This presentation was given at SAP Inside Track The Netherlands 2013 in Eindhoven (Ciber).
It discussed some newly presented SAP Security features as well as other SAP Security related information.
2. Agenda
(Guaranteed HANA-free presentation)
• Introduction
• Update: what happened in 2013
• SAP TechEd 2013 security topics (too many to name them all)
• Read Access Logging
• ABAP code scan
• System Recommendations vs RSECNOTE
• Some statistics
(Creating this presentation involved shameless copying of SAP TechEd materials; thank you SAP)
3. Who we are…
ERP Security
• A company specialized in securing SAP infrastructures
• Started by SAP Basis specialists who are enthusiastic about platform security
• Our team consists of experienced SAP specialists and developers with 10+ years of experience
• We deliver SAP Security consulting services
• In the global top 5 of SAP research companies
5. SAP Security in the spotlight
New this year…
(Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
6. Read Access Logging
You probably already know the Security Audit Log, AIS or change documents.
Where the AIS, the Security Audit Log and change documents for master data all focus on
CHANGE/DELETE/UPDATE actions, Read Access Logging (RAL) makes it possible to log READ access as well.
11. ABAP Code Scanning
Overview of code check tools
• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN)
• SAP NW add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus is on analyzing the data flow and user input
14. Solman System Recommendations
SAP Solution Manager System Recommendations
Slow and infrequent implementation of support packages leaves systems vulnerable.
15. System Recommendations
System Recommendations vs RSECNOTE
System Recommendations:
• Recommendations for ABAP & JAVA
• Extra functionality like ChaRM integration
• Complete overview based on the system
• Not only Security notes
• Way to go
RSECNOTE:
• Focus on HotNews
• ABAP only
• Limited functionality
• Incomplete
• OLDSKOOL
19. Some Statistics
Preliminary research statistics on internet-connected systems: SAProuter
After scanning the entire IPv4 range we found:
• 7746 SAProuters connected to the internet
• Of which almost half (3693) are NOT protected by an ACL, giving access to the local intranet
• Of the vulnerable SAProuters, most (85%) are running on Windows
• 13 of the vulnerable SAProuters (0.35%) are located in NL
[Charts: SAProuters found on the internet: ACL protected 52%, open 48%. Open SAProuters running Windows: 85%; running Unix/Linux: 15%.]
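A defender's check for the ACL point above, as an added example that is not part of the presentation: it parses a saprouttab (the SAProuter route permission table) and flags entries that accept any source host, open every internal host and port, or are shadowed by a catch-all permit. The line format described in the docstring and the sample entries are assumptions constructed for this example.

```python
"""Audit a saprouttab (the SAProuter ACL) for permissive entries.
Added example, not the presenter's code. Assumed line format (SNC KP/KS/KD/KT
entries not handled): <P|S|D> <src-host> <dst-host> <dst-service> [<password>],
'*' = wildcard. Entries are checked top-down, first match wins, no match = refuse.
"""
import re

# Constructed sample: the first P line is the weak setting the deck warns about.
SAMPLE_SAPROUTTAB = """\
# permit everything from anywhere to anywhere
P * * *
# SAP GUI from one partner network to one app server, dispatcher port only
P 203.0.113.0/24 10.10.1.5 3200
# SNC-protected support route, never reached because of the catch-all above
S sapserv2 10.10.1.5 3299
D * * *
"""
RULE_RE = re.compile(r"^([PSD])\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def parse_saprouttab(text):
    """Return (action, src, dst, service, password) tuples, comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable saprouttab line: {raw!r}")
        rules.append(m.groups())
    return rules

def is_any(field):
    """True for the '*' wildcard or a /0 network, i.e. matches anything."""
    return field == "*" or field.endswith("/0")

def audit_saprouttab(text):
    """Return 1-based (entry_number, finding) pairs for risky entries."""
    findings, shadowed = [], False
    for n, (action, src, dst, svc, _pw) in enumerate(parse_saprouttab(text), 1):
        if shadowed:  # a permit-all above already matched every connection
            findings.append((n, "unreachable: an earlier permit-all matches first"))
            continue
        if action in ("P", "S") and is_any(src):
            findings.append((n, "accepts any source host"))
        if action == "P" and is_any(dst) and is_any(svc):
            findings.append((n, "permits any destination host and any port"))
        if action == "P" and is_any(src) and is_any(dst) and is_any(svc):
            shadowed = True
    return findings
```

Running `audit_saprouttab(SAMPLE_SAPROUTTAB)` reports the catch-all twice and marks the three entries below it as unreachable; a table that starts with a narrow permit and ends with `D * * *` produces no findings.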
21. Some Statistics
Security vulnerabilities found by SAP vs External Security Researchers
The ratio of vulnerabilities found by External Researchers vs SAP internally is going up:
Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
22. Key takeaways
Summary
• SAP security is complex, but don't let that be an excuse! Especially since SAP and external suppliers are providing more and better tools / solutions
• Do take special care when connecting systems to the internet
• Be aware that every aspect of an SAP infrastructure needs to be secured: application server, OS, DB, network, frontend, SoD, custom code, etc, etc…
• PATCH! PATCH! PATCH!
• Join & contribute! www.bizec.org