The presentation describes five steps you should take to secure your SAP landscape. They are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
SAP GRC online training on Access Control, which covers all four components: Access Risk Analysis (ARA), Emergency Access Management (EAM), Access Request Management (ARM) and Business Role Management (BRM).
GRC 12 online training
SAP GRC 10 Online Training
Software AG was top-ranked for current offering and received among the highest scores in the strategy category in the Forrester Wave. The webMethods Hybrid Integration Platform combines traditional on-premise integration with cloud integration capabilities to support a wide range of integration patterns for the modern digital enterprise.
Kellton Tech’s Digital Connected Enterprise (DCE) practice is a leader in enterprise-level integration, API management and multi-speed IT strategy built on Software AG’s Digital Business Platform. Kellton Tech empowers the world’s best-known brands to use Software AG’s Digital Business Platform effectively to innovate, differentiate and win in the digital world.
In this session, we will discuss
- Details about webMethods 9.12 release
- Significant features and enhancements in webMethods 9.12
- Kellton Tech’s upgrade methodology and modernization offering
SAP SECURITY training by yektek has unique content.
http://www.yektek.com/sap-security-online-training
The SAP Security online training covers R/3 security, BI security, HR security, CRM security, SRM security and Portal security.
SAP security interview questions & answers (by Nancy Nelida)
We provide SAP Security online training with real-time project-based training and interview questions & answers, delivered by 12+ professional trainers to people in the US, the UK and worldwide.
Learn how to reduce financial fraud and improve risk management. What are the most common risks for activities and business processes? How is a SoD repository commonly set up? Learn the top 3 SoD conflict types and how to implement a methodology that strengthens your SAP governance.
Main points covered:
• How to reduce financial fraud and improve risk management
• What are the most common risks for activities and business processes?
• How is a SoD repository commonly set up?
• The top 3 SoD conflict types
Presenter:
The webinar was presented by M. Roseau, director of business development for In Fidem, a Canadian company based in Montreal, Quebec.
Link of the recorded session published on YouTube: https://youtu.be/bRsiWx2NodA
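The repository layout the webinar asks about, business functions mapped to the actions that grant them, risks defined as pairs of conflicting functions, and roles and users layered on top, is easiest to see as code. The following is an added example and not material from the In Fidem webinar or from any SAP GRC component; the functions, risk identifiers, roles, users and the SAP-style transaction codes are constructed sample data. It evaluates each user's combined roles against the rule set and distinguishes a conflict that already lives inside a single role from one that only appears when roles are combined, which decides whether the fix is rebuilding the role or changing the assignment.

```python
"""Segregation-of-duties (SoD) conflict analysis over a small rule repository.

Added example, not code from the In Fidem webinar.  The functions, risk rules,
roles and user assignments below are constructed sample data; the transaction
codes are SAP-style names used only to make the sample concrete.
"""

# Repository layer 1: business functions and the actions (transaction codes) that grant them.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"FK01", "FK02", "XK01", "XK02"},
    "VENDOR_PAYMENT_POST": {"F-53", "F110"},
    "PURCHASE_ORDER_CREATE": {"ME21N"},
    "GOODS_RECEIPT_POST": {"MIGO"},
    "USER_ADMIN": {"SU01"},
    "ROLE_ADMIN": {"PFCG"},
}

# Repository layer 2: risks, each a pair of functions one person must not hold together.
RISKS = {
    "P001": ("VENDOR_MASTER_MAINTAIN", "VENDOR_PAYMENT_POST", "high"),
    "P002": ("PURCHASE_ORDER_CREATE", "GOODS_RECEIPT_POST", "medium"),
    "B001": ("USER_ADMIN", "ROLE_ADMIN", "high"),
}

# Repository layer 3: technical roles and who holds them (constructed sample).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "F-53"},   # one role carrying both sides of P001
    "Z_AP_MASTER": {"XK01", "XK02"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_USER_ADMIN": {"SU01"},
}
USERS = {
    "alice": ["Z_AP_CLERK"],
    "bob": ["Z_AP_MASTER", "Z_AP_PAYMENT"],
    "carol": ["Z_BUYER"],
    "dave": ["Z_BUYER", "Z_WAREHOUSE"],
    "erin": ["Z_USER_ADMIN"],
}


def functions_granted(tcodes):
    """Map a set of transaction codes back to the business functions they enable."""
    return {func for func, codes in FUNCTIONS.items() if codes & tcodes}


def analyse(roles, users):
    """Return {user: [(risk_id, level, kind)]} for every user whose combined
    roles hit a risk.  kind is 'intra-role' when a single role already carries
    both functions (the role itself is badly built) and 'cross-role' when the
    conflict only arises from the combination assigned to the user."""
    findings = {}
    for user, assigned in users.items():
        per_role = {r: functions_granted(roles.get(r, set())) for r in assigned}
        combined = set().union(*per_role.values())
        hits = []
        for risk_id, (func_a, func_b, level) in RISKS.items():
            if func_a in combined and func_b in combined:
                within_one_role = any({func_a, func_b} <= funcs for funcs in per_role.values())
                hits.append((risk_id, level, "intra-role" if within_one_role else "cross-role"))
        if hits:
            findings[user] = sorted(hits)
    return findings


def roles_with_intra_conflicts(roles):
    """Roles that violate a risk on their own; rebuilding these removes the
    conflict for every user who holds them."""
    bad = {}
    for role, tcodes in roles.items():
        funcs = functions_granted(tcodes)
        violated = sorted(r for r, (a, b, _) in RISKS.items() if a in funcs and b in funcs)
        if violated:
            bad[role] = violated
    return bad


if __name__ == "__main__":
    for user, hits in analyse(ROLES, USERS).items():
        for risk_id, level, kind in hits:
            print(f"{user}: {risk_id} ({level}, {kind})")
    print("roles to rebuild:", roles_with_intra_conflicts(ROLES))
```

Run the file to print the findings. The `roles_with_intra_conflicts` output is the list to hand to the role owners, since rebuilding those roles clears the conflict for everyone who holds them; cross-role findings go to the assignment owners instead. A real repository also records mitigating controls per risk and per user, which this sample leaves out.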
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine (by ERPScan)
SAP is the most popular business application, with more than 180,000 installations worldwide. Yet companies spend enormous amounts of money installing it and then forget about security. ERP systems run every business process and store all critical information: finances, HR, clients. Not caring about the security of this data is not sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
If I want a perfect cyberweapon, I'll target ERP (by ERPScan)
ERP systems are widely used in oil and gas, manufacturing, logistics, financial services, nuclear, retail, telecommunications and other industries. All mission-critical data is stored in ERP systems, so attacks against them may result in espionage, sabotage and fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP Security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
Forgotten world - Corporate Business Application Systems (by ERPScan)
Enterprise Resource Planning (ERP) is the collection of computers, servers and databases that store & manage:
- Human Resources information
- Inventory
- Shipping
- Procurement
- Financial, Banking & Accounting
- Payroll.
Basically, it's data the company really cares about.
ERP seemed to be a forgotten world in the information security field. However, any vulnerability in or compromise of these systems can cause significant monetary loss or even stop the business. Although it is a relatively new area, awareness of ERP security problems has grown over the last year.
This presentation covers ERP security issues, architecture flaws, vulnerabilities and other aspects of ERP security.
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back... (by ERPScan)
Any information an attacker might want is stored in corporate ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system, and they can cause significant reputation and financial losses to the business.
This research provides information about SSRF attacks and their classification. It also shows examples of SSRF attacks, as well as new potential and real SSRF vectors.
The increasing number of talks about SAP security and of SAP Security Notes indicates that it has become a hot topic.
The presentation describes top types of SAP vulnerabilities, the number of SAP systems available on the Internet and different risks business may face.
We did not manage to find any solution that could resolve all of these security problems described there, so we created one ourselves.
Top 10 most interesting vulnerabilities and attacks in SAP (by ERPScan)
An increasing number of SAP Security Notes and talks on SAP security proves that it has become a really hot topic. However, attacks on SAP systems are still believed to be possible only for insiders. The reality is worse: about 5,000 SAP systems, including dispatchers, message servers, SAPHostControl services and web services, are reachable from the Internet.
Top 10 vulnerabilities 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, their potential business risks and the ways to prevent them.
The latest changes to SAP cybersecurity landscape (by ERPScan)
SAP is the most popular business application, with more than 250,000 customers worldwide.
The presentation describes the latest trends in SAP security and covers multiple vulnerabilities found in SAP NetWeaver ABAP, SAP NetWeaver J2EE, SAP BusinessObjects, SAP HANA and SAP Mobile Platform.
Practical pentesting of ERPs and business applications (by ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP: financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and can cause significant damage to the business.
The presentation describes what is specific to ERP pentesting and focuses on SAP NetWeaver Java and Oracle PeopleSoft.
Practical SAP pentesting (B-Sides São Paulo) (by ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP: financial, customer or public relations data, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor, with more than 250,000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (São Paulo) is a practical SAP pentesting guide.
5 real ways to destroy business by breaking SAP applications (by ERPScan)
SAP is the most popular business application, with more than 263,000 customers worldwide.
SAP risks can be divided into three groups: espionage, sabotage and fraud.
The presentation reviews the five most dangerous risks a business may face. For every risk, it gives the risk type, attack scenario, affected sector and vulnerable module.
Practical SAP pentesting workshop (NullCon Goa) (by ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP: financial, customer or public relations data, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor, with more than 250,000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
EAS-SEC: Framework for securing business applications (by ERPScan)
For quite a long time, ERP security was a synonym for segregation of duties. That has changed: business application security now has three areas, SoD, custom code security and application platform security. SAP customers are now aware of problems with their SAP installations, but they still don’t know where to start solving them.
The aim of EAS-SEC (http://eas-sec.org/) is to make people aware of enterprise application security problems and to create guidelines and tools for enterprise application security assessment.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security.
The presentation gives the most important takeaways for CISOs responsible for SAP security in their enterprises, destroys SAP security myths, includes statistics obtained by the ERPScan research group and outlines future trends in SAP security.
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
The findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
Business applications like ERP, CRM, SRM and others are one of the major topics of information security, as these applications store business-critical data and any vulnerability in them can cause significant monetary and reputational loss or even stop the business.
There are several myths about business application security, such as:
Myth 1: Business applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about segregation of duties.
Our findings explode these myths.
A crushing blow at the heart of SAP’s J2EE Engine (by ERPScan)
Business process automation (ERP, PLM, CRM, SRM) is based on the ABAP stack.
The following integration, collaboration and management components are based on the J2EE engine:
- SAP Portal
- SAP PI
- SAP XI
- SAP Mobile Infrastructure
- SAP Solution Manager.
Administrators, developers, pentesters and researchers mostly focus on the ABAP stack. Attackers know this, so they look for the easier way to control your business.
The presentation describes the SAP J2EE platform architecture and provides examples of internal and external attacks and ways to prevent them.
Architecture vulnerabilities in SAP platforms (by ERPScan)
SAP security has become a hot topic. Attacks on SAP can put a business at risk of espionage, sabotage and fraud.
The presentation covers the following architecture and unusual issues:
Authentication Bypass
1. Verb tampering
2. Invoker servlet
Encryption
3. Storage – SAPGUI
4. Authentication – P4
5. Transfer – RFC, Diag
SSRF
6. Port Scan
7. Command execution
8. Security bypass
Also, the presentation gives advice for developers and describes future trends in SAP Security area.
The presentation provides the list of top 10 SAP vulnerabilities (2011-2012) as well as ways of defense.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
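The first two entries in both top-10 lists above, and in the architecture abstract, authentication bypass via verb tampering and via the invoker servlet, are deployment-descriptor problems as much as code problems. Below is an added example, not code from the ERPScan presentations, that checks the verb-tampering half: it parses a web.xml (the descriptor is constructed for the example) and flags every security-constraint that enumerates http-method elements, because under the Servlet specification such a constraint protects only the listed verbs, and HEAD, or an invented verb that the container routes to doGet, reaches the resource without authentication. A `harden` function shows the descriptor-level fix.

```python
"""Find servlet security-constraints open to HTTP verb tampering.

Added example, not from the ERPScan decks.  The web.xml below is constructed.
Rule applied (Servlet specification): a <security-constraint> whose
<web-resource-collection> lists <http-method> elements protects ONLY those
methods; any other method (HEAD, or an arbitrary verb the container routes
to doGet) reaches the resource without authentication.
"""
import xml.etree.ElementTree as ET

COMMON_VERBS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed descriptor: the /admin/* constraint lists methods (bypassable),
# the /reports/* constraint does not (covers every verb).
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Reporter</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree keeps on every tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def find_verb_tampering(web_xml_text):
    """Return one finding per web-resource-collection that enumerates methods:
    which url-patterns it guards, which verbs are covered and which are not."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        for collection in _children(constraint, "web-resource-collection"):
            methods = {m.text.strip().upper() for m in _children(collection, "http-method")}
            if not methods:
                continue  # no method list: the constraint covers every verb
            findings.append({
                "patterns": [p.text.strip() for p in _children(collection, "url-pattern")],
                "protected": sorted(methods),
                "unprotected": sorted(COMMON_VERBS - methods),
            })
    return findings


def harden(web_xml_text):
    """Return the descriptor with every <http-method> removed, so each
    constraint applies to all verbs (the specification default).  On a
    Servlet 3.0+ container use <http-method-omission> if a method really
    must be excluded from a constraint."""
    root = ET.fromstring(web_xml_text)
    for collection in list(root.iter()):
        if _local(collection.tag) != "web-resource-collection":
            continue
        for method in _children(collection, "http-method"):
            collection.remove(method)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_verb_tampering(SAMPLE_WEB_XML):
        print(f"{f['patterns']}: protected {f['protected']}, bypassable via {f['unprotected']}")
    print("after hardening:", find_verb_tampering(harden(SAMPLE_WEB_XML)))
```

Against a test system, the runtime counterpart of this check is to request a protected URL with HEAD or an arbitrary verb and compare the response with the GET response; a 200 where GET returns 401 confirms the bypass. The invoker-servlet bypass, where a servlet is reached through the generic invoker path rather than its own url-pattern, needs a different check (whether the invoker servlet is enabled at all) and is outside this script.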
RIoT (Raiding Internet of Things) by Jacob Holcomb (posted by Priyanka Aash)
The recorded version of the 'Best Of The World Webcast Series' webinar in which Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their work, to offer CISOs and security experts the best insights in information security.
For more, sign up (it's free): www.cisoplatform.com
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy... (by ERPScan)
SAP is the most popular business application, with more than 240,000 installations worldwide. Yet companies spend enormous amounts of money installing it and then forget about security. ERP systems run every business process and store all critical information: finances, HR, clients. Not caring about the security of this data is not sensible.
SAP NetWeaver Development Infrastructure (NWDI) is a complex system. It combines the characteristics and advantages of local development environments with a server-based development landscape, and centrally supports maintaining the software, implementing new features, managing the product lifecycle and so on. Its main aim is to control the deployment of components across the system landscape in a standardized manner.
The key component of this scheme is the Software Deployment Manager (SDM). It works directly on the production systems, which is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
Is your SAP system vulnerable to cyber attacks? (by Virtual Forge)
This presentation was held by Stephen Lamy, Virtual Forge, at the Basis & SAP Administration 2015 Conference in Las Vegas, March 2015.
Stephen Lamy demonstrated specific risks that custom ABAP can introduce into an SAP system, and provided proven advice to minimize ABAP security risks.
Key Takeaways:
- What vulnerabilities exist in productive SAP systems, and better understand how your SAP systems can be compromised
- What are common and dangerous ABAP risks, such as directory traversal and ABAP command injection
- Best practices to develop secure and compliant ABAP code, such as implementing internal coding guidelines and standards, protecting your systems from risky third-party code, and choosing the right tools for your process
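For the two ABAP risks named above, directory traversal and command injection, a review usually starts by finding where untrusted input reaches a dangerous statement. The scanner below is an added example, not Virtual Forge's tooling and not the page's own code; the ABAP report it scans is constructed. It treats PARAMETERS as taint sources, follows simple assignments and CONCATENATE into new variables, treats a FILE_VALIDATE_NAME call as clearing the taint on the file name (it does not verify that sy-subrc is checked afterwards; the reviewer must), and reports OPEN DATASET, CALL 'SYSTEM', SXPG_COMMAND_EXECUTE and dynamic WHERE clauses that still receive tainted data. The analysis is statement-level with no control flow, so it is a review aid, not a verdict.

```python
"""Heuristic taint scan of ABAP source for file, OS-command and dynamic-SQL sinks.

Added example (not Virtual Forge's product).  The ABAP below is constructed;
the analysis is deliberately simple: statement-level, no control flow, and
only a few propagation/sanitizer shapes are understood.
"""
import re

SAMPLE_ABAP = """\
REPORT z_file_tool.
PARAMETERS: p_file TYPE string, p_cmd TYPE string, p_cust TYPE string, p_safe TYPE string.
DATA: lv_path TYPE string, lv_cmd TYPE string, lv_where TYPE string, lv_line TYPE string.

* 1. directory traversal: p_file may contain ../ and leave the intended directory
CONCATENATE '/usr/sap/trans/data/' p_file INTO lv_path.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
READ DATASET lv_path INTO lv_line.
CLOSE DATASET lv_path.   " trailing comment, stripped by the scanner

* 2. OS command injection through the kernel call
lv_cmd = p_cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.

* 3. SQL injection through a dynamic WHERE clause
CONCATENATE 'KUNNR = ''' p_cust '''' INTO lv_where.
SELECT kunnr name1 FROM kna1 INTO TABLE lt_kna1 WHERE (lv_where).

* 4. file name validated against a logical file name: not flagged
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING logical_filename  = 'Z_IMPORT_FILE'
  CHANGING  physical_filename = p_safe
  EXCEPTIONS OTHERS           = 1.
IF sy-subrc = 0.
  OPEN DATASET p_safe FOR INPUT IN TEXT MODE ENCODING DEFAULT.
ENDIF.
"""

NAME = r"([A-Z_][\w-]*)"
SOURCE = re.compile(r"^PARAMETERS:?\s+(.*)$")
ASSIGN = re.compile(r"^" + NAME + r"\s*=\s*(.+)$")
CONCAT = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+" + NAME)
VALIDATE = re.compile(r"^CALL FUNCTION 'FILE_VALIDATE_NAME'.*PHYSICAL_FILENAME\s*=\s*" + NAME)
SINKS = [
    ("directory traversal (OPEN DATASET)", re.compile(r"^OPEN DATASET\s+" + NAME)),
    ("OS command injection (CALL 'SYSTEM')", re.compile(r"^CALL 'SYSTEM'.*\bFIELD\s+" + NAME)),
    ("OS command injection (SXPG_COMMAND_EXECUTE)",
     re.compile(r"'SXPG_COMMAND_EXECUTE'.*ADDITIONAL_PARAMETERS\s*=\s*" + NAME)),
    ("SQL injection (dynamic WHERE)", re.compile(r"\bWHERE\s*\(\s*" + NAME + r"\s*\)")),
]


def _strip_comment(line):
    """Drop '*' full-line comments and '"' trailing comments outside literals."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line


def _statements(source):
    """Join comment-free lines and cut at the terminating period (periods inside
    literals would confuse this: documented simplification).  Upper-cased
    because ABAP is case-insensitive."""
    joined = " ".join(ln.strip() for ln in map(_strip_comment, source.splitlines()) if ln.strip())
    return [s.strip().upper() for s in re.split(r"\.(?=\s|$)", joined) if s.strip()]


def _idents(text):
    """Identifiers in a statement fragment, ignoring character literals."""
    return set(re.findall(r"[A-Z_][\w-]*", re.sub(r"'[^']*'", "''", text)))


def scan(source):
    """Return [(sink_kind, variable, statement_index)] where tainted data reaches a sink."""
    tainted, findings = set(), []
    for idx, stmt in enumerate(_statements(source)):
        if m := SOURCE.match(stmt):                      # user input enters here
            tainted |= set(re.findall(r"([A-Z_]\w*)\s+TYPE", m.group(1)))
        elif m := VALIDATE.match(stmt):                  # logical-file check sanitises the name
            tainted.discard(m.group(1))
        elif m := CONCAT.match(stmt):
            if _idents(m.group(1)) & tainted:
                tainted.add(m.group(2))
        elif m := ASSIGN.match(stmt):
            if _idents(m.group(2)) & tainted:
                tainted.add(m.group(1))
            else:
                tainted.discard(m.group(1))              # overwritten with clean data
        for kind, pattern in SINKS:
            m = pattern.search(stmt)
            if m and m.group(1) in tainted:
                findings.append((kind, m.group(1), idx))
    return findings


if __name__ == "__main__":
    for kind, var, idx in scan(SAMPLE_ABAP):
        print(f"statement {idx}: {kind} via {var}")
```

The output names the variable and statement for each sink so the reviewer can open the surrounding code; anything reached through an importing parameter of a method or function module, through SELECT-OPTIONS, or through a branch the scanner does not follow is not reported and still has to be read by hand.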
SAP Forensics: Detecting White Collar Cyber-crime (by Onapsis Inc.)
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there, and attackers know it.
Now the big question arises: has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching how cyber-criminals might break into ERP systems, in order to help organizations better protect themselves. This has given us unique expertise on which attack vectors are most critical and what kind of traces they leave (and don’t) on the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which system tools are available to help you and what their limitations are. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
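To make the "what to look for" part concrete, here is an added example (not Onapsis material and not the page's own code) of three correlation rules run over a constructed audit-log extract: a run of failed logons followed by a success from the same terminal, any logon by one of SAP's default accounts, and a sensitive transaction started in a session flagged by either of the first two. The record layout and the log lines are constructed and are not the native Security Audit Log format; an SM20 (or RSAU_READ_LOG) export would have to be mapped onto the five fields first. One limitation the talk alludes to applies here too: the audit log only contains the event classes enabled in its filter profile, and nothing from before it was switched on, so an empty result is not evidence that nothing happened.

```python
"""Correlation rules for breach traces in an audit-log extract.

Added example, not Onapsis tooling.  The record layout
(timestamp|event|user|terminal|detail) and the log lines are constructed and
are NOT the native Security Audit Log format.  Default accounts and the
sensitive transaction codes are standard SAP names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSMITH is guessed, then used for user and table access;
# DDIC (a default account) logs on from an external terminal and opens SM69;
# MBROWN mistypes once and then does ordinary sales work.
SAMPLE_LOG = """\
2015-03-02T08:00:01|LOGON_FAIL|JSMITH|WS-1042|wrong password
2015-03-02T08:00:04|LOGON_FAIL|JSMITH|WS-1042|wrong password
2015-03-02T08:00:07|LOGON_FAIL|JSMITH|WS-1042|wrong password
2015-03-02T08:00:09|LOGON_FAIL|JSMITH|WS-1042|wrong password
2015-03-02T08:00:12|LOGON_OK|JSMITH|WS-1042|
2015-03-02T08:01:30|TX_START|JSMITH|WS-1042|SU01
2015-03-02T08:02:10|TX_START|JSMITH|WS-1042|SE16
2015-03-02T09:15:00|LOGON_OK|DDIC|EXT-77|
2015-03-02T09:16:00|TX_START|DDIC|EXT-77|SM69
2015-03-02T10:00:00|LOGON_FAIL|MBROWN|WS-2001|wrong password
2015-03-02T10:00:30|LOGON_OK|MBROWN|WS-2001|
2015-03-02T10:05:00|TX_START|MBROWN|WS-2001|VA01
"""

DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM", "SAPCPIC"}
SENSITIVE_TCODES = {"SU01", "PFCG", "SE16", "SE38", "SE80", "SE37", "SM49", "SM69", "SM59"}


def parse(text):
    """Parse the constructed pipe-separated layout into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, terminal, detail = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "terminal": terminal, "detail": detail})
    return records


def detect(records, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, user, terminal, info) tuples in log order."""
    findings = []
    failures = defaultdict(list)   # (user, terminal) -> timestamps of failed logons
    suspicious = set()             # (user, terminal) sessions to keep watching
    for r in records:
        key = (r["user"], r["terminal"])
        if r["event"] == "LOGON_FAIL":
            failures[key].append(r["ts"])
        elif r["event"] == "LOGON_OK":
            recent = [t for t in failures.pop(key, []) if r["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                findings.append(("password-guessing-then-success", r["user"], r["terminal"],
                                 r["ts"].isoformat()))
                suspicious.add(key)
            if r["user"] in DEFAULT_ACCOUNTS:
                findings.append(("default-account-logon", r["user"], r["terminal"],
                                 r["ts"].isoformat()))
                suspicious.add(key)
        elif r["event"] == "TX_START" and key in suspicious and r["detail"] in SENSITIVE_TCODES:
            findings.append(("sensitive-tcode-after-suspicious-logon", r["user"], r["terminal"],
                             r["detail"]))
    return findings


if __name__ == "__main__":
    for rule, user, terminal, info in detect(parse(SAMPLE_LOG)):
        print(f"{rule}: {user} from {terminal} ({info})")
```

The third rule is the one worth keeping: a default account or a guessed password on its own may be an admin's habit or a user's typo, but SU01, SE16 or SM69 from that session is what turns the event into an investigation. Tune `fail_threshold` and `window` to the system's lockout policy, since an attacker who stays under the lockout count will also stay under a threshold set above it.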
SAP Mobile infrastructure consists of multiple systems: SAP Mobile Platform (formerly Sybase Unwired Platform), the SAP Afaria MDM solution, the Sybase SQL Anywhere database and hundreds of SAP mobile applications. SAP even has its own store for mobile apps, which can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform we discovered many typical vulnerabilities (XSS, XXE, hardcoded static encryption keys) as well as vulnerabilities specific to this platform: logic flaws and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to gain access to the mobile phones connected to it.
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm... (by ERPScan)
This research includes a detailed attack timeline, identifies what kind of vulnerability was exploited and provides recommendations on how to avoid data breaches in SAP systems.
Oracle PeopleSoft applications are under attacks (Hack in Paris) (by ERPScan)
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7,000 companies, including about 50% of the Fortune 100. PeopleSoft applications are used worldwide, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
Oracle PeopleSoft applications are under attack (HITB AMS) (by ERPScan)
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7,000 companies, including about 50% of the Fortune 100. PeopleSoft applications are used worldwide, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes the PeopleSoft architecture and provides several internal and external attack vectors. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before registration, for example job application forms or “Forgot your password?” forms. For this purpose, PeopleSoft systems have a special user with minimal rights, and when you open such a page the system automatically authenticates you as this user. This opens the door to a privilege escalation attack by brute-forcing the authentication cookie called TokenID. TokenID is generated using the SHA-1 hashing algorithm, and according to the latest information an 8-character alphanumeric password can be brute-forced within one day on the latest GPUs, which cost about $500.
13 real ways to destroy business by breaking company’s SAP applications (by ERPScan)
All SAP risks can be divided into three groups: espionage, sabotage and fraud.
The presentation reviews the 13 most dangerous risks a business may face. For every risk, it gives the risk type, attack scenario, affected sector and vulnerable module.
There is a myth that SAP is not accessible and cannot be attacked from the Internet. The system becomes more and more popular, cloud services and mobile solutions appear, so more and more SAP services become accessible from the Internet.
Why are vulnerabilities that allow reading arbitrary files from the SAP host OS important? Because SAP stores a lot of sensitive information in files: log files, trace files, configuration and properties files. Of course, most of them have protection such as encryption, but the presentation shows how you can easily bypass this encryption.
Online analytical processing (OLAP) is an approach to formulate and answer multidimensional queries to large datasets. OLAP and Business Intelligence were initially developed to help top and middle-level executives to analyze the information about processes and data inside and outside the company. OLAP is all about BI and Big Data.
The main players in the OLAP industry are Microsoft with Microsoft Analysis Services, SAP with SAP NetWeaver BW, SAS OLAP Server, IBM Cognos TM1, the open-source icCube solution, Essbase and the OLAP add-on from Oracle, and others.
MDX is a very popular language, and at the moment there is no alternative language for multidimensional data requests. Developers tend to forget about MDX security. However, security issues in MDX may enable many attacks: data theft, file reading, privilege escalation, remote code execution, SQL injection, cross-site scripting and more.
The presentation covers topics such as details of OLAP technology, MDX attacks, Getting RCE with MDX, and mdXML attacks.
Dmitry Chastukhin, Director of security consulting at ERPScan, speaks at DeepSec Conference 2012 on SAP security.
SAP is the most popular business application, with more than 180,000 installations worldwide. Yet companies spend enormous amounts of money installing it and then forget about security. ERP systems run every business process and store all critical information.
The presentation describes how SAP Portal works and kinds of attacks it can be exposed to.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Cyaniclab : Software Development Agency Portfolio.pdf
Implementing SAP security in 5 steps

1. Invest in security to secure investments
Implementing SAP security in 5 steps
Alexander Polyakov, CTO, ERPScan
2. About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgments from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team – 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. Large enterprise sectors
• Oil & Gas
• Manufacturing
• Logistics
• Finance
• Nuclear Power
• Retail
• Telecommunication
• etc.
4. Business applications
• The role of business applications in a typical work environment
• The need to control them to optimize business processes
• Scope for enormous reduction in resource overheads and other direct monetary impact
• Potential problems that one can't overlook
• The need to reflect on security aspects – is it overstated?
• Why is it a REAL and existent risk?
5. What can the implications be?
• Espionage
  – Theft of financial information
  – Corporate secret and information theft
  – Supplier and customer list theft
  – HR data theft
• Sabotage
  – Denial of service
  – Tampering of financial records and accounting data
  – Access to technology network (SCADA) by trust relations
• Fraud
  – False transactions
  – Modification of master data
6. SAP
• The most popular business application
• More than 263000 customers worldwide
• 83% Forbes 500 companies run SAP
• Main system – ERP
• Main platforms
  ‒ SAP NetWeaver ABAP
  ‒ SAP NetWeaver J2EE
  ‒ SAP BusinessObjects
  ‒ SAP HANA
  ‒ SAP Mobile Platform (SUP)
7. SAP security
• Complexity: Complexity kills security. Many different vulnerabilities in all levels, from network to application
• Customization: Cannot be installed out of the box. A lot of (up to 50 %) custom code and business logic
• Risky: Rarely updated because administrators are scared of crashes and downtime
• Unknown: Mostly available inside the company (closed world)
http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
8. Securing SAP
• Have budget – Find people and tools
• Don't have budget – Try to show business how critical it is
9. Ask 3rd parties for
• Whitepapers
• Webinars from experts
• SAAS scanning of external-facing systems
• SAP penetration testing
• Deep SAP security assessment
11. Pentest – anonymous scan for SAP vulnerabilities and ways to exploit them
• Analysis of exposed services (more than 20 possible)
• BlackBox analysis of installed applications and vulnerabilities
• Exploitation of found vulnerabilities
• Privilege escalation
• Presentation report for management
✓ Pentest can be a starting point for an SAP security project
✓ Pentest can also be a final test after implementation
12. Analysis of running services
• Scan an external company network for SAP services
• Scan internal SAP systems from the user or guest network
• Scan internal SAP systems from the admin network
13. Remotely exposed services
[Bar chart: "Exposed services 2011" vs "Exposed services 2013" (scale 0–35) for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server and SAP Router; the bar values are not recoverable from the text]
14. Internal access
• Only these services should be open for user access
  – Dispatcher or Message Server
  – Gateway (for some users)
  – ICM (for some users, if used)
15. Pentest JAVA
Examples of vulnerabilities
• Auth bypass in CTC
• Anonymous user creation
• Anonymous file read
• Information disclosure
• Unauthorized access to KM documents
16. Pentest ABAP
Examples of vulnerabilities:
• Reginfo/Secinfo bypass
• Oracle database access bypass
• Buffer overflows
• Information disclosure about files in MMC
• Unauthorized access to log files
• Injection of OS commands in SAPHostControl
• Dangerous web services
• Information disclosure of parameters in Message Server HTTP
17. Full SAP security assessment
• BlackBox vulnerability scan
• Penetration testing
• WhiteBox configuration scan
  ‒ Configuration analysis
  ‒ Access control checks
  ‒ SAP Security Notes analysis
  ‒ Password complexity checks (bruteforce)
18. Configuration analysis
• Authentication (password policies, SSO, users by different criteria)
• Access control (access to different web services, tables, transactions, insecure test services, unnecessary transactions and web applications)
• Encryption (SSL and SNC encryption)
• Monitoring (security audit log, system log and others)
• Insecure configuration (all other security checks for particular services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal)
19. Access control
• Users with critical profiles
• Users with critical roles
• Users with access to critical tables
• Users with access to transport
• Users with access to development
• Users with access to user administration
• Users with access to system administration
• Users with access to HR functions
• Users with access to CRM functions
• … Specific access control checks for industry solutions
20. Vulnerability scan
• Check for latest component versions
• Check for missing SAP Security Notes
• Correlate patches with SAP Security Notes
• Exploit vulnerabilities to check if they really exist
• Risk management
22. Compliance
First of all, choose the one you want
• Technical
  ‒ EAS-SEC
  ‒ SAP NetWeaver ABAP Security Configuration
  ‒ ISACA (ITAF)
  ‒ DSAG
• Industry
  ‒ PCI DSS
  ‒ NERC CIP
24. 3 areas of Business Application Security
• Business logic security (SoD) – Prevents attacks or mistakes made by insiders
• Custom code security – Prevents attacks or mistakes made by developers
• Application platform security – Prevents unauthorized access both by insiders and remote attackers
25. Security guidelines
• For web, we have OWASP, WASC
• For network and OS, we have NIST, SANS
• But what about Enterprise Business Applications?
26. Why? (1)
• Questions like "why?" and "what for?" are the alpha and omega of every research
• The most frequent question we were asked: "Guys, you are awesome! You are doing a great job so far, finding so many problems in our installations. It's absolutely fantastic, but we don't know where to start solving them. Could you provide us with top 10/20/50/100/[your favorite number] most critical bugs in every area?"
27. Why? (2)
• We had to do something completely different from just Top 10 most critical bugs
• Even if you patch all vulnerabilities, lots of problems could still remain: access control, configuration, logs
• The number one challenge is to understand all security areas of EAS and to have the opportunity to select several most critical issues for every area
28. Why? (3)
• We started to analyze the existing guidelines and standards
  – High level policies: NIST, SOX, ISO, PCI-DSS
  – Technical guides: OWASP, WASC, SANS 25, CWE
  – SAP guides:
    o Configuration of SAP NetWeaver® Application Server Using ABAP by SAP
    o ISACA Assurance (ITAF) by ISACA
    o DSAG by German SAP User Group
• Those standards are great, but, unfortunately, all of them have at least one big disadvantage
29. SAP security guidelines
• Guidelines made by SAP
• First official SAP guide for technical security of ABAP stack
• Secure Configuration of SAP NetWeaver® Application Server Using ABAP
• First version in 2010, version 1.2 in 2012
30. SAP security guidelines
• For rapid assessment of the most common technical platform misconfigurations
• Consists of 9 areas and 82 checks
• Ideal as a second step, gives more details for some standard EAS-SEC areas
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
31. SAP security guidelines
• Advantages:
  – Very brief but quite comprehensive (only 9 pages)
  – Covers application platform issues
  – Applicable for every ABAP based platform (either ERP or Solution Manager or HR)
• Disadvantages:
  – 82 checks is still a lot for a first brief look on secure configuration
  – Doesn't cover access control issues and logging and misses some things even in platform security
  – Gives people false sense of security if they cover all checks. But it wouldn't be completely true
32. ISACA Assurance (ITAF)
• Guidelines made by ISACA
• Checks cover configuration and access control areas
• The first most complete compliance
• There were 3 versions published in 2002, 2006, 2009 (some areas are outdated now)
33. ISACA Assurance (ITAF)
• Technical part covers incomplete access control info and misses some critical areas
• The biggest advantage is the big database of access control checks
• Consists of 4 parts and more than 160 checks
• Ideal as a third-step guide and very useful for its detailed coverage of access control
34. ISACA Assurance (ITAF)
• Advantages:
  – Detailed coverage of access control checks
• Disadvantages:
  – Outdated
  – Technical part is missing
  – Too many checks, can't be easily used by a non-SAP specialist
  – Can't be applied to any system without prior understanding of the business processes
  – Is officially available only as part of the book, or you should be at least an ISACA member to get it
35. DSAG
• Set of recommendations from Deutsche SAP Users Group
• Checks cover all security areas, from technical configuration and source code to access control and management procedures
• Currently the biggest guideline about SAP security
36. DSAG
• Last version in Jan 2011
• Consists of 8 areas and 200+ checks
• Ideal as a final step for securing SAP but consists of many checks which need additional decision making (highly depends on the installation)
http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
37. DSAG
• Advantages:
  – Ideal as a final step for securing SAP
  – Great for SAP security administrators, covers almost all areas
• Disadvantages:
  – Same as ISACA: too big for a starter, and no help at all for security people who are not familiar with SAP
  – Can't be directly applied to every system without prior understanding of business processes. Many checks are recommendations, and the users should think for themselves if they are applicable in each case
39. EAS-SEC
• The authors' efforts were:
  – to make this list as brief as possible
  – to cover the most critical threats for each area
  – to make it easily used not only by SAP/ERP security experts but by every security specialist
  – to provide comprehensive coverage of all critical SAP security areas
• At the same time, to develop the most complete guide would be a never-ending story
• So we implemented the 80/20 rule for SAP security
40. EAS-SEC
• Developed by ERPScan
• First release 2010
• Second edition 2013 (http://eas-sec.org)
• 3 main areas
  – Implementation assessment
  – Code review
  – Awareness
• Rapid assessment of Business Application security
41. EASSEC-PVAG: EASSEC Implementation Assessment

Issue                                        Access         Criticality  Easy to exploit  % of vulnerable systems
1. Lack of patch management                  Anonymous      High         High             99%
2. Default passwords for application access  Anonymous      High         High             95%
3. Unnecessary enabled functionality         Anonymous      High         High             90%
4. Open remote management interfaces         Anonymous      High         Medium           90%
5. Insecure configuration                    Anonymous      Medium       Medium           90%
6. Unencrypted communication                 Anonymous      Medium       Medium           80%
7. Access control and SOD                    User           High         Medium           99%
8. Insecure trust relations                  User           High         Medium           80%
9. Logging and monitoring                    Administrator  High         Medium           98%
42. EAS-SEC for SAP NetWeaver ABAP
Enterprise Application Systems Application Implementation – NetWeaver ABAP
– Developed by ERPScan: First standard in the EAS-SEC series
– Published in 2013
http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/
– Rapid assessment of SAP security in 9 areas
– Contains 33 most critical checks
– Ideal as a first step
– Also contains information for next steps
– Categorized by priority and criticality
43. EAS-SEC for NetWeaver (EASSEC-PVAG-ABAP)
Enterprise Application Systems Vulnerability Assessment – for NetWeaver ABAP
– First standard in the EAS-SEC series
– Rapid assessment of SAP security in 9 areas
– Contains 33 most critical checks
– Ideal as a first step
– Also contains information for next steps
– Categorized by priority and criticality
44. Lack of patch management
• [EASAI-NA-01] Component updates
• [EASAI-NA-02] Kernel updated
What's next: Other components should be updated separately – SAProuter, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. Also, OS and database
45. Default passwords
• [EASAI-NA-03] Default password check for user SAP*
• [EASAI-NA-04] Default password check for user DDIC
• [EASAI-NA-05] Default password check for user SAPCPIC
• [EASAI-NA-06] Default password check for user MSADM
• [EASAI-NA-07] Default password check for user EARLYWATCH
What's next: A couple of additional SAP components, like old versions of SAP SDM and SAP ITS, have default passwords. After you check all default passwords, you can start bruteforcing for simple passwords
46. Unnecessary enabled functionality
• [EASAI-NA-08] Access to RFC-functions using SOAP interface
• [EASAI-NA-09] Access to RFC-functions using FORM interface
• [EASAI-NA-10] Access to XI service using SOAP interface
What's next: Analyze about 1500 other services which are remotely enabled to see if they are really needed. Disable unused transactions, programs and reports
47. Open remote management interfaces
• [EASAI-NA-11] Unauthorized access to SAPControl service
• [EASAI-NA-12] Unauthorized access to SAPHostControl service
• [EASAI-NA-13] Unauthorized access to Message Server service
• [EASAI-NA-14] Unauthorized access to Oracle database
What's next: Full list of SAP services is available here: TCP/IP Ports Used by SAP Applications. Also, take care of 3rd party services which can be enabled on this server
48. Insecure configuration
• [EASAI-NA-15] Minimum password length
• [EASAI-NA-16] User locking policy
• [EASAI-NA-17] Password compliance to current standards
• [EASAI-NA-18] Access control to RFC (reginfo.dat)
• [EASAI-NA-19] Access control to RFC (secinfo.dat)
What's next: First of all, look to Secure Configuration of SAP NetWeaver® Application Server Using ABAP for detailed configuration checks. Afterwards, pass through detailed documents for each and every SAP service and module
http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
49. Access control and SoD conflicts
• [EASAI-NA-20] Users with SAP_ALL profile
• [EASAI-NA-21] Users which can run any program
• [EASAI-NA-22] Users which can modify critical table USR02
• [EASAI-NA-23] Users which can execute any OS command
• [EASAI-NA-24] Disabled authorization checks
What's next: There are at least 100 critical transactions only in BASIS and approximately the same number in any other module. Detailed information can be found in ISACA guidelines. After that, you can start Segregation of Duties
50. Unencrypted connections
• [EASAI-NA-25] Use of SSL for securing HTTP connections
• [EASAI-NA-26] Use of SNC for securing SAP GUI connections
• [EASAI-NA-27] Use of SNC for securing RFC connections
What's next: Even if you use encryption, check how it is configured for every encryption type and for every service because there are different complex configurations for each encryption type. For example, the latest attacks on SSL (BEAST and CRIME) require companies to use more complex SSL configurations
51. Insecure trusted connections
• [EASAI-NA-28] RFC connections with stored authentication data
• [EASAI-NA-29] Trusted systems with lower security
What's next: Check other ways to get access to trusted systems, such as database links, use of the same OS user, or use of similar passwords for different systems
52. Logging and monitoring
• [EASAI-NA-30] Logging of security events
• [EASAI-NA-31] Logging of HTTP requests
• [EASAI-NA-32] Logging of table changes
• [EASAI-NA-33] Logging of access to Gateway
What's next: There are about 30 different types of log files in SAP. Upon properly enabling the main ones, you should properly configure complex options, such as which specific tables to monitor for changes, what kind of events to analyze in the security events log, and what types of Gateway attacks should be collected. Next step is to enable their centralized collection and storage and then add other log events
54. Awareness
• SAP Security in Figures 2011
• SAP Security in Figures 2013
• 3000 vulnerabilities in SAP
• SAP Security in Figures 2014 (coming soon)
56. Internal security
• Simple steps and statistics
• Critical access
• Segregation of Duties
• Optimization and maintenance
57. Simple steps
• Analyze statistics
  – Number of users in a role
    o 0 – Role is not used
    o >100 – Divide into different roles, check for critical authorizations
  – Number of authorizations in a role
  – Number of authorization objects in a role
58. Critical access
• There are different areas: HR, Basis, Fixed Assets, Material Management
• Each of those roles has a list of critical transactions and authorizations (available in ISACA guidelines)
• First of all, decrease the number of critical roles
• For example, users who can only modify the table USR02 can do everything they want!
60. Critical access optimization
• Obtain the list of roles with critical access to particular transactions
• Minimize roles
• Obtain the list of users with critical access to particular transactions
• Sort them by type/locking status/etc.
• Exclude administrators and superusers (and minimize them)
• Minimize users
61. SoD analysis
• Use default templates or customize them
• Obtain the list of business roles in a company
• Obtain the list of actions in a particular role
• Assign transactions and authorization objects to actions
• Create or modify matrix (add risk values)
64. Analyzing SoD results
• Result:
  – List of users with critical conflicts
  – List of roles with critical conflicts
• Solving:
  – Obtain roles with maximum number of segregations
  – Optimize them
  – Obtain users with maximum number of segregations
  – Optimize them
65. Optimization
• You will get thousands of conflicts the first time
• How to solve them quickly:
  – Exclude all administrators (SAP_ALL)
  – Look at HOW exactly rights are assigned (all * values should be excluded)
  – Look at the history of executed transactions
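The procedure of slides 57 to 65 (role statistics, mapping transactions to business actions, a risk matrix, and then pruning the result by excluding SAP_ALL holders, flagging wildcard assignments and consulting execution history), carried out in Python over a constructed role export. This is an added example, not code from the presentation or from ERPScan; the role names, users, transaction codes, risk matrix and history are assumptions, and a real SoD matrix comes from your own templates.

```python
# SoD conflict analysis over a constructed SAP-style authorization export.
# Added example: roles, users, transaction codes, risk matrix and history are constructed.

# Role export: role -> values of the S_TCODE authorization object (which
# transactions the role may start); '*' is a wildcard value.
ROLES = {
    "Z_AP_CLERK":   {"S_TCODE": {"FK01", "FB60"}},          # maintain vendor, post invoice
    "Z_AP_PAYMENT": {"S_TCODE": {"F110"}},                  # run payment program
    "Z_AP_ALL":     {"S_TCODE": {"FK01", "FB60", "F110"}},  # whole AP process in one role
    "Z_BASIS":      {"S_TCODE": {"*"}},                     # wildcard: any transaction
    "Z_UNUSED":     {"S_TCODE": {"SE16"}},                  # assigned to nobody
}
# User -> roles/profiles. SAP_ALL is a profile that grants everything.
USERS = {
    "alice": ["Z_AP_CLERK"],
    "bob":   ["Z_AP_CLERK", "Z_AP_PAYMENT"],
    "carol": ["Z_AP_ALL"],
    "dave":  ["Z_BASIS"],
    "eve":   ["SAP_ALL"],
}
ADMIN_PROFILES = {"SAP_ALL"}
# Slide 61: actions defined by the transactions that perform them, and a
# risk matrix of the action pairs that must be segregated.
ACTIONS = {"MAINTAIN_VENDOR": {"FK01"}, "POST_INVOICE": {"FB60"}, "RUN_PAYMENT": {"F110"}}
RISK_MATRIX = {
    ("MAINTAIN_VENDOR", "RUN_PAYMENT"):  "High",
    ("POST_INVOICE", "RUN_PAYMENT"):     "High",
    ("MAINTAIN_VENDOR", "POST_INVOICE"): "Medium",
}

def actions_for_tcodes(tcodes):
    """Map transaction codes to actions; returns (actions, wildcard_seen)."""
    if "*" in tcodes:
        return set(ACTIONS), True
    return {name for name, tc in ACTIONS.items() if tc & tcodes}, False

def conflicts_in(actions):
    """Risk-matrix pairs where one principal holds both actions."""
    return sorted((a, b, risk) for (a, b), risk in RISK_MATRIX.items()
                  if a in actions and b in actions)

def role_statistics(users=USERS, roles=ROLES):
    """Slide 57: users per role; 0 means unused, >100 means split the role."""
    counts = {role: 0 for role in roles}
    for assigned in users.values():
        for role in assigned:
            if role in counts:
                counts[role] += 1
    flags = {r: "unused" if n == 0 else "split"
             for r, n in counts.items() if n == 0 or n > 100}
    return counts, flags

def analyze_roles(roles=ROLES):
    """Slide 64: roles that carry a critical conflict on their own."""
    per_role = {r: conflicts_in(actions_for_tcodes(a["S_TCODE"])[0])
                for r, a in roles.items()}
    return {r: c for r, c in per_role.items() if c}

def analyze_users(users=USERS, roles=ROLES, history=None):
    """Slides 64-65: conflicts per user after the quick pruning steps: SAP_ALL
    holders listed separately, wildcard assignments flagged, and with `history`
    (user -> executed transactions) only executed actions count."""
    report = {"admins": [], "wildcard": [], "conflicts": {}}
    for user, assigned in users.items():
        if ADMIN_PROFILES & set(assigned):
            report["admins"].append(user)
            continue
        actions = set()
        for role in assigned:
            acts, wildcard = actions_for_tcodes(roles[role]["S_TCODE"])
            if wildcard:
                report["wildcard"].append((user, role))
            actions |= acts
        if history is not None and user in history:
            actions &= actions_for_tcodes(history[user])[0]
        found = conflicts_in(actions)
        if found:
            report["conflicts"][user] = found
    return report

if __name__ == "__main__":
    print(role_statistics())
    print(analyze_users())
    # Constructed execution history for the last step of slide 65.
    print(analyze_users(history={"bob": {"FB60", "F110"}, "carol": {"FK01"}}))
```

Wildcard roles are reported rather than silently counted, because the slide's point is that a "*" assignment must be removed before the conflict list means anything.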
67. ABAP
• SAP uses ABAP, JAVA, and XSJS (for HANA)
• ABAP, as any other language, can have vulnerabilities
• It can also be used for writing backdoors
• Development inside the company is almost uncontrolled
• Developer access to system == god in SAP
68. Source code review
• EASAD-9 standard from a series of standards designed for Enterprise Application Systems Security Assessment (EAS-SEC)
• Full name:
  – Enterprise Application Systems Application Development
• Describes 9 areas of source code issues for business languages
• Universal categories for different languages and systems (SAP, Oracle, Dynamics, Infor, …)
• Categorized based on criticality and exploitation probability
72. Attacks
• It is very hard to make everything secure, so you need additional monitoring
• ACFE published a report about 7 % revenue losses from fraud in the USA
• Examples that we saw:
  – Salary modification
  – Material management fraud
  – Mistakes
74. SAP forensics
• Real attacks exist
• But there is not so much public info
• Companies are not interested in the publication of compromise
• But the main problem is here:
  – How can you be sure there was no compromise?
  – Only 10% of systems have Security Audit Log enabled
  – Only a few of them analyze those logs
  – And much fewer do central storage and correlation
75. Log statistics
• Web access 70%
• Security audit log 10%
• Table logging 4%
• Message Server 2%
• SAP Gateway 2%
76. Log types
• SAP Web Dispatcher – Security log
• SAP Web Dispatcher – HTTP log
• SAProuter log
• SAP Gateway log
• SAP Message Server log
• SAP Message Server HTTP log
• SAP security audit log
• ABAP user changes log
• ABAP table changes log
• ABAP document changes log
• Trace files
77. SAP Security Logs

Name                               Default   Central storage
SAP Web Dispatcher – Security log  Enabled   No
SAP Web Dispatcher – HTTP log      Disabled  No
SAProuter log                      Disabled  No
SAP Gateway log                    Disabled  No
SAP Message Server log             Disabled  No
SAP Message Server HTTP log        Disabled  No
SAP security audit log             Disabled  CCMS?
ABAP user changes log              Enabled   No
ABAP table changes log             Disabled  No
ABAP document changes log          Disabled  No
Trace files                        Disabled  No
Developer trace                    Enabled   No
78. Defense
• EAS-SEC: Resource which combines
  – Guidelines for assessing enterprise application security
  – Guidelines for assessing custom code
  – Surveys about enterprise application security
79. Conclusion
• Critical networks are complex
• System is as secure as its most insecure component
• Holistic approach
• Check out eas-sec.org
• Check out erpscan.com