Slide 1: Invest in security to secure investments

EAS-SEC: Framework for Securing Enterprise Business Applications

Alexander Polyakov, CTO, ERPScan

Slide 2: About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)

Slide 3: SAP on the Internet

(image slide)

Slide 4: SAP Security notes by year

(chart: number of SAP Security notes per year, 2001 to 2013; y-axis 0 to 900)

More than 2600 in total

Slide 5: SAP on the Internet

•  Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
•  Companies connect different offices (by SAP XI)
•  Companies are connected to SAP (through SAP Router)
•  SAP GUI users are connected to the Internet
•  Administrators open management interfaces to the Internet for remote control

Almost all business applications have web access now

Slide 6: SAP Router

•  Special application proxy
•  Transfers requests from the Internet to SAP (and not only)
•  Can work through VPN or SNC
•  Almost every company uses it for connecting to SAP to download updates
•  Usually listens on port 3299

About 5000 Routers on the Internet

Slide 7: SAP Router vulnerability

•  Remote Code Execution vulnerability
•  CVSS 9.3
•  Nominated for top 5 server-side vulnerabilities 2013

Slide 8: SAP Router

85% * Vulnerable SAP Routers

Slide 9: SAP Malware

(image slide)

Slide 10: Why security?

•  Espionage
   –  Stealing financial information
   –  Stealing corporate secrets
   –  Stealing supplier and customer lists
   –  Stealing HR data
•  Sabotage
   –  Denial of service
   –  Modification of financial reports
   –  Access to technology network (SCADA) by trust relations
•  Fraud
   –  False transactions
   –  Modification of master data

Slide 11: 3 areas of SAP Security

2010 - Application platform security
Prevents unauthorized access by both insiders and remote attackers
Solution: Vulnerability Assessment and Monitoring

2008 - ABAP Code security
Prevents attacks or mistakes made by developers
Solution: Code audit

2002 - Business logic security (SOD)
Prevents attacks or mistakes made
Solution: GRC

Slide 12: Compliance

•  OWASP
•  WASC
•  SANS 25
•  CWE
•  NIST
•  SOX
•  ISO
•  PCI-DSS
•  SAP NetWeaver ABAP Security configuration
•  ISACA (ITAF)
•  DSAG

Slide 13: SAP Security Guidelines

•  Guidelines made by SAP
•  First official SAP guide for technical security of the ABAP stack
•  Secure Configuration of SAP NetWeaver® Application Server Using ABAP
•  First version in 2010, version 1.2 in 2012
•  For rapid assessment of the most common technical misconfigurations in the platform
•  Consists of 9 areas and 82 checks
•  Ideal as a second step; gives more details on some of the EAS-SEC standard areas

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true

Slide 14: ISACA Assurance (ITAF)

•  Guidelines made by ISACA
•  Checks cover configuration and access control areas
•  First and most complete compliance guideline
•  There were 3 versions, published in 2002, 2006 and 2009 (some areas are outdated)
•  The technical part is covered less than access control and misses critical areas
•  Main advantage is a big database of access control checks
•  Consists of 4 parts and about 160 checks
•  Ideal as a third step and for detailed coverage of access control

Slide 15: DSAG

•  Set of recommendations from the Deutsche SAP Users Group
•  Checks cover all security areas, from technical configuration and source code to access control and management procedures
•  Currently the biggest guideline on SAP Security
•  Last version in Jan 2011
•  Consists of 8 areas and 200+ checks
•  Ideal as a final step for securing SAP, but consists of many checks which need additional decision making that highly depends on the installation

http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf

Slide 16: EAS-SEC for NetWeaver (EASSEC-AIVA-ABAP)

Enterprise Application Systems Vulnerability Assessment - for NetWeaver ABAP

•  Developed by ERPScan: first standard of the EAS-SEC series
•  Rapid assessment of SAP security in 9 areas
•  Contains the 33 most critical checks
•  Ideal as a first step
•  Also contains information for next steps
•  Categorized by priority and criticality

Slide 17: EASSEC-AIVA-2013

EASSEC-AIVA area                               Access         Criticality  Easy to exploit  % of vulnerable systems
1. Lack of patch management                    Anonymous      High         High             99%
2. Default passwords for application access    Anonymous      High         High             95%
3. Unnecessary enabled functionality           Anonymous      High         High             90%
4. Open remote management interfaces           Anonymous      High         Medium           90%
5. Insecure configuration                      Anonymous      Medium       Medium           90%
6. Unencrypted communication                   Anonymous      Medium       Medium           80%
7. Access control and SOD                      User           High         Medium           99%
8. Insecure trust relations                    User           High         Medium           80%
9. Logging and Monitoring                      Administrator  High         Medium           98%

Slide 18: Lack of patch management

•  [EASAI-NA-01] Component updates
•  [EASAI-NA-02] Kernel updated

What next: Other components should be updated separately - SAP Router, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. And also the OS and database.

Slide 19: Default passwords

•  [EASAI-NA-03] Default password check for user SAP*
•  [EASAI-NA-04] Default password check for user DDIC
•  [EASAI-NA-05] Default password check for user SAPCPIC
•  [EASAI-NA-06] Default password check for user TMSADM
•  [EASAI-NA-07] Default password check for user EARLYWATCH

What next: A couple of additional SAP components also use their own default passwords. For example, the services SAP SDM and SAP ITS in their old versions have default passwords. After you have checked all default passwords you can start with bruteforcing for simple passwords.

Slide 20: Unnecessary enabled functionality

•  [EASAI-NA-08] Access to RFC functions using the SOAP interface
•  [EASAI-NA-09] Access to RFC functions using the FORM interface
•  [EASAI-NA-10] Access to the XI service using the SOAP interface

What next: You should analyze about 1500 other services which are remotely enabled to see if they are really needed, and also disable unused transactions, programs and reports.

Slide 21: Open remote management interfaces

•  [EASAI-NA-11] Unauthorized access to the SAPControl service
•  [EASAI-NA-12] Unauthorized access to the SAPHostControl service
•  [EASAI-NA-13] Unauthorized access to the Message Server service
•  [EASAI-NA-14] Unauthorized access to the Oracle database

What next: The full list of SAP services can be found in the document "TCP/IP Ports Used by SAP Applications". You should also take care of 3rd-party services which can be enabled on this server.

Slide 22: Insecure configuration

•  [EASAI-NA-15] Minimum password length
•  [EASAI-NA-16] User locking policy
•  [EASAI-NA-17] Password compliance to current standards
•  [EASAI-NA-18] Access control to RFC (reginfo.dat)
•  [EASAI-NA-19] Access control to RFC (secinfo.dat)

What next: First of all you can look at the "Secure Configuration of SAP NetWeaver® Application Server Using ABAP" document for detailed configuration checks. Afterwards you can go through the detailed documents for each and every SAP service and module:
http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
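As an added example (not ERPScan's or EAS-SEC's own tooling), a small Python checker for the two gateway ACL checks above, EASAI-NA-18 (reginfo) and EASAI-NA-19 (secinfo): it parses the VERSION=2 rule syntax and flags permit rules with wildcard hosts or programs, plus files that do not end in a catch-all deny. The sample files are constructed, the severity ratings are this example's own, and USER/USER-HOST in secinfo are not evaluated.

```python
"""Audit SAP Gateway ACL files (reginfo / secinfo, file format VERSION=2) for
overly permissive permit rules: a first pass at EASAI-NA-18 and EASAI-NA-19."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample files for this example, not taken from any real system.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=SAPXPG HOST=appsrv01.example.test ACCESS=internal CANCEL=internal
"""
SAMPLE_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=internal
P TP=* USER=* USER-HOST=* HOST=*
D TP=* USER=* USER-HOST=* HOST=*
"""

Rule = Tuple[str, Dict[str, str], int]  # (action "P"/"D", keyword->value, line no)


@dataclass
class Finding:
    check: str              # EAS-SEC check id the finding belongs to
    line_no: Optional[int]  # None for file-level findings
    severity: str           # "HIGH" or "MEDIUM" (this example's own scale)
    message: str


def parse_acl(text: str) -> List[Rule]:
    """Parse lines of the form '<P|D> KEY=value KEY=value ...'.
    Lines starting with '#' are comments; '#VERSION=2' is the format header."""
    rules: List[Rule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        action = action.upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {line_no}: unknown action {action!r}")
        fields: Dict[str, str] = {}
        for token in tokens:
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"line {line_no}: malformed token {token!r}")
            fields[key.upper()] = value  # values kept as written (TP is case-sensitive)
        rules.append((action, fields, line_no))
    return rules


def is_wild(value: str) -> bool:
    """True if a comma-separated host or program list contains a bare '*'."""
    return any(item.strip() == "*" for item in value.split(","))


def is_internal(value: str) -> bool:
    """True if every entry is one of the gateway keywords internal / local."""
    return all(item.strip().lower() in ("internal", "local") for item in value.split(","))


def has_catch_all_deny(rules: List[Rule]) -> bool:
    """True if the file ends with a deny rule whose fields are all wildcards."""
    return bool(rules) and rules[-1][0] == "D" and all(
        is_wild(v) for v in rules[-1][1].values())


def audit(text: str, kind: str) -> List[Finding]:
    """kind='reginfo' (EASAI-NA-18): which hosts may register programs (HOST)
    and call them (ACCESS). kind='secinfo' (EASAI-NA-19): which hosts may
    start which programs through the gateway."""
    check = {"reginfo": "EASAI-NA-18", "secinfo": "EASAI-NA-19"}[kind]
    verb = "register" if kind == "reginfo" else "start"
    rules = parse_acl(text)
    findings: List[Finding] = []
    for action, fields, line_no in rules:
        if action != "P":
            continue
        tp, host = fields.get("TP", "*"), fields.get("HOST", "*")
        if is_wild(host) and is_wild(tp):
            findings.append(Finding(check, line_no, "HIGH",
                                    f"any host may {verb} any program"))
        elif is_wild(host):
            findings.append(Finding(check, line_no, "MEDIUM",
                                    f"any host may {verb} program {tp}"))
        elif is_wild(tp) and not is_internal(host):
            findings.append(Finding(check, line_no, "MEDIUM",
                                    f"hosts {host} may {verb} any program"))
        # reginfo only: an absent ACCESS list is treated as a wildcard here.
        if kind == "reginfo" and is_wild(fields.get("ACCESS", "*")):
            findings.append(Finding(check, line_no, "MEDIUM",
                                    f"any host may call registered program {tp}"))
    if not has_catch_all_deny(rules):
        findings.append(Finding(check, None, "MEDIUM",
                                "no explicit catch-all deny rule at end of file"))
    return findings
```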
  
Slide 23: Access control and SOD conflicts

•  [EASAI-NA-20] Users with SAP_ALL profile
•  [EASAI-NA-21] Users who can run any program
•  [EASAI-NA-22] Users who can modify critical table USR02
•  [EASAI-NA-23] Users who can execute any OS command
•  [EASAI-NA-24] Disabled authorization checks

What next: There are at least about 100 critical transactions in BASIS alone and approximately the same number in each other module. Detailed information can be found in the ISACA guidelines. After that you can start with Segregation of Duties.

Slide 24: Unencrypted connections

•  [EASAI-NA-25] Use of SSL for securing HTTP connections
•  [EASAI-NA-26] Use of SNC for securing SAP GUI connections
•  [EASAI-NA-27] Use of SNC for securing RFC connections

What next: Even if you use encryption you should check how it is configured for every type of encryption and for every service, because there are different, complex configurations for each encryption type. For example, the latest attacks on SSL like BEAST and CRIME require companies to use a more complex SSL configuration.

Slide 25: Insecure trusted connections

•  [EASAI-NA-28] RFC connections with stored authentication data
•  [EASAI-NA-29] Trusted systems with lower security

What next: Check other ways to get access to trusted systems, such as database links, use of the same OS user, or just use of the same passwords for different systems.

Slide 26: Logging and Monitoring

•  [EASAI-NA-30] Logging of security events
•  [EASAI-NA-31] Logging of HTTP requests
•  [EASAI-NA-32] Logging of table changes
•  [EASAI-NA-33] Logging of access to Gateway

What next: There are about 30 different types of log files in SAP. After properly enabling the main ones, the next step is to properly configure complex options such as which exact tables to monitor for changes, what kind of events to analyze in the security events log, what types of Gateway attacks should be collected, and so on. The step after that is to enable their centralized collection and storage and then add other log events.
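Added example (not from the slides or ERPScan): an offline evaluation of the classic instance profile parameters behind the password-policy checks EASAI-NA-15..17 on the Insecure configuration slide and the logging checks EASAI-NA-30..33 above. The profile excerpt and the pass thresholds are this example's assumptions; a parameter absent from the profile is reported as NOT SET rather than assumed to have a particular kernel default.

```python
"""Evaluate SAP instance profile parameters against the password-policy checks
(EASAI-NA-15..17) and logging checks (EASAI-NA-30..33) of the EAS-SEC list.
Thresholds below are this example's assumptions, not values from EAS-SEC."""
from typing import Callable, Dict, List, NamedTuple

# Constructed profile excerpt for this example, not taken from a real system.
SAMPLE_PROFILE = """\
# DEFAULT.PFL excerpt (constructed)
SAPSYSTEMNAME = XYZ
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/password_compliance_to_current_policy = 0
rsau/enable = 0
rec/client = OFF
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
"""


class Check(NamedTuple):
    check_id: str
    param: str
    expected: str                 # human-readable target value
    ok: Callable[[str], bool]     # predicate over the raw parameter value


def _int_between(lo: int, hi: int) -> Callable[[str], bool]:
    """Predicate: value parses as an integer within [lo, hi]."""
    def pred(value: str) -> bool:
        try:
            return lo <= int(value) <= hi
        except ValueError:
            return False
    return pred


CHECKS: List[Check] = [
    # Slide 22: password policy (thresholds are this example's assumptions)
    Check("EASAI-NA-15", "login/min_password_lng", ">= 8", _int_between(8, 40)),
    Check("EASAI-NA-16", "login/fails_to_user_lock", "1..5", _int_between(1, 5)),
    Check("EASAI-NA-17", "login/password_compliance_to_current_policy", "1",
          lambda v: v == "1"),
    # Slide 26: logging via the classic profile parameters
    Check("EASAI-NA-30", "rsau/enable", "1", lambda v: v == "1"),
    Check("EASAI-NA-31", "icm/HTTP/logging_0", "LOGFILE=... set",
          lambda v: "LOGFILE=" in v.upper()),
    Check("EASAI-NA-32", "rec/client", "ALL or client list",
          lambda v: v.upper() not in ("", "OFF")),
    Check("EASAI-NA-33", "gw/logging", "LOGFILE=... set",
          lambda v: "LOGFILE=" in v.upper()),
]


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; lines starting with '#' are comments.
    A repeated parameter keeps its last value, as in a real profile."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")  # value may itself contain '='
        if sep:
            params[name.strip()] = value.strip()
    return params


def evaluate(params: Dict[str, str]) -> Dict[str, str]:
    """Map each check id to PASS, FAIL or NOT SET. An absent parameter falls
    back to the kernel default, which this offline check cannot see."""
    results: Dict[str, str] = {}
    for c in CHECKS:
        if c.param not in params:
            results[c.check_id] = "NOT SET"
        else:
            results[c.check_id] = "PASS" if c.ok(params[c.param]) else "FAIL"
    return results


def report(text: str) -> List[str]:
    """One line per check, suitable for a findings list."""
    params = parse_profile(text)
    results = evaluate(params)
    lines = []
    for c in CHECKS:
        actual = params.get(c.param, "<absent>")
        lines.append(f"{c.check_id} {results[c.check_id]:7} {c.param} = {actual}"
                     f" (expected {c.expected})")
    return lines
```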
  
Slide 27: Next Steps

•  Release similar compliance guidelines for other applications
•  Update eas-sec.org
•  Spread this initiative

Slide 28: Questions?

The only solution in the market to assess 3 tiers of SAP Security
  

Accelerate2022-Solving the SAP Security Gap through Application-aware Network...Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
 
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management ToolsFederal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 
Federal Webinar: RMF, DISA STIGs, and NIST FISMA Compliance using SolarWinds
Federal Webinar: RMF, DISA STIGs, and NIST FISMA Compliance using SolarWindsFederal Webinar: RMF, DISA STIGs, and NIST FISMA Compliance using SolarWinds
Federal Webinar: RMF, DISA STIGs, and NIST FISMA Compliance using SolarWinds
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC Miniclusteru
 
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksTop 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...
 
GRCSing2015_Kumar_Howtoperformasystem
GRCSing2015_Kumar_HowtoperformasystemGRCSing2015_Kumar_Howtoperformasystem
GRCSing2015_Kumar_Howtoperformasystem
 
Attacks on SAP Mobile
Attacks on SAP MobileAttacks on SAP Mobile
Attacks on SAP Mobile
 
Accel Frontline Remote Infrastructure Capabilities
Accel Frontline Remote Infrastructure CapabilitiesAccel Frontline Remote Infrastructure Capabilities
Accel Frontline Remote Infrastructure Capabilities
 
Afl rim capabilities
Afl rim capabilitiesAfl rim capabilities
Afl rim capabilities
 
IT Infrastructure Project
IT Infrastructure ProjectIT Infrastructure Project
IT Infrastructure Project
 
network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
 

Mehr von ERPScan

Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...ERPScan
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)ERPScan
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applicationsERPScan
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to usERPScan
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibilityERPScan
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
 

Mehr von ERPScan (8)

Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
 

Kürzlich hochgeladen

Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxPrakarsh -
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기Chiwon Song
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9Jürgen Gutsch
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 

Kürzlich hochgeladen (20)

Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptx
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Sustainable Web Design - Claire Thornewill
Sustainable Web Design - Claire ThornewillSustainable Web Design - Claire Thornewill
Sustainable Web Design - Claire Thornewill
 
About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9
 
Program with GUTs
Program with GUTsProgram with GUTs
Program with GUTs
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 

EAS-SEC: Framework for securing business applications

• 1. Invest in security to secure investments
  EAS-SEC: Framework for Securing Enterprise Business Applications
  Alexander Polyakov, CTO ERPScan

• 2. About ERPScan
  • The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
  • Leader by the number of acknowledgements from SAP (150+)
  • 60+ presentations at key security conferences worldwide
  • 25 awards and nominations
  • Research team: 20 experts with experience in different areas of security
  • Headquarters in Palo Alto (US) and Amsterdam (EU)
• 4. SAP Security notes by year
  [Chart: number of SAP Security notes per year, 2001 to 2013]
  More than 2600 in total

• 5. SAP on the Internet
  • Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
  • Companies connect different offices (by SAP XI)
  • Companies are connected to SAP (through SAP Router)
  • SAP GUI users are connected to the Internet
  • Administrators open management interfaces to the Internet for remote control
  Almost all business applications have web access now

• 6. SAP Router
  • Special application proxy
  • Transfers requests from the Internet to SAP (and not only)
  • Can work through VPN or SNC
  • Almost every company uses it for connecting to SAP to download updates
  • Usually listens on port 3299
  About 5000 Routers on the Internet

• 7. SAP Router vulnerability
  • Remote Code Execution vulnerability
  • CVSS 9.3
  • Nominated for top 5 server-side vulnerabilities 2013

• 8. SAP Router
  85%* vulnerable SAP Routers
• 10. Why security?
  • Espionage
    – Stealing financial information
    – Stealing corporate secrets
    – Stealing supplier and customer lists
    – Stealing HR data
  • Sabotage
    – Denial of service
    – Modification of financial reports
    – Access to technology network (SCADA) by trust relations
  • Fraud
    – False transactions
    – Modification of master data

• 11. 3 areas of SAP Security
  • 2010: Application platform security. Prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
  • 2008: ABAP Code security. Prevents attacks or mistakes made by developers. Solution: Code audit
  • 2002: Business logic security (SOD). Prevents attacks or mistakes made. Solution: GRC

• 12. Compliance
  • OWASP
  • WASC
  • SANS 25
  • CWE
  • NIST
  • SOX
  • ISO
  • PCI-DSS
  • SAP NetWeaver ABAP Security configuration
  • ISACA (ITAF)
  • DSAG
• 13. SAP Security Guidelines
  • Guidelines made by SAP
  • First official SAP guide for technical security of the ABAP stack
  • "Secure Configuration of SAP NetWeaver® Application Server Using ABAP"
  • First version: 2010; version 1.2: 2012
  • For rapid assessment of the most common technical misconfigurations in the platform
  • Consists of 9 areas and 82 checks
  • Ideal as a second step; gives more details on some of the EAS-SEC standard areas
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true

• 14. ISACA Assurance (ITAF)
  • Guidelines made by ISACA
  • Checks cover configuration and access control areas
  • First and most complete compliance guideline
  • 3 versions were published, in 2002, 2006 and 2009 (some areas are outdated)
  • The technical part is covered less than access control and misses critical areas
  • Main advantage is a big database of access control checks
  • Consists of 4 parts and about 160 checks
  • Ideal as a third step and for detailed coverage of access control

• 15. DSAG
  • Set of recommendations from the Deutsche SAP User Group
  • Checks cover all security areas, from technical configuration and source code to access control and management procedures
  • Currently the biggest guideline on SAP Security
  • Last version in Jan 2011
  • Consists of 8 areas and 200+ checks
  • Ideal as a final step for securing SAP, but consists of many checks which need additional decision making that highly depends on the installation
  http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf

• 16. EAS-SEC for NetWeaver (EASSEC-AIVA-ABAP)
  Enterprise Application Systems Vulnerability Assessment for NetWeaver ABAP
  • Developed by ERPScan: first standard of the EAS-SEC series
  • Rapid assessment of SAP security in 9 areas
  • Contains the 33 most critical checks
  • Ideal as a first step
  • Also contains information for next steps
  • Categorized by priority and criticality
• 17. EASSEC-AIVA-2013
  EASSEC-AIVA                                  | Access        | Criticality | Easy to exploit | % of vulnerable systems
  1. Lack of patch management                  | Anonymous     | High        | High            | 99%
  2. Default passwords for application access  | Anonymous     | High        | High            | 95%
  3. Unnecessary enabled functionality         | Anonymous     | High        | High            | 90%
  4. Open remote management interfaces         | Anonymous     | High        | Medium          | 90%
  5. Insecure configuration                    | Anonymous     | Medium      | Medium          | 90%
  6. Unencrypted communication                 | Anonymous     | Medium      | Medium          | 80%
  7. Access control and SOD                    | User          | High        | Medium          | 99%
  8. Insecure trust relations                  | User          | High        | Medium          | 80%
  9. Logging and Monitoring                    | Administrator | High        | Medium          | 98%
• 18. Lack of patch management
  • [EASAI-NA-01] Component updates
  • [EASAI-NA-02] Kernel updated
  What next: Other components should be updated separately: SAP Router, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects, and also the OS and database.

• 19. Default passwords
  • [EASAI-NA-03] Default password check for user SAP*
  • [EASAI-NA-04] Default password check for user DDIC
  • [EASAI-NA-05] Default password check for user SAPCPIC
  • [EASAI-NA-06] Default password check for user TMSADM
  • [EASAI-NA-07] Default password check for user EARLYWATCH
  What next: A couple of additional SAP components also use their own default passwords; for example, old versions of the SAP SDM and SAP ITS services have default passwords. After you have checked all default passwords you can start with brute-forcing for simple passwords.

• 20. Unnecessary enabled functionality
  • [EASAI-NA-08] Access to RFC functions using the SOAP interface
  • [EASAI-NA-09] Access to RFC functions using the FORM interface
  • [EASAI-NA-10] Access to the XI service using the SOAP interface
  What next: You should analyze about 1500 other remotely enabled services to see whether they are really needed, and also disable unused transactions, programs and reports.

• 21. Open remote management interfaces
  • [EASAI-NA-11] Unauthorized access to the SAPControl service
  • [EASAI-NA-12] Unauthorized access to the SAPHostControl service
  • [EASAI-NA-13] Unauthorized access to the Message Server service
  • [EASAI-NA-14] Unauthorized access to the Oracle database
  What next: The full list of SAP services can be found in the document "TCP/IP Ports Used by SAP Applications". You should also take care of 3rd-party services which can be enabled on this server.

• 22. Insecure configuration
  • [EASAI-NA-15] Minimum password length
  • [EASAI-NA-16] User locking policy
  • [EASAI-NA-17] Password compliance to current standards
  • [EASAI-NA-18] Access control to RFC (reginfo.dat)
  • [EASAI-NA-19] Access control to RFC (secinfo.dat)
  What next: First of all you can look at the "Secure Configuration of SAP NetWeaver® Application Server Using ABAP" document for detailed configuration checks. Afterwards you can go through the detailed documents for each and every SAP service and module:
  http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm

• 23. Access control and SOD conflicts
  • [EASAI-NA-20] Users with SAP_ALL profile
  • [EASAI-NA-21] Users which can run any program
  • [EASAI-NA-22] Users which can modify critical table USR02
  • [EASAI-NA-23] Users which can execute any OS command
  • [EASAI-NA-24] Disabled authorization checks
  What next: There are at least about 100 critical transactions in BASIS alone and approximately the same number in each other module. Detailed information can be found in the ISACA guidelines. After that you can start with Segregation of Duties.

• 24. Unencrypted connections
  • [EASAI-NA-25] Use of SSL for securing HTTP connections
  • [EASAI-NA-26] Use of SNC for securing SAP GUI connections
  • [EASAI-NA-27] Use of SNC for securing RFC connections
  What next: Even if you use encryption you should check how it is configured for every type of encryption and for every service, because each encryption type has its own complex configuration. For example, the latest attacks on SSL like BEAST and CRIME require companies to use a more complex SSL configuration.

• 25. Insecure trusted connections
  • [EASAI-NA-28] RFC connections with stored authentication data
  • [EASAI-NA-29] Trusted systems with lower security
  What next: Check other ways to get access to trusted systems, such as database links, use of the same OS user, or simply use of the same passwords for different systems.

• 26. Logging and Monitoring
  • [EASAI-NA-30] Logging of security events
  • [EASAI-NA-31] Logging of HTTP requests
  • [EASAI-NA-32] Logging of table changes
  • [EASAI-NA-33] Logging of access to Gateway
  What next: There are about 30 different types of log files in SAP. After properly enabling the main ones, the next step is to configure the more complex options: which exact tables to monitor for changes, which kinds of events to analyze in the security events log, which types of Gateway attacks should be collected, and so on. The step after that is to enable centralized collection and storage of the logs and then add other log events.
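The checks on slides 22 and 26 that are decided by profile parameters (EASAI-NA-15 to 17 and EASAI-NA-30 to 33) can be automated by reading the instance profile; the following is an added example, not ERPScan's code or part of the EAS-SEC deck. The parameter names are SAP's standard profile parameters; the pass thresholds marked "assumed" and the sample profile are this example's own constructions.

```python
"""Audit an SAP NetWeaver ABAP instance profile against the EAS-SEC checks that
can be decided from profile parameters (EASAI-NA-15..17 and EASAI-NA-30..33).
Added example, not ERPScan's tooling: parameter names are SAP's standard profile
parameters; thresholds marked 'assumed' and the sample profile are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment. Values may contain '=',
    so split only at the first one. A later assignment overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def _as_int(value: Optional[str]) -> int:
    # 0 when the parameter is unset or not numeric, so numeric checks fail safely
    try:
        return int(value) if value is not None else 0
    except ValueError:
        return 0

@dataclass(frozen=True)
class Check:
    check_id: str     # EAS-SEC check identifier from the deck
    area: str         # EAS-SEC area (slide 17)
    param: str        # SAP profile parameter that decides the check
    expectation: str  # human-readable pass condition
    passes: Callable[[Optional[str]], bool]

@dataclass(frozen=True)
class Finding:
    check_id: str
    area: str
    param: str
    value: Optional[str]  # None when the parameter is not set in the profile
    expectation: str
    passed: bool

# An unset parameter falls back to the SAP default; the audit reports it as a
# finding so that the value gets set explicitly and reviewed.
CHECKS: List[Check] = [
    Check("EASAI-NA-15", "Insecure configuration", "login/min_password_lng",
          ">= 8 (assumed threshold)", lambda v: _as_int(v) >= 8),
    Check("EASAI-NA-16", "Insecure configuration", "login/fails_to_user_lock",
          "1..5 (assumed threshold)", lambda v: 1 <= _as_int(v) <= 5),
    Check("EASAI-NA-17", "Insecure configuration",
          "login/password_compliance_to_current_policy", "1", lambda v: v == "1"),
    Check("EASAI-NA-30", "Logging and Monitoring", "rsau/enable", "1",
          lambda v: v == "1"),
    Check("EASAI-NA-31", "Logging and Monitoring", "icm/HTTP/logging_0",
          "LOGFILE= configured", lambda v: bool(v) and "LOGFILE=" in v),
    Check("EASAI-NA-32", "Logging and Monitoring", "rec/client", "not OFF",
          lambda v: bool(v) and v.upper() != "OFF"),
    Check("EASAI-NA-33", "Logging and Monitoring", "gw/logging",
          "LOGFILE= configured", lambda v: bool(v) and "LOGFILE=" in v),
]

def audit(profile_text: str) -> List[Finding]:
    params = parse_profile(profile_text)
    return [Finding(c.check_id, c.area, c.param, params.get(c.param),
                    c.expectation, bool(c.passes(params.get(c.param))))
            for c in CHECKS]

def summary(findings: List[Finding]) -> Tuple[int, int]:
    passed = sum(1 for f in findings if f.passed)  # returns (passed, failed)
    return passed, len(findings) - passed

def report(findings: List[Finding]) -> str:
    return "\n".join(
        f"{'PASS' if f.passed else 'FAIL'} {f.check_id} [{f.area}] {f.param} = "
        f"{'<not set>' if f.value is None else f.value} (expected {f.expectation})"
        for f in findings)

# Constructed sample profile of a fictional DEV system, not from a real host.
SAMPLE_PROFILE = """\
# constructed instance profile
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/password_compliance_to_current_policy = 0
rsau/enable = 1
rec/client = OFF
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_PROFILE)
    print(report(findings))
    print("passed=%d failed=%d" % summary(findings))
```

Run against the real instance profile (the file under the instance's profile directory), the output lists each check with the value found, so a missing parameter is reported as a finding rather than silently passing on the SAP default.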
• 27. Next Steps
  • Release similar compliance guidelines for other applications
  • Update eas-sec.org
  • Spread this initiative

• 28. Questions?
  The only solution in the market to assess 3 tiers of SAP Security