…Your SAP/Oracle Landscape Security Assurance
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner, Inc., 2012
Critical Application Risks (Cyber, Legal, Operational) in Commercial Software vs Open Source
www.deltagricconsulting.com
© 2015 DeltaGRiC Consulting (Pty) ltd. All Rights Reserved.
Who am I?
DeltaGRiC Consulting is the first, and so far the only, consultancy in the SAP Africa ecosystem that focuses on helping organizations detect cyber security risks and compliance violations affecting SAP and Oracle (PeopleSoft) business platforms, using the ERPScan Monitoring Suite exclusively.
We are an SAP Open Ecosystem Partner; we design, implement, support and audit SAP solutions.
• Consulting Partner, DeltaGRiC Consulting – leading consultancy in the SAP Africa ecosystem, focusing on mitigating cyber risk and compliance violations in SAP-run organizations
• Enterprise application security enthusiast/evangelist – focused on SAP and open source software
• Delivered the first SAP cybersecurity project on the African continent – RSSC, Swaziland
• Opinion pieces on SAP security and OSS security matters (Times News)
• Advocate of the view that compliance is only a check in the box and does NOT really mitigate the actual security risks
• Participated in curriculum content development for the Graduate Program in Cyber Security & Intelligence at the Ontario College of Management and Technology, Canada (OCMT)
• I am not an expert! I know one thing: that I know nothing … Apology 29d, Socrates
Executive Summary
The widespread myth that ERP security is limited to the SoD matrix has been dispelled and now looks more like an ancient legend. Within the last 7 years SAP security experts have spoken a great deal about attacks on SAP through the RFC interface, SAProuter, SAP web components and SAP GUI client workstations. In addition, programs written in SAP’s own language, ABAP, which almost every company uses to customize its ERP solution, can contain vulnerabilities left by unqualified developers, or deliberate backdoors that help insiders gain illicit access to business data. Interest in the topic has grown exponentially: in 2007 there was one report on SAP at the technical conferences dedicated to hacking and security, whereas in 2012 there were already more than 30. A variety of hack tools has been released that prove the feasibility of SAP attacks and simplify them for cybercriminals.
According to vulnerability statistics for business applications, more than 100 vulnerabilities were patched in SAP products in 2009, growing to more than 500 in 2010. By January 2013 there were more than 2,500 SAP security notes addressing vulnerabilities in various SAP components. Today the total number of SAP security notes exceeds 3,300.
Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data, so it is necessary to implement a dedicated SAP security program. Unfortunately, many information security officers are scarcely informed about the security of business applications like SAP and Oracle.
A SAP Story
SAP / Hadoop / Oracle / Microsoft / Odoo / *&^$#
 The widespread myth that business-critical application security, especially for ERP, is limited to the SoD matrix has been dispelled.
 Application languages come in various flavours – ABAP, C#, C++, Java – and custom code exists in almost every company. All too often it contains vulnerabilities left by unqualified developers, or deliberate backdoors that help insiders gain illicit access to business data.
 Of all the recorded cyber breaches that occurred in 2015, 50% were attributed to the application layer. A variety of hack tools has been released that prove the feasibility of SAP attacks and simplify them for cybercriminals.
 Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data, so it is necessary to implement a dedicated SAP security program. Unfortunately, many information security officers are scarcely informed about the security of business applications like SAP and Oracle.
Commercial vs Open Source: Application Security Trends
(Chart.) Credits: Alexander Polyakov, ERPScan research, RSA Conference 2014
A deep dive into why SAP
 Why SAP?
 SAP holds the corporate 'Crown Jewels':
 * 290,000 corporate customers, including 87% of the Global 2000 and 98% of the most valued brands
 * SAP touches 74% of all global transactions and US$16 trillion of retail sales
 ...and this data and information is of interest and real value to:
 criminal hackers and activists; competitors, partners and nation states;
 unhappy employees and contractors
Protecting your Enterprise (SAP and Open Source Business-Critical Applications) from Cyber-Attacks
Three areas of SAP security:
1. Business logic: SoD, access controls, insiders
2. Source code security: developer mistakes or even deliberate sabotage, insiders
3. Application platform security: external, over the network; hackers, web services, mobility, partner portals, etc.
Open source security:
1. The open source debacle: Gartner finds that 95% of mission-critical applications contain open source, BUT how do we identify and inventory the open source software present in those applications?
SAP Cyber Security: Myth or Reality? It is what it is.
Associated Challenges: SAP Security Problems
SAP cyber-security gap
Management often has a false sense of confidence that SAP is covered, while cybersecurity teams feel they have little or no visibility into SAP. The gap is made more ambiguous by asset-mapping problems: it is frequently unclear which systems house the “crown jewels”, and therefore whether those systems are being secured on a daily basis.
SAP patch management debacle
On average, companies are working with an 18-month window of vulnerability. This window runs from the time a vulnerability is found, to when a patch is issued by SAP, to when the organization itself finally deploys it. Deployment is still the biggest problem organizations face. SAP has issued over 3,300 patches in total, 391 of them in 2014 alone, that is, 30+ per month on average. With approximately 46% of patches ranked as “critical”, it is difficult for an organization to prioritize its patching without disrupting the business.
Misconfiguration
Companies have a very difficult time keeping track of how systems are configured, let alone understanding their entire SAP landscape. An organization’s “crown jewels” reside within SAP, and misconfigured SAP systems and portals are open targets for any adversary. Even if systems have the latest patch installed, a misconfiguration can allow attackers to access key information and business processes. In most cases, an attacker’s presence will go unnoticed for months.
HANA / IoT
Organizations are moving to HANA, the new de-facto database server for new SAP solutions. This changes everything: organizations can no longer view SAP as a “legacy” system. Organizations have also been told that with HANA they will be more secure; the fact is that since 2014 there has been a 450% increase in new security patches, 82% of them considered “high priority”. Additionally, as organizations extend their SAP systems with rapid application development, mobile deployments and a multitude of connected devices (think vending machines, water meters, etc.) reaching SAP via open APIs, the SAP attack surface is expanding rapidly, and with it the complexity of managing security risk.
Possible Exposed SAP Servers in Africa
South Africa, Kenya, Nigeria
ShodanHQ search: SAP
Google search: SAP inurl:cmd=login
Google search: peoplesoft inurl:cmd=login
Our findings (May 2015):
• Close to 200 SAProuters were found on Shodan, and 72% of them were vulnerable to remote code execution
• The most popular release (35%) is still NetWeaver 7.0, which was released in 2005
• One third of Internet-facing SAP web services do not use SSL/TLS at all
• A major bank in Africa, a major airline in Africa, a government portal and an automotive company were vulnerable
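An added example (not code from this deck, from ERPScan or from Shodan) of how to triage the kind of records such searches return. It assumes banner-style input with host, port, transport, HTTP Server header and URL path, the shape a Shodan export or your own external scan produces; every record below is constructed with reserved example hostnames, and the "old release" threshold of NetWeaver 7.3 is an assumption of the example, not an SAP support statement:

```python
"""Triage of Internet-exposed SAP and PeopleSoft services from scan records.

Added example; not code from the deck, from ERPScan or from Shodan. It
fingerprints banner-style records (host, port, transport, HTTP Server header,
URL path) and flags the conditions the slide reports: SAP web services on
plain HTTP, old NetWeaver releases and SAProuter reachable from the Internet.
All records are constructed; hostnames are reserved example names.
"""
import re
from collections import Counter

SAPROUTER_PORT = 3299  # SAProuter's default TCP port
# Matches e.g. "SAP NetWeaver Application Server / ABAP 700" and
# "SAP NetWeaver Application Server 7.40 / AS Java 7.40".
NETWEAVER_RE = re.compile(
    r"SAP NetWeaver Application Server(?:\s+[\d.]+)?\s*/\s*(ABAP|AS Java)\s+([\d.]+)", re.I)
# Assumption for this example: anything below NetWeaver 7.3 is flagged as old.
OLD_RELEASE_BELOW = 7.3


def normalize_release(text):
    """'700' -> 7.0, '731' -> 7.31, '7.40' -> 7.4 (SAP writes releases both ways)."""
    return float(text) if "." in text else int(text) / 100


def fingerprint(rec):
    """Classify one scan record and return (product, release, flags)."""
    flags = set()
    server = rec.get("server") or ""
    path = rec.get("path") or ""

    if rec["port"] == SAPROUTER_PORT:
        flags.add("SAPROUTER_EXPOSED")
        return "SAProuter", None, flags

    m = NETWEAVER_RE.search(server)
    if m:
        product = f"SAP NetWeaver {m.group(1)}"
        release = normalize_release(m.group(2))
        if release < OLD_RELEASE_BELOW:
            flags.add("OLD_RELEASE")
        if "/sap/bc/gui/sap/its/webgui" in path:
            flags.add("WEBGUI_EXPOSED")  # SAP GUI for HTML reachable from outside
    elif "cmd=login" in path:  # the PeopleSoft login URL the Google dork finds
        product, release = "PeopleSoft (login page)", None
        flags.add("LOGIN_PAGE_EXPOSED")
    else:
        return "unknown", None, flags

    if rec.get("transport") == "http":
        flags.add("NO_TLS")
    return product, release, flags


def summarize(records):
    """Aggregate per-record results the way the slide reports them."""
    results = [(r["host"], *fingerprint(r)) for r in records]
    web = [r for r in results if r[1] not in ("SAProuter", "unknown")]
    no_tls = [r for r in web if "NO_TLS" in r[3]]
    releases = Counter(rel for _, prod, rel, _ in results if prod == "SAP NetWeaver ABAP")
    return {"results": results, "web_services": len(web),
            "no_tls": len(no_tls), "abap_releases": releases}


# Constructed scan records (reserved example hostnames, default SAP ports).
RECORDS = [
    {"host": "erp.example.com", "port": 8000, "transport": "http",
     "server": "SAP NetWeaver Application Server / ABAP 700",
     "path": "/sap/bc/gui/sap/its/webgui"},
    {"host": "portal.example.net", "port": 50001, "transport": "https",
     "server": "SAP NetWeaver Application Server 7.40 / AS Java 7.40",
     "path": "/irj/portal"},
    {"host": "router.example.org", "port": 3299, "transport": "tcp",
     "server": "", "path": ""},
    {"host": "hr.example.com", "port": 80, "transport": "http",
     "server": "Apache", "path": "/psp/ps/?cmd=login"},
    {"host": "fiori.example.com", "port": 44300, "transport": "https",
     "server": "SAP NetWeaver Application Server / ABAP 750",
     "path": "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"},
]

if __name__ == "__main__":
    s = summarize(RECORDS)
    for host, product, release, flags in s["results"]:
        print(f"{host:22} {product:26} {release or '-':>5} {sorted(flags)}")
    print(f"{s['no_tls']}/{s['web_services']} SAP/PeopleSoft web services without TLS")
    print("ABAP releases seen:", dict(s["abap_releases"]))
```

Run against a real export, the interesting output is not the flags on one host but the aggregate: which releases dominate, how many services speak plain HTTP, and whether a SAProuter answers at all, which is exactly the shape of the findings listed above.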
Continuous public publishing of vulnerabilities by global security researchers, BUT no pentest information is available to go with them. CVE? CVSS?? Risk prioritization.
• CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
• CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.
Why would people want to attack my system? SAP, PeopleSoft
PeopleSoft Cyber Security: Myth or Reality? It is what it is.
Continuous Monitoring Solution for SAP
Vulnerability Management
Conducts complex security assessments, scanning SAP servers for software vulnerabilities and misconfigurations. It also assesses compliance with current standards and best practices, including SAP best practices and ISACA guidelines.
The compliance block includes:
1. DSAG compliance guideline
2. OWASP-EAS for SAP guideline
3. Password brute force
4. Black-box pentest
5. White-box security assessment
Segregation of Duties
With the help of this module it is easy to find users who have the rights to execute critical actions that can lead to fraud.
It retrieves the history of executed transactions to understand whether access is really needed by a user. This makes it easy to remove up to 70% of users who do not need a specific kind of access.
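An added example (not the deck's or ERPScan's code) of the two checks just described, run on constructed data: the roles, users, SoD ruleset and transaction history are made up for the example, and the transaction codes are real SAP tcodes used only as labels. The ruleset is a three-rule illustration, not a complete SoD matrix:

```python
"""Segregation-of-duties conflicts and usage-based access pruning.

Added example; not the deck's or ERPScan's code. It models the two checks the
slide describes: which users hold combinations of critical transactions that
together enable fraud, and which granted roles have never been used and can be
removed. Roles, users, the SoD ruleset and the transaction history are
constructed; the transaction codes are real SAP tcodes used as labels.
"""
from collections import defaultdict
from datetime import date, timedelta

# Role -> transaction codes it grants (FK01/FK02 vendor master, F-53/F110
# outgoing payments, ME21N/ME22N purchase orders, MIGO goods receipt,
# SU01/PFCG user and role maintenance).
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_PURCHASING": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_BASIS_USERS": {"SU01", "PFCG"},
}

USER_ROLES = {
    "alice": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},  # can create a vendor and pay it
    "bob": {"Z_PURCHASING", "Z_WAREHOUSE"},           # can order goods and book receipt
    "carol": {"Z_PURCHASING"},
    "dave": {"Z_BASIS_USERS", "Z_AP_PAYMENTS"},       # admin who can also pay
}

# SoD rules: (name, left-hand critical actions, right-hand critical actions).
# Holding at least one tcode from each side is a conflict.
SOD_RULES = [
    ("maintain vendor master + post payments", {"FK01", "FK02"}, {"F-53", "F110"}),
    ("create purchase order + post goods receipt", {"ME21N"}, {"MIGO"}),
    ("maintain users + post payments", {"SU01"}, {"F-53", "F110"}),
]

# Executed-transaction history (what STAD/ST03N would give you): (user, tcode, date).
TODAY = date(2016, 8, 18)
USAGE_LOG = [
    ("alice", "FK01", TODAY - timedelta(days=3)),
    ("alice", "F110", TODAY - timedelta(days=10)),
    ("bob", "ME21N", TODAY - timedelta(days=1)),
    ("carol", "ME21N", TODAY - timedelta(days=400)),  # outside the one-year window
    ("dave", "SU01", TODAY - timedelta(days=2)),
]


def effective_tcodes(user, user_roles=USER_ROLES):
    """All transaction codes a user can run through the roles assigned."""
    codes = set()
    for role in user_roles.get(user, set()):
        codes |= ROLE_TCODES.get(role, set())
    return codes


def sod_conflicts(user_roles=USER_ROLES):
    """{user: [names of violated rules]} for users holding both sides of a rule."""
    findings = {}
    for user in user_roles:
        codes = effective_tcodes(user, user_roles)
        hits = [name for name, left, right in SOD_RULES if codes & left and codes & right]
        if hits:
            findings[user] = hits
    return findings


def unused_access(usage_log=USAGE_LOG, lookback_days=365, today=TODAY):
    """{user: {role: tcodes}} for roles of which the user ran nothing in the window."""
    cutoff = today - timedelta(days=lookback_days)
    used = defaultdict(set)
    for user, tcode, when in usage_log:
        if when >= cutoff:
            used[user].add(tcode)
    result = {}
    for user, roles in USER_ROLES.items():
        for role in sorted(roles):
            if not ROLE_TCODES[role] & used[user]:
                result.setdefault(user, {})[role] = set(ROLE_TCODES[role])
    return result


def conflicts_after_pruning():
    """Re-run the SoD check as if every never-used role were removed: the
    conflicts that disappear are free wins, the rest need a real redesign."""
    unused = unused_access()
    trimmed = {user: roles - set(unused.get(user, {})) for user, roles in USER_ROLES.items()}
    return sod_conflicts(trimmed)


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts())
    print("never-used roles:", unused_access())
    print("conflicts left after pruning:", conflicts_after_pruning())
```

The last function is the practical point of combining the two checks: dave's and bob's conflicts vanish simply by removing roles they never use, while alice actively exercises both sides of hers, so that one needs a process change or a mitigating control, not a cleanup.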
Source Code Security
A SAST tool developed especially for the ABAP language, able to find critical issues and backdoors in custom source code. It ships with predefined check lists for different business areas such as BASIS, HR and FI, and you can also define your own lists.
Identification of backdoors: scanning of transport requests, development requests and dictionary objects.
SAP security covered: vulnerability management, source code security, SoD.
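An added example of the pattern matching behind such a source code scanner; it is not the deck's code and not the ERPScan engine. The rule ids and both ABAP programs are constructed for illustration, while the statements they contain (the sy-uname check, CALL 'SYSTEM', GENERATE SUBROUTINE POOL, dynamic WHERE clauses, commented-out AUTHORITY-CHECK) are real ABAP constructs that reviewers look for:

```python
"""Minimal ABAP static scan for backdoor and injection patterns.

Added example; not the deck's code and not ERPScan's SAST engine. It shows the
kind of pattern a custom-code scanner looks for: user-specific logic keyed on
sy-uname, commented-out AUTHORITY-CHECKs, OS command execution through the
kernel call CALL 'SYSTEM', runtime program generation, and dynamic WHERE
clauses. Rule ids and the two ABAP programs are constructed for the example;
the ABAP statements themselves are real language constructs.
"""
import re

RULES = [
    ("BD-001", "HIGH", re.compile(r"\bsy-uname\s*(=|EQ|<>|NE)\s*'[^']+'", re.I),
     "hard-coded comparison against sy-uname: user-specific behaviour is a classic backdoor"),
    ("BD-002", "HIGH", re.compile(r"\bCALL\s+'SYSTEM'", re.I),
     "kernel call CALL 'SYSTEM' runs OS commands on the application server"),
    ("BD-003", "HIGH", re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I),
     "program generated at runtime: code can be injected after review"),
    ("INJ-001", "MEDIUM", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I),
     "dynamic WHERE clause: verify the variable is escaped (cl_abap_dyn_prg) or whitelisted"),
    ("INJ-002", "MEDIUM", re.compile(r"\bEXEC\s+SQL\b", re.I),
     "native SQL bypasses Open SQL checks and automatic client handling"),
]
COMMENTED_AUTH_CHECK = re.compile(r"^\*.*\bAUTHORITY-CHECK\b", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)
DB_ACCESS = re.compile(r"\b(SELECT|UPDATE|DELETE|MODIFY|INSERT)\b", re.I)


def code_part(line):
    """Executable part of an ABAP line: '' for a full-line comment (asterisk in
    column 1); an inline comment starts at a double quote outside a literal."""
    if line.startswith("*"):
        return ""
    out, in_literal = [], False
    for ch in line:
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            break
        out.append(ch)
    return "".join(out)


def scan(source):
    """Findings as dicts {line, rule, severity, message}; line 0 is a whole-program finding."""
    findings = []
    has_auth_check = touches_db = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        if COMMENTED_AUTH_CHECK.search(raw):
            findings.append({"line": lineno, "rule": "AUTH-002", "severity": "HIGH",
                             "message": "AUTHORITY-CHECK commented out: the check was removed, not fixed"})
        code = code_part(raw)
        if not code.strip():
            continue
        has_auth_check |= bool(AUTH_CHECK.search(code))
        touches_db |= bool(DB_ACCESS.search(code))
        for rule_id, severity, pattern, message in RULES:
            if pattern.search(code):
                findings.append({"line": lineno, "rule": rule_id, "severity": severity, "message": message})
    if touches_db and not has_auth_check:
        findings.append({"line": 0, "rule": "AUTH-001", "severity": "HIGH",
                         "message": "program reads or writes database tables without any AUTHORITY-CHECK"})
    return sorted(findings, key=lambda f: f["line"])


# Constructed custom program with a support backdoor and the check disabled.
SUSPICIOUS = """\
REPORT z_vendor_payment.
PARAMETERS p_bukrs TYPE bukrs.
PARAMETERS p_cmd TYPE c LENGTH 255.
DATA lv_where TYPE string.
* AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
*   ID 'BUKRS' FIELD p_bukrs
*   ID 'ACTVT' FIELD '03'.
IF sy-uname = 'ZSUPPORT'.
  lv_where = |BUKRS = '{ p_bukrs }'|.
  SELECT * FROM bkpf INTO TABLE @DATA(lt_bkpf) WHERE (lv_where).
ENDIF.
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
"""

# Constructed clean counterpart: active authority check, static WHERE clause.
CLEAN = """\
REPORT z_vendor_report.
PARAMETERS p_bukrs TYPE bukrs.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'Not authorized'.   " stop here, never fall through
ENDIF.
SELECT * FROM bkpf INTO TABLE @DATA(lt_bkpf) WHERE bukrs = @p_bukrs.
"""

if __name__ == "__main__":
    for f in scan(SUSPICIOUS):
        print(f'line {f["line"]:2}  {f["rule"]:8} {f["severity"]:6} {f["message"]}')
    print("clean program findings:", scan(CLEAN))
```

Regex rules like these catch the obvious cases and are cheap to run on every transport request; they do not understand data flow, so the dynamic WHERE finding is a prompt to read the code, not a confirmed injection. The whole-program AUTH-001 check is the one that most often matters in practice: a report that queries company-code data with no authority check at all.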
Open source has passed the tipping point
“By 2016, Open Source Software will be included in mission-critical applications within 99% of Global 2000 enterprises.” 50% will face problems because of no policy.
(Chart: Open Source as % of G2000 codebase, 2010 / 2014 / 2018; data labels shown 10%, 30%, 80%.) Reference: Gartner, Inc.
How pervasive is open source?
• >98% of the applications tested used open source
• On average, open source comprised over 30% of the code base
(Chart: composition of software tested across 1,400 Black Duck customers, open source vs custom code.) Reference: Black Duck Software audits
How open source enters a codebase
Open source code is introduced in many ways and absorbed into the final, delivered code:
• Internally developed code
• Outsourced code
• Legacy code
• Reused code / containers
• Supply chain code
• Third-party commercial code
Open source: easy targets
• Easy access to code
• Vulnerabilities are public
• Exploits readily available
• Used everywhere
Who’s responsible for security?
Commercial code:
• Dedicated security researchers
• Alerting and notification infrastructure
• Regular patch updates
• Dedicated support team with SLA
Open source code:
• “Community”-based code analysis
• Monitor newsfeeds yourself
• No standard patching mechanism
• Ultimately, you are responsible
WHAT DO THESE VULNERABILITIES HAVE IN COMMON?
                 Since    Discovered   Component       Discovered by
Heartbleed       2011     2014         OpenSSL         Riku, Antti, Matti, Mehta
Shellshock       1989     2014         Bash            Chazelas
Freak            1990’s   2015         OpenSSL         Beurdouche
Ghost            2000     2015         GNU C library   Qualys researchers
Venom            2004     2015         QEMU            Geffner
Increasing number of OSS vulnerabilities
(Chart: open source vulnerabilities reported per year, 2000 to 2015, scale 0 to 3,500; series: NVD and VulnDB-exclusive.) Reference: Black Duck Software knowledgebase, NVD, VulnDB
Automated tools miss most open source vulns
Of all possible security vulnerabilities, only a subset is identifiable with static analysis and another subset with dynamic analysis: SAST and DAST only discover common vulnerabilities, and the undiscovered ones are too complex and nuanced. Of the 3,000+ disclosed in 2014, <1% were found by automated tools.
How are companies addressing this today? Not well.
Manual tabulation
• Architectural review board
• At end of SDLC
• High effort and low accuracy
• No controls
Spreadsheet-based inventory
• Dependent on developer best effort or memory
• Difficult maintenance
• Not a source of truth
Tracking vulnerabilities
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Must match applications, components and versions with vulnerabilities
Vulnerability detection
• Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
A solution to this problem would include these components:
1. Choose open source: proactively choose secure, supported open source
2. Inventory open source: maintain an accurate list of open source components throughout the SDL
3. Map existing vulnerabilities: identify vulns during development
4. Track new vulnerabilities: alert on new vulns in production apps
TRUST / VERIFY / MONITOR
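An added example (not the deck's code and not Black Duck's) of the Inventory, Map and Track steps on a constructed inventory. The two feed records describe real, public advisories (Heartbleed and GHOST, with their NVD CVSS v2 base scores); the application inventory and the two feed "snapshots" are constructed for the example, and the feed format itself is a simplification of what a real knowledgebase exports:

```python
"""Open source inventory matched against a vulnerability feed.

Added example; not the deck's code and not Black Duck's. It walks the
Inventory / Map / Track steps: parse component versions so they compare
numerically,match each inventoried component against feed records by version
range, and diff two feed snapshots so that only newly published issues raise
an alert. INVENTORY and the two feed snapshots are constructed for the example;
the two records describe real, public advisories (Heartbleed and GHOST) with
their NVD CVSS v2 base scores.
"""
import re
from dataclasses import dataclass


def parse_version(text):
    """'1.0.1f' -> ((0,1),(0,0),(0,1),(1,'f')): numeric parts compare as numbers
    (so 2.2 < 2.17, unlike string comparison) and a letter suffix sorts after
    the bare number at the same position (1.0.1 < 1.0.1f < 1.0.1g)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", text))


@dataclass(frozen=True)
class Vuln:
    vid: str
    component: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive
    cvss: float
    summary: str


# Feed snapshot 1: only Heartbleed known. The range covers the 1.0.1 branch;
# 1.0.2-beta1 was also affected and would need a second record.
FEED_V1 = [
    Vuln("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g", 5.0,
         "Heartbleed: TLS heartbeat out-of-bounds read"),
]
# Feed snapshot 2: GHOST published since the last run.
FEED_V2 = FEED_V1 + [
    Vuln("CVE-2015-0235", "glibc", "2.2", "2.18", 10.0,
         "GHOST: gethostbyname buffer overflow"),
]

# Constructed application inventory: component -> version in use.
INVENTORY = {"openssl": "1.0.1f", "glibc": "2.17", "bash": "4.3", "qemu": "2.3.0"}


def is_affected(version, vuln):
    v = parse_version(version)
    return parse_version(vuln.introduced) <= v < parse_version(vuln.fixed)


def match(inventory, feed):
    """(component, version, vuln) for every inventoried component in an affected range, worst first."""
    hits = [(name, ver, v) for name, ver in inventory.items()
            for v in feed if v.component == name and is_affected(ver, v)]
    return sorted(hits, key=lambda h: h[2].cvss, reverse=True)


def new_alerts(inventory, old_feed, new_feed):
    """Matches against the new snapshot whose id was not in the old one: the
    'track new vulnerabilities' step for applications already in production."""
    known = {v.vid for v in old_feed}
    return [h for h in match(inventory, new_feed) if h[2].vid not in known]


def unknown_components(inventory, feed):
    """Components with no feed record at all. Report them: here 'no findings'
    means 'no data', not 'clean'."""
    return sorted(set(inventory) - {v.component for v in feed})


if __name__ == "__main__":
    for name, ver, v in match(INVENTORY, FEED_V2):
        print(f"{v.cvss:4.1f}  {name} {ver}  {v.vid}  {v.summary}")
    print("new since last run:", [h[2].vid for h in new_alerts(INVENTORY, FEED_V1, FEED_V2)])
    print("no feed coverage:", unknown_components(INVENTORY, FEED_V2))
```

Two details carry most of the value. Version strings must be compared numerically, otherwise glibc 2.2 sorts after 2.17 and the GHOST range silently never matches; and components the feed has never heard of (bash and qemu here) must be reported as uncovered rather than disappearing into an empty result, which is the trap of the spreadsheet inventory described above.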
In Conclusion
With IoT, the attack surface automatically doubles every 17 months.
Protecting SAP from cyberthreats begins with a shift in beliefs about accessibility, vulnerability and responsibility. A cybersecurity program is only effective when it begins with the appreciation that everything is now connected and therefore accessible. SAP systems and applications, whether in development or production, are as much at stake as any other system.
Extend the same (or better) assessments, auditing procedures and tests that you would apply to any other enterprise platform or application to your ERP systems such as SAP; given your investment in and reliance on them, they deserve no less.
Know what lies in your code – open source.
Real attack surface = number of critical web applications x average number of vulnerabilities per web application
Questions?
Nigeria | South Africa | Kenya
G17, PineWood Office Park, Woodmead, JHB, South Africa | 24 Mabinuori, Shangisha, Magodo Estates, Lagos, Nigeria
T: +27 11 083 9828 |+1 408 641 4307 | +27 60 658 7180
info@deltagricconsulting.com
www.deltagricconsulting.com
Thank You
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation_August18.2016

  • 3. Executive Summary: A SAP Story. The wide-spread myth that ERP security is limited to the SOD matrix has been dispelled lately and seems more like an ancient legend now. Within the last 7 years SAP security experts have spoken a great deal about various attacks on SAP via the RFC interface, SAProuter, SAP Web and SAP GUI client workstations. Also, programs developed in SAP’s own language, ABAP, which exist in almost every company to customize ERP solutions, can contain program vulnerabilities left by unqualified developers or special backdoors which can help insiders gain illicit access to business data. Interest in the topic has been growing exponentially: in 2007 there was 1 report on SAP at the technical conferences dedicated to hacking and security, whereas in 2012 there were already more than 30. A variety of hack tools has been released that prove the possibility of SAP attacks and simplify them for cybercriminals. According to the statistics of vulnerabilities found in business applications, more than 100 vulnerabilities were patched in SAP products in 2009, growing to more than 500 in 2010. By January 2013 there were more than 2500 SAP security notes about vulnerabilities in various SAP components. Today, the total number of vulnerabilities in SAP products runs in excess of 3300. Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data, so it is necessary to think about implementing a specific system of SAP security. Unfortunately, many information security officers are scarcely informed about the security of business applications like SAP & Oracle.
  • 4. Commercial Vs Open Source: SAP / Hadoop / Oracle / Microsoft / Odoo / *&^$#
    • The wide-spread myth that business-critical application security, especially ERP, is limited to the SOD matrix has been dispelled.
    • Application languages come in various flavours (ABAP, C#, C++, Java) and exist in almost every company. A lot of the time they can store program vulnerabilities left by unqualified developers or special backdoors which can help insiders gain illicit access to business data.
    • Of all the recorded cyber breaches that occurred in 2015, 50% were attributed to the application layer. A variety of hack tools has been released that prove the possibility of SAP attacks and simplify them for cybercriminals.
    • Most of these vulnerabilities allow an unauthorized user to gain access to all the critical business data, so it is necessary to think about implementing a specific system of SAP security. Unfortunately, many information security officers are scarcely informed about the security of business applications like SAP & Oracle.
  • 5. Application Security Trends. Credits: Alexander Polyakov, ERPScan research, RSA Conference 2014
  • 6. A deep dive into why SAP? SAP holds the corporate 'Crown Jewels':
    • 290,000 corporate customers, including 87% of the Global 2000 and 98% of the most valued brands
    • SAP touches 74% of all global transactions and US$16 trillion of retail sales
    ...and this data and information is of interest and real value to: criminal hackers and activists; competitors, partners and nation states; unhappy employees and contractors.
  • 7. Protecting your Enterprise (SAP & Open Source Business Critical Applications) from Cyber-Attacks. Three areas of SAP security: 1. Business logic area: SOD, access controls, insiders. 2. Source code security: developers' mistakes or even sabotage plans, insiders. 3. Application platform security: external, over the network; hackers, web services, mobility, portals for partners, etc. Open source security: 1. The open source debacle; Gartner identifies that 95% of mission-critical applications contain open source, BUT how do we identify and inventory the open source software present in the applications?
  • 8. Why SAP? SAP holds the corporate 'Crown Jewels': 282,000 corporate customers, including 87% of the Global 2000 and 98% of the most valued brands; SAP touches 74% of all global transactions and US$16 trillion of retail sales ...and this data and information is of interest and real value to: criminal hackers and activists; competitors, partners and nation states; unhappy employees and contractors.
  • 9. SAP Cyber Security: Myth OR Reality? It is what It is
  • 11. Associated Challenges: SAP Security Problems
    SAP Cyber-Security Gap. Management often has a false sense of confidence that they have SAP covered, while cybersecurity teams feel they have little to no visibility into SAP. It was also apparent that the SAP cyber-security gap is becoming more ambiguous because of asset-mapping issues: it is unclear who houses the “crown jewels” and whether they are being secured on a daily basis.
    SAP Patch Management Debacle. On average, all companies are working with an 18-month window of vulnerability. This window starts when a vulnerability is found and runs until a patch is issued by SAP and finally deployed by the organization itself. Deployment is still the biggest problem organizations face. In fact, SAP has issued over 3300 patches in total, with 391 issued in 2014 alone. That is 30+ per month on average. With approximately 46% of patches ranked as “critical”, it is difficult for an organization to prioritize its patches without disruption to the business.
    Misconfiguration. Companies are having a very difficult time keeping track of how systems are configured, let alone understanding their entire SAP landscape. An organization’s “Crown Jewels” reside within SAP, and misconfigured SAP systems and portals are open targets for any adversary. Even if systems have the latest patch installed, a misconfiguration will allow hackers to access key information and business processes. In most cases, an attacker’s presence will go unnoticed for months.
    HANA / IoT. Organizations are moving to the new de facto database server HANA for new SAP solutions. This changes everything, as organizations cannot view SAP as a “legacy” system. Organizations have also been told that with HANA they will be more secure; however, the fact is that since 2014 there has been a 450% increase in new security patches, with 82% considered “high priority”. Additionally, as organizations continue to advance their SAP systems with rapid application development, mobile deployments and connecting a multitude of different devices (think vending machines, water meters, etc.) to SAP via open APIs, an organization’s SAP attack surface is expanding at a rapid pace, let alone the complexity of managing security risks.
  • 12. Possible Exposed SAP Servers in Africa (South Africa, Kenya, Nigeria). ShodanHQ search: SAP. Google search: SAP inurl:cmd=login. Google search: peoplesoft inurl:cmd=login. Our findings (May 2015):
    • Close to 200 SAProuters were found on Shodan and 72% of them were vulnerable to remote code execution
    • The most popular release (35%) is still NetWeaver 7.0, which was released in 2005
    • One third of Internet-facing SAP web services do not use SSL at all
    • A major bank in Africa, a major airline in Africa, a government portal and an automotive company were found vulnerable
  • 13. Continuous public publishing of vulnerabilities by global security researchers, BUT no pentest information available. CVE? CVSS? Risk prioritization:
    • CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services
    • CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability
  • 14. SAP Cyber Security: Myth OR Reality? It is what It is
  • 15. Why would people want to attack my system? SAP, PeopleSoft. PeopleSoft Cyber Security: Myth OR Reality? It is what It is
  • 16. Continuous Monitoring Solution for SAP. SAP Security: Vulnerability Management, Source Code Security, SOD.
    Vulnerability Management: conducts complex security assessment, scanning SAP servers for software vulnerabilities and misconfigurations. It also performs assessment for compliance with current standards and best practices, including SAP best practices and ISACA guidelines. The compliance block includes: 1. DSAG compliance guideline 2. OWASP-EAS for SAP guideline 3. Password brute force 4. Blackbox pentest 5. Whitebox security assessment.
    Segregation of Duties: with the help of this module it is easy to find users which have the rights to execute critical actions that can lead to fraud. It retrieves the history of executed transactions to understand if access is really needed by a user, which helps to easily remove up to 70% of users that don’t need a specific kind of access. It comes with predefined lists for different business areas like BASIS, HR, FI and others, and you can also customize your own lists.
    Source Code Security: a SAST tool developed especially for the ABAP language, able to find critical issues and backdoors in custom source code. Identification of backdoors; scanning of transport requests, development requests and dictionary objects.
  • 17. Open source has passed the tipping point. “By 2016, Open Source Software will be included in mission-critical applications within 99% of Global 2000 enterprises.” 50% will face problems because of no policy. [Chart: Open Source as % of G2000 Codebase, 2010 / 2014 / 2018.] Reference: Gartner, Inc.
  • 18. How pervasive is open source? • >98% of the applications tested used open source • On average, open source comprised over 30% of the code base. [Chart: composition of software tested across 1400 Black Duck customers, open source vs custom code.] Reference: Black Duck Software audits
  • 19. How open source enters a codebase. Open source code is introduced in many ways… internally developed code, outsourced code, legacy code, reused code/containers, supply chain code and third-party commercial code …and is absorbed into the final delivered code.
  • 20. Open source: easy targets • Used everywhere • Easy access to code • Vulnerabilities are public • Exploits readily available
  • 21. Who’s responsible for security? Commercial code: • Dedicated security researchers • Alerting and notification infrastructure • Regular patch updates • Dedicated support team with SLA. Open source code: • “Community”-based code analysis • Monitor newsfeeds yourself • No standard patching mechanism • Ultimately, you are responsible
  • 22. WHAT DO THESE VULNERABILITIES HAVE IN COMMON?
    Vulnerability   Since    Discovered   Component       Discovered by
    Heartbleed      2011     2014         OpenSSL         Riku, Antti, Matti, Mehta
    Shellshock      1989     2014         Bash            Chazelas
    Freak           1990’s   2015         OpenSSL         Beurdouche
    Ghost           2000     2015         GNU C library   Qualys researchers
    Venom           2004     2015         QEMU            Geffner
  • 23. Increasing number of OSS vulnerabilities. [Chart: Open Source Vulnerabilities Reported Per Year, 2000 to 2015; series: NVD, VulnDB-exclusive.] Reference: Black Duck Software knowledgebase, NVD, VulnDB
  • 24. Automated tools miss most open source vulns. [Diagram: all possible security vulnerabilities vs those identifiable with static analysis and those identifiable with dynamic analysis.] SAST and DAST only discover common vulnerabilities; undiscovered vulnerabilities are too complex and nuanced. 3,000+ disclosed in 2014, <1% found by automated tools.
  • 25. How are companies addressing this today? Not well.
    Manual tabulation: • Architectural Review Board • At end of SDLC • High effort and low accuracy • No controls
    Spreadsheet-based inventory: • Dependent on developer best effort or memory • Difficult maintenance • Not source of truth
    Tracking vulnerabilities: • No single responsible entity • Manual effort and labor intensive • Unmanageable (11/day) • Match applications, components & versions with vulnerabilities
    Vulnerability detection: • Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances
  • 27. A solution to solving this problem would include these components:
    • TRUST: Choose Open Source: proactively choose secure, supported open source
    • VERIFY: Inventory Open Source: maintain an accurate list of open source components throughout the SDL; Map Existing Vulnerabilities: identify vulns during development
    • MONITOR: Track New Vulnerabilities: alert on new vulns in production apps
  • 28. In Conclusion. With IoT, the attack surface automatically doubles every 17 months. Protecting SAP from cyberthreats begins with a shift in beliefs about accessibility, vulnerability and responsibility. A cybersecurity program is only effective when it begins with the appreciation that everything is now connected and therefore accessible. SAP systems and applications, whether in development or production, are as much at stake as any other system. Extending the same (or better) assessments, auditing procedures and tests that you would apply to any other enterprise platform or application is no different when you consider your valuable investments in and reliance on ERP systems such as SAP. Know what lies in your code: open source. Real Attack Surface = Number of critical Web Applications × Average number of Vulnerabilities per Web Application
  • 29. Questions? Nigeria | South Africa | Kenya. G17, PineWood Office Park, Woodmead, JHB, South Africa | 24 Mabinuori, Shangisha Magodo Estates, Lagos, Nigeria. T: +27 11 083 9828 | +1 408 641 4307 | +27 60 658 7180. info@deltagricconsulting.com www.deltagricconsulting.com Thank You

Editor's Notes

  1. We cannot deny that the application security challenges are not limited to one side of the divide; in fact, the challenge is that there is a growing attack surface on a daily basis, and organizations are beginning to look for answers to the salient questions they never used to ask in the past. Questions like: what apps are people running in the organization, how do I set internal policy requirements for application security, is my private or sensitive data exposed over apps, and lastly who is developing those apps? Also, with newer deployment models like containers, we need to ask ourselves: how do we test our applications and what do we actually test?
  2. Disclaimer: There is no intention to badmouth any OEM in this discussion but to point out places of research and our skill area. This is not necessarily a SAP problem but an applications problem. The risks could manifest themselves from many places: espionage from other countries (e.g. spy leaks), sabotage (e.g. DDoS), modification of financial data, access to SCADA networks in manufacturing environments and, of course, white-collar organised fraud.
  3. Standard bank Hack in May 2016 and NSA Hacked on 15.08.2016
  4. Big Idea: Open source usage is accelerating rapidly with Gartner predicting by 2018 that 80% of the global 2000 codebase will be open source code. Why? OSS results in more time and cost efficiency in application development, with higher quality code, tested by a broad community. Chances are, open source is already in your mission-critical applications. Gartner points out that not having a policy around open source is one of the problems organizations have. Questions: Does your organization have visibility into where open source code exists in your codebase?
  5. Big Idea: Black Duck’s audit business provides us with some insight, since we audit much of the world’s software during the M&A process. What we’ve seen corroborates Gartner’s view, in that 98% of our audit customers’ applications have open source code in use and on average 30% of an application’s code base is open source. Question: If your organization is like many we work with, and 30% of your code base is open source, would that change how you scan for vulnerabilities?
  6. Big idea: if you’re like most of us, you think about open source entering your codebase when a developer, under a tight deadline perhaps, grabs a pre-built component from the internet, perhaps from GitHub or a similar website. But open source can get into your applications in a number of ways, and keeping track of all of them can become pretty difficult… Question: This slide calls out re-used code and containers as one way OSS makes its way into your applications. Does your organization have a policy position on the use of container technology, such as Docker? ------------------------- Reference: Internally developed code: stuff your own developers write. Supply chain code: code that comes from upstream vendors that deliver parts or the whole of a solution. Reused code/containers: code in other applications that you reuse, often called “innersourcing”. Third party commercial code: code you license from a 3rd party (think Adobe Flash, etc.); it might contain open source. Legacy code: really old code (10-15 years) that might contain open source, often unsupported, unpatched, vulnerable. Outsourced code: code you pay others to write just for you.
  7. Big Idea: Open source is not more or less secure than commercial code, but these characteristics simply make it a VERY attractive target for attackers: 1. It’s ubiquitous, so the chance of a bad actor finding an addressable target is much higher than with commercial code. 2. The source code is available on the public internet, allowing hackers to pick it apart looking for exploitable holes. 3. Using the NVD and OSVDB (among other sources) attackers can find specifics on vulnerabilities to attack and details on how to exploit them; often exploits themselves are published. 4. If they still need help, YouTube videos explaining the exploits and how to deploy them are readily available. Question: The latest high profile vulnerability, GlibC, was made public in February. Have you been able to track down where it exists in your environment? How did you / would you accomplish that?
  8. Big Idea: With commercial 3rd party components there is a support infrastructure built to ensure security patches are applied in a timely manner. This simply does not exist with open source libraries and components; you are mostly on your own there. Question: What’s your company’s process / policy for implementing security patches in general, AND is there a similar policy for open source?
  9. Big Idea: We’ve seen a trend recently in “named vulnerabilities”, and Heartbleed, Shellshock, Freak and the others are likely familiar to you. Question: What do these all have in common? Answers we are looking for: Each is a vulnerability in a widely used open source component Each existed for years without being detected by automated analysis tools and penetration testing methods. Each was ultimately identified and disclosed by security researchers conducting manual code reviews. Big Idea #2: If automated security analysis tools and penetration testing tools were effective at finding vulnerabilities in open source, these vulnerabilities would have been found long ago.
  10. Big Idea: Both good and bad researchers are combing open source looking for vulnerabilities, and in 2015 over 3,000 new vulnerabilities were disclosed in the National Vulnerability Database and VulnDB, a proprietary database licensed by Black Duck. As more vulnerabilities are disclosed, code that was once believed to be secure may now be vulnerable. Question: if you can’t reliably track the open source used in your software, how do you respond to these new vulnerabilities in your code base? Static analysis tools build in “rules” for the most well known vulns; how would you find the rest?
  11. Big Idea: No one technique can find every vulnerability; this is why many security teams deploy both static and dynamic analysis tools. In many cases we’ve seen teams deploy more than just one dynamic analysis tool. Question: Importantly, these tools have been used to scan open source code for years, and they did not find the vulnerabilities we’ve been hearing about recently like Heartbleed, GLibC and Drown. Why do you think that is? (The answer you’re looking for here is that they require the eyes of specialized human researchers who can look at code, see something that looks “off” and run experiments to determine there is a vuln.)
  12. Big Idea: Companies that are addressing open source vulnerabilities typically have a heavy, costly manual process to address it. And at the end of the day, it’s still error-prone and leaves a lot of risk on the table. Companies that choose not to address it at all expose themselves to even greater risk. Question: What’s your current approach? Is it process-heavy or light? What kind of residual risk do you think you are exposed to?
  13. Big Idea: Most manual processes and most open source management solutions can create a list of open source components and match them with known security vulnerabilities, but to solve the problem holistically, you might want to think about what happens BEFORE, meaning how you would proactively choose the right open source components, as well as what happens AFTER deployment, where you need to monitor whether deployed applications are impacted by new vulns as they are discovered. Question: Which pieces of a potential solution do you have already and which are you missing? ---------------------------------------------------------------------------------------------------------------- A best-practices solution would combine elements of TRUST, VERIFICATION, and MONITORING: 1. Starting with TRUST, this is providing developers and architects a way to choose open source components that are free of known vulnerabilities and have active community support. This is a proactive step that reduces risk downstream in the software development process, and is the most cost-effective means of risk reduction. 2. VERIFICATION means two things: having an accurate inventory of open source and being able to map it against all known vulnerabilities, in any and all applications, at any point in the SDL. 3. MONITOR means being able to monitor the released code for newly discovered vulnerabilities and alert the right people for remediation. Many organizations end security testing when applications are released. After all, the code base isn’t changing, nor are the security rules in the tools, so why test simply to see the same results again? However, this ignores the fact that while the code base isn’t changing, the threat environment changes constantly. With over 4,000 new vulnerabilities each year, a comprehensive solution should be continuously monitoring this constant stream of new vulnerabilities, and automatically notify you of any new vulnerabilities in the open source you used in deployed applications, including: which applications use the code, how critical the vulnerability is, and how to remediate it.