Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
- SAP systems are critical to many large businesses but contain inherent vulnerabilities that could allow backdoors to be installed.
- Several technical vulnerabilities in SAP systems and their databases could allow an attacker to gain high privileges and modify code, including the authentication process.
- Onapsis has developed a tool called Integrity Analyzer for SAP that can detect modifications to SAP code that may indicate backdoors, as it is difficult to detect them from within the compromised SAP system itself. Regular monitoring and security assessments are needed to minimize risks.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
The document discusses security vulnerabilities in SAP web applications. It describes how attackers can identify SAP components and versions through server banners and error messages. Some SAP web services like the "Info Service" are publicly accessible by default and return sensitive system information without authentication. Most SAP web services require authentication but have weak authorization checks by default, allowing authenticated users to execute many functionalities without proper authorization. The document provides recommendations to disable server banners, customize error pages, and strengthen authorization checks for SAP web services.
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...Onapsis Inc.
This presentation covers the evolution of threats targeting SAP systems, SAP Web Servers. We will cover attacks to Web Dispatcher while also showing live demo's of Business data ex-filtration and Authentication bypass in enterprise portals.
Also, countermeasures to prevent these attacks will be discussed.
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
Companies nowadays are choosing in between on-premise, cloud and hybrid deployment models. The common factor across all these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database and application server, that serves an increasing number of business applications, providing cutting edge features and performance.
Vulnerabilities affecting SAP HANA have now an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of this risks.
Join us on this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.
The document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like systems, instances, clients and remote function calls. It then discusses the need for penetration testing business applications due to lack of security during implementations. The document outlines the phases of SAP penetration testing: discovery to find SAP targets, exploration to gather information, and vulnerability assessment to identify security threats.
Pen Testing SAP Critical Information ExposedOnapsis Inc.
The world's largest organizations process huge amounts of critical information. This information is essential for the proper functioning of your business processes. The systems responsible for administering and managing these processes are called ERP and SAP ERP is the most used ERP by large companies.
An attacker would perform acts of fraud, sabotage or espionage on one of these companies focusing its efforts on vulnerable systems and get direct access to the most critical and sensitive business information.
In this talk we will work backwards to see the different stages and attacks that could be performed to compromise a SAP system without any prior knowledge about the target and credentials to access the same system. Thus, by developing penetration testing, we can help companies solve problems and mitigate risk. All demo’s will be performed using open-source tools such as Onapsis Bizploit - the first ERP Penetration Testing framework. This will allow attendees to apply their knowledge to make these assessments in their companies.
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
The major organizations worldwide run their businesses thanks to the (Enterprise Resource Planning) ERP systems. In order to comply with government regulations, the anti-fraud laws, and specific industry requirements (such as NERC, PCI or HIPAA) security practices are usually confined to implement segregation of duties and access control users.
In recent years, attacks based on vulnerabilities and technical weaknesses in the implementation of ERP systems have gained a lot of attention. These revealed a wide range of surfaces attacks unexplored so far that are available for attackers to take advantage of. The ERP market is well defined and divided among a few players who provide ERP solutions to hundreds of government, military agencies and companies in a variety of industries.
In this talk, we will discuss the attack surface exposed by increased distribution ERP systems, and will conduct several live demonstrations of attacks that you will see if you run an ERP Penetration Test. We will focus on systems critical to the business world ERP: SAP, Oracle Siebel and Oracle JD Edwards. Analyze how it is possible for attackers, through exploiting technical vulnerabilities, aim your attack on the crown jewels and the most critical process of victims organizations, resulting in espionage, sabotage and financial fraud.
- SAP systems are critical to many large businesses but contain inherent vulnerabilities that could allow backdoors to be installed.
- Several technical vulnerabilities in SAP systems and their databases could allow an attacker to gain high privileges and modify code, including the authentication process.
- Onapsis has developed a tool called Integrity Analyzer for SAP that can detect modifications to SAP code that may indicate backdoors, as it is difficult to detect them from within the compromised SAP system itself. Regular monitoring and security assessments are needed to minimize risks.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
The document discusses security vulnerabilities in SAP web applications. It describes how attackers can identify SAP components and versions through server banners and error messages. Some SAP web services like the "Info Service" are publicly accessible by default and return sensitive system information without authentication. Most SAP web services require authentication but have weak authorization checks by default, allowing authenticated users to execute many functionalities without proper authorization. The document provides recommendations to disable server banners, customize error pages, and strengthen authorization checks for SAP web services.
