The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
There is a myth that SAP is not accessible and cannot be attacked from the Internet. The system becomes more and more popular, cloud services and mobile solutions appear, so more and more SAP services become accessible from the Internet.
Why are vulnerabilities which allow to read any file from SAP OS important? Because SAP stores a lot of sensitive information in files. It can be log files, traces files, some configurations or properties files. Of course, most of them have protection like encryption, but the presentation shows how you can easily bypass this encryption.
SAP Mobile infrastructure consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP's mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
There is a myth that SAP is not accessible and cannot be attacked from the Internet. The system becomes more and more popular, cloud services and mobile solutions appear, so more and more SAP services become accessible from the Internet.
Why are vulnerabilities which allow to read any file from SAP OS important? Because SAP stores a lot of sensitive information in files. It can be log files, traces files, some configurations or properties files. Of course, most of them have protection like encryption, but the presentation shows how you can easily bypass this encryption.
SAP Mobile infrastructure consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP's mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
Forgotten world - Corporate Business Application SystemsERPScan
Enterprise Resource Planning (ERP) is the collection of computers, servers and databases that store & manage:
- Human Resources information
- Inventory
- Shipping
- Procurement
- Financial, Banking & Accounting
- Payroll.
Basically, it's data the company really cares about.
ERP seemed to be a forgotten world in information security field. However, any vulnerability or compromise of these systems can cause a significant monetary loss or even stoppage of business. Although a relatively new area, during the last year there has been more awareness of security problems in ERP.
This presentation covers such parts of ERP Security as ERP Security issues, Architecture Flaws, Vulnerabilities and others.
A crushing blow at the heart of SAP’s J2EE Engine. ERPScan
Automation of business processes like ERP, PLM, CRM, SRM based on ABAP.
There are the following integration, collaboration and management based on J2EE engine:
- SAP Portal
- SAP PI
- SAP XI
- SAP Mobile Infrastructure
- SAP Solution Manager.
Administrators, developers, pentesters, and researchers mostly focus on ABAP stack. Hackers know about it, so they will find easier ways to control your business.
The presentation describes SAP J2EE Platform Architecture and provides examples of internal and external attacks and ways of its prevention.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
The presentation provides the list of top 10 SAP vulnerabilities (2011-2012) as well as ways of defense.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
Learn About the Top Oracle E-Business Suite Security VulnerabilitiesOAUGNJ
Learn about the top security risks and vulnerabilities specific to the Oracle E-Business Suite and why you should care! Whether your ERP is in the process of being implemented or has been in place for years, there are a number of security vulnerabilities commonly overlooked by implementation / support teams focused on project timing, budget, and functionality. This presentation is geared toward the end user community, system administrators, and other application support personnel and what they need to know to protect their Oracle EBS data from unauthorized access.
Amplify the participants’ overall security awareness
Share knowledge and experiences in securing Oracle EBS
Provide a detailed list of commonly overlooked security vulnerabilities, risks each pose, and how to fix or mitigate each
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
SolarWinds Federal Webinar - Maximizing Your Deployment with Appstack (Jan2016)hayesct
This live, interactive Federal webinar showed how you can complete your view of your servers, applications and infrastructure layers with the SolarWinds Application Stack Management Bundle (AppStack). This bundle integrates four SolarWinds® products- SolarWinds Server & Application Monitor, Virtualization Manager, Storage Resource Monitor, and Web Performance Monitor- to create a correlated view of the environment that depicts how application performance can be tracked from the storage layer to the application services layer, and provide a complete view of your agency’s infrastructure.
• Would you like to see how you can maximize the products you have today and get a correlated view of your servers and applications to better understand the impact of performance issues to the storage or physical server level?
• Would you like to quickly identify the root cause of your application issues within a unified dashboard?
• Would full visibility into the performance of your environment across all layers be helpful?
• Would you like to understand relationships and dependencies in your application management stack?
Our Federal Systems Engineers will demonstrate AppStack and focus on key features and use cases of interest to our federal customers. During this interactive webinar you will learn about the benefits of the AppStack integration and how the bundle can add value and maximize your SolarWinds deployment.
