Prof. Dr. Sachar Paulus
Uninvited guests: why do hackers all over the world love our SAP landscapes?
Hackers love SAP systems - Prof. Dr. Sachar Paulus - © paulus.consult 2014
About the speaker
- Professor for IT Security at Mannheim University of Applied Sciences
- Previously Dean of Studies for an M.Sc. programme in Security Management
- Research professorship through the EU project „OPTET“: Operational Trustworthiness Enabling Technologies
- Management consultant: SAP security, secure software engineering, information security management systems
Experience
- 8 years with SAP (Director Product Management Security, Chief Security Officer)
- Prior to this, working in SMEs in the area of security solutions and cryptology
Agenda
- SAP compliance requirements
- Hackers and SAP systems
- SAP and the Cloud
- The software life cycle
- Potential reasons
- Recommendations
SAP compliance requirements
Many, many different sources:
- MA Risk, GoBS, IDW PS 330, KonTraG, …
- Sarbanes-Oxley, FDA CFR, PCI DSS, …
Content:
- Critical authorizations
- Critical combinations of authorizations
- Encryption, secure storage
- Digital signatures
These are:
- functional requirements
- on-top solutions
- requirements that need little communication effort
Hackers and SAP systems
How hackers see SAP
- Very complicated, requires a lot of knowledge, proprietary
- But: IF it is interesting, there is no real obstacle. JUST DO IT!
- Since HANA, hackers' interest has been growing
SAP systems are protected by:
- non-functional requirements
- system properties
- communication with the CISO department
Attack surface
- Insiders, social engineering, etc.
- Web-based access and interfaces (e.g. SQL injection)
- SAP-specific weaknesses (e.g. RFC, trusted systems)
- Trojan horses, worms
SAP and the Cloud
Running SAP in the Cloud
- Public Cloud: are the legal requirements met (e.g. data protection regulation)? In which jurisdiction is the data processed? Who has (legitimate) access to the data?
- Public Cloud: are the risks higher than running SAP in-house? That depends on whom you need to protect against…
- Any Cloud: do you trust your service provider?
Using SAP Cloud Services
- There is a considerable offering with different types of services…
- … but in most cases they use standard internet technology
- ==> you need to handle standard internet / web security!
The software life cycle
Where do you NEED to work on security?
- Requirements engineering
- Architecture and design (= mostly prescribed by SAP)
- Coding (specifically customizing)
- Deployment
- Support
Security is important in ANY of these phases: if one piece is missing, all other efforts may not help any more.
Fact: in ALL phases awareness and competence are missing!
- Ex. 1: Do you know your SAP security requirements?
- Ex. 2: Do you install SAP Security Notes in a timely manner?
Potential reasons
Fact: in most organizations, SAP security is way behind "normal" information security management.
Potential reasons:
- SAP operations is separated from other IT services
- Purely functional view on security, no quality view
- No acceptance / understanding of why firewalls are useless
- There is not enough damage happening (or rather, there is not enough communication about attacks)
- Nobody is responsible
- "The software manufacturer is to blame, I cannot do anything about it"
- Access control is so tedious and costly that there is no room for anything else
Recommendations: top down
- Assign the responsibility for SAP security
  - You need a name and a face
- Develop your SAP security strategy
  - Perform risk management - which of the risks am I ready to take? What about SAP operations? What about the IT department?
- Develop your SAP security architecture
  - Choose measures and solutions - what can be done by the SAP standard, what is my focus area, how does all this play together?
- Record and document your SAP security requirements
  - You need to document them to make them transparent - and subsequently addressed
- Document your SAP security strategy and architecture and have management approve them
Recommendations: organizational topics
- Cooperate with the information security department (CISO)
  - Break down the "SAP" wall, align with your peers
  - Comparing risks may be demotivating at first, but will improve the overall approach
- Cooperate with the quality assurance department
  - Security is a quality goal - and should be handled as such in the internal QA processes
- Integrate security checks into Procure-to-Pay
  - Your peers do it for desktop software - why not take the same approach for SAP add-ons and customization?
Further recommendations
- Authorizations
  - It is more important to think about "who decides about what" than to buy the right tool
  - Clear and simple organizational structures make authorization management a lot easier
- SAP internet security
  - The (new) web and internet interfaces of SAP are easily accessible to hackers and should be treated with care, specifically SAP HANA
  - Don't put too much trust in third-party products that claim to prevent attacks in real time (à la "Application Level Firewall")
- SAP specifics
  - SAP is a critical infrastructure: limit the use and accessibility of SAP-specific protocols
  - Ensure secure coding in ABAP!
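Three points from the deck meet in custom ABAP code: SQL injection through web-facing interfaces (attack surface slide), the coding and customizing phase of the life cycle, and the closing call for secure coding in ABAP. The following report is an added example and not part of the presentation. It uses SAP's flight demo data model (table SFLIGHT, column CARRID, authorization object S_CARRID); the report name, parameter and variable names are assumed for the demo. It shows an authorization check on the requested airline, a dynamic WHERE clause that concatenates raw user input (the vulnerable pattern), and the two hardened variants a code review should insist on.

```abap
REPORT zsec_abap_dynamic_where_demo.

" Added example (not from the slides). SFLIGHT, CARRID and S_CARRID are part
" of SAP's flight demo model; the report name and variables are made up.

" User input, deliberately longer than the 3-character airline code so that
" anything beyond a plain code still reaches the query logic.
PARAMETERS p_carr TYPE c LENGTH 40 LOWER CASE.

DATA lt_flights TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.
DATA lv_where   TYPE string.

START-OF-SELECTION.

  " 1. Authorization first: the user must be allowed to display (ACTVT '03')
  "    data of this airline. Custom reports that skip this check are one of
  "    the "critical authorization" gaps the deck refers to.
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD p_carr
    ID 'ACTVT'  FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display flights of this airline' TYPE 'E'.
  ENDIF.

  " 2. VULNERABLE: raw input concatenated into a dynamic WHERE condition.
  "    A single quote inside p_carr terminates the literal and whatever
  "    follows is parsed as part of the condition (SQL injection).
  lv_where = |CARRID = '{ p_carr }'|.
  SELECT * FROM sflight WHERE (lv_where) INTO TABLE @lt_flights.

  " 3. HARDENED (preferred): a static condition with a host variable. The
  "    value is bound by the database interface and never parsed as SQL.
  SELECT * FROM sflight WHERE carrid = @p_carr INTO TABLE @lt_flights.

  " 4. HARDENED (only when the clause really must be dynamic): escape the
  "    value with the standard class CL_ABAP_DYN_PRG before building the
  "    condition, so an embedded quote stays inside the literal.
  lv_where = |CARRID = '{ cl_abap_dyn_prg=>escape_quotes( p_carr ) }'|.
  SELECT * FROM sflight WHERE (lv_where) INTO TABLE @lt_flights.

  DATA(lv_count) = lines( lt_flights ).
  WRITE: / 'Flights found:', lv_count.
```

Variant 3 is the default to aim for in reviews of customer code: a dynamic token (WHERE, column list, table name) built from input is only acceptable when it passes through CL_ABAP_DYN_PRG (escaping, or whitelist checks for identifiers), and the surrounding AUTHORITY-CHECK has to be present regardless of how the query is formed.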