Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber Attacks?
Virtual Forge Presentation on New Mobile Threats in the SAP Environment held at ASUG Philadelphia Chapter Meeting - September 2013

Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber Attacks? Presentation Transcript

  • 1. Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge
  • 2. Agenda
      • Mobile Trends and The New Threats
      • The Forgotten Layer
      • Benchmarks of Defects in Custom ABAP
      • What Can Go Wrong?
      • Security Standards
  • 3. Virtual Forge
      • Founded in 2001
      • CodeProfiler released 2008, SystemProfiler released 2013
      • Patented Data and Control Flow Analysis for ABAP
      • Gartner: Magic Quadrant for Application Security Testing; Leading vendor for ABAP Security; Cool Vendor 2011
      • Heidelberg, Weimar and Philadelphia
      • Experts in the field of SAP® system and application security and quality
  • 4. Agenda (section: Mobile Trends and the New Threats)
  • 5. Going Mobile ... and the Key Threats
      • Access from anywhere
      • Hostile environment (public)
      • Attractive target for attackers
      • Increased attack surface
      • Extensive access to corporate information
      • New features added daily
      Source: Dimension Research, "The impact of mobile devices on information security"
  • 6. Attack Vectors against Mobiles. Source: Fraunhofer SIT, "How Smartphones and Co. may be Cheating on you"
  • 7. Facts (McAfee Threats Report: First Quarter 2013, i.e. Q1 only!)
      • "... the total number of samples in our mobile malware 'zoo' reached 50,926, with 28 percent of that arriving in 2013"
      • "... IP addresses in the United States are again both the source and the target of most malicious network activity."
  • 8. Facts (continued)
      • Attacks on mobile devices focus either on using the mobile to steal sensitive data, or on getting access data to backend systems
      • Apple: "50% of smartphone users do not set up a passcode"
      • Phishing: "Companies from the United States are the most targeted, suffering 80 percent of all attacks." (Phishing by country)
  • 9. Agenda (section: The Forgotten Layer)
  • 10. ALL mobile apps eventually call ABAP programs. Where the data comes from (diagram): Mobile Gateway, Java Application, HTML Application, C++ Application ... all reach SAP ABAP via RFC/BAdI
  • 11. The Attack Surface of SAP: 1997
  • 12. The Attack Surface of SAP: 2002
  • 13. The Attack Surface of SAP: since 2007
  • 14. The Attack Surface of SAP: since 2011 (NetWeaver Gateway)
  • 15. The Forgotten Layer: Business Runtime (layers: Operating System, Database, Business Runtime, Business Logic)
      • SAP security must be addressed holistically
      • Business run-time apps must properly enforce business logic
      • GRC & SoD are only effective if they are enforced within the applications
  • 16. SAP System Security Tests: testing of >550 SAP systems (including some of the largest organizations of the world)
      • Over 95% of the systems analyzed were exposed to espionage, sabotage and fraud attacks
      • None of the evaluated SAP systems were fully updated with the latest SAP security patches
      • Most of these exploitable vulnerabilities have been publicly known to SAP customers for more than 5 years
      Source: Onapsis, BlackHat 2012
  • 17. Increased External SAP Access Points
  • 18. Never Trust the Other Side! - Security Paradigm
      • Unsecured devices have access to sensitive backend systems (e.g. BYOD)
      • 93% have mobile devices connected to their corporate networks
      • The attacks against mobiles continue to rise dramatically
      • 52% of large companies say cost of mobile security incidents last year exceeded $500,000
      • 45% have more than five times as many personal mobile devices as they had two years ago, a 36% increase from 2012
      • Best Practice: stringently enforce device-level security; test and validate the complete application and data processing
  • 19. "Our SAP systems are secure..."
  • 20. Agenda (section: Benchmarks of Defects in Custom ABAP)
  • 21. Source of Defects
      • Little/no technical specifications
      • Manual/basic code reviews
      • Testing focused on functional aspects
      • External/3rd party development
      • Limited/no code change monitoring
  • 22. Definitions
      • Average (Arithmetic Mean):
      • Median: the value in the middle, when the numbers are sorted. Example: 1, 2, 3, 100, 101 gives Median = 3
      • LOC = Lines of Code (without comments and empty lines); KLOC = 1 thousand LOC; MLOC = 1 million LOC
  • 23. Benchmark Data
      • As of: July 2013
      • # of Systems: 88
      • Total LOC: 156,443,087
      • Namespaces: all custom ABAP code (Y*, Z*, 3rd-party namespaces, BAdIs, ...)
      • Test Case Domains: Security, Compliance, Performance, Maintainability, Robustness
  • 24. Custom ABAP Benchmarks: Benchmark Statistics
      Metric                                                      Average     Median
      Source Code Lines (LOC, without comments and empty lines)   1,862,418   1,032,539
      Comments                                                      596,059     325,931
      Inline Comments                                               122,876      63,892
      Percentage of Comments in Analyzed Lines                          28%         28%
      Pragmas                                                         5,119       1,621
      Average Module Size (LOC)                                          53          52
  • 25. Critical Defects at the Average Customer: Benchmarks of Critical Defects
      Domain                            Average   Median   Per KLOC (Average)
      Security (Critical only)            1,475      903   0.79
      Compliance (Critical only)            270       93   0.14
      Performance (Critical only)         1,171    1,016   0.63
      Maintainability (Critical only)       415        0   0.22
      Robustness (Critical only)          1,586      427   0.85
      Reference: Source Code Lines (LOC, without comments and empty lines): Average 1,862,418, Median 1,032,539
  • 26. Critical Defects at the Average Customer
      • 1 critical security or compliance defect in every ~1,000 lines of ABAP code
      • Probabilities: ABAP Command Injection 50%; Authorization Issue 100%; Directory Traversal 93%
  • 27. Security Defects: Top 20 Test Cases
      • Missing AUTHORITY-CHECK before CALL TRANSACTION
      • Missing AUTHORITY-CHECK in Reports
      • Directory Traversal (Write Access)
      • Hard-coded SAP System ID Checks (sy-sysid)
      • Missing AUTHORITY-CHECK in RFC-Enabled Functions
      • Dangerous ABAP Commands
      • Directory Traversal (Read Access)
      • File Upload (SAP GUI)
      • Hard-coded SAP Client Checks (sy-mandt)
      • File Download (SAP GUI)
      • Generic RFC Destinations
      • OSQL Injection (Read Access)
      • Broken AUTHORITY-CHECKs
      • Generic Table Query (Write Access)
      • Generic ABAP Module Calls
      • Exposed Kernel Calls
      • Cross-Site Scripting
      • ABAP Command Injection (report)
      • ABAP Command Injection (program)
      • Hard-coded Passwords
  • 28. Agenda (section: What Can Go Wrong?)
  • 29. What Can Go Wrong? Free Benchmark Scan of Your ABAP™ Code (Security & Compliance, Data Loss Prevention, Performance, Robustness & Maintainability)
      • Summary of findings
      • Prioritization of found vulnerabilities
      • Specific examples of findings from your own code
      • Code metrics
      • Benchmark (on request)
      Register here for a free benchmark scan
  • 30. Agenda (section: Security Standards)
  • 31. Security Guidelines for SAP
      • Culture: increase awareness of the need for SAP security (for example, through workshops); provide security training (developer, administrator, user, etc.)
      • Organization: make SAP security an integral part of your corporate security strategy; develop company and partner security standards and processes that are binding!
      • Compliance: make security a prerequisite for all SAP projects; test that all delivered applications comply with security standards; add SAP security to your audit activities
  • 32. Security Guidelines for SAP (continued)
      • Technology: implement automated testing into your change control process to enable faster detection and remediation of security and quality defects
      • Cost Awareness: the earlier that defects are found, the less they cost to correct. Cost of correcting a single defect when found in: Unit testing (DEV) = $100; User Testing (QA) = $1,000; In productive system (PROD) = $10,000; After system failure, attack, ... = $??????
  • 33. Protecting Against Security Defects: BIZEC APP/11 Standard Security Tests
      ID      Vulnerability                                                     Description
      APP-01  ABAP Command Injection                                            Execution of arbitrary ABAP commands
      APP-02  OS Command Injection                                              Execution of arbitrary OS commands
      APP-03  Native SQL Injection                                              Execution of arbitrary SQL commands
      APP-04  Improper Authorization (Missing, Broken, Proprietary, Generic)    Missing or incorrect authorization checks
      APP-05  Directory Traversal                                               Unauthorized write/read access to files (SAP server)
      APP-06  Direct Database Modifications                                     Unauthorized access to SAP standard tables
      APP-07  Cross-Client Database Access                                      Cross-client access to business data
      APP-08  Open SQL Injection                                                Malicious manipulation of OSQL commands
      APP-09  Generic Module Execution                                          Unauthorized execution of modules (reports, FMs, etc.)
      APP-10  Cross-Site Scripting                                              Manipulation of the browser UI, identity theft
      APP-11  Obscure ABAP Code                                                 Hidden / untestable ABAP code
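The following ABAP is an added example, not code from the presentation or from Virtual Forge's products. It shows two of the defect classes that appear both in the Top 20 list (slide 27) and in BIZEC APP/11 (slide 33): a missing AUTHORITY-CHECK before CALL TRANSACTION (APP-04) and directory traversal on write access (APP-05), each as the vulnerable pattern next to a hardened version. The report name Z_SEC_DEMO and the logical file name Z_EXPORT_DIR are assumptions; S_TCODE, S_DATASET, FILE_GET_NAME and FILE_VALIDATE_NAME are standard SAP authorization objects and function modules.

```abap
*&---------------------------------------------------------------------*
*& Report Z_SEC_DEMO (hypothetical name, added example)
*&---------------------------------------------------------------------*
REPORT z_sec_demo.

PARAMETERS: p_tcode TYPE sy-tcode DEFAULT 'SE16',
            p_fname TYPE string LOWER CASE DEFAULT 'export.txt'.

START-OF-SELECTION.
  PERFORM call_tcode_checked USING p_tcode.
  PERFORM write_file_checked USING p_fname.

*----------------------------------------------------------------------*
* Defect: Missing AUTHORITY-CHECK before CALL TRANSACTION (APP-04).
* CALL TRANSACTION on its own does not test whether the caller holds
* S_TCODE for the target, so any user who can run this report can
* start whatever transaction the parameter names.
*----------------------------------------------------------------------*
FORM call_tcode_unchecked USING iv_tcode TYPE sy-tcode.
  CALL TRANSACTION iv_tcode.                        " vulnerable
ENDFORM.

FORM call_tcode_checked USING iv_tcode TYPE sy-tcode.
  " The caller must hold the same S_TCODE authorization it would need
  " to start the transaction directly.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD iv_tcode.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this transaction' TYPE 'E'.
  ENDIF.
  CALL TRANSACTION iv_tcode.
  " From ABAP 7.40 the addition CALL TRANSACTION ... WITH AUTHORITY-CHECK
  " performs the transaction start check itself.
ENDFORM.

*----------------------------------------------------------------------*
* Defect: Directory Traversal, write access (APP-05).
* Concatenating user input into a path lets "../" segments move the
* write outside the intended directory.
*----------------------------------------------------------------------*
FORM write_file_unchecked USING iv_fname TYPE string.
  DATA lv_path TYPE string.
  lv_path = |/usr/sap/trans/tmp/{ iv_fname }|.   " vulnerable: no validation
  OPEN DATASET lv_path FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    TRANSFER 'example' TO lv_path.
    CLOSE DATASET lv_path.
  ENDIF.
ENDFORM.

FORM write_file_checked USING iv_fname TYPE string.
  DATA: lv_path    TYPE string,
        lv_logical TYPE filename-fileintern VALUE 'Z_EXPORT_DIR'.
  " Z_EXPORT_DIR is a hypothetical logical file name, maintained in
  " transaction FILE and mapped to one fixed directory.
  CALL FUNCTION 'FILE_GET_NAME'
    EXPORTING
      logical_filename = lv_logical
      parameter_1      = iv_fname
    IMPORTING
      file_name        = lv_path
    EXCEPTIONS
      file_not_found   = 1
      OTHERS           = 2.
  IF sy-subrc <> 0.
    MESSAGE 'Logical file name not maintained' TYPE 'E'.
  ENDIF.
  " Reject any physical path that leaves the directory the logical
  " file name resolves to (e.g. one containing "../").
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = lv_logical
    CHANGING
      physical_filename          = lv_path
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.
  IF sy-subrc <> 0.
    MESSAGE 'File name rejected by validation' TYPE 'E'.
  ENDIF.
  " S_DATASET: this program, write activity (34), this physical file.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '34'
    ID 'FILENAME' FIELD lv_path.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to write this file' TYPE 'E'.
  ENDIF.
  OPEN DATASET lv_path FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    TRANSFER 'example' TO lv_path.
    CLOSE DATASET lv_path.
  ENDIF.
ENDFORM.
```

The hardened file path follows the pattern static analysis tools look for: the directory comes from configuration rather than from input, the resulting path is validated against that configuration, and an S_DATASET check ties the write to the program and the concrete file name. The unchecked forms are left in the report only so the two patterns can be compared side by side; a scan of the kind described on slide 29 would flag them.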
  • 34. LEARNING POINTS
      • Attacks on mobile devices are rising exponentially.
      • The combination of increased external (web, mobile, etc.) applications has increased the diligence required by companies to ensure that their SAP systems are safe and stable.
      • Custom ABAP and 3rd party code often have a relatively high number of defects that can introduce serious risks to your SAP production systems.
      • Manual code reviews and basic tools offer no real protection at a relatively high cost.
  • 35. RETURN ON INVESTMENT
      • Implementing automated testing into your change control process will enable faster detection and remediation of security and quality defects
      • The earlier that defects are found, the less they cost to correct. Cost of correcting a single defect when found in: Unit testing (DEV) = $100; User Testing (QA) = $1,000; In productive system (PROD) = $10,000; After system failure, attack, ... = $??????
  • 36. BEST PRACTICES
      • Enforce stringent security and quality standards for all custom and 3rd party code; add them to contracts!
      • Implement change control procedures that include automatic testing of all ABAP changes before importing to productive systems.
  • 37. Thank You! Stephen Lamy stephen.lamy@virtualforge.com +1 610 864 0261 @Virtual_Forge