This webinar will cover:
• Automating application to infrastructure relationship mapping
• Drilling into performance details for troubleshooting in one click
• Solving performance problems from the web-console
• Pinpointing virtualization bottlenecks
• Multi-vendor support for applications, servers, hypervisors, and arrays
• Quickly customizing your view with filter and search capabilities
• Providing visibility to storage
• Monitoring the end-user experience
Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence is to develop applications where security controls are incorporated in development cycle and used by developers while writing their code. How can developers deliver more secure applications? What are the security techniques they can use while writing the software?
This presentation will discuss the proactive controls that will guide developers down the path of secure software. It will explore the security techniques that can be incorporated in development cycle and will provide real world examples on how to solve some of the most prevalent security problems on the internet.
Recommended to all builders and security professionals interested in incorporating security techniques as part of software development life cycle in the effort to build more secure applications.
URL: http://sched.co/A652
Staged Patching Approach in Oracle E-Business Suitevasuballa
In this session, we will deep dive into Staged Appltop Patching approach in Oracle E-Business Suite. We will learn more on how Staged Patching approach can cut down patching downtime. We will discuss the scenarios like 11i to R12 upgrades and R12 point release upgrades, where we can leverage Staged Patching approach. What is the future of Staged Patching in upcoming Release 12.2? How Online patching feature is different from Staged Patching approach ?
Forgotten world - Corporate Business Application SystemsERPScan
Enterprise Resource Planning (ERP) is the collection of computers, servers and databases that store & manage:
- Human Resources information
- Inventory
- Shipping
- Procurement
- Financial, Banking & Accounting
- Payroll.
Basically, it's data the company really cares about.
ERP seemed to be a forgotten world in information security field. However, any vulnerability or compromise of these systems can cause a significant monetary loss or even stoppage of business. Although a relatively new area, during the last year there has been more awareness of security problems in ERP.
This presentation covers such parts of ERP Security as ERP Security issues, Architecture Flaws, Vulnerabilities and others.
A crushing blow at the heart of SAP’s J2EE Engine. ERPScan
Automation of business processes like ERP, PLM, CRM, SRM based on ABAP.
There are the following integration, collaboration and management based on J2EE engine:
- SAP Portal
- SAP PI
- SAP XI
- SAP Mobile Infrastructure
- SAP Solution Manager.
Administrators, developers, pentesters, and researchers mostly focus on ABAP stack. Hackers know about it, so they will find easier ways to control your business.
The presentation describes SAP J2EE Platform Architecture and provides examples of internal and external attacks and ways of its prevention.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
The presentation provides the list of top 10 SAP vulnerabilities (2011-2012) as well as ways of defense.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
Learn About the Top Oracle E-Business Suite Security VulnerabilitiesOAUGNJ
Learn about the top security risks and vulnerabilities specific to the Oracle E-Business Suite and why you should care! Whether your ERP is in the process of being implemented or has been in place for years, there are a number of security vulnerabilities commonly overlooked by implementation / support teams focused on project timing, budget, and functionality. This presentation is geared toward the end user community, system administrators, and other application support personnel and what they need to know to protect their Oracle EBS data from unauthorized access.
Amplify the participants’ overall security awareness
Share knowledge and experiences in securing Oracle EBS
Provide a detailed list of commonly overlooked security vulnerabilities, risks each pose, and how to fix or mitigate each
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
SolarWinds Federal Webinar - Maximizing Your Deployment with Appstack (Jan2016)hayesct
This live, interactive Federal webinar showed how you can complete your view of your servers, applications and infrastructure layers with the SolarWinds Application Stack Management Bundle (AppStack). This bundle integrates four SolarWinds® products- SolarWinds Server & Application Monitor, Virtualization Manager, Storage Resource Monitor, and Web Performance Monitor- to create a correlated view of the environment that depicts how application performance can be tracked from the storage layer to the application services layer, and provide a complete view of your agency’s infrastructure.
• Would you like to see how you can maximize the products you have today and get a correlated view of your servers and applications to better understand the impact of performance issues to the storage or physical server level?
• Would you like to quickly identify the root cause of your application issues within a unified dashboard?
• Would full visibility into the performance of your environment across all layers be helpful?
• Would you like to understand relationships and dependencies in your application management stack?
Our Federal Systems Engineers will demonstrate AppStack and focus on key features and use cases of interest to our federal customers. During this interactive webinar you will learn about the benefits of the AppStack integration and how the bundle can add value and maximize your SolarWinds deployment.
