How to assess the risks in your SAP systems at the push of a button

Virtual Forge, Inc.
How to Assess the Risks in Your SAP® Systems
at the Push of a Button
Basis and SAP Administration 2015

Virtual Forge: Management Summary
 We reduce business risks and protect your entire SAP environment.
 We cover all SAP® risk categories from Security to Compliance to Quality,
on both code- and system layer.
 Our solutions follow a simple approach: Assess – Safeguard – Optimize.
 Improving the state of your entire SAP system continuously.
 We provide highly efficient, automated solutions built using our deep knowledge and
experience.
 We ensure that SAP systems of leading global companies adhere to the highest
Security, Compliance and Quality standards.

We ensure Security, Compliance and Quality worldwide.

Customer Success Stories
The U.S. Department of Defense
“Virtual Forge CodeProfiler enables us to prove that our code is secure and compliant… It is accurate, comprehensive and
consistent and ensures that all ABAP code meets our high standards.”
~Christine Warring, TEWLS Sustainment Manager for the Dept of Defense
The Globe and Mail
“With Virtual Forge CodeProfiler tightly integrated into our SAP change and transport management processes, we were able
to scan all our custom ABAP code and identify non-compliant code in no time at all.”
~Joby Joseph, SAP Security Lead at the Globe and Mail
SAP
“Applying the Virtual Forge CodeProfiler and the close collaboration helped us to increase the level of security and
improved the quality of our business solutions.”
~Ralph Salomon, Vice President, IT Security & Risk Office, at SAP
Siemens
“One of the key requirements was to scan several billion lines of code each week. Together with Virtual Forge,
we have been able to create a truly unique solution.”
~Michael Brauer, Director of Corporate Automation within the Corporate IT department at Siemens

A simple approach: Assess – Safeguard – Optimize.
Assess:
Automatically assess risk by continuously monitoring
system configuration and code changes.
Safeguard:
Implement automatic testing for risk in ABAP code and
SAP System Configurations.
Optimize:
Continually reduce risk exposure as possible during
ongoing operations and projects.
SAP
Security, Compliance
& Quality
1. Assess
2. Safeguard3. Optimize

Why manage risk?
Some facts…
1. More than 248,500 companies depend upon SAP to run their business
2. SAP customers include:
1. Transport > 1.1 million flight passengers per day
2. Produce > 77,000 cars every day
3. Produce > 65% of all TV’s
4. 72% of the world-wide beer production depends on companies that run SAP!!!

Cyber-attacks, fraud, and system downtimes are key business risks
SAP Security, Compliance and Quality challenges
SAP Applications
• Authorizations
• Transport
Management
• Patches
• Business Continuity
• Application
Performance
SAP Configuration
• Authorizations
• SAP Operating
& Database System
• Web Security
• Communication
Channels
• Logging / Forensic
SAP Coding
• Assessment
• Development
• Architecture
• Code Quality
• Testing
• Deployment
Key Business RisksSources of Risk
System configuration
and settings
Custom coding
Extended functionality
of the SAP standard
Sources: Cost of Cyber Crime Study (Poneomon Institute, 2013), Global Fraud Study (ACFE, 2014),The Avoidable Cost of Downtime (CA Technologies, 2010)
Cyber-attacks $7.2 million per case
Frauds 5% annual revenue loss per company
System downtimes 14 hrs per case

Analysis of custom ABAP in 217 customer systems shows:
ABAP
Custom ABAP
code
There is more than 1 critical
security/compliance issue per 1,000
Lines of Custom ABAP® Code. A
typical SAP system has 2,150
security/compliance issues in custom
code.
For you this means:
An attacker gains full access to all
business data by exploiting just one
of these vulnerabilities.
For you this means:
Companies only use a fraction of the
hardware speed their systems could
provide. Any failure can lead to data
corruption and system downtime.
There are 1 critical performance and
3 critical Robustness issues per
1,000 Lines of Custom ABAP® Code.
Source: CodeProfiler analysis of 453 million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)

