SITNL 2013
Security update SAP Teched 2013
Agenda
Guaranteed HANA-FREE presentation

• Introduction
• Update: what happened in 2013
• SAP TechEd 2013 security topics (too many to name them all)
  • Read Access Logging
  • ABAP code scan
  • System Recommendations vs RSECNOTE
• Some statistics

(Creating this presentation involved shameless copying of SAP TechEd materials, thank you SAP)
Who we are…
ERP Security
• A company specialized in securing SAP infrastructures
• Started by SAP Basis specialists who are enthusiastic about platform security
• Our team consists of experienced SAP specialists and developers with 10+ years of experience
• We deliver SAP security consulting services
• In the global top 5 of SAP researching companies
SAP Security in the spotlight
From SitNL last year…
SAP Security in the spotlight
New this year…

(Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
Read Access Logging
You probably already know the Security Audit Log, the AIS (Audit Information System) and change documents.
Where the AIS, the Security Audit Log and change documents for master data all focus on
CHANGE/DELETE/UPDATE actions, Read Access Logging (RAL) allows READ access to be logged.
Read Access Logging: supported channels (slide figure)
Read Access Logging: availability (slide figure)
Read Access Logging: also see SIS 104
ABAP Code Scanning: the challenge… (slide figure)

ABAP Code Scanning
Overview of code check tools
• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN)
• SAP NetWeaver add-on for code vulnerability analysis: code checks for security vulnerabilities; main focus is to analyze the data flow and user input
ABAP Code Scanning: overview of available checks (slide figure)
ABAP Code Scan: also see SIS 261
Solman System Recommendations
SAP Solution Manager System Recommendations
Slow and infrequent implementation of support packages leaves systems vulnerable
System Recommendations
System Recommendations vs RSECNOTE

System Recommendations:
• Recommendations for ABAP & Java
• Extra functionality like ChaRM integration
• Complete overview based on system
• Not only security notes
• Way to go

RSECNOTE:
• Focus on HotNews
• ABAP only
• Limited functionality
• Incomplete
• OLDSKOOL
System Recommendations overview (two slide figures)
System Recommendations: also see SIS 103
Some Statistics
Preliminary research statistics on internet-connected systems: SAProuter
After scanning the entire IPv4 range we found:
• 7746 SAProuters connected to the internet
• Of which almost half (3693) are UNprotected by an ACL, giving access to the local intranet
• Of the vulnerable SAProuters, most (85%) are running on Windows
• 13 of the vulnerable SAProuters (0,35%) are located in NL

Chart: SAProuters found on the internet: ACL protected 52%, open 48%
Chart: open SAProuters running Windows 85%, running Unix/Linux 15%

Diagram: exploit SAP system via the internet via SAPRouter (slide figure)
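The ACL the statistics refer to is the SAProuter route permission table (saprouttab). Below is a minimal one that shows what an "open" SAProuter looks like next to a hardened table; this is an added example, not material from the deck, and the hostnames and addresses in it are constructed placeholders:

```text
# saprouttab: SAProuter route permission table (constructed example, not from the deck).
# Entries are evaluated top to bottom; the first matching line decides. Syntax per line:
#   P|D|S  <source-host>  <destination-host>  <destination-service>  [password]
# P = permit, D = deny, S = permit only when the connection is SNC-protected.

# OPEN: a single wildcard permit lets any internet host reach any internal host and
# port through the router. This is the "unprotected by ACL" case from the scan.
# P * * *

# HARDENED: only one named partner network and one named partner host may reach the
# dispatcher port of one named application server (placeholders: 198.51.100.*,
# 203.0.113.10, sapprd01.example.internal).
S 198.51.100.*   sapprd01.example.internal   3200
P 203.0.113.10   sapprd01.example.internal   3200

# Everything not matched above is refused. Keep this as the last line.
D * * *
```

Because the first match wins, a wildcard permit placed anywhere above the final `D * * *` silently reopens the router, so review the whole file rather than only its tail. After editing, reload the table with `saprouter -n` instead of restarting the process.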
Some Statistics
Security vulnerabilities found by SAP vs external security researchers
The ratio of vulnerabilities found by external researchers versus SAP internally is going up (slide chart):

Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
Key takeaways
Summary
• SAP security is complex, but don’t let that be an excuse!
• Especially since SAP and external suppliers are providing more and better tools / solutions
• Do take special care when connecting systems to the internet
• Be aware that every aspect of an SAP infrastructure needs to be secured: application server, OS, DB, network, frontend, SoD, custom code, etc.
• PATCH! PATCH! PATCH!

Join & contribute! www.bizec.org
Questions?

Thank you
Need more info? Contact us...
• More information needed? See www.erp-sec.com
• or follow @jvis / @erpsec
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and
other countries.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not
warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either
express or implied, including but not limited to the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special,
indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its
content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV.
© 2013 ERP Security BV.
sitNL Security Update from SAP TechEd 2013

Weitere ähnliche Inhalte

Ähnlich wie sitNL Security Update from SAP TechEd 2013

SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
 
White papersap sollandscape
White papersap sollandscapeWhite papersap sollandscape
White papersap sollandscapeGiuseppe Caselli
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP SystemsOnapsis Inc.
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
Testing SAP HANA applications with SAP LoadRunner by HP
Testing SAP HANA applications with SAP LoadRunner by HPTesting SAP HANA applications with SAP LoadRunner by HP
Testing SAP HANA applications with SAP LoadRunner by HPSAP Solution Extensions
 
How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...Ganesh Kumar
 
The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)Twan van den Broek
 
How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...Jaime Marchant Benavides
 
SAP BI BO roadmap BO analytics editions
SAP BI BO roadmap BO analytics editionsSAP BI BO roadmap BO analytics editions
SAP BI BO roadmap BO analytics editionsJuan Frias
 
OWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościOWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościklagrz
 
How to use abap cds for data provisioning in bw
How to use abap cds for data provisioning in bwHow to use abap cds for data provisioning in bw
How to use abap cds for data provisioning in bwLuc Vanrobays
 
How to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratchHow to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratchGanesh Kumar
 
2011 BtoB Magazine Net Marketer Seminar "Digital branded experiences"
2011 BtoB Magazine Net Marketer Seminar  "Digital branded experiences"2011 BtoB Magazine Net Marketer Seminar  "Digital branded experiences"
2011 BtoB Magazine Net Marketer Seminar "Digital branded experiences"Kevin Cox
 
SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018jvandevis
 
So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016Twan van den Broek
 
Ac409c27 5a7c-0010-82c7-eda71af511fa
Ac409c27 5a7c-0010-82c7-eda71af511faAc409c27 5a7c-0010-82c7-eda71af511fa
Ac409c27 5a7c-0010-82c7-eda71af511faNagendra Babu
 
Jenkins world 2018
Jenkins world 2018Jenkins world 2018
Jenkins world 2018Lowell Young
 
Itm110 how does sap solution manager support sap hana
Itm110 how does sap solution manager support sap hanaItm110 how does sap solution manager support sap hana
Itm110 how does sap solution manager support sap hanaOlivier Bilger
 
Smau Roma 2010 Massimo Sala
Smau Roma 2010 Massimo SalaSmau Roma 2010 Massimo Sala
Smau Roma 2010 Massimo SalaSMAU
 

Ähnlich wie sitNL Security Update from SAP TechEd 2013 (20)

SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
Migración sap(procedimientos)
Migración sap(procedimientos)Migración sap(procedimientos)
Migración sap(procedimientos)
 
White papersap sollandscape
White papersap sollandscapeWhite papersap sollandscape
White papersap sollandscape
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
 
Testing SAP HANA applications with SAP LoadRunner by HP
Testing SAP HANA applications with SAP LoadRunner by HPTesting SAP HANA applications with SAP LoadRunner by HP
Testing SAP HANA applications with SAP LoadRunner by HP
 
How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...
 
The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)
 
How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...How to build an agentry based mobile app from scratch connecting to an sap ba...
How to build an agentry based mobile app from scratch connecting to an sap ba...
 
SAP BI BO roadmap BO analytics editions
SAP BI BO roadmap BO analytics editionsSAP BI BO roadmap BO analytics editions
SAP BI BO roadmap BO analytics editions
 
OWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościOWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatności
 
How to use abap cds for data provisioning in bw
How to use abap cds for data provisioning in bwHow to use abap cds for data provisioning in bw
How to use abap cds for data provisioning in bw
 
How to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratchHow to part 2 build an agentry based app from scratch
How to part 2 build an agentry based app from scratch
 
2011 BtoB Magazine Net Marketer Seminar "Digital branded experiences"
2011 BtoB Magazine Net Marketer Seminar  "Digital branded experiences"2011 BtoB Magazine Net Marketer Seminar  "Digital branded experiences"
2011 BtoB Magazine Net Marketer Seminar "Digital branded experiences"
 
SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018
 
So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016
 
Ac409c27 5a7c-0010-82c7-eda71af511fa
Ac409c27 5a7c-0010-82c7-eda71af511faAc409c27 5a7c-0010-82c7-eda71af511fa
Ac409c27 5a7c-0010-82c7-eda71af511fa
 
Jenkins world 2018
Jenkins world 2018Jenkins world 2018
Jenkins world 2018
 
Itm110 how does sap solution manager support sap hana
Itm110 how does sap solution manager support sap hanaItm110 how does sap solution manager support sap hana
Itm110 how does sap solution manager support sap hana
 
Smau Roma 2010 Massimo Sala
Smau Roma 2010 Massimo SalaSmau Roma 2010 Massimo Sala
Smau Roma 2010 Massimo Sala
 

Mehr von Twan van den Broek

How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)
How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)
How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)Twan van den Broek
 
Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)
Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)
Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)Twan van den Broek
 
SAP Data Hub – What is it, and what’s new? (Sefan Linders)
SAP Data Hub – What is it, and what’s new? (Sefan Linders)SAP Data Hub – What is it, and what’s new? (Sefan Linders)
SAP Data Hub – What is it, and what’s new? (Sefan Linders)Twan van den Broek
 
SAP HANA SQL Data Warehousing (Sefan Linders)
SAP HANA SQL Data Warehousing (Sefan Linders)SAP HANA SQL Data Warehousing (Sefan Linders)
SAP HANA SQL Data Warehousing (Sefan Linders)Twan van den Broek
 
SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)
SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)
SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)Twan van den Broek
 
Beyond OData introducing the xmla model for ui5 (Roland Bouwman)
Beyond OData introducing the xmla model for ui5 (Roland Bouwman)Beyond OData introducing the xmla model for ui5 (Roland Bouwman)
Beyond OData introducing the xmla model for ui5 (Roland Bouwman)Twan van den Broek
 
Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)
Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)
Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)Twan van den Broek
 
SQL Data Warehousing in SAP HANA (Sefan Linders)
SQL Data Warehousing in SAP HANA (Sefan Linders)SQL Data Warehousing in SAP HANA (Sefan Linders)
SQL Data Warehousing in SAP HANA (Sefan Linders)Twan van den Broek
 
SAP Predictive Analytics (Nico van der Hoeven)
SAP Predictive Analytics (Nico van der Hoeven)SAP Predictive Analytics (Nico van der Hoeven)
SAP Predictive Analytics (Nico van der Hoeven)Twan van den Broek
 
DIR - A tribute to Standards and Guidelines... (Laurens van Rijn)
DIR - A tribute to Standards and Guidelines...  (Laurens van Rijn)DIR - A tribute to Standards and Guidelines...  (Laurens van Rijn)
DIR - A tribute to Standards and Guidelines... (Laurens van Rijn)Twan van den Broek
 
Building an innovation culture - Powered by diversity
Building an innovation culture - Powered by diversityBuilding an innovation culture - Powered by diversity
Building an innovation culture - Powered by diversityTwan van den Broek
 
SAP Leonardo / Machine Learning (Iver van de Zand)
SAP Leonardo / Machine Learning (Iver van de Zand)SAP Leonardo / Machine Learning (Iver van de Zand)
SAP Leonardo / Machine Learning (Iver van de Zand)Twan van den Broek
 
SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)
SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)
SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)Twan van den Broek
 
Masterclass Mendix (Jan Penninkhof / Twan van den Broek)
Masterclass Mendix (Jan Penninkhof / Twan van den Broek)Masterclass Mendix (Jan Penninkhof / Twan van den Broek)
Masterclass Mendix (Jan Penninkhof / Twan van den Broek)Twan van den Broek
 
Masterclass Machine Learning (Ronald Kleijn)
Masterclass Machine Learning (Ronald Kleijn)Masterclass Machine Learning (Ronald Kleijn)
Masterclass Machine Learning (Ronald Kleijn)Twan van den Broek
 
SAP Run Live Truck - SAP Cloud Platform use cases
SAP Run Live Truck - SAP Cloud Platform use casesSAP Run Live Truck - SAP Cloud Platform use cases
SAP Run Live Truck - SAP Cloud Platform use casesTwan van den Broek
 
Recap SAP Inside Track NL (sitNL)
Recap SAP Inside Track NL (sitNL)Recap SAP Inside Track NL (sitNL)
Recap SAP Inside Track NL (sitNL)Twan van den Broek
 
Welcome at SAP Inside Track NL (sitNL)
Welcome at SAP Inside Track NL (sitNL)Welcome at SAP Inside Track NL (sitNL)
Welcome at SAP Inside Track NL (sitNL)Twan van den Broek
 

Mehr von Twan van den Broek (20)

How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)
How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)
How SAP Leonardo is empowering animal wellbeing (Leon / Harmen)
 
Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)
Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)
Can you keep up with SAP Analytics Cloud? (Martijn van Foeken)
 
SAP Data Hub – What is it, and what’s new? (Sefan Linders)
SAP Data Hub – What is it, and what’s new? (Sefan Linders)SAP Data Hub – What is it, and what’s new? (Sefan Linders)
SAP Data Hub – What is it, and what’s new? (Sefan Linders)
 
SAP HANA SQL Data Warehousing (Sefan Linders)
SAP HANA SQL Data Warehousing (Sefan Linders)SAP HANA SQL Data Warehousing (Sefan Linders)
SAP HANA SQL Data Warehousing (Sefan Linders)
 
SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)
SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)
SAP analytics as enabler for the intelligent enterprise (Iver van de Zand)
 
Beyond OData introducing the xmla model for ui5 (Roland Bouwman)
Beyond OData introducing the xmla model for ui5 (Roland Bouwman)Beyond OData introducing the xmla model for ui5 (Roland Bouwman)
Beyond OData introducing the xmla model for ui5 (Roland Bouwman)
 
Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)
Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)
Integrating SAPUI5 with ArcGIS Maps (Leon van Ginneken)
 
SQL Data Warehousing in SAP HANA (Sefan Linders)
SQL Data Warehousing in SAP HANA (Sefan Linders)SQL Data Warehousing in SAP HANA (Sefan Linders)
SQL Data Warehousing in SAP HANA (Sefan Linders)
 
SAP Predictive Analytics (Nico van der Hoeven)
SAP Predictive Analytics (Nico van der Hoeven)SAP Predictive Analytics (Nico van der Hoeven)
SAP Predictive Analytics (Nico van der Hoeven)
 
Blockchain for the Enterprise
Blockchain for the EnterpriseBlockchain for the Enterprise
Blockchain for the Enterprise
 
DIR - A tribute to Standards and Guidelines... (Laurens van Rijn)
DIR - A tribute to Standards and Guidelines...  (Laurens van Rijn)DIR - A tribute to Standards and Guidelines...  (Laurens van Rijn)
DIR - A tribute to Standards and Guidelines... (Laurens van Rijn)
 
Building an innovation culture - Powered by diversity
Building an innovation culture - Powered by diversityBuilding an innovation culture - Powered by diversity
Building an innovation culture - Powered by diversity
 
SAP Leonardo / Machine Learning (Iver van de Zand)
SAP Leonardo / Machine Learning (Iver van de Zand)SAP Leonardo / Machine Learning (Iver van de Zand)
SAP Leonardo / Machine Learning (Iver van de Zand)
 
SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)
SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)
SAP TechEd recap (Ronald Konijnenburg / Sven van Leuken)
 
Masterclass Mendix (Jan Penninkhof / Twan van den Broek)
Masterclass Mendix (Jan Penninkhof / Twan van den Broek)Masterclass Mendix (Jan Penninkhof / Twan van den Broek)
Masterclass Mendix (Jan Penninkhof / Twan van den Broek)
 
Masterclass Machine Learning (Ronald Kleijn)
Masterclass Machine Learning (Ronald Kleijn)Masterclass Machine Learning (Ronald Kleijn)
Masterclass Machine Learning (Ronald Kleijn)
 
SAP Run Live Truck - SAP Cloud Platform use cases
SAP Run Live Truck - SAP Cloud Platform use casesSAP Run Live Truck - SAP Cloud Platform use cases
SAP Run Live Truck - SAP Cloud Platform use cases
 
Recap SAP Inside Track NL (sitNL)
Recap SAP Inside Track NL (sitNL)Recap SAP Inside Track NL (sitNL)
Recap SAP Inside Track NL (sitNL)
 
Welcome at SAP Inside Track NL (sitNL)
Welcome at SAP Inside Track NL (sitNL)Welcome at SAP Inside Track NL (sitNL)
Welcome at SAP Inside Track NL (sitNL)
 
Finding ABAP
Finding ABAPFinding ABAP
Finding ABAP
 

Kürzlich hochgeladen

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

sitNL Security Update from SAP TechEd 2013

  • 1. SITNL 2013: Security update SAP Teched 2013
  • 2. Agenda (Guaranteed HANA-FREE presentation)
    - Introduction
    - Update: what happened in 2013
    - SAP Teched 2013 Security topics (too many to name them all)
      - Read Access Logging
      - ABAP code scan
      - System Recommendations vs RSECNOTE
    - Some statistics
    (Creating this presentation involved shameless copying of SAP Teched materials, thank you SAP)
  • 3. Who we are… ERP Security
    - A company specialized in securing SAP infrastructures
    - Started by SAP basis specialists who are enthusiastic about platform security
    - Our team consists of experienced SAP specialists and developers with 10+ years of experience
    - We deliver SAP Security consulting services
    - In the global top 5 of SAP researching companies
  • 4. SAP Security in the spotlight: From SitNL last year…
  • 5. SAP Security in the spotlight: New this year… (Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
  • 6. Read Access Logging
    You probably knew the Security Audit Log, AIS or change documents. Where the AIS, Security Audit Log and change documents for master data all focused on CHANGE/DELETE/UPDATE actions, RAL allows you to log READ access.
  • 10. ABAP Code Scanning: The challenge…
  • 11. ABAP Code Scanning: Overview of code check tools
    - ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
    - Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
    - Extended Program Check (SLIN)
    - SAP NW add-on for code vulnerability analysis: code checks for security vulnerabilities; main focus is to analyze the data flow and user input
  • 12. ABAP Code Scanning: Overview of available checks
  • 13. ABAP Code Scanning: ABAP Code Scan (also see SIS 261)
  • 14. Solman System Recommendations: SAP Solution Manager System Recommendations
    Slow, infrequent implementation of support packages leaves systems vulnerable.
  • 15. System Recommendations: System Recommendations vs RSECNOTE
    System Recommendations:
    - Recommendations for ABAP & JAVA
    - Extra functionality like ChaRM integration
    - Complete overview based on system
    - Not only Security notes
    - Way to go
    RSECNOTE:
    - Focus on Hotnews
    - ABAP only
    - Limited functionality
    - Incomplete
    - OLDSKOOL
  • 19. Some Statistics: Preliminary research statistics on internet-connected systems; SAProuter
    After scanning the entire IPv4 range we found:
    - 7746 SAProuters connected to the internet
    - Of which almost half (3693) are UNprotected by ACL, giving access to the local intranet
    - Of the vulnerable SAProuters, most (85%) are running on Windows
    - 13 of the vulnerable SAProuters (0,35%) are located in NL
    [Chart: SAProuters found on internet: ACL protected 52%, open 48%. Open SAProuters running Windows 85%, Unix/Linux 15%]
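The "unprotected by ACL" finding on this slide comes down to a route permission table (saprouttab) that permits any source host to reach any destination. The script below is an added example, not part of the sitNL deck and not SAP's own tooling: it parses a saprouttab under simplified, stated assumptions (entries are `P`/`D`/`S <source> <dest> <service>`, the first matching entry decides, `*` matches a whole field, no match means deny; CIDR ranges and the SNC `KP`/`KD`/`KS` entries are not handled) and flags wildcard permits. The two tables, host names and addresses in it are constructed for the example. It is a static check on the file a basis administrator maintains; nothing in it contacts a router.

```python
"""Static audit of a SAProuter route permission table (saprouttab).

Added example, not from the sitNL 2013 deck. Simplifying assumptions:
  * entries look like  'P|D|S <source-host> <dest-host> <dest-service> [password]'
  * the table is evaluated top-down and the first matching entry decides
  * '*' matches an entire field; everything else must match exactly
  * a connection that matches no entry is denied
  * '#' starts a comment; CIDR ranges and SNC (KP/KD/KS) entries are not supported
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    action: str      # 'P' permit, 'D' deny, 'S' permit SAP protocol only
    source: str      # client host allowed to use the router
    dest: str        # target host behind the router
    service: str     # target port or service name
    line_no: int     # 1-based line in the table, for reporting


def parse_saprouttab(text: str) -> List[Entry]:
    """Turn saprouttab text into Entry objects; rejects malformed lines."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() not in ("P", "D", "S") or len(parts) < 4:
            raise ValueError(f"line {n}: unsupported or malformed entry: {raw!r}")
        entries.append(Entry(parts[0].upper(), parts[1], parts[2], parts[3], n))
    return entries


def _field_matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern.lower() == value.lower()


def decide(entries: List[Entry], source: str, dest: str, service: str) -> str:
    """Return the action ('P', 'S' or 'D') the table yields for one route request."""
    for e in entries:
        if (_field_matches(e.source, source)
                and _field_matches(e.dest, dest)
                and _field_matches(e.service, service)):
            return e.action
    return "D"   # assumption: no matching entry means the route is refused


def find_open_permits(entries: List[Entry]) -> List[Entry]:
    """Permit entries reachable from any source to any destination: the
    'unprotected by ACL' case, which hands an internet client the intranet."""
    return [e for e in entries
            if e.action in ("P", "S") and e.source == "*" and e.dest == "*"]


def audit(text: str) -> List[str]:
    """Human-readable findings for a saprouttab."""
    return [f"line {e.line_no}: '{e.action} {e.source} {e.dest} {e.service}' "
            f"permits any internet host to reach any internal host"
            for e in find_open_permits(parse_saprouttab(text))]


# Constructed sample: the open table behind the slide's 48% figure.
OPEN_SAPROUTTAB = """\
# constructed sample: no real ACL at all
P * * *
"""

# Constructed sample: one partner address, one target host, one dispatcher
# port, explicit deny-all at the end (RFC 5737 documentation addresses).
HARDENED_SAPROUTTAB = """\
# constructed sample: least-privilege route table
P 203.0.113.10 sapprd01.internal 3200
P 203.0.113.11 sapprd01.internal 3200
D * * *
"""

if __name__ == "__main__":
    for name, tab in (("open", OPEN_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        print(name, audit(tab) or ["no wildcard permits"])
        print("  fileserver:445 from 198.51.100.7 ->",
              decide(parse_saprouttab(tab), "198.51.100.7", "fileserver.internal", "445"))
```

Run it on a copy of the production saprouttab to see which entry an internet client would hit; with the open table every request, including one for an arbitrary internal file server, comes back permitted, while the hardened table only yields `P` for the two listed partner addresses against the one dispatcher port.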
  • 20. System Recommendations: Exploit SAP system via Internet via SAPRouter
  • 21. Some Statistics: Security vulnerabilities found by SAP vs external security researchers
    The ratio of vulnerabilities found by external researchers vs SAP internally is going up.
    Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
  • 22. Key takeaways: Summary
    - SAP security is complex, but don't let that be an excuse! Especially since SAP and external suppliers are providing more and better tools / solutions
    - Do take special care when connecting systems to the internet
    - Be aware that every aspect of an SAP infrastructure needs to be secured: application server, OS, DB, network, frontend, SoD, custom code, etc, etc…
    - PATCH! PATCH! PATCH!
    - Join & contribute! www.bizec.org
  • 24. Need more info? Contact us...
    - More information needed? See www.erp-sec.com
    - or follow @jvis / @erpsec
  • 25. Disclaimer SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.