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...Onapsis Inc.
This presentation covers the evolution of threats targeting SAP systems, SAP Web Servers. We will cover attacks to Web Dispatcher while also showing live demo's of Business data ex-filtration and Authentication bypass in enterprise portals.
Also, countermeasures to prevent these attacks will be discussed.
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
Companies nowadays are choosing in between on-premise, cloud and hybrid deployment models. The common factor across all these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database and application server, that serves an increasing number of business applications, providing cutting edge features and performance.
Vulnerabilities affecting SAP HANA have now an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of this risks.
Join us on this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.
The document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like systems, instances, clients and remote function calls. It then discusses the need for penetration testing business applications due to lack of security during implementations. The document outlines the phases of SAP penetration testing: discovery to find SAP targets, exploration to gather information, and vulnerability assessment to identify security threats.
Pen Testing SAP Critical Information ExposedOnapsis Inc.
The world's largest organizations process huge amounts of critical information. This information is essential for the proper functioning of your business processes. The systems responsible for administering and managing these processes are called ERP and SAP ERP is the most used ERP by large companies.
An attacker would perform acts of fraud, sabotage or espionage on one of these companies focusing its efforts on vulnerable systems and get direct access to the most critical and sensitive business information.
In this talk we will work backwards to see the different stages and attacks that could be performed to compromise a SAP system without any prior knowledge about the target and credentials to access the same system. Thus, by developing penetration testing, we can help companies solve problems and mitigate risk. All demo’s will be performed using open-source tools such as Onapsis Bizploit - the first ERP Penetration Testing framework. This will allow attendees to apply their knowledge to make these assessments in their companies.
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
The major organizations worldwide run their businesses thanks to the (Enterprise Resource Planning) ERP systems. In order to comply with government regulations, the anti-fraud laws, and specific industry requirements (such as NERC, PCI or HIPAA) security practices are usually confined to implement segregation of duties and access control users.
In recent years, attacks based on vulnerabilities and technical weaknesses in the implementation of ERP systems have gained a lot of attention. These revealed a wide range of surfaces attacks unexplored so far that are available for attackers to take advantage of. The ERP market is well defined and divided among a few players who provide ERP solutions to hundreds of government, military agencies and companies in a variety of industries.
In this talk, we will discuss the attack surface exposed by increased distribution ERP systems, and will conduct several live demonstrations of attacks that you will see if you run an ERP Penetration Test. We will focus on systems critical to the business world ERP: SAP, Oracle Siebel and Oracle JD Edwards. Analyze how it is possible for attackers, through exploiting technical vulnerabilities, aim your attack on the crown jewels and the most critical process of victims organizations, resulting in espionage, sabotage and financial fraud.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
hat is “in-memory” platform? Usually DBMS rely on disk to store their data but today they are solutions which store data in memory. Why? Memory is cheap today, there is an increase amount of data to process and performance is a key. Well-known solutions are Oracle, SQLserver and SAP HANA.
Ezequiel’s research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provide a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:
SQLi are restricted to the user privileges (better)
XSS is more powerful (bad)
After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete it, the information remains available! XSS attacks were reviewed as well as integration with the R-Server.
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
This document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like instances, clients, transactions, ABAP, and authorization. It then discusses why SAP penetration testing is important to identify security weaknesses before attackers can exploit them. The document outlines the phases of a penetration test including discovery of SAP systems on a network, exploration of systems to gather information, vulnerability assessment, and exploitation of vulnerabilities. It provides an example case study of assessing security of an SAProuter. The presentation emphasizes that many SAP implementations have default insecure configurations and a penetration test can help secure systems by finding vulnerabilities.
Attacks Based on Security ConfigurationsOnapsis Inc.
Many large companies, as well as large government and defense organizations, have something in common: they rely on SAP platforms to process their business critical processes and information. Because of the sensitive nature of the information stored in these complex implementations, they are quickly becoming an attractive target for cyber-criminals looking to perform espionage, sabotage or financial fraud attacks by gaining access to the organizations’ crown jewels.
