This document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like instances, clients, transactions, ABAP, and authorization. It then discusses why SAP penetration testing is important to identify security weaknesses before attackers can exploit them. The document outlines the phases of a penetration test including discovery of SAP systems on a network, exploration of systems to gather information, vulnerability assessment, