SITNL 2013
Security update SAP Teched 2013

Agenda
Guaranteed HANA-FREE presentation

• Introduction
• Update: what happened in 2013
• SAP Teched 2013 security topics (too many to name them all):
  Read Access Logging
  ABAP code scan
  System Recommendations vs RSECNOTE
• Some statistics

(Creating this presentation involved shameless copying of SAP Teched materials, thank you SAP)
Who we are…
ERP Security
• A company specialized in securing SAP infrastructures
• Started by SAP Basis specialists who are enthusiastic about platform security
• Our team consists of experienced SAP specialists and developers with 10+ years of experience
• We deliver SAP security consulting services
• In the global top 5 of companies doing SAP security research
SAP Security in the spotlight
From SitNL last year…
SAP Security in the spotlight
New this year…

(Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
Read Access Logging
You probably know the Security Audit Log, the Audit Information System (AIS) and change documents.
Where the AIS, the Security Audit Log and change documents for master data all focus on
CHANGE/DELETE/UPDATE actions, Read Access Logging (RAL, administered in transaction SRALMANAGER)
also lets you log READ access, i.e. who displayed which sensitive field, and through which channel.

Read Access Logging: supported channels (figure)

Read Access Logging: availability (figure)

Also see SIS 104
ABAP Code Scanning
The challenge… (figure)

ABAP Code Scanning: overview of code check tools
• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): the classic static check run from the ABAP Workbench
• SAP NetWeaver AS add-on for code vulnerability analysis (later marketed as Code Vulnerability Analyzer, CVA):
  code checks for security vulnerabilities; the main focus is analysing the data flow from user input
  to dangerous statements. Its checks run inside SLIN, SCI and ATC rather than as a separate tool.

ABAP Code Scanning: overview of available checks (figure)

ABAP Code Scan (figure)
Also see SIS 261
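The add-on's checks themselves are not on the page, so to show what a data-flow check of this kind does in principle, here is an added example that is not from the deck and not SAP's code: a deliberately small Python taint tracker run over a constructed ABAP program. It treats PARAMETERS and SELECT-OPTIONS as sources, propagates taint through assignments and CONCATENATE, and reports when a tainted variable reaches a dynamic WHERE clause, a CALL 'SYSTEM' command field, a dynamic CALL FUNCTION name or GENERATE SUBROUTINE POOL; EXEC SQL is reported for manual review. The lexer, the source and sink lists and the sample program are all assumptions chosen for the example; a real scanner such as the add-on is flow-sensitive and interprocedural.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # check identifier
    stmt_no: int    # 1-based index of the offending ABAP statement
    message: str


# Taint sources: screen input.
SOURCE_RE = re.compile(r"^(?:PARAMETERS|SELECT-OPTIONS)\s+([\w-]+)", re.I)
# Data flow: plain assignment (also inline DATA(...)) and CONCATENATE ... INTO.
ASSIGN_RE = re.compile(r"^(?:DATA\()?([\w-]+)\)?\s*=\s*(.+)$", re.I)
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+([\w-]+)", re.I)
# Sinks.
DYN_WHERE_RE = re.compile(r"\bWHERE\s*\(\s*([\w-]+)\s*\)", re.I)
SYSTEM_RE = re.compile(r"^CALL\s+'SYSTEM'.*?ID\s+'COMMAND'\s+FIELD\s+([\w-]+)", re.I)
DYN_FUNC_RE = re.compile(r"^CALL\s+FUNCTION\s+([\w-]+)", re.I)  # a literal name starts with a quote
GEN_POOL_RE = re.compile(r"^GENERATE\s+SUBROUTINE\s+POOL\s+([\w-]+)", re.I)
WORD_RE = re.compile(r"[\w-]+")


def split_statements(source: str) -> list[str]:
    """Split ABAP source into period-terminated statements (toy lexer).

    Full-line '*' comments are skipped, text after an unquoted '"' is dropped
    as a trailing comment, and periods inside '...' literals do not terminate.
    """
    stmts: list[str] = []
    buf: list[str] = []
    in_str = False
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        for ch in line:
            if ch == "'":
                in_str = not in_str
            elif ch == '"' and not in_str:
                break
            if ch == "." and not in_str:
                stmt = " ".join("".join(buf).split())
                if stmt:
                    stmts.append(stmt)
                buf = []
            else:
                buf.append(ch)
        buf.append(" ")
    return stmts


def words(text: str) -> set[str]:
    return {w.lower() for w in WORD_RE.findall(text)}


def scan(source: str) -> list[Finding]:
    """Flow-insensitive taint check over one ABAP program."""
    tainted: set[str] = set()
    findings: list[Finding] = []
    for no, stmt in enumerate(split_statements(source), start=1):
        if m := SOURCE_RE.match(stmt):
            tainted.add(m.group(1).lower())
            continue
        if m := CONCAT_RE.match(stmt):
            if words(m.group(1)) & tainted:
                tainted.add(m.group(2).lower())
            continue
        if m := ASSIGN_RE.match(stmt):
            if words(m.group(2)) & tainted:
                tainted.add(m.group(1).lower())
            continue
        if (m := DYN_WHERE_RE.search(stmt)) and m.group(1).lower() in tainted:
            findings.append(Finding("SQL_INJECTION", no,
                                    f"dynamic WHERE clause ({m.group(1)}) is built from user input"))
        if m := SYSTEM_RE.match(stmt):
            user_controlled = m.group(1).lower() in tainted
            findings.append(Finding("OS_COMMAND_INJECTION" if user_controlled else "OS_COMMAND_CALL", no,
                                    f"CALL 'SYSTEM' with command field {m.group(1)}"
                                    + (" taken from user input" if user_controlled else "")))
        if (m := DYN_FUNC_RE.match(stmt)) and m.group(1).lower() in tainted:
            findings.append(Finding("DYNAMIC_CALL", no,
                                    f"function module name ({m.group(1)}) is derived from user input"))
        if (m := GEN_POOL_RE.match(stmt)) and m.group(1).lower() in tainted:
            findings.append(Finding("CODE_INJECTION", no,
                                    f"GENERATE SUBROUTINE POOL from user-controlled table {m.group(1)}"))
        if stmt.upper().startswith("EXEC SQL"):
            findings.append(Finding("NATIVE_SQL", no, "native SQL bypasses Open SQL checks; review manually"))
    return findings


# Constructed sample program (not real customer code): two injectable sinks,
# one dynamic call, and two safe statements that must not be flagged.
SAMPLE_ABAP = """\
REPORT zsec_demo.
PARAMETERS p_name TYPE c LENGTH 40.
PARAMETERS p_cmd  TYPE c LENGTH 80.
DATA lv_where TYPE string.
DATA ls_user  TYPE usr02.
DATA lt_out   TYPE TABLE OF string.
* Dynamic WHERE clause assembled from a screen parameter.
lv_where = |BNAME = '{ p_name }'|.
SELECT SINGLE * FROM usr02 INTO ls_user WHERE (lv_where).
* Same query with the parameter as a host variable: not flagged.
SELECT SINGLE * FROM usr02 INTO ls_user WHERE bname = p_name.
* Operating-system command taken straight from the screen.
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd ID 'TAB' FIELD lt_out.
* Function module name derived from user input.
DATA lv_func TYPE string.
CONCATENATE 'Z_' p_name INTO lv_func.
CALL FUNCTION lv_func.
* Static function name: not flagged.
CALL FUNCTION 'RFC_PING'.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"{f.check:<22} statement {f.stmt_no:>2}: {f.message}")
```

The safe SELECT and the literal CALL FUNCTION show why the check must follow data flow rather than grep for keywords: the same statement types are harmless when the operand is a host variable or a constant.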
Solution Manager System Recommendations
SAP Solution Manager System Recommendations
Slow and infrequent implementation of support packages and notes leaves systems vulnerable.

System Recommendations vs RSECNOTE

System Recommendations                                          RSECNOTE
--------------------------------------------------------------  ----------------------
Recommendations for ABAP and Java                               Focus on HotNews
Extra functionality, e.g. ChaRM (Change Request Management)     ABAP only
integration
Complete overview based on the system                           Limited functionality
Not only security notes                                         Incomplete
The way to go                                                   Old school

System Recommendations: overview (figures)

Also see SIS 103
Some Statistics
Preliminary research statistics on internet-connected systems: SAProuter
After scanning the entire IPv4 range we found:
• 7746 SAProuters connected to the internet
• Of which almost half (3693, 48%) are not protected by an ACL, giving access to the local intranet
• Of the vulnerable SAProuters, most (85%) are running on Windows; 15% on Unix/Linux
• 13 of the vulnerable SAProuters (0.35%) are located in NL

(Charts: SAProuters found on the internet, ACL protected 52% vs open 48%;
open SAProuters running Windows 85% vs Unix/Linux 15%)

Exploit SAP system via the internet via SAProuter (figure)
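The ACL the statistics refer to is the SAProuter route permission table (saprouttab): rules of the form `<action> <source-host> <dest-host> <dest-serv>`, evaluated top down, first match wins, and an implicit deny if nothing matches. An "open" router is one whose table still contains something like `P * * *`. As an added example, not from the deck and not SAP's tooling, the following Python checker parses two constructed saprouttab files, answers whether an internet client could reach an internal host and port through the router, and flags permit rules that make the router an open proxy. Host patterns are limited to `*`, a trailing-`*` prefix and CIDR notation, service names such as `sapdp00` are not resolved, and the two tables and all addresses are made up for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PERMIT = {"P", "S", "KP", "KS"}          # S = SAP protocol only; K* = SNC required
VALID_ACTIONS = PERMIT | {"D", "KD"}


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    serv: str
    line_no: int


def parse_saprouttab(text: str) -> list[Rule]:
    """Parse '<action> <source-host> <dest-host> <dest-serv> [password]' lines.

    '#' starts a comment. Service names are not resolved (assumption for the
    example); the sample tables use numeric ports only.
    """
    rules: list[Rule] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in VALID_ACTIONS:
            raise ValueError(f"line {no}: unrecognised saprouttab entry: {raw!r}")
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3], no))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """'*' matches everything, '10.0.*' is a prefix wildcard,
    '10.0.0.0/24' a subnet; anything else must match exactly."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return pattern == host


def lookup(rules: list[Rule], src: str, dst: str, port: int) -> Rule | None:
    """First matching rule wins; None means saprouter denies by default."""
    for r in rules:
        if (host_matches(r.src, src) and host_matches(r.dst, dst)
                and r.serv in ("*", str(port))):
            return r
    return None


def is_permitted(rules: list[Rule], src: str, dst: str, port: int) -> bool:
    r = lookup(rules, src, dst, port)
    return r is not None and r.action in PERMIT


def audit(rules: list[Rule]) -> list[tuple[int, str]]:
    """Flag permit rules that turn the router into an open proxy."""
    findings: list[tuple[int, str]] = []
    for r in rules:
        if r.action not in PERMIT:
            continue
        if r.src == "*" and r.dst == "*":
            findings.append((r.line_no, "any client may reach any host: open proxy into the intranet"))
        elif r.src == "*" and r.serv == "*":
            findings.append((r.line_no, f"any client may reach every port of {r.dst}"))
        elif r.action in ("P", "KP") and r.serv == "*":
            findings.append((r.line_no, f"P rule allows the native (non-SAP) protocol to every port "
                                        f"of {r.dst}; prefer S with an explicit port"))
    return findings


# Constructed saprouttab files (not from any real system).
OPEN_TAB = """\
# partner access to the dispatcher, plus a wildcard left over from troubleshooting
P 203.0.113.0/24 10.0.0.10 3200
P * * *
"""
HARDENED_TAB = """\
S 203.0.113.0/24 10.0.0.10 3200   # SAP protocol only, one source network, one port
D * * *                           # explicit final deny
"""

if __name__ == "__main__":
    for name, tab in (("open", OPEN_TAB), ("hardened", HARDENED_TAB)):
        rules = parse_saprouttab(tab)
        reachable = is_permitted(rules, "198.51.100.7", "10.0.0.5", 3389)
        print(f"{name}: internet client -> 10.0.0.5:3389 permitted? {reachable}")
        for line_no, msg in audit(rules):
            print(f"  line {line_no}: {msg}")
```

The open table lets an arbitrary internet address reach RDP on an internal host because the `P * * *` line matches whatever the first rule rejected; the hardened table answers the same question with the explicit `D * * *` and only permits the partner network to the one dispatcher port over the SAP protocol.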
Some Statistics
Security vulnerabilities found by SAP vs external security researchers
The share of vulnerabilities found by external researchers, compared with those found by SAP internally, is going up:
(chart)
Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
Key takeaways
Summary
• SAP security is complex, but don't let that be an excuse!
• Especially since SAP and external suppliers are providing more and better tools and solutions
• Take special care when connecting systems to the internet
• Be aware that every aspect of an SAP infrastructure needs to be secured: application server, OS,
  DB, network, frontend, SoD, custom code, etc.
• PATCH! PATCH! PATCH!

Join & contribute! www.bizec.org
Questions?

Thank you
Need more info? Contact us...
• More information needed? See www.erp-sec.com
• or follow @jvis / @erpsec
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and
other countries.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not
warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either
express or implied, including but not limited to the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special,
indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its
content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV.
© 2013 ERP Security BV.
SAP inside track NL 2013, SAP Security update
