Your SlideShare is downloading. ×
sitNL Security Update from SAP TechEd 2013
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

sitNL Security Update from SAP TechEd 2013


Published on

Trends, some live hacking, statistics, SAP Security topics from SAP TechEd 2013

Trends, some live hacking, statistics, SAP Security topics from SAP TechEd 2013

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. SITNL 2013 Security update SAP Teched 2013
  • 2. Agenda Guaranteed HANA-FREE presentation Introduction Update: what happened in 2013 SAP Teched 2013 Security topics (Too many to name them all) Read Access Logging ABAP code scan System Recommendations vs RSECNOTE Some statistics (Creating this presentation involved Shameless copying of SAP Teched materials, thank you SAP)
  • 3. Who we are… ERP Security • • • • • A company specialized in securing SAP infrastructures Started by SAP basis specialists who are enthusiastic about platform security Our team consists of experienced SAP specialists and developers with 10+ years of experience We deliver SAP Security consulting services In the global top 5 of SAP researching companies
  • 4. SAP Security in the spotlight From SitNL last year…
  • 5. SAP Security in the spotlight New this year… (Source:
  • 6. Read Access Logging You probably knew the Security Audit Log, AIS or change documents Where the AIS, Security Audit Log and change documents for masterdata all focused on CHANGE/DELETE/UPDATE actions, RAL allows to log READ access.
  • 7. Read Access Logging Supported Channels
  • 8. Read Access Logging Availability
  • 9. Read Access Logging Also see SIS 104
  • 10. ABAP Code Scanning The challenge…
  • 11. ABAP Code Scanning Overview of Code check Tools ABAP Test Cockpit (ATC) Central place for all check tools, exemption handling, result storage Code Inspector (SCI) Open framework for customers, partners and SAP to develop code related checks Extended Program Check (SLIN) SAP NW add-on for code vulnerability analysis Code checks for security vulnerabilities. Main focus is to analyze the data flow and user input
  • 12. ABAP Code Scanning Overview of available checks
  • 13. Abap Code Scanning ABAP Code Scan Also see SIS 261
  • 14. Solman System Recommendations SAP Solution Manager System Recommendations Slow, not frequent implementing of support packages leave systems vulnerable
  • 15. System Recommendations System Recommendations vs RSECNOTE Recommendations for ABAP & JAVA Extra functionality like ChaRM integration Complete overview based on system Not only Security notes Way to go Focus on Hotnews ABAP only limited functionality Incomplete OLDSKOOL
  • 16. System Recommendations System Recommendations overview
  • 17. System Recommendations System Recommendations overview
  • 18. System Recommendations System Recommendations Also see SIS 103
  • 19. Some Statistics Preliminary research statistics on internet connected systems; SAProuter After scanning the entire IPv4 range we found: • 7746 SAProuters connected to the internet • Of which almost half (3693) are UNprotected bij ACL, giving access to the local intranet • Of the vulnerable SAProuters, most (85%) are running on Windows • 13 of the vulnerable SAProuters (0,35%) are located in NL SAPROUTERS FOUND ON INTERNET ACL Protected 52% Open 48% Open SAProuters running Windows; 85% Open SAProuters running Unix/Linux; 15%
  • 20. System Recommendations Exploit SAP system via Internet via SAPRouter
  • 21. Some Statistics Security vulnerabilities found by SAP vs External Security Researchers The ratio of vulnerabilities found by External Researchers vs SAP internally is going up: Source:
  • 22. Key takeaways Summary • • • • • SAP security is complex, but don’t let that be an excuse ! Especially since SAP and external suppliers are providing more and better tools / solutions Do take special care when connecting systems to the internet Be aware that every aspect of an SAP infrastructure needs to be secured. Application server, OS, DB, network, Frontend, SoD, Custom Code, etc, etc… PATCH! PATCH! PATCH! Join & contribute!
  • 23. Questions? Thank you
  • 24. Need more info? Contact us... • • More information needed? See or follow @jvis / @erpsec
  • 25. Disclaimer SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.