: Standard mitigations

Once threats and the corresponding countermeasures are identified, it is possible to derive a threat profile with the following criteria:

1. Non-mitigated threats: threats which have no countermeasures and represent vulnerabilities that can be fully exploited and cause an impact

2. Partially mitigated threats: threats partially mitigated by one or more countermeasures, which represent vulnerabilities that can only partially be exploited and cause a limited impact

3. Fully mitigated threats: these threats have appropriate countermeasures in place and do not expose a vulnerability or cause an impact

Validate : validation is done in three steps

1. Validate threat models: here, we need to verify the whole threat model; the diagrams must match the final code, and each threat needs to be mitigated in the right way.

2. Validate quality of threats and mitigations: we need to confirm that the threats describe the attack, the context and also the impact. In addition, mitigations must be associated with the threat, be described very well, and a bug must also be filed for each of them.

3. Validate information captured: we need to validate the dependencies, if we use some, and validate the things we noted while building the threat model.

OCTAVE

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based strategic assessment and planning technique for security. It is mainly known for being self-directed. This means that people from a company or organization assume responsibility for setting their own security strategy.
OCTAVE targets organizational risk and concentrates mainly on strategic, practice-related issues. The evaluation methodology is flexible enough to accommodate most organizations. It also utilizes not only people from the information technology department but also those from operational departments, to address the security needs of the organization as a whole.
It is important to also note some of the key characteristics of the OCTAVE approach. For example, OCTAVE is an asset-driven evaluation approach. Teams that analyze a specific system or infrastructure:

1. Identify information-related assets that are important to the organization

2. Focus risk analysis on those assets judged to be most critical to the organization

3. Consider the relationships among critical assets, threats to those assets, and vulnerabilities that can expose the specified assets to threats

Microsoft Threat Analysis and Modeling Tool

The Threat Analysis and Modeling Tool (TAM) is an asset-focused tool designed for LOB applications. It is used for applications for which the business objectives, deployment pattern, data assets and access control are clearly defined. The focus of the tool is to understand the business risk in the application, help identify the controls needed to manage that risk, and protect the assets.

The Microsoft Threat Analysis and Modeling tool allows non-security subject matter experts to enter already known information, including business requirements and application architecture, which is then used to produce a feature-rich threat model.
The threat tree is a method to explore valid attack paths; it represents the conditions needed to exploit the threat. It determines all the combined vulnerabilities associated with a threat and focuses on mitigating the vulnerabilities that form the "path of least resistance".

Figure 4.6: Threat Tree

Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

• Data access control matrix

• Component access control matrix

• Subject-object matrix

• Data Flow

• Call Flow

• Trust Flow

• Attack Surface

• Focused reports

4.4 The ISO 27002 Standard

The ISO/IEC 27002 standard is a code of practice for information security management. It is a general advisory document and not a formal specification. It recommends information security measures addressing the control objectives that result from the information risks to the confidentiality, integrity and availability of information.
According to the ISO 27002 standard, we must ensure that information security is part of information systems when providing services over public networks.

Conclusion

Throughout this chapter, we presented the master keys of our work, which will be detailed in the next chapter.


Chapter 5

Use case Based on Threat Models

Introduction

During my internship in Leoni Wiring System Tunisia, we were asked to look for threats in different scripts. In this chapter, we will present the fruit of our work.

5.1 Script threat analysis

Technical description script

The application is named Sophos Unmanaged machines followup tool. This application will query the Sophos database to generate the unmanaged machines in the different Leoni sites. The list of sites can be found in a text file named "OUlist.txt" located in the same folder as the application.
After querying the Sophos database for unmanaged machines in the different sites, the application will create a folder with the current date as name (DD-MM-YYYY). In this folder, the application will generate an Excel file for each site. The Excel file will contain four columns: one for the machine name; one for the DNS status (it contains the result of nslookup against the concerned machine: if the machine has a DNS entry, the label will contain "Has DNS entry", otherwise it will contain "Has no DNS entry"); the third for the connectivity status (it contains the result of pinging the machine); and the fourth, named Exempted (whether or not the machine is listed in the "Exception list" described above).
After generating the Excel file with the list of unmanaged machines, the application will look for the corresponding contact person(s) of the concerned site in an Excel file named "ContactList.xlsx" contained in the same folder as the main application. An email will be sent to the contact person(s) with the list of unmanaged machines.

The maintenance of this application will be ensured through the maintenance of "OUlist.txt", which contains the list of the sites to follow up, the "ContactList.xlsx" file, which contains the list of contact persons by site, "EmailBody.txt" to modify the email body, and "ExceptionList.xlsx" to add a technical exception.

Application decomposition

The Threat Analysis and Modeling Tool allows us to decompose the application into roles, data and components.

Roles

We have found two main roles: user roles and service roles.
User roles are assigned to any user who will be interacting with the application. Roles define the trust levels of a software application and are primarily used to make authorization decisions. For this application, we have found only the site's responsible person or the administrator as user. He is the only one who has the ability to solve the problem of an unmanaged machine.

Figure 5.1: Application decomposition - User Roles

Service roles are trust levels, containing specific identities, which define the context of the various components running in the software application. Within this context, we have found the SQL Server, Active Directory, the .Net Framework, Microsoft Excel and the Windows text file.


Figure 5.2: Application decomposition - Services Roles

Data

Data defines the type of information that is maintained, or processed, by the software application. With this application, we needed the Contact List, the Exception List, the Site List, the Mail Body and the unmanaged machines.

Figure 5.3: Application decomposition - Data

Components

Components are the building blocks of a software application that define an instance of a technology type such as a database, a web service, and so on. Within this application we have found as components the SQL Server, Active Directory, the .Net Framework, Microsoft Excel and the Windows text file.

Figure 5.4: Application decomposition - Components


Application Use cases

At this stage, we defined the allowable permissions on the data and the roles that have permissions on it. The specific permissions are captured using Create/Read/Update/Delete. A use case is an ordered sequence of actions used to fulfill a subset of the allowable permissions that are defined in data access. Based on that, the use cases of the application are identified.

Figure 5.5: Application Use cases

For each use case identified, a data flow is generated.

Figure 5.6: Application Use cases - Data Flow Example


5.2 Threat Analysis

Threat analysis is the analysis of the probability of occurrence and of the consequences of attacks within a system.

Attacks

Each use case risks being attacked. Multiple attacks exist, such as:

Buffer Overflow

A buffer overrun occurs when a buffer declared on the stack is overwritten by copying into it data larger than the buffer. Variables declared on the stack are located next to the return address of the function's caller. In a typical attack, the attacker can get a program with a buffer overrun to do something he considers useful, such as binding a command shell to the port of his choice.

Cryptanalysis Attacks

Cryptanalysis is the science of cracking codes, decoding secrets, violating authentication schemes and breaking cryptographic protocols. It is also the science devoted to finding and correcting weaknesses in cryptographic algorithms. It is understood within the field of cryptology that an algorithm should not rely on its secrecy. An algorithm should always be made available for public scrutiny; it is this scrutiny that makes it a well-trusted algorithm. Inevitably, a vulnerability in the algorithm will be exploited.

Denial of Service

A Denial of Service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the disruption of services like e-mail, directory services, etc. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy assets in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of information theft which will cost the organization time and money.


Network Eavesdropping

Network eavesdropping is the act of monitoring network traffic for data, such as clear-text passwords or configuration information. With a simple packet sniffer, all plaintext traffic can be read easily. Also, lightweight hashing algorithms can be cracked, and the payload that was thought to be safe can be deciphered.

SQL injection

A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database. It can occur when an application uses input to construct dynamic SQL statements to access the database. It can also occur if your code uses stored procedures that are passed strings containing raw user input. Using a SQL injection attack, the attacker can execute arbitrary commands in the database. The issue is magnified if the application uses an over-privileged account to connect to the database. In this instance it is possible to use the database server to run operating system commands and potentially compromise other servers, in addition to being able to retrieve, manipulate, and destroy data.
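An added Python example (not the report's tool, whose code is not shown) using an in-memory SQLite table of constructed machine rows: the dynamic-SQL query built from input beside its parameterized form, plus an inclusion-list check on the site code as a second layer; the table and column names are assumptions.

```python
"""Dynamic SQL built from input beside its parameterized replacement.

Added example, not code from the report's Sophos tool. It uses an in-memory
SQLite table with constructed machine rows; table and column names are
assumptions made for the example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: machines per site, managed flag 0/1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (name TEXT, site TEXT, managed INTEGER)")
    conn.executemany("INSERT INTO machines VALUES (?, ?, ?)", [
        ("WS-001", "TN01", 0), ("WS-002", "TN01", 1), ("WS-003", "DE07", 0)])
    conn.commit()
    return conn


def unmanaged_dynamic(conn, site: str) -> list:
    """Vulnerable: the site code is concatenated into the statement, so the
    input decides the query's structure, not just a value inside it."""
    sql = ("SELECT name FROM machines WHERE managed = 0 AND site = '"
           + site + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def unmanaged_parameterized(conn, site: str) -> list:
    """Hardened: a placeholder keeps the statement fixed; the driver passes
    the site code as data, whatever characters it contains."""
    sql = "SELECT name FROM machines WHERE managed = 0 AND site = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (site,))]


def unmanaged_checked(conn, site: str, known_sites: set) -> list:
    """Defence in depth: additionally reject any site code that is not on
    the inclusion list of sites being followed up (set is constructed)."""
    if site not in known_sites:
        raise ValueError(f"unknown site code: {site!r}")
    return unmanaged_parameterized(conn, site)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # the classic textbook test input for this class of bug
    print("dynamic, normal input:", unmanaged_dynamic(db, "TN01"))
    print("dynamic, probe input: ", unmanaged_dynamic(db, probe))
    print("parameterized, probe: ", unmanaged_parameterized(db, probe))
    try:
        unmanaged_checked(db, probe, {"TN01", "DE07"})
    except ValueError as exc:
        print("checked, probe:        rejected:", exc)
```

With the probe input the dynamic query's WHERE clause becomes `managed = 0 AND site = 'x' OR '1'='1'`, which returns every machine, including managed ones and those of other sites; the parameterized query compares the whole string as a site code and returns nothing.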

Threats

With the Threat Analysis and Modeling Tool, threats are classified according to the CIA model, and the tool offers for each threat solutions to deal with it.

Threat factor for Con�dentiality

The primary threat factors for Con�dentiality are the unauthorized disclosure of theexecuting identity and the unauthorized disclosure of the data.

Threat factor for Integrity

The primary threat factors for Integrity are the violation of the access control, violationof business rule, and violation of data integrity.

Threat factor for Availability

The primary threat factors for Availability are unavailability and performance degradation.


5.3 Threat Testing

We created a diagram of the threats for each use case.

Figure 5.7: Threat tree

In this diagram:
- the root node is the threat in question (for example, unauthorized disclosure of read using Active Directory by .Net Role);
- its children are the vulnerability types (for example, LDAP Injection);
- each vulnerability type has an underlying cause (for example, dynamic LDAP queries using untrusted input);
- each underlying cause has a mitigation technique (for example, untrusted input should be validated against an inclusion list).
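As an added example that is not part of the report or of the Threat Analysis and Modeling Tool, the code below implements the mitigation leaf of the threat tree above for the LDAP Injection branch: untrusted input is checked against an inclusion list before it is placed in a dynamic LDAP query, and values are additionally escaped as RFC 4515 requires for filter assertion values. The inclusion-list pattern (letters, digits, dot, underscore, hyphen, up to 64 characters) and the `sAMAccountName` filter shape are assumptions for the example, not LEONI's naming policy.

```python
"""Inclusion-list validation and RFC 4515 escaping for a dynamic LDAP filter.

Added example (not from the report). The account-name pattern and the
filter shape are assumptions made for the demonstration.
"""
import re

# Inclusion list: only these characters and lengths are accepted for an
# account name. Everything else is rejected before any query is built.
ACCOUNT_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


class RejectedInput(ValueError):
    """Raised when untrusted input fails the inclusion list."""


def validate_account_name(value: str) -> str:
    """Return the value unchanged if it matches the inclusion list, else raise."""
    if not ACCOUNT_NAME.fullmatch(value):
        raise RejectedInput(f"account name rejected by inclusion list: {value!r}")
    return value


def escape_filter_value(value: str) -> str:
    """Escape LDAP filter metacharacters per RFC 4515 (second layer of defence)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(untrusted_name: str) -> str:
    """Build the search filter for one account from untrusted input.

    Validation runs first so that metacharacters never reach the query;
    escaping is kept so the filter stays correct even if the inclusion
    list is later widened to allow such characters.
    """
    name = validate_account_name(untrusted_name)
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(name)}))"


def safe_build(untrusted_name: str):
    """Return the filter, or None when the input was rejected."""
    try:
        return build_user_filter(untrusted_name)
    except RejectedInput:
        return None


if __name__ == "__main__":
    # Constructed inputs: one well-formed name, one carrying filter metacharacters.
    for sample in ("j.doe", "*)(objectClass=*"):
        print(f"{sample!r} -> {safe_build(sample)}")
```

Rejecting the input outright (rather than only escaping it) is the behaviour the threat tree prescribes: an account name containing `*`, `(` or `)` is not a legitimate value in this application, so there is no reason to let it through in any form.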


Conclusion

Throughout this chapter, we presented the steps to discover the flaws of a system. Using this tool, we have the opportunity to obtain a comprehensive report detailing each component, each threat and its countermeasures. You will find the report in Appendix A.


Conclusion

The four-week internship spent with the IT Team allowed me to acquire new knowledge in the world of IT and also in the world of security.

This course gave me new knowledge and increased my ability of understanding. I had the chance to discover enterprise solutions such as Sophos, VARONIS and also Safeguard. Furthermore, I had the opportunity to deepen my knowledge in the field of the audit of security applications used by the IT team.

Having a summer internship with a dynamic and rigorous team with a large capacity for work gave me knowledge and expertise, and also taught me how to communicate with team members.


Appendix A: Unmanaged Machines Report


Appendix B: Test on Security Software Development


Contents

Introduction 1

1 Company Presentation 3
1.1 Introduction 3
1.2 History 3
1.3 Leoni structure 4
1.4 Leoni Global Network 5
1.5 Leoni Wiring System Tunisia 6
1.6 Information Management at LEONI 6
1.7 Information Management Service Center North Africa 7
1.8 Information Management IT teams 8
1.9 Information Management IT Security Team 8

2 Security Software Development 13
2.1 Programming Languages 13
2.2 Object Oriented Programming 14
2.3 Avoiding and mitigating system failure 14
2.4 Systems Development Life Cycle (SDLC) 14
2.5 Change and configuration management 18
2.6 DevOps Approach 19
2.7 Application Programming Interfaces (APIs) 20
2.8 Software Testing 20
2.9 Code repository 20
2.10 Service Level Agreements (SLAs) 21
2.11 Software Acquisition 21
2.12 Establishing databases and data warehousing 21
2.13 Understanding knowledge-based systems 25

3 Security Testing 27
3.1 Security testing Description 27
3.2 Security Testing in SDLC phases 27
3.3 Fuzzing Test 29
3.4 Security test cases 31

4 Secure Computing 33
4.1 Security Attributes and Terms 33
4.2 Threat Models 35
4.3 Methodologies / Modeling tools 37
4.4 ISO 27002 Standard 42

5 Use case Based on Threat Models 45
5.1 Script threat analysis 45
5.2 Threat Analysis 49
5.3 Threat Testing 51

Conclusion 52

Appendix A I

Appendix B XXIV


List of Figures

1.1 Wiring Systems Division 4
1.2 Wire & Cable Solutions 5
1.3 Leoni's locations 5
1.4 IM Organization - Bundling of Global Services 6
1.5 IM Service Centers Organization 7
1.6 Information Management Service Center North Africa teams 7
1.7 IT Support levels 8
1.8 Enterprise Solution 9

2.1 Systems Development Life Cycle 15
2.2 Ideal Model Process 18
2.3 DevOps Approach 19

3.1 Fuzzing Test process 29
3.2 Fuzzing Test process 30

4.1 CIA Model 36
4.2 MS Threat Modeling Tool process 38
4.3 Data Flow Diagram elements 38
4.4 Threats for each DFD's elements 39
4.5 Standard mitigations 40
4.6 Threat Tree 42

5.1 Application decomposition - User Roles 46
5.2 Application decomposition - Services Roles 47
5.3 Application decomposition - Data 47
5.4 Application decomposition - Components 47
5.5 Application Use cases 48
5.6 Application Use cases - Data Flow Example 48
5.7 Threat tree 51