This webinar will cover:
• Automating application to infrastructure relationship mapping
• Drilling into performance details for troubleshooting in one click
• Solving performance problems from the web-console
• Pinpointing virtualization bottlenecks
• Multi-vendor support for applications, servers, hypervisors, and arrays
• Quickly customizing your view with filter and search capabilities
• Providing visibility to storage
• Monitoring the end-user experience
Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence is to develop applications where security controls are incorporated in development cycle and used by developers while writing their code. How can developers deliver more secure applications? What are the security techniques they can use while writing the software?
This presentation will discuss the proactive controls that will guide developers down the path of secure software. It will explore the security techniques that can be incorporated in development cycle and will provide real world examples on how to solve some of the most prevalent security problems on the internet.
Recommended to all builders and security professionals interested in incorporating security techniques as part of software development life cycle in the effort to build more secure applications.
URL: http://sched.co/A652
Staged Patching Approach in Oracle E-Business Suitevasuballa
In this session, we will deep dive into Staged Appltop Patching approach in Oracle E-Business Suite. We will learn more on how Staged Patching approach can cut down patching downtime. We will discuss the scenarios like 11i to R12 upgrades and R12 point release upgrades, where we can leverage Staged Patching approach. What is the future of Staged Patching in upcoming Release 12.2? How Online patching feature is different from Staged Patching approach ?
Network Forensics and Practical Packet AnalysisPriyanka Aash
Why Packet Analysis?
3 Phases - Analysis, Conversion & Collection
How do we do it ?
Statistics - Protocol Hierarchy
Statistics - End Points & Conversations
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Priyanka Aash
Targeted attacks need targeted Defense
What protocol should we use for CTI information exchange?
How should we describe our indicators of compromise
Structured threat information expression (STIX)
How we can keep information within our defined trust boundaries?
Where to store IOCs?
Threat Intelligence Feeds Lifecycle
How to measure the CTI process?
EAS-SEC: Framework for securing business applicationsERPScan
For a quite long time, ERP Security was only the synonym of segregation of duties. But nowadays this situation has changed. There are 3 areas of Business Application Security such as SOD, Custom Code security and Application platform security. SAP customers are now aware of problems with SAP installations, but they still don’t know, where should they start to solve them.
The aim of EAS-SEC (http://eas-sec.org/) is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineERPScan
SAP is the most popular business application with more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usPROIDEA
Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is not enough anymore to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they have not got an access to the ERP system. In addition, it is rather common to have an unprivileged account, which give them access to the encrypted password, but not to the whole system. Sometimes they even try to break into other systems with help of the passwords, which users usually use in the systems they’ve already broken, but they can’t, because they need them to be decrypted first. Where do we find the treasured password to access the financial transactions and revenues of NASDAQ monsters?
Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext?
This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, which is more interesting, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented.
SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, Database links, SAP HANA Storage, you name it – all varieties of SAP modules will be discussed in this talk.
The increasing number of talks about SAP Security and SAP Security notes indicates that it becomes a hot topic nowadays.
The presentation describes top types of SAP vulnerabilities, the number of SAP systems available on the Internet and different risks business may face.
We did not manage to find any solution that could resolve all of these security problems described there, so we created one ourselves.
Practical pentesting of ERPs and business applicationsERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the specificity of ERP pentesting and focuses on SAP NetWeaver JAVA and Oracle PeopleSoft pentesting.
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
An increasing number of SAP Security Notes and talks on SAP Security proves that it becomes a really hot topic nowadays. However, SAP systems attacks are still believed to be available only for insiders. The reality is not so good. There are about 5000 systems including dispatchers, message servers, SapHostcontrols, Web-services on the internet.
Top 10 vulnerabilities 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, its potential business risks and the way to prevent them.
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...ERPScan
Any information an attacker might want is stored in corporate ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system, and they can cause significant reputation and financial losses to the business.
This research provides information about SSRF attacks and their classification. It also shows examples of SSRF attacks, as well as new potential and real SSRF vectors.
Architecture vulnerabilities in SAP platformsERPScan
SAP security becomes a hot theme nowadays. Attacks on SAP can put a business at risk of Espionage, Sabotage and Fraud.