Securing these large and complex SAP implementations can be an ongoing, complicated and pain-staking task which requires specialized SAP security knowledge. This task encompasses managing the SoD process, patch (Security Note) management and implementation, analyzing interfaces and configuring the systems properly and securely (among many other things). One of the first and most important steps in starting the process of securing SAP implementations is the need to configure SAP application servers in a secure way. This task is not easy, as a SAP system has hundreds of different configurations which can be modified and a wrong setting or combination of settings can introduce large amounts of risk.
During this presentation, Onapsis CTO, Juan Perez-Etchegoyen explained some of the risks a default or insecure setting could introduce to the whole SAP infrastructure. You will see real life examples of these misconfigurations, and the threats introduced by them through several live demos. He will also explain how organizations can begin a process of securely configuring these systems.
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
After a brief introduction into ERP systems such as Oracle Siebel and JD Edwards this presentation will cover attack scenarios that these systems are faced with.
Highway to Production Securing the SAP TMSOnapsis Inc.
In all SAP implementations there are numerous reasons why organizations would need to make changes and updates; from changes to legislation and compliance mandates to business growth and process evolution. The Transport Management System (TMS) is the backbone for properly executing these changes across a landscape (Dev, QA, PROD, etc). If TMS is not properly secured, a malicious attacker could initiate disruptive and negatively impactful changes to Productive systems.
In this presentation we will explain the main components and capabilities of TMS. We will then detail specific ways in which organizations can increase the protection of their SAP platforms by gaining visibility to the risks and securing TMS.
The presentation is based on the research contained in the latest SAP Security In-Depth publication: SAP TMS: A Highway to Production.
Distributed Object or Remote Method Invocation (RMI) frameworks facilitate the remote invocation of methods and creation of objects between systems. Conceptually RMI frameworks are similar to Remote Procedure Call (RPC) platforms. A main difference is that in RMI the client and the server work with the entire object lifecycle (i.e. creation, destruction) whereas RPC is typically limited to remote methods or procedures. RMI frameworks are interesting because they provide a remote method for object manipulation. Even though Web Services have taken the lead as the de-facto technology for communication in distributed applications, RMI frameworks are still widely used in many applications. Almost every programming language has support for one or, usually, more RMI frameworks. The proliferation of this technology made RMI interfaces very common among all sorts of software, especially across Enterprise Applications, and constitute a fruitful vector from an attacker's point of view. In this presentation we will discuss the architecture, security features and new vulnerabilities we have detected in two implementations of popular Enterprise RMI frameworks: CORBA and SAP RMI-P4. Through live demonstrations, we will demonstrate novel techniques for remote file read/write, arbitrary database access, session hijacking, and other critical bugs in large enterprise platforms, as well as the countermeasures in order to protect from these threats. We will walk you through the vulnerability research process we performed over these frameworks, enabling you to understand also how these attacks could be extended to other RMI implementations you may encounter.
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
SAP provides various business solutions including CRM, ERP, PLM, and SCM. It consists of integrated modules running on the Netweaver platform across multiple operating systems. While SAP systems store centralized information and communicate across systems, they are often not configured securely by default and the RFC interface presents a key vulnerability. Proper user access controls, password policies, database restrictions, patching, and network monitoring are needed to secure SAP systems from vulnerabilities and resulting business and financial losses.
5 real ways to destroy business by breaking SAP applicationsERPScan
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
The document discusses incident response and SAP systems. It begins with an overview of Onapsis Inc. and the backgrounds of Juan Perez-Etchegoyen and Sergio Abraham. It then covers incident response concepts, including detection and classification of incidents, affected assets, legal actions, and impact analysis. The remainder provides an example case study of employee salaries being leaked and the analysis steps taken to investigate the incident.
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usPROIDEA
Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is not enough anymore to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they have not got an access to the ERP system. In addition, it is rather common to have an unprivileged account, which give them access to the encrypted password, but not to the whole system. Sometimes they even try to break into other systems with help of the passwords, which users usually use in the systems they’ve already broken, but they can’t, because they need them to be decrypted first. Where do we find the treasured password to access the financial transactions and revenues of NASDAQ monsters?
Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext?
This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, which is more interesting, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented.
SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, Database links, SAP HANA Storage, you name it – all varieties of SAP modules will be discussed in this talk.
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
hat is “in-memory” platform? Usually DBMS rely on disk to store their data but today they are solutions which store data in memory. Why? Memory is cheap today, there is an increase amount of data to process and performance is a key. Well-known solutions are Oracle, SQLserver and SAP HANA.
Ezequiel’s research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provide a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:
SQLi are restricted to the user privileges (better)
XSS is more powerful (bad)
After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete it, the information remains available! XSS attacks were reviewed as well as integration with the R-Server.
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
This document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like instances, clients, transactions, ABAP, and authorization. It then discusses why SAP penetration testing is important to identify security weaknesses before attackers can exploit them. The document outlines the phases of a penetration test including discovery of SAP systems on a network, exploration of systems to gather information, vulnerability assessment, and exploitation of vulnerabilities. It provides an example case study of assessing security of an SAProuter. The presentation emphasizes that many SAP implementations have default insecure configurations and a penetration test can help secure systems by finding vulnerabilities.
Attacks Based on Security ConfigurationsOnapsis Inc.
Many large companies, as well as large government and defense organizations, have something in common: they rely on SAP platforms to process their business critical processes and information. Because of the sensitive nature of the information stored in these complex implementations, they are quickly becoming an attractive target for cyber-criminals looking to perform espionage, sabotage or financial fraud attacks by gaining access to the organizations’ crown jewels.
Securing these large and complex SAP implementations can be an ongoing, complicated and pain-staking task which requires specialized SAP security knowledge. This task encompasses managing the SoD process, patch (Security Note) management and implementation, analyzing interfaces and configuring the systems properly and securely (among many other things). One of the first and most important steps in starting the process of securing SAP implementations is the need to configure SAP application servers in a secure way. This task is not easy, as a SAP system has hundreds of different configurations which can be modified and a wrong setting or combination of settings can introduce large amounts of risk.
During this presentation, Onapsis CTO, Juan Perez-Etchegoyen explained some of the risks a default or insecure setting could introduce to the whole SAP infrastructure. You will see real life examples of these misconfigurations, and the threats introduced by them through several live demos. He will also explain how organizations can begin a process of securely configuring these systems.
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
After a brief introduction into ERP systems such as Oracle Siebel and JD Edwards this presentation will cover attack scenarios that these systems are faced with.
Highway to Production Securing the SAP TMSOnapsis Inc.
In all SAP implementations there are numerous reasons why organizations would need to make changes and updates; from changes to legislation and compliance mandates to business growth and process evolution. The Transport Management System (TMS) is the backbone for properly executing these changes across a landscape (Dev, QA, PROD, etc). If TMS is not properly secured, a malicious attacker could initiate disruptive and negatively impactful changes to Productive systems.
In this presentation we will explain the main components and capabilities of TMS. We will then detail specific ways in which organizations can increase the protection of their SAP platforms by gaining visibility to the risks and securing TMS.
The presentation is based on the research contained in the latest SAP Security In-Depth publication: SAP TMS: A Highway to Production.
Distributed Object or Remote Method Invocation (RMI) frameworks facilitate the remote invocation of methods and creation of objects between systems. Conceptually RMI frameworks are similar to Remote Procedure Call (RPC) platforms. A main difference is that in RMI the client and the server work with the entire object lifecycle (i.e. creation, destruction) whereas RPC is typically limited to remote methods or procedures. RMI frameworks are interesting because they provide a remote method for object manipulation. Even though Web Services have taken the lead as the de-facto technology for communication in distributed applications, RMI frameworks are still widely used in many applications. Almost every programming language has support for one or, usually, more RMI frameworks. The proliferation of this technology made RMI interfaces very common among all sorts of software, especially across Enterprise Applications, and constitute a fruitful vector from an attacker's point of view. In this presentation we will discuss the architecture, security features and new vulnerabilities we have detected in two implementations of popular Enterprise RMI frameworks: CORBA and SAP RMI-P4. Through live demonstrations, we will demonstrate novel techniques for remote file read/write, arbitrary database access, session hijacking, and other critical bugs in large enterprise platforms, as well as the countermeasures in order to protect from these threats. We will walk you through the vulnerability research process we performed over these frameworks, enabling you to understand also how these attacks could be extended to other RMI implementations you may encounter.
