Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SAP Inside Track Frankfurt 2018 #Sitfra 2018

149 views

Published on

SAP Inside Track Frankfurt 2018 #Sitfra 2018

Published in: Technology
  • Be the first to comment

  • Be the first to like this

SAP Inside Track Frankfurt 2018 #Sitfra 2018

  1. 1. The importance of applying SAP Security notes
  2. 2. Who we are WWW.PROTECT4S.COMWWW.PROTECT4S.COM “ERP-SEC works closely together with SAP to reduce risk in their customers systems. ERP-SEC was invited twice by SAP’s global security team in Walldorf to present on their ongoing SAP Security research” ERP Security • Experts in SAP Security assessments and hardening • Worldwide top 5 found SAP Security research • Regular presenters on SAP Security • Developer Protect4S • Founded in 2010 • Several business partners in BeNeLux • Our mission is to raise the level of security of mission-critical SAP platforms with a minimal impact on daily business. Affiliations: Partners:
  3. 3. The Why WWW.PROTECT4S.COMWWW.PROTECT4S.COM Introduction • SAP Security notes, patching and it’s part in securing SAP systems • People involved in patching in the room? • Results security assessments over the years • Why? Fraud Sabotage Theft
  4. 4. WWW.PROTECT4S.COMWWW.PROTECT4S.COM Something about SAP • Market leader in enterprise application software • ~ 300.000 customers worldwide • SAP customers include: – 87% of the Forbes Global 2000 companies – 98% of the 100 most valued brands • Headquarters: Walldorf, Germany, offices in more than 130 countries • Founded April 1, 1972 • Over 75.000 employees worldwide • 74% of the world’s transaction revenue touches an SAP system • Bottomline: Interesting Target! Source: http://www.sap.com/bin/sapcom/en_us/downloadasset.2016-01-jan-26-01.SAP-Corporate-Fact-Sheet-En-20160126-pdf.bypassReg.html
  5. 5. WWW.PROTECT4S.COMWWW.PROTECT4S.COM Some numbers SAP has released 4000+ security patches to date. Each month 20+ are added to that number In 2017 alone 268 Security notes were released where 44 have priority HIGH or HOTNEWS Over 90% of the SAP systems we have assessed over the past 7 years, contained vulnerabilities that could lead to a full compromise. Proper vulnerability management could have prevented this in most cases.
  6. 6. SAP Security notes WWW.PROTECT4S.COMWWW.PROTECT4S.COM 0 100 200 300 400 500 600 700 800 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Findings of SAP and external researchers resulted in many patches: > 4000 SAP SECURITY NOTES in total to date
  7. 7. Demotime – Game Over WWW.PROTECT4S.COMWWW.PROTECT4S.COM Game over… Demotime
  8. 8. Just 1 missing SAP note… WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  9. 9. Long Risk window WWW.PROTECT4S.COMWWW.PROTECT4S.COM Typically seen at customers (no joke) • Customers apply SP Stack once every year or less • Some do SAP Security notes in between • Many do not apply SAP Security notes on monthly basis • Risk-window is long; months or even years (Keep in mind: SAP Security notes are easy to Reverse Engineer)
  10. 10. Some numbers WWW.PROTECT4S.COMWWW.PROTECT4S.COM But what do they mean? • 42 • 895 Min. number of days it took SAP to fix one of our >70 reported issues Max. number of days it took SAP to fix one of our >70 reported issues
  11. 11. Long Risk window WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  12. 12. Long Risk window WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  13. 13. SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  14. 14. SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  15. 15. SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  16. 16. Patch management challenges WWW.PROTECT4S.COMWWW.PROTECT4S.COM A challenge for SAP customers • Testing • Securing SAP systems is complex and time consuming • Time-consuming task: implementing SAP Security notes • Up-to-now a manual, repetitive task • SAP notes released on a monthly base by dozens • Awareness • Time • Budget • Knowledge • ….
  17. 17. Solutions WWW.PROTECT4S.COMWWW.PROTECT4S.COM To know what SAP Security notes you are missing there are a few options: • SAP Marketplace – Security notes launchpad • SAP Solution Manager – System Recommendations • 3rd party tooling Check applicable SAP Security notes on a monthly basis and apply at least the high risk ones
  18. 18. SAP Security notes WWW.PROTECT4S.COMWWW.PROTECT4S.COM Concluding • SAP has the patches, customers need to take action • SAP Infrastructures and their security are often complex and work cannot be done manually (anymore). Automate this to be effective and efficient • 1 single missing SAP Security Note can lead to a fully compromised SAP system and all data it contains • Repetitive mitigation activities wrt SAP Security notes can be automated to some extend to save on time and money and to raise the level of security • But in order to secure SAP infrastructures do not solely focus on patching
  19. 19. Discussion WWW.PROTECT4S.COMWWW.PROTECT4S.COM Alternative solutions? The cloud? Managed cloud? SAP public cloud? ….
  20. 20. Disclaimer WWW.PROTECT4S.COMWWW.PROTECT4S.COM SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2017 ERP Security BV.
  21. 21. n WWW.PROTECT4S.COM

×