The presentation covers the following architecture and unusual issues:
Authentication Bypass
1. Verb tampering
2. Invoker servlet
Encryption
3. Storage – SAPGUI
4. Authentication – P4
5. Transfer – RFC, Diag
SSRF
6. Port Scan
7. Command execution
8. Security bypass
Also, the presentation gives advice for developers and describes future trends in SAP Security area.
Thousands of security-relevant settings in a common SAP system do not make it easy to implement a comprehensive security check. Although the DSAG test guide and other standards explain what should be checked, they do not show how this can be done, and certainly not what the ideal approach is. Therefore, in this webinar we will show you how you can effectively and efficiently control the security status of your SAP ERP and S/4HANA systems and what advantages a tool-based check offers you.
Topics of focus:
• Challenges with the implementation of security guidelines
• Overview of relevant regulations
• Project methodology for a security management process
• Advantages of tool-supported checks with the SAST SUITE
• Best practice tips
-------------------------------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
SSRF vs. Business-critical applications. XXE tunneling in SAPERPScan
Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the history of SSRF attack, or Server Side Request Forgery, its types and different kinds of attacks on SAP.
Is your SAP system vulnerable to cyber attacks?Virtual Forge
This presentation was held by Stephen Lamy, Virtual Forge, at the Basis & SAP Administration 2015 Conference in Las Vegas, March 2015.
Stephen Lamy demonstrated specific risks that custom ABAP can introduce into an SAP system, and provided proven advice to minimize ABAP security risks.
Key Takeaways:
- What vulnerabilities exist in productive SAP systems, and better understand how your SAP systems can be compromised
- What are common and dangerous ABAP risks, such as directory traversal and ABAP command injection
- Best practices to develop secure and compliant ABAP code, such as implementing internal coding guidelines and standards, protecting your systems from risky third-party code, and choosing the right tools for your process
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
5. Compliance
• С чего начать
erpscan.com
ERPScan — invest in security to secure investments
5
6. Compliance
• SAP NetWeaver ABAP Security configuration
• ISACA (ITAF)
• DSAG
• BIZEC
•NIST
•SOX
•ISO
•PCI-DSS
erpscan.com
• OWASP
• WASC
• SANS 25
• CWE
ERPScan — invest in security to secure investments
6
7. SAP Security Guidelines
• Guidelines made by SAP
• First official SAP guide for technical security od ABAP stack
• Secure Configuration of SAP NetWeaver® Application Server
Using ABAP
• First version - 2010 year, version 1.2 – 2012 year
• For rapid assessment of most common technical
misconfigurations in platform
• Consists of 9 areas and 82 checks
• Ideas as a second step and give more details to some of EAS-SEC
standard areas
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
erpscan.com
ERPScan — invest in security to secure investments
7
8. SAP Security Guidelines
•
•
•
•
•
•
•
•
•
Network access control
Workstation security
Password policies
Network security
HTTP security
Unnecessary web-applications
RFC-connections
SAP Gateway security
SAP Message Server security
erpscan.com
ERPScan — invest in security to secure investments
8
9. ISACA Assurance (ITAFF)
• Guidelines made by ISACA
• Checks cover configuration and access control areas
• First most full compliance
• There were 3 versions published in 2002 2006 2009 (some areas
are outdated )
• Technical part covered less than access control and miss critical
areas
• Most advantage is a big database of access control checks
• Consists of 4 parts and about 160 checks
• Ideal as a third step and detailed coverage of access control
erpscan.com
ERPScan — invest in security to secure investments
9
10. DSAG
• Set of recommendations from Deutsche SAP Uses Group
• Checks cover all security areas from technical configuration and
source code to access control and management procedures
• Currently biggest guideline about SAP Security
• Last version in Jan 2011
• Consists of 8 areas and 200+ checks
• Ideal as a final step for securing SAP but consists of many checks
which neds additional decision making which is highly depends
on installation.