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
SAP provides various business solutions including CRM, ERP, PLM, and SCM. It consists of integrated modules running on the Netweaver platform across multiple operating systems. While SAP systems store centralized information and communicate across systems, they are often not configured securely by default and the RFC interface presents a key vulnerability. Proper user access controls, password policies, database restrictions, patching, and network monitoring are needed to secure SAP systems from vulnerabilities and resulting business and financial losses.
5 real ways to destroy business by breaking SAP applicationsERPScan
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
The document discusses incident response and SAP systems. It begins with an overview of Onapsis Inc. and the backgrounds of Juan Perez-Etchegoyen and Sergio Abraham. It then covers incident response concepts, including detection and classification of incidents, affected assets, legal actions, and impact analysis. The remainder provides an example case study of employee salaries being leaked and the analysis steps taken to investigate the incident.
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usPROIDEA
Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is not enough anymore to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they have not got an access to the ERP system. In addition, it is rather common to have an unprivileged account, which give them access to the encrypted password, but not to the whole system. Sometimes they even try to break into other systems with help of the passwords, which users usually use in the systems they’ve already broken, but they can’t, because they need them to be decrypted first. Where do we find the treasured password to access the financial transactions and revenues of NASDAQ monsters?
Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext?
This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, which is more interesting, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented.
SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, Database links, SAP HANA Storage, you name it – all varieties of SAP modules will be discussed in this talk.
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
Sap fundamentals overview_for_sap_minorsCenk Ersoy
The document discusses an EMC Corporation SAP Minors Program training series. It provides information on the SAP Minors Program and community page where the training path and modules can be found. It also lists SAP champions for EMC employees in different countries to contact for assistance.
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNoSuchCon
The document discusses blended web and database attacks on in-memory platforms like SAP HANA, outlining potential threat vectors such as SQL injection, cross-site scripting, integration with R server, and post-exploitation using C/C++. It notes that SAP HANA uses a blended web and database architecture, with code and data stored directly in the database, and that vulnerabilities could allow an attacker to access sensitive business and customer data, disrupt operations, or enable fraud. The presentation covers the architecture of SAP HANA, programming languages used, and how attacks may have a greater impact or different execution compared to traditional web application scenarios.
This document provides information about CoreToEdge, a technology services company. It details CoreToEdge's mission, vision, history, services, products, customers, and partners. CoreToEdge's services include SAP hosting, cloud services, training, and technology services. Their products include BasisCockpit for real-time SAP system monitoring and Verilista for predictive maintenance. The document shares CoreToEdge's numbers, locations, and social media accounts.
The document discusses how SAP Solution Manager can be used to manage custom code. It describes how Solution Manager provides transparency into an organization's custom code through tools that create a central repository. It also allows for control of custom code through reporting, governance, and testing tools. Solution Manager offers optimization of custom code through capabilities like clone finding and code inspection. It provides reporting and governance over custom code through business intelligence reports and dashboards.
Fiori and S/4 authorizations: "What are the biggest challenges, and where do the risks lie?"
-------------------------------------------------------------------------------------Many SAP customers are currently planning to implement SAP S/4HANA or are already making the transition. Besides the extensive new architectural aspects involved, implementing S/4HANA and Fiori also changes quite a few longstanding rules in the area of SAP authorizations.
A number of transactions - some of which veteran SAP ERP users have come to hold dear - have either been integrated into other transactions, replaced by Fiori apps, or simply eliminated. Meanwhile, the consistent use of OData services in the context of Fiori has resulted in a variety of ramifications with regard to security design in both the front and back end.
------------------------------------------------------------------------------------- Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Fiori for s4 hana troubleshooting tips and tricksJasbir Khanuja
The document provides tips for troubleshooting Fiori applications. It discusses learning the basics of the Fiori integration flow and ABAP programming model. Common errors with OData services, authorizations, and CDS views are explained. Steps for starting a troubleshooting session are outlined, such as clearing caches, analyzing errors, and performing corrective measures. The document also covers identifying what backend objects like Enterprise Search, CDS views, and ABAP code are being consumed by OData services.
