The document discusses security issues related to SAP solutions and introduces ERPScan as an innovative product to help address these issues. It notes that over 2500 security notes have been released for SAP, highlighting growing threats. ERPScan provides integrated assessment of application platform security, ABAP code security, and business logic security. It can monitor SAP servers for vulnerabilities, misconfigurations, critical authorizations, and compliance with standards. The system aims to help automate security checks and reduce costs associated with SAP security problems.
Assessing and Securing SAP Solutions
1. Invest in security to secure investments
Securing and Assessing SAP Solutions
Alexander Polyakov, ERPScan CTO
2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. SAP Security related costs
• SAP audit related costs
• Expenses on compliance
• Additional security training costs
• Losses caused by insider fraud
• Losses caused by hackers
4. Problems
• How to automate security checks for different landscapes?
• How to protect ourselves from fraud?
• How to decrease costs?
• Where to find information about the latest threats?
5. Talks about SAP security
[Chart: number of talks about SAP security per year, 2006-2012; y-axis 0 to 35]
Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
6. New threats
2007 – Architecture vulnerabilities in RFC protocol
2008 – Attacks via SAPGUI
2009 – SAP backdoors
2010 – Attacks via SAP WEB applications
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabilities in ABAP
2011 – A crushing blow in SAP J2EE engine
2012 – Vulnerabilities in SAP solutions like SOLMAN
2012 – SSRF and XML Tunneling
2012 – Diag protocol attacks; Message Server attacks
2012 – Multiple XML issues
Are you familiar with them?
7. SAP Security notes
[Chart: number of SAP security notes released per year, 2001-2012; y-axis 0 to 900]
By September 2012, > 2500 security notes
Only one vulnerability is enough to get access to ALL business-critical DATA
10. SAP on the Internet (web services)
621 SAP web services can be found on the Internet (in Germany)
11. SAP on the Internet
More than 5000 systems in the world
More than 260 in Germany, including Dispatcher, Message Server, SapHostControl, etc.
12. SAP on the Internet (Germany)
[Chart: % of companies that expose different services, 0 to 9%, for SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
13. Business risks
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers list
• Stealing HR data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trusted connections
Fraud
• False transactions
• Modification of master data
• etc.
14. 3 areas of SAP Security
2010: Application platform security
Prevents unauthorized access by both insiders and remote attackers
Solution: Vulnerability Assessment and Monitoring
2008: ABAP Code security
Prevents attacks or mistakes made by developers
Solution: Code audit
2002: Business logic security (SOD)
Prevents attacks or mistakes made
Solution: GRC
15. Solution
We did not manage to find any solution that could resolve all of these and other security problems described above, so we created one ourselves.
16. ERPScan
An innovative product for integrated assessment of SAP platform security and standards compliance. The system can monitor SAP servers for software vulnerabilities, misconfigurations, critical authorizations and code security, and it assesses compliance with current standards and best practices, including SAP best practices.
18. ABAP code security analysis
Multilevel security monitoring tool
[Diagram labels: Connectors: ABAP, JAVA; Metrics; Risk assessment; Compliance; Reports; Output interfaces; Users; Project management; Inventory; Control functions; Misconfigurations; Vulnerabilities; Critical access; Audit; ABAP code scan: Vulnerabilities, Backdoors, Efficiency; SAP Router; SOAP; HTTP; SoD: Customized critical duties, Segregation of Duties]
19. Main functions
• Anonymous scan (pen-test)
• System enumeration / monitoring
• Configuration analysis
• Search for vulnerabilities
• Access control
• SOD conflicts
• ABAP code audit
• SAP / ISACA compliance
• Risk assessment
20. Getting better every day
More than 6400 configuration checks
More than 350 vulnerability checks
More than 100 0-day checks
More than 65 checks for ABAP source code issues
Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP and JAVA
21. ERPScan's success secret
We pay a great deal of attention to gaps in security so that our clients are always one step ahead of the bad guys.
ERPScan uniqueness: research expertise
• One of the first in the world to research SAP security
• The first in the world to research SAP J2EE Engine security
• The only solution to assess 3 tiers of SAP security
22. About us
• Among the leaders in SAP security assessment in the world since 2008
• More than 150 SAP vulnerabilities discovered
• More than 50 acknowledgements from SAP
• Invited to speak and teach about SAP security at 20 key conferences worldwide (USA, Europe, Asia, CEMEA), including BlackHat, Defcon and RSA
• Conducting SAP security workshops for the SAP Security Response Team at SAP headquarters
Leading SAP AG partner in discovering and solving security vulnerabilities