Dr. Markus Schumacher, Virtual Forge CEO, presented at this year's SAP TechEd security risks that may arise with the introduction of new technologies based on SAP HANA. He points to 5 rules to optimally protect SAP HANA environments.

2. run your business safer
SEC 112
SAP HANA Security:
New technologies, new risks
Markus Schumacher
© 2015, Virtual Forge, Inc. All rights reserved.

3. Agenda
Virtual Forge: Who we are
Understanding HANA security
New risks in SAP HANA
5 rules to protect SAP HANA
Security, Compliance and Quality solutions

4. Virtual Forge:
Who we are

5. About Virtual Forge
Experts in SAP Security, Compliance and Quality
2001: Founded as consulting house
2008: Release of “CodeProfiler”
2013: Release of “SystemProfiler”
Patented Data and Control Flow Analysis for ABAP®
Gartner:
Magic Quadrant for Application Security Testing 2013
Named Virtual Forge the “Leading Vendor for ABAP® Security”
Cool Vendor in the SAP Ecosystem 2011

6. About Virtual Forge
The Key Benefits
Cost reduction
Automated process
leads to lower effort
and cost for:
- identifying errors
(up to 95%)
- correcting errors (up
to 70%)
- QA effort
(up to 90%)
Improved
User Experience
Our products
are seamlessly
integrated into the
SAP environment
- enables working in
a familiar
environment
- Makes work
noticeably easier
Expertise
& Experience
- more than
170 customers
- more than
1,400 customer
projects
- more than
2,000 product
installations
Independence
- active member of
the SAP community
- participating in
DSAG and ASUG
chapters
- cooperating with
global auditing firms
Industry
recognition
- admitted to the
Garter Magic
Quadrant for
Application Security
Testing (AST)
in 2013 and 2014
- Chosen as one of
the top 500 cyber
security companies
to watch in 2015

7. Trusted Advisor for Security, Compliance and Quality

8. The Virtual Forge Portfolio
Security
Compliance
Quality
Code Level System Level
Virtual Forge
Professional Services help
to improve development,
operating lifecycle and
security in SAP® standards.
Virtual Forge
SystemProfiler detects
and corrects errors in
SAP system
configurations and
avoids recurrence.
SYSTEMPROFILER
Virtual Forge
CodeProfiler pinpoints
vulnerabilities in ABAP®
program codes and
corrects errors
automatically.
CODEPROFILER PROFESSIONAL
SERVICES
Entire SAP landscape

9. Understanding
HANA security

10. HANA as a data mart
Similar to “classic” BW architecture, HANA gathers data from (several) source systems
HANA in a classic 3-tier architecture
HANA replaces regular relational database
HANA as a technical infrastructure for native applications
New business application platform (S/4 HANA)
Understanding HANA Security
HANA deployment scenarios

11. Content Considerations
Contains business critical data à espionage target
Central to business processes à sabotage target
Technology Considerations
Fraud possibilities
IT / Security has little experience with HANA
Understanding HANA Security
Why is HANA important to Hackers

12. HANA provides its own security functions
Standard security features such as authentication, user/role mgt., authorization,
encryption…
Need to be configured within HANA toolset
Other mechanisms to integrate HANA into the general security infrastructure
Includes Standard SAP administration tools, Network, OS and DB security tools, etc.
Different documents deal with HANA security, e.g. HANA security overview,
HANA security admin guide, SQLScript-Reference-guide
Understanding HANA Security
What SAP says about HANA security
Security complexity rises with SAP HANA
!

13. New risks in
SAP HANA

14. Weaknesses can include XSS, SQL
injection, Directory Traversal
Risk #1: Web Applications
SAP HANA systems can easily be found
on the Internet
Unauthorized access possible
Services can be misused
SAP HANA is still vulnerable to
typical web weaknesses

15. Be aware of risks in privileged functions,
preventing OS command execution, etc.
Risk #2: R-Serve
R is used for statistical and advanced
data analysis
SAP HANA can be connected to R-Serve
to utilize R functions
For separate hosts, remote
functions enabled

16. Make sure server-side scripting is
protected against any injection
attack
Risk #3: RAM scraping
HANA makes RAM scraping attractive
for hackers
Leaves almost no footprint
Circumvents encryption
Data on SAP HANA is not
encrypted on RAM level

17. ABAP programming needs to be
validated for weaknesses
Risk #4: Custom Development
SAP HANA applications are accessible
through browsers
ABAP is still used for HANA in a 3-tier
or data mart scenario
Increased development complexity
Web applications need to be secured at
all levels

18. Risk #5: Basis security
Reality: SAP HANA runs in parallel to
existing systems
SAP HANA includes separate security
functions
Basic security features to be considered
Increased system landscape
complexity with HANA means more
security settings to keep in mind

19. 5 rules to
protect SAP
HANA

20. Rule #1:
No surprise: User and role management
Secure standard users (SYSTEM, <sid>adm, etc.)
Restrict authorizations
Use Single Sign-On
Strong Password Policies
Extensive privileges compromise the entire system
!

21. Rule #2:
Obviously: Data encryption and security
Encrypt all sensitive data (encryption is disabled by default on SAP
HANA)
Encrypt at all levels (data at rest, secure store in the file system)
Establish key management procedures
Encryption effectively minimizes data theft
!

22. Rule #3:
Remember: Secure application development
Avoid http exposed packages
Use standard authentication methods
Follow development guidelines
Validate custom application security
Your code – your responsibility
!

23. Rule #4:
Don’t forget: Harden System settings
Ensure OS system security
Validate all other (HANA) system security settings
Secure communications for all connections
Restrict access wherever necessary
Monitor all security settings –
configuration drift is a real challenge!

24. Rule #5:
Not to mention: Enable auditing and logging
Enable audit log
Restrict audit authorizations
Secure access to audits and logs
Auditing enables a
forensic analysis in case of an attack!

25. Security,
Compliance and
Quality Solutions

26. HANA can be an attractive target for hackers
Many known and new risks apply to HANA
Web applications
R-Serve
RAM-Scraping
Custom developments
Complexity of SAP system landscapes increases with additional
HANA scenarios
For an optimal use of HANA, many settings need to be adjusted
Challenges to HANA Security & Quality

27. Optimizing ABAP code for HANA usage (CodeProfiler)
HANA Test Cases (HANA Readiness & Optimization)
Automated Correction (“Quick Fix” and Bulk)
Securing HANA configuration (SystemProfiler)
Additional platform for SystemProfiler
Test Cases, e.g. communication security, authorization, others
CodeProfiler for HANA
Eclipse and Web IDE Integration
First HANA Code Scanner ever
Virtual Forge HANA Security Suite

28. Optimizing Code for HANA

29. Hybrid Performance Analysis for HANA

30. Securing HANA configuration with SystemProfiler

31. Scanning HANA Scripts During Development (Eclipse)

32. Scanning HANA Scripts During Development (Web Editor)

33. Reporting Dashboards

34. Take action:
We evaluate the current state of your SAP environment for free
Take an instant test
Visit www.virtualforge.com
ü Summary of
findings
ü Priorization and
classification of
vulnerabilities
ü Specific examples
of findings
ü Code and system
metrics
Quality
Compliance
Security
Secure
SAP®-
systems
Risk Assessment /
Penetration Test
• SAP configuration
• Custom code
Free

35. Dr. Markus Schumacher
www.virtualforge.com
@Virtual_Forge
Thank you!
Feel free to write or call for any questions and requests35

36. Disclaimer
© 2015 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG. All other product and service
names mentioned are the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by
Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or
incomplete information in this publication. Information contained in this publication does not imply any
further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.