The document discusses SAP NetWeaver Gateway, which allows organizations to connect their data, workforce, customers and partners. It addresses challenges like integrating teams, supporting modern user interfaces, and developing applications faster. SAP NetWeaver Gateway provides a standardized way to access SAP data through open standards like OData and REST APIs. It allows for simplified and accelerated development of applications across platforms to engage customers, employees and partners.
ProAppSys Software Company Overview Case studies and expertise.Pradeep Gudipati
ProAppSys Software provides SAP consulting and enterprise mobility solutions. It has over 60 years of combined experience in product development and high-end consulting. It focuses on developing enterprise applications for SAP products. ProAppSys has expertise in areas like SAP mobile platforms, identity and access management, and SAP services including ABAP, CRM, ERP and BI. It offers solutions for enterprise mobility, transportation management, and developing mobile apps for iOS, Android and other platforms. ProAppSys engages with customers using business models like onsite/offshore development, staff augmentation and fixed cost/time and material models.
The document provides an agenda and presentation for a kickoff meeting between a customer and SAP to discuss a project related to data consistency management (DCM). The presentation outlines the objectives to identify risks and issues regarding DCM, define actions for risk mitigation, and introduce SAP's methodology and deliverables for the project. Key points of the project include assessing the customer's core business processes and system landscape, documenting any existing issues, and creating a detailed project plan to address issues and optimize daily operations.
The document discusses a new partner type called a Platform Partner. It describes how Platform Partners can manage their partnership using SAP's Partner Relationship Management (PRM) system, which provides functionality for partner recruitment, solution development, and lifecycle management. The PRM system also offers data consistency, automation, and interfaces with other SAP systems. The document provides instructions for Platform Partners to access and use the PRM system to create partner contacts, add partner functions, and track solution statuses through the various stages of the lifecycle.
This document outlines new features in SAP CRM 7.0, including an improved web 2.0 user interface with simplified search and navigation, task-based workflows, graphical representations of data, and integrated communication tools. It also describes enhanced processes for real-time offer management, loyalty programs, customer segmentation, and interactive reporting. Feedback from customers highlights the improved ease of use provided by the new user interface.
- DeltaGRiC Consulting is an SAP partner focused on helping organizations detect cybersecurity risks and compliance violations affecting their SAP and Oracle systems using ERPScan Monitoring Suite.
- Traditional approaches to SAP security like segregation of duties matrices are insufficient as advanced attacks are targeting application vulnerabilities. Widespread SAP systems expose critical business data to unauthorized access through vulnerabilities.
- Organizations struggle to effectively manage security risks from unpatched vulnerabilities in complex SAP landscapes that include new technologies like HANA and connections to IoT devices. Continuous monitoring of configurations and vulnerabilities is needed to protect SAP systems.
Default accounts are commonly exploited to gain unauthorized access to SAP systems. The presentation identifies several new default accounts in SAP Solution Manager with the password "init1234" that can be used to retrieve passwords, execute operating system commands, and fully compromise associated SAP systems. It provides examples of how these accounts can be exploited and advises customers to use available tools to detect and remediate exposed default accounts.
The document discusses SAP's mobile platform, which allows businesses to develop both native and hybrid mobile apps that connect to SAP and non-SAP backends. It provides an integrated development environment for designing, building, testing and deploying responsive mobile apps. SAP is a market leader in mobile application development platforms, with 48.9% market share in revenue. The platform offers tools to securely connect apps to various backends through integration gateways and supports development for both on-premise and cloud deployments.
Similar to Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager (17)
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
1. Inception of the SAP®
Platform's Brain
Attacks on SAP Solution Manager
May 23rd, 2012
HITB Conference, Amsterdam
Juan Perez-Etchegoyen
jppereze@onapsis.com
8. Over 95% of the SAP systems we
evaluated were exposed to
espionage, sabotage and fraud
cyber attacks.
Attackers do not need access credentials to perform
these attacks!