http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
erpscan.com
ERPScan — invest in security to secure investments
10
11. Итого
Либо огромные и детальные
Либо общие и ни о чем
Либо детальные но не обо всём
erpscan.com
ERPScan — invest in security to secure investments
11
12. EAS-SEC for NetWeaver (EASAI-NA)
Enterprise Application Systems Application Implementation –
NetWeaver ABAP
• Developed by ERPScan: First standard of series EAS-SEC
• Published
• Rapid assessment of SAP security in 9 areas
• Contains 33 most critical checks
• Ideal as a first step
• Also contain information for next steps
• Categorized by priority and criticality
erpscan.com
ERPScan — invest in security to secure investments
12
13. EASAI-NA-2013
Access
Criticality
% of
exploit
EASAI-NA
Easy to
vulnerable
systems
1. Lack of patch management
Anonymous
High
High
99%
2. Default Passwords for application access
Anonymous
High
High
95%
3. Unnecessary enabled functionality
Anonymous
High
High
90%
4. Open remote management interfaces
Anonymous
High
Medium
90%
5. Insecure configuration
Anonymous
Medium
Medium
90%
6. Unencrypted communication
Anonymous
Medium
Medium
80%
7. Access control and SOD
User
High
Medium
99%
8. Insecure trust relations
User
High
Medium
80%
9. Logging and Monitoring
Administrator
High
Medium
98%
erpscan.com
ERPScan — invest in security to secure investments
13
14. Lack of patch management
• [EASAI-NA-01] Component updates
• [EASAI-NA-02] Kernel updated
What next: Other components should be be updated separately –
SAP Router, SAP Gui, SAP NetWEaver J2EE, SAP BusinessObjects.
And also OS and Database.
erpscan.com
ERPScan — invest in security to secure investments
14
15. Default passwords
•
•
•
•
•
[EASAI-NA-03] Default password check for user SAP*
[EASAI-NA-04] Default password check for user DDIC
[EASAI-NA-05] Default password check for user SAPCPIC
[EASAI-NA-06] Default password check for user MSADM
[EASAI-NA-07] Default password check for user EARLYWATCH
What next: Couple of additional SAP components also use their own
default passwords. For example services SAP SDM and SAP ITS in
their old versions has default passwords. After you check all
default passwords you can start with bruteforcing for simple
passwords.
erpscan.com
ERPScan — invest in security to secure investments
15
16. Unnecessary enabled functionality
• [EASAI-NA-08] Access to RFC-functions using SOAP interface
• [EASAI-NA-09] Access to RFC-functions using FORM interface
• [EASAI-NA-10] Access to XI service using SOAP interface
What next: You should analyze about 1500 other services which are
remotely enabled if they are really needed and also disable
unused transactions, programs and reports.
erpscan.com
ERPScan — invest in security to secure investments
16
17. Open remote management interfaces
•
•
•
•
[EASAI-NA-11] Unauthorized access to SAPControl service
[EASAI-NA-12] Unauthorized access to SAPHostControl service
[EASAI-NA-13] Unauthorized access to Message Server service
[EASAI-NA-14] Unauthorized access to Oracle database
What next: Full list of SAP services you can get from document
TCP/IP Ports Used by SAP Applications .Also you should take care
about 3rd party services which can be enabled on this server.
erpscan.com
ERPScan — invest in security to secure investments
17
18. Insecure configuration
•
•
•
•
•
[EASAI-NA-15] Minimum password length
[EASAI-NA-16] User locking policy
[EASAI-NA-17] Password compliance to current standards
[EASAI-NA-18] Access control to RFC (reginfo.dat)
[EASAI-NA-19] Access control to RFC (secinfo.dat)
What next: First of all you can look at (Secure Configuration of SAP
NetWeaver® Application Server Using ABAP) document for
detailed configuration checks. Afterwards you can pass throught
detailed documents for each and every SAP service and module
http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7
f84ea514a67d628925a9/frameset.htm
erpscan.com
ERPScan — invest in security to secure investments
18
19. Access control and SOD conflicts
•
•
•
•
•
[EASAI-NA-20] Users with SAP_ALL profile
[EASAI-NA-21] Users which can run any program
[EASAI-NA-22] Users which can modify critical table USR02
[EASAI-NA-23] Users which can execute any OS command
[EASAI-NA-24] Disabled authorization checks
What next: There are at leas about 100 critical transactions only in
BASIS and approximately the same number in each other module.
