Assessing and Measuring Security in Custom SAP Applications

Presentation by Sebastian Schinzel at the conference Mastering SAP Technologies 2008, Goldcoast Australia

Speaker notes:
  • How attackers bring home the bacon: a method to find, analyse, and document threats to your business assets, and to measure the security of your applications
  • Normal users were falsely logged on as different users
  • SAP architectures are very complex --> people cannot grasp the architecture, and developers hold different opinions about how it works --> many forgotten legacy systems --> a lot of glue code to make legacy systems work with newer components --> a lot of customisations with zero documentation whose authors have long moved on, so nobody has in-depth knowledge; the system just works --> no need to know the system as long as it runs
  • Result?
  • Easy to fix: mitigation by changing the web server configuration
  • Meet me at the Virtual Forge booth
  • Assessing and Measuring Security in Custom SAP Applications

    1. Assessing and Measuring Security in Custom SAP Applications. Sebastian Schinzel, IT-Security Consultant, Virtual Forge GmbH
    2. Agenda
       • Common Security Vulnerabilities
       • Threat Modelling
       • Measuring security
       • How can I improve my security performance?
       • Hands-on Threat Modelling
    3. Common Security Vulnerabilities
       • News item: http://www.zdnet.com.au/news/security/soa/XSS-flaw-makes-PM-say-I-want-to-suck-your-blood-/0,130061744,339282682,00.htm
    4. Common Security Vulnerabilities
       • Cross Site Scripting (XSS): "most serious web application vulnerability" according to the OWASP Top 10
       • Learn about XSS at http://virtualforge.de/vmovie.php
       • Or meet me at the Virtual Forge booth
    5. Common Security Vulnerabilities
       • News item: http://www.theage.com.au/news/tv--radio/porn-privacy-glitches-hit-big-bro/2007/04/23/1177180548617.html
    6. Common Security Vulnerabilities
       • Vulnerabilities in the handling of user session IDs
         • Small pool of available session IDs
         • Pool got exhausted with many concurrent users
         • Users were falsely logged in as another, already logged-in user
       • Small pool of session IDs = predictable session IDs
         • Easy to find and exploit for an attacker
         • Attack easy to automate
         • Possibility of getting caught is low
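The session-ID incident on slide 6 comes down to arithmetic: with a small pool, the probability that two concurrent users receive the same ID approaches 1 long before the pool is literally exhausted. The following is an added example, not part of the presentation or of Virtual Forge's material: it computes that probability with the birthday bound, simulates a server that hands out IDs from a constructed 10,000-value pool without checking for reuse, and shows the size of pool a CSPRNG-backed generator provides. All pool sizes, user counts and the `seed` are constructed for illustration.

```python
"""Added example (not from the slides): why a small session-ID pool is a
vulnerability. Models the exhaustion/collision scenario with the birthday
bound and contrasts a constructed tiny pool with a CSPRNG-backed generator."""
import math
import random
import secrets


def collision_probability(pool_size: int, concurrent_users: int) -> float:
    """Probability that at least two of `concurrent_users` active sessions
    hold the same ID when IDs are drawn uniformly from `pool_size` values
    (the birthday bound, computed exactly as a product; fine for small pools)."""
    if concurrent_users > pool_size:
        return 1.0  # pigeonhole: the pool is exhausted, a duplicate is certain
    p_distinct = 1.0
    for i in range(concurrent_users):
        p_distinct *= (pool_size - i) / pool_size
    return 1.0 - p_distinct


def approx_collision_probability(pool_size: int, concurrent_users: int) -> float:
    """First-order birthday approximation n^2 / (2N). Accurate when n << N and
    usable for pools far too large for the exact product above."""
    return min(1.0, concurrent_users ** 2 / (2 * pool_size))


def min_id_bits(concurrent_users: int, max_probability: float) -> int:
    """Smallest session-ID length in bits so that the approximate collision
    probability among `concurrent_users` stays below `max_probability`."""
    needed_pool = concurrent_users ** 2 / (2 * max_probability)
    return math.ceil(math.log2(needed_pool))


def simulate_duplicate_logins(pool_size: int, concurrent_users: int, seed: int) -> int:
    """Constructed simulation of the incident: a server picks each new session
    ID uniformly from the pool without checking whether it is already in use.
    Returns how many users received an ID another active session already held,
    i.e. how many were effectively logged in as somebody else."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    active = set()
    duplicates = 0
    for _ in range(concurrent_users):
        session_id = rng.randrange(pool_size)
        if session_id in active:
            duplicates += 1
        else:
            active.add(session_id)
    return duplicates


def strong_session_id() -> str:
    """The fix: a CSPRNG-backed ID with 256 bits of entropy, i.e. a pool of
    2**256 values that can be neither exhausted nor guessed."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    weak_pool = 10_000  # constructed: four-digit session IDs
    print(f"10,000-ID pool, 2,000 users: P(collision) = {collision_probability(weak_pool, 2000):.6f}")
    print(f"users logged in as someone else in the simulation: {simulate_duplicate_logins(weak_pool, 2000, seed=1)}")
    print(f"bits needed for 100,000 concurrent users at p < 1e-6: {min_id_bits(100_000, 1e-6)}")
    print(f"example strong ID: {strong_session_id()}")
```

The useful defender-side number is `min_id_bits`: it turns "how many concurrent users do we expect" into the ID length a generator must provide, and any custom session handling that falls short of it is a finding regardless of whether a collision has been observed yet.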
    7. Common Security Vulnerabilities
    8. Common Security Vulnerabilities
       • Problems:
       • SAP architectures are very complex
       • You had no security incidents because...
         • ... your application landscape is secure?
         • ... you regularly pray to god?
         • ... the hacker covered their tracks?
         • ... nobody has bothered so far to look for vulnerabilities?
       • → How can you reasonably protect your business data?
    9. Agenda
       • Common Security Vulnerabilities
       • Threat Modelling
       • Measuring security
       • How can I improve my security performance?
       • Hands-on Threat Modelling
    10. Threat Modelling
       • Problem: security experts and business people speak different languages
         • Security expert: "XSS, XSRF, SQL Injection, Input Validation, Output Encoding, Encryption, ..."
         • Business people: "Return on Investment, Industrial Espionage, Risk Management, Business Assets, ..."
       • Threat Modelling creates a common language for security experts and business people
    11. Threat Modelling
       • How can you reasonably protect your business data?
       • Cost-benefit analysis from an attacker's viewpoint
       • Targets are interesting for an attacker if: cost of attack << benefit of successful attack
       • Cost: probability of getting caught, skill needed for the attack, time needed for the attack
       • Benefit: repudiation, blackmail, industrial espionage
    12. Threat Modelling
       • Determine the threats your applications face
         • List the assets of your company
         • How are these assets processed by your applications? (→ Processes)
         • Who uses the applications to work with the company's assets? (→ Actors)
    13. Threat Modelling
       • Assets
         • Employee data (e.g. SSN)
         • Customer data (e.g. credit card data)
       • Process
         • Online recruiting
         • Online shop (order form, edit customer data)
       • Actors
         • HR department
         • Customers, shipping department
    14. Threat Modelling
       • Example:
       • Asset: private data of customers (e.g. credit card data)
       • Process: a registered user edits the private data in the web form
       • Threats
         • A registered user views private data of other customers by tampering with the form's request
         • A registered user edits private data of other customers
    15. Threat Modelling
       • Add further information to the threats
         • Business impact
         • Level of exposure
         • Affected users
         • Damage potential
         • Exploitability
    16. Agenda
       • Common Security Vulnerabilities
       • Threat Modelling
       • Measuring security
       • How can I improve my security performance?
       • Hands-on Threat Modelling
    17. Measuring Security: people thinking about security
       • "Yes, others have issues, we read that in the news, but not here."
       • "We haven't been attacked so far."
       • "We use a firewall and IDS."
       • "This is a feature, not a defect!"
       • "This is the responsibility of the vendor."
       • Questions the slide sets against these statements: How do you know? What is the impact? Is that enough? How can you tell? How secure is your code?
    18. Measuring Security: another view on metrics ...
       • There is an 80% risk that a child hit by a car driving at 40 mph will be killed
       • There is an 80% chance that a child hit by a car driving at 30 mph would survive
       • People now drive slower as a result
       • A smoking ban reduces the likelihood of heart attacks ...
       • That's how security metrics should be: shaping behaviour and not just being interesting!
    19. Measuring Security: recall
       • Secure code is the real line of defence
       • Metrics should change behaviour
       • Software security metrics should lead to secure software!
       • Change the behaviour of customers, vendors, consultants, developers, ...
    20. Measuring Security
       • Different levels of measurement
    21. Agenda
       • Common Security Vulnerabilities
       • Threat Modelling
       • Measuring security
       • How can I improve my security performance?
       • Hands-on Threat Modelling
    22. How Can I Improve My Security Performance
       • Rank the entries in the threat model
         • Determine the most critical threats to your business assets
         • Determine the threats that are easy to mitigate (easy wins)
       • Perform a security assessment (external security experts)
         • Check the applications that are involved in critical threats
         • Find security vulnerabilities in those applications
         • Determine the root causes of the vulnerabilities (faulty input validation, faulty output encoding, faults in application design, misuse of frameworks and libraries)
       • Map the vulnerabilities found to the threats in the threat model
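Slides 12 to 15 describe the structure of the threat model (assets, processes, actors, threats, and the five extra attributes per threat) and slide 22 describes what is done with it: rank the entries, pick out easy wins, and map the vulnerabilities an assessment finds back to the threats. The block below is an added example that ties those steps together in code; it is not the presenter's or Virtual Forge's method. The 1..5 rating scale, the additive `risk_score`, the `mitigation_effort` field used to detect easy wins, and the sample findings `V-1` to `V-3` are assumptions made for this example; the sample threats are taken from the slides' own customer-data example plus one constructed HR entry.

```python
"""Added example (not from the presentation): a minimal threat-model register
with the slides' attributes, plus ranking, easy-win selection and mapping of
assessment findings to threats. Scale, score and effort field are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Threat:
    threat_id: str
    asset: str            # the business asset at risk
    process: str          # how the application handles the asset
    actor: str            # who works with the asset through the application
    description: str
    business_impact: int  # every rating: 1 (low) .. 5 (high), assumed scale
    exposure: int
    affected_users: int
    damage_potential: int
    exploitability: int
    mitigation_effort: int = 3  # assumed field: 1 (config change) .. 5 (redesign)
    vulnerabilities: list[str] = field(default_factory=list)

    def risk_score(self) -> int:
        """Assumed scoring: sum of the five ratings from slide 15 (5..25)."""
        return (self.business_impact + self.exposure + self.affected_users
                + self.damage_potential + self.exploitability)


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Most critical threats first; ties broken in favour of cheaper fixes."""
    return sorted(threats, key=lambda t: (-t.risk_score(), t.mitigation_effort))


def easy_wins(threats: list[Threat], max_effort: int = 2) -> list[Threat]:
    """Threats that are cheap to mitigate, still ordered by criticality."""
    return [t for t in rank_threats(threats) if t.mitigation_effort <= max_effort]


def map_vulnerabilities(threats: list[Threat], findings: list[dict]) -> dict[str, list[str]]:
    """Attach assessment findings to the threats they realise. A finding that
    names a threat missing from the model is an error worth surfacing: it
    means the model, not just the code, is incomplete."""
    by_id = {t.threat_id: t for t in threats}
    for finding in findings:
        for threat_id in finding["threats"]:
            if threat_id not in by_id:
                raise ValueError(f"finding {finding['id']} names unknown threat {threat_id}")
            by_id[threat_id].vulnerabilities.append(finding["id"])
    return {t.threat_id: list(t.vulnerabilities) for t in threats}


def root_cause_summary(findings: list[dict]) -> dict[str, int]:
    """Findings per root cause (slide 22's categories): the dominant cause
    decides what the training on slide 24 should focus on."""
    summary: dict[str, int] = {}
    for finding in findings:
        summary[finding["root_cause"]] = summary.get(finding["root_cause"], 0) + 1
    return summary


def build_sample_model() -> list[Threat]:
    """Constructed model: the slides' customer-data example plus one HR entry."""
    customer_process = "A registered user edits private data in the web form"
    return [
        Threat("T1", "Private data of customers (e.g. credit card data)", customer_process,
               "Customer", "A registered user views private data of other customers "
               "by tampering with the form's request",
               business_impact=5, exposure=4, affected_users=4, damage_potential=4,
               exploitability=4, mitigation_effort=2),
        Threat("T2", "Private data of customers (e.g. credit card data)", customer_process,
               "Customer", "A registered user edits private data of other customers",
               business_impact=5, exposure=3, affected_users=4, damage_potential=5,
               exploitability=3, mitigation_effort=2),
        Threat("T3", "Employee data (e.g. SSN)", "Online recruiting", "HR department",
               "Applicant records are readable without authentication",
               business_impact=5, exposure=5, affected_users=2, damage_potential=5,
               exploitability=2, mitigation_effort=4),
    ]


SAMPLE_FINDINGS = [  # constructed assessment results, not real findings
    {"id": "V-1", "root_cause": "faults in application design", "threats": ["T1", "T2"]},
    {"id": "V-2", "root_cause": "faulty input validation", "threats": ["T3"]},
    {"id": "V-3", "root_cause": "faulty output encoding", "threats": ["T3"]},
]


if __name__ == "__main__":
    model = build_sample_model()
    for t in rank_threats(model):
        print(f"{t.threat_id} score={t.risk_score()} effort={t.mitigation_effort}: {t.description}")
    print("easy wins:", [t.threat_id for t in easy_wins(model)])
    print("vulnerabilities per threat:", map_vulnerabilities(model, SAMPLE_FINDINGS))
    print("root causes:", root_cause_summary(SAMPLE_FINDINGS))
```

The point of the mapping step is the `ValueError`: every finding should land on a threat the business already understands, and a finding that does not is a gap in the shared vocabulary that slide 10 says threat modelling exists to create.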
    23. How Can I Improve My Security Performance
       • The aftermath:
       • Rank the vulnerabilities that were found during the assessment
         • What are the most critical vulnerabilities?
         • Which vulnerabilities are easy to fix (quick wins)?
       • Fix it!
         • Fix easy wins immediately
         • Create a plan for mitigating the most critical threats as soon as possible
       • Create a road map for security assurance
    24. How Can I Improve My Security Performance
       • The aftermath:
       • Create a road map for security assurance
         • Train software architects in secure application design
         • Train developers in secure development guidelines and best practices
         • Include regular security assessments in your development lifecycle
         • Incorporate managed security services (e.g. regular scans of the web site for trivial security vulnerabilities)
    25. Agenda
       • Common Security Vulnerabilities
       • Threat Modelling
       • Measuring security
       • How can I improve my security performance?
       • Hands-on Threat Modelling
    26. Hands-on Threat Modelling
    27. Conclusion
       • Security incidents happen regularly
       • SAP application landscapes are very complex, and thus difficult to build securely
       • Use Threat Modelling to find the risks to your assets
       • Measure security to improve security
       • Create a road map for security assurance
    28. 3 Key Points to Take Home
       • "Complexity is the worst enemy of security" (Schneier)
       • Measure security to improve security
       • Security can only be successful when it is an ongoing process. One-time efforts are not effective.
    29. Questions? Sebastian Schinzel [email_address]
