Assessing and Measuring Security in Custom SAP Applications
Presentation by Sebastian Schinzel at the conference Mastering SAP Technologies 2008, Goldcoast Australia

Speaker notes
  • How attackers bring home the bacon: a method to find, analyse and document threats to your business assets, and measure the security of your applications
  • Normal users were falsely logged on as different users
  • SAP architectures are very complex: people cannot grasp the architecture, and developers disagree about how it works; many forgotten legacy systems; a lot of glue code to make legacy systems work with newer components; a lot of customisations with zero documentation whose authors have long moved on, so nobody has in-depth knowledge; the system just works, so there is no need to know it as long as it runs
  • Result?
  • Easy to fix: mitigation by changing web server configuration
  • Meet me at the Virtual Forge booth

Transcript

    • 1. Assessing and Measuring Security in Custom SAP Applications. Sebastian Schinzel, IT-Security Consultant, Virtual Forge GmbH
    • 2.
      • Common Security Vulnerabilities
      • Threat Modelling
      • Measuring security
      • How can I improve my security performance?
      • Hands-on Threat Modelling
      Agenda
    • 3. Common Security Vulnerabilities
      • http://www.zdnet.com.au/news/security/soa/XSS-flaw-makes-PM-say-I-want-to-suck-your-blood-/0,130061744,339282682,00.htm
    • 4.
      • Cross Site Scripting (XSS) “most serious web application vulnerability” according to OWASP Top 10
      Common Security Vulnerabilities
      • Learn about XSS at http://virtualforge.de/vmovie.php
      • Or meet me at the Virtual Forge booth
    • 5. Common Security Vulnerabilities
      • http://www.theage.com.au/news/tv--radio/porn-privacy-glitches-hit-big-bro/2007/04/23/1177180548617.html
    • 6.
      • Vulnerabilities in handling of user session IDs
        • Small pool of available session IDs
        • Pool got exhausted with many concurrent users
        • Users were falsely logged in as another already logged in user
      • Small pool of session IDs = predictable session IDs
        • Easy to find and exploit for an attacker
        • Attack easy to automate
        • Possibility of getting caught is low
      Common Security Vulnerabilities
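The incident on this slide is a capacity and predictability problem at once: a small pool of session IDs runs out under load, and long before it runs out the chance that two concurrent users are handed the same ID (and so see each other's session) is already high. The following is an added example, not part of the original talk, that quantifies this with the birthday bound for a constructed pool size and user count and contrasts it with an ID drawn from a pool that cannot be exhausted. The function names and the sample values are assumptions.

```python
import math
import secrets


def collision_probability(pool_size: int, concurrent_users: int) -> float:
    """Probability that at least two of `concurrent_users` independently drawn
    session IDs coincide in a pool of `pool_size` values (birthday bound).
    Once the pool is exhausted a collision is certain."""
    if concurrent_users > pool_size:
        return 1.0
    # exact form: 1 - prod_{i<n} (N - i) / N, accumulated in log space so that
    # very large pools (2**128 and up) do not underflow to a wrong answer
    log_p_all_distinct = sum(math.log1p(-i / pool_size) for i in range(concurrent_users))
    return 1.0 - math.exp(log_p_all_distinct)


def assess_session_pool(pool_size: int, concurrent_users: int) -> dict:
    """Summarise how a session-ID scheme behaves under a given load: how many
    bits of entropy an ID carries, whether the pool runs out, and how likely
    it is that two logged-in users share an ID."""
    return {
        "id_entropy_bits": math.log2(pool_size),
        "pool_exhausted": concurrent_users > pool_size,
        "p_two_users_share_id": collision_probability(pool_size, concurrent_users),
    }


def new_session_id() -> str:
    """Constructed contrast: an ID drawn from the OS CSPRNG, 256 bits wide,
    so the pool is neither exhaustible nor guessable."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # constructed figures: a 16-bit pool under 1,000 concurrent users
    print(assess_session_pool(2 ** 16, 1_000))
    # the same load against a 128-bit pool
    print(assess_session_pool(2 ** 128, 10_000))
```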
    • 7. Common Security Vulnerabilities
    • 8.
      • Problems:
      • SAP architectures very complex
      • You had no security incidents because...
        • ... your application landscape is secure?
        • ... you regularly pray to god?
        • ... the hacker covered the tracks?
        • ... nobody bothered so far to look for vulnerabilities?
      • How can you reasonably protect your business data?
      Common Security Vulnerabilities
    • 9.
      • Common Security Vulnerabilities
      • Threat Modelling
      • Measuring security
      • How can I improve my security performance?
      • Hands-on Threat Modelling
      Agenda
    • 10.
      • Problem:
      • Security experts and business people speak different languages
        • Security expert: “XSS, XSRF, SQL-Injection, Input Validation, Output Encoding, Encryption, ...”
        • Business people: “Return of Investment, Industrial Espionage, Risk Management, Business Assets, ...”
      • Threat Modelling creates a common language for security experts and business people
      Threat Modelling
    • 11.
      • How can you reasonably protect your business data?
      • Cost-Benefit analysis from an attacker viewpoint
      • Targets are interesting for an attacker if
      • Cost of attack << Benefit of successful attack
      Threat Modelling (cost: probability of getting caught, skill needed for attack, time needed for attack; benefit: repudiation, blackmail, industrial espionage)
    • 12.
      • Determine threats your applications face
        • List the assets of your company
        • How are these assets processed by your applications? (→ Processes)
        • Who uses the applications to work with the company’s assets? (→ Actors)
      Threat Modelling
    • 13.
      • Assets
        • Employee data (e.g. SSN)
        • Customer data (e.g. Credit Card Data)
      • Process
        • Online Recruiting
        • Online shop (order form, edit customer data)
      • Actors
        • HR Department
        • Customers, shipping department
      Threat Modelling
    • 14.
      • Example:
      • Asset: Private data of customers (e.g. CC data )
      • Process: A registered user edits the private data in the web form
      • Threats
        • A registered user views private data of other customers by tampering with the form’s request
        • A registered user edits private data of other customers
      Threat Modelling
    • 15.
      • Add further information to the threats
        • Business impact
        • Level of exposure
        • Affected users
        • Damage potential
        • Exploitability
      Threat Modelling
    • 16.
      • Common Security Vulnerabilities
      • Threat Modelling
      • Measuring security
      • How can I improve my security performance?
      • Hands-on Threat Modelling
      Agenda
    • 17.
      • People thinking about security
      • “Yes, others have issues, we read that in the news – but not here.”
      • “We haven’t been attacked so far.”
      • “We use a firewall and IDS.”
      • “This is a feature, not a defect!”
      • “This is the responsibility of the vendor.”
      Measuring Security (responses: How do you know? What is the impact? Is that enough? How can you tell? How secure is your code?)
    • 18. Measuring Security
      • Another view on metrics …
        • There is an 80% risk that a child hit by a car driving at 40 mph will be killed
        • There is an 80% chance that a child hit by a car driving at 30 mph would survive
        • People now drive slower as a result
        • Smoking ban reduces likelihood of heart attacks …
      • That’s how security metrics should be: shaping behaviour and not just being interesting!
    • 19. Measuring Security
      • Recall
      • Secure code is the real line of defence
      • Metrics should change behaviour
      • Software Security Metrics should lead to secure software!
      • Change behaviour of customers, vendors, consultants, developers, …
    • 20.
      • Different levels of measurement
      Measuring Security
    • 21.
      • Common Security Vulnerabilities
      • Threat Modelling
      • Measuring security
      • How can I improve my security performance?
      • Hands-on Threat Modelling
      Agenda
    • 22.
      • Rank entries in threat model
        • Determine the most critical threats to your business assets
        • Determine threats that are easy to mitigate (easy wins)
      • Perform a security assessment (external security experts)
        • Check applications that are involved with critical threats
        • Find security vulnerabilities in those applications
        • Determine root causes of vulnerabilities (faulty input validation, faulty output encoding, faults in application design, misuse of frameworks and libraries)
      • Map found vulnerabilities to threats in the threat model
      How Can I Improve My Security Performance
    • 23.
      • The aftermath:
      • Rank the vulnerabilities that were found during the assessment
        • What are the most critical vulnerabilities?
        • What vulnerabilities are easy to fix (quick wins)
      • Fix it!
        • Fix easy wins immediately
        • Create plan about how to mitigate the most critical threats as soon as possible
      • Create road map for Security Assurance
      How Can I Improve My Security Performance
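Slides 14, 15, 22 and 23 describe one procedure: record threats per asset, attach business impact, exposure, affected users, damage potential and exploitability, rank them, single out the easy wins, and map assessment findings (with their root cause) back onto the threat model. The block below is an added example, not from the talk or from Virtual Forge, that carries that procedure through on a constructed threat model; the scoring scale, the `mitigation_effort` attribute and all sample values are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Threat:
    asset: str
    description: str
    business_impact: int     # each attribute scored 1 (low) .. 10 (high); assumed scale
    exposure: int
    affected_users: int
    damage_potential: int
    exploitability: int
    mitigation_effort: int   # assumed: 1 = trivial (e.g. configuration change) .. 10 = redesign
    findings: list = field(default_factory=list)  # assessment findings mapped onto this threat


def risk_score(t: Threat) -> float:
    """Average of the five attributes slide 15 attaches to each threat."""
    return mean([t.business_impact, t.exposure, t.affected_users,
                 t.damage_potential, t.exploitability])


def rank_threats(threats):
    """Most critical threats to the business assets first (slide 22)."""
    return sorted(threats, key=risk_score, reverse=True)


def easy_wins(threats, max_effort=3):
    """Threats that are cheap to mitigate, still in risk order (slides 22/23)."""
    return [t for t in rank_threats(threats) if t.mitigation_effort <= max_effort]


def map_findings(threats, findings):
    """Attach assessment findings (id, root cause, threat realised) to the model.
    Returns findings that match no modelled threat: those mark gaps in the model."""
    by_description = {t.description: t for t in threats}
    unmapped = []
    for f in findings:
        t = by_description.get(f["threat"])
        (t.findings if t else unmapped).append(f)
    return unmapped


# Constructed sample threat model; scores are illustrative, not the talk's figures
THREATS = [
    Threat("Customer CC data", "view other customers' data via tampered form request", 9, 8, 8, 9, 8, 4),
    Threat("Customer CC data", "edit other customers' private data", 9, 8, 8, 9, 6, 4),
    Threat("Employee data (SSN)", "session ID collision logs applicant in as another user", 7, 6, 5, 7, 7, 2),
    Threat("Public career page", "XSS injected into job search results", 5, 9, 6, 5, 8, 2),
]
FINDINGS = [  # constructed assessment output with root causes from slide 22
    {"id": "F-1", "root_cause": "missing authorisation check on record id", "threat": THREATS[0].description},
    {"id": "F-2", "root_cause": "faulty output encoding", "threat": THREATS[3].description},
    {"id": "F-3", "root_cause": "misuse of framework session API", "threat": "session fixation on login form"},
]
```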
    • 24.
      • The aftermath:
      • Create road map for Security Assurance
        • Train software architects for secure software application design
        • Train developers for security development guidelines and best practices
        • Include regular security assessments in your development lifecycle
        • Incorporate managed security services (e.g. regular scans of web page for trivial security vulnerabilities)
      How Can I Improve My Security Performance
    • 25.
      • Common Security Vulnerabilities
      • Threat Modelling
      • Measuring security
      • How can I improve my security performance?
      • Hands-on Threat Modelling
      Agenda
    • 26. Hands-on Threat Modelling
    • 27.
      • Security incidents happen regularly
      • SAP application landscapes are very complex, thus difficult to build securely
      • Use Threat Modelling to find the risks to your assets
      • Measure security to improve security
      • Create a road map for security assurance
      Conclusion
    • 28. 3 Key Points to Take Home
      • “Complexity is the worst enemy of security” (Schneier)
      • Measure security to improve security
      • Security can only be successful when it is an ongoing process. One-time efforts are not effective.
    • 29. QUESTIONS? Sebastian Schinzel [email_address]