Detailed information can be found in ISACA guidelines . After that
you can start with Segregation of Duties.
erpscan.com
ERPScan — invest in security to secure investments
19
20. Unencrypted connections
• [EASAI-NA-25] Use of SSL for securing HTTP connections
• [EASAI-NA-26] Use of SNC for securing SAP Gui connections
• [EASAI-NA-27] Use of SNC for securing RFC connections
What next: Even if you use encryption you should check how is it
configured for every type of encryption and for every service
because there are different complex configurations for each of
encryption type. For example latest attacks on SSL like BEAST and
CRIME require companies to use more complex SSL configuration.
erpscan.com
ERPScan — invest in security to secure investments
20
21. Insecure trusted connections
• [EASAI-NA-28] RFC connections with stored authentication data
• [EASAI-NA-29] Trusted systems with lower security
What next: Check other ways to get access to trusted systems such
as database links o use of the same OS user or just use of the
same passwords for different systems.
erpscan.com
ERPScan — invest in security to secure investments
21
22. Logging and Monitoring
•
•
•
•
[EASAI-NA-30] Logging of security events
[EASAI-NA-31] Logging of HTTP requests
[EASAI-NA-32] Logging of table changes
[EASAI-NA-33] Logging of access to Gateway
What next: There are about 30 different types of log files in SAP. The next
step after properly enabling main of them you should properly configure
complex options such as what exact tables to monitor for changes, what
kind of events to analyze in security events log, what types of Gateway
attacks should be collected and so on. Next step is to enable their
centralized collection and storage and then add other log events.
erpscan.com
ERPScan — invest in security to secure investments
22
23. Дальше
• Создана общая структура
• Написан пилотный Compliance для ABAP
• В планах выпустить подобные Compliance для других бизнесприложений
• Распространить информацию
• Перевести ресурс на отдельную платформу
• Привлечь больше контрибьютеров
• Особенно по тем приложениям которые мы мало знаем
erpscan.com
ERPScan — invest in security to secure investments
23
25. Ничего не забыли?
•
•
•
•
Бизнес-приложения постоянно дорабатываются
Нельзя смотреть только на конфигурацию
Необходим анализ доработок
То есть анализ исходного кода
• Что искать?
erpscan.com
ERPScan — invest in security to secure investments
25
26. Развитие идеи
• OWASP – только веб, тока 10
• WASC – только веб
• CWE – слишком мудрёно
• BIZEC – вот, вот, почти то, но, нет.
– потому что только ABAP, и только уязвимости но не категории
• EAS-SEC (EASAD) – похоже на то что надо
erpscan.com
ERPScan — invest in security to secure investments
26
27. Source code review
• EASAD-9
• Enterprise Application Systems Application Development
• 9 areas or source code issues for business languages
• Universal categories for different languages and systems
(SAP,Oracle,Dynamix,1C,Any other)
• Categorized based on criticality and probability of
exploitation
erpscan.com
ERPScan — invest in security to secure investments
27
28. EASAD - 9 categories
Access
Criticality
% of
exploit
EASAD
Easy to
vulnerable
Code injections
Anonymous
High
High
systems
99%
Critical calls
Anonymous
High
High
95%
Missing authorization checks
Anonymous
High
High
90%
Path traversal
Anonymous
High
Medium
90%
Backdoors
USER
Medium
Medium
90%
Modification of displayed content
Anonymous
Medium
Medium
80%
Covert channels
User
High
Medium
99%
Information disclosure
User
High
Medium
80%
Obsolete statements
Administrator
High
Medium
98%
erpscan.com
ERPScan — invest in security to secure investments
28
29. 1. Injections
• SQL Injections
• ABAP Injections
• OS Command Injections
erpscan.com
ERPScan — invest in security to secure investments
29
31. 3. Missing auth checks
erpscan.com
ERPScan — invest in security to secure investments
31
32. 4. Path Traversal (ABAP)
• ????? Open datdaset
erpscan.com
ERPScan — invest in security to secure investments
32
33. 5. Backdoors in source code (SAP)
erpscan.com
ERPScan — invest in security to secure investments
33
34. 6. Unauthorized modification of displayed
content (Peoplecode)
• XSS
• HTML Injection
• ….
erpscan.com
ERPScan — invest in security to secure investments
34
35. 7. Covert channels (1C)
erpscan.com
ERPScan — invest in security to secure investments
35
36. Преимущества
• Любое сомописное приложение
• На любом языке
• Под любую платформу
• Легко мапится на перечисленные категории
•
Которые отсортированы по критичности
erpscan.com
ERPScan — invest in security to secure investments
36
Editor's Notes
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию
Тут тоже картинка в виде пирамидыобрушивающейся на компанию