Demonstration of ABAP Vulnerability

Analysis of the configuration of 121 SAP Systems shows:
SAP
System
Configuration
90% of all SAP systems are
vulnerable to attacks, and the number
of SAP systems connected to the
internet is increasing rapidly
For you this means:
An attacker gains full access to all
business data by exploiting just one
critical vulnerability.
For you this means:
Manual configuration results in high operating
costs. Only one omission can lead to severe
security, compliance, or quality issues
Understanding best practices and managing
configurations in a changing environment is a
difficult and ongoing task, and configuration
drift is a constant challenge.
Source: SystemProfiler analysis of 427 SAP systems (Status: Dec 2014)

Demonstration of Vulnerable SAP System

Distribution of Online SAP Systems (Internet Census)
*online systems including SAP systems
Graphic: Thünemann/Schinzel

The Evolution of SAP & ABAP Technology
In the past Today Future
 Isolated systems
 Fewer users
 Less data
 Less custom development
 Regular but rare releases
 Open systems
 More users
 More data
 More custom development
 Frequent release cycles
 More open systems
 Even more users
 Even more data
 Even more development
 Higher frequency releases

Attack Surface of SAP
1997 – A simpler life
Direct UIs
External
Systems
SAP ABAP® System

Attack Surface of SAP
Since 2011 – complexity continues to grow
Indirect UIs
External
Systems
Direct UIs
SAP ABAP® System

SAP System Administration – a simple task
Profile
Parameters
Logging
OS Security
System Authorizations
Password Policies
Communication
Security
Patch Days Enhancement Packs
Transport Requests
FirewallsDatabase
Performance
Java Servers
System Audits
Web AS
Security
Security
Notes

System Configuration Drift
Typical SAP landscape
Security &
Quality
(of configuration)
Security Audit QA Project
Time

The Benefits of Automated Risk Management
1. Apply best practice rules to reduce business risks
2. Enforce company policies consistently throughout organization
3. Reduce costs and time by eliminating manual tasks
4. Eliminate human error and lack of knowledge as risk factors
5. Manage emergencies without increasing risk

CodeProfiler for ABAP Code
Assess:
Continually test and correct ABAP code during
development. Inspect entire code base regularly.
Safeguard:
Implement automatic code testing to prevent risky
code from reaching your productive systems.
Optimize:
Continually improve code as possible to close
security and quality gaps.
SAP
& Quality
1. Assess

Ensures that ABAP code meets industry best-practice
standards for security, quality and performance
Performs automatic testing of any code changes and
stops transport of bad code
Reduces the time and cost of development and code
reviews
Developers can scan/correct online during
development
Online documentation includes remediation
instructions for on-the-job learning
Automatic testing of all code changes
Automatic correction for fast remediation
Highly accurate results!
CodeProfiler Benefits

Assess:
Continually audit configuration risk across
the SAP landscape.
Safeguard:
Implement automatic testing and escalation
to reduce potential of risk exposure.
Optimize:
Continually reduce risk exposure as
possible during ongoing operations and
projects.
SystemProfiler for SAP Configuration
SAP
& Quality
1. Assess

Ensures that SAP System Configuration meets
industry best practices
Allows automatic monitoring and correction of
SAP configuration settings across your landscape
Saves time and money by automating manual,
error-prone tasks
Allows you to distribute security policies across
the landscape quickly and easily
Easy to install and scalable to any size landscape
Highly accurate results!
SystemProfiler Benefits
SYSTEMPROFILER

Virtual Forge CodeProfiler
Free Risk Assessment Offer!
How good is your SAP system?
Visit www.virtualforge.com
Quality
Compliance
Security
SAP®
Risk Assessment
Virtual Forge CodeProfiler
and SystemProfiler

Thank you!
Virtual Forge Inc.
stephen.lamy@virtualforge.com | +1 610 924 2751
www.virtualforge.com

Disclaimer
© 2015 Virtual Forge Inc. All rights reserved.
SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG. All other product and service
names mentioned are the trademarks of their respective companies.
Information contained in this publication is subject to change without prior notice. It is provided by
Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or
incomplete information in this publication. Information contained in this publication does not imply any
further liability.
Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.

Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of
SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks
of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

How to assess the risks in your SAP systems at the push of a button

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to How to assess the risks in your SAP systems at the push of a button

Similar to How to assess the risks in your SAP systems at the push of a button (20)

More from Virtual Forge

More from Virtual Forge (16)

Recently uploaded

Recently uploaded (20)

How to assess the risks in your SAP systems at the push of a button