1. Invest in security to secure investments

Securing and Assessing SAP Solutions

Alexander Polyakov, ERPScan CTO
2. About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)
3. SAP Security related costs

[Chart: components of SAP security related costs]
•  Audit related costs
•  Expenses on compliance
•  Additional security training costs
•  Losses caused by insider fraud
•  Losses caused by hackers
4. Problems

•  How to automate security checks for different landscapes?
•  How to protect ourselves from fraud?
•  How to decrease costs?
•  Where to find information about the latest threats?
5. Talks about SAP security

[Chart: number of talks about SAP security per year, 2006 to 2012; y-axis 0 to 35]

Most popular:
•  BlackHat
•  HITB
•  Troopers
•  RSA
•  Source
•  DeepSec
•  etc.
6. New threats

2007 – Architecture vulnerabilities in RFC protocol
2008 – Attacks via SAPGUI
2009 – SAP backdoors
2010 – Attacks via SAP WEB applications
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabilities in ABAP
2011 – A crushing blow in SAP J2EE engine
2012 – Vulnerabilities in SAP solutions like SOLMAN
2012 – SSRF and XML Tunneling
2012 – Diag protocol attacks; Message Server attacks
2012 – Multiple XML issues

Are you familiar with them?
7. SAP Security notes

[Chart: number of SAP Security notes per year, 2001 to 2012; y-axis 0 to 900]

By September 2012, > 2500 security notes

Only one vulnerability is enough to get access to ALL business-critical DATA
8. SAP vulnerabilities by type

[Bar chart: number of vulnerabilities per type; x-axis 0 to 350]
12 - SQL Inj
11 - BOF
10 - Denial of service
9 - Remote Code Execution
8 - Verb tampering
7 - Code injection vulnerability
6 - Hard-coded credentials
5 - Unauthorized usage of application
4 - Information Disclosure
3 - Missing Auth check
2 - XSS/Unauthorised modification of stored
1 - Directory Traversal

Stats from:
•  1Q 2012
•  1Q 2010
•  4Q 2009
9. Authentication bypass in J2EE
10. SAP on the Internet (web services)

621 SAP web services can be found on the Internet (in Germany)
11. SAP on the Internet

More than 5000 systems in the world
More than 260 in Germany, including Dispatcher, Message Server, SapHostControl, etc.
12. SAP on the Internet (Germany)

[Chart: % of companies that expose different services; y-axis 0 to 9]
•  SAP Dispatcher
•  SAP MMC
•  SAP Message Server
•  SAP HostControl
•  SAP ITS Agate
•  SAP Message Server httpd
13. Business risks

Espionage
•  Stealing financial information
•  Stealing corporate secrets
•  Stealing suppliers and customers list
•  Stealing HR data

Sabotage
•  Denial of service
•  Modification of financial reports
•  Access to technology network (SCADA) by trusted connections

Fraud
•  False transactions
•  Modification of master data
•  etc.
14. 3 areas of SAP Security

2010 – Application platform security
Prevents unauthorized access by both insiders and remote attackers
Solution: Vulnerability Assessment and Monitoring

2008 – ABAP Code security
Prevents attacks or mistakes made by developers
Solution: Code audit

2002 – Business logic security (SOD)
Prevents attacks or mistakes made
Solution: GRC
15. Solution

We did not manage to find any solution that could resolve all of these and other security problems described above, so we created one ourselves.
16. ERPScan

An innovative product for integrated assessment of SAP platform security and standard compliance. The system can monitor SAP servers for software vulnerabilities, misconfigurations, critical authorizations, code security, and it performs assessment of compliance with current standards and best practices including SAP best practices.
17. ERPScan scheme

[Diagram: JAVA; Output; Connectors; Security audit module; ABAP code scan module; Control; SOD module]
18. Multilevel security monitoring tool

[Diagram of the tool's components: ABAP code security analysis; Connectors (ABAP, JAVA); Metrics; Risk assessment; Compliance; Reports; Output interfaces; Users; Project management; Inventory; Control functions; Misconfigurations; Vulnerabilities; Critical access; Audit; ABAP code scan; Vulnerabilities; Backdoors; Efficiency; SAP Router; SOAP; HTTP; SoD; Customized critical duties; Segregation of Duties]
19. Main functions

•  Anonymous scan (pen-test)
•  System enumeration / monitoring
•  Configuration analysis
•  Search for vulnerabilities
•  Access control
•  SOD conflicts
•  ABAP code audit
•  SAP / ISACA compliance
•  Risk assessment
20. Getting better every day

More than 6400 configuration checks
More than 350 vulnerability checks
More than 100 0-day checks
More than 65 checks for ABAP source code issues

Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP and JAVA
21. ERPScan's success secret

We pay an enormous amount of attention to gaps in security so that our clients are always one step ahead of the bad guys.

ERPScan Uniqueness / Research Expertise
•  One of the first in the world to research SAP security
•  The first in the world to research SAP J2EE Engine security
•  The only solution to assess 3 tiers of SAP security
22. About us

•  Among leaders in SAP security assessment in the world since 2008
•  More than 150 SAP vulnerabilities discovered
•  More than 50 acknowledgements from SAP
•  Invited to speak and teach about SAP security at 20 key conferences worldwide, including in the USA, Europe, Asia and CEMEA, such as BlackHat, Defcon and RSA
•  Conducting SAP security workshops for the SAP Security Response Team at SAP headquarters

Leading SAP AG partner in discovering and solving security vulnerabilities
23. Contacts

Visit Booth #553

Tel: +7(812)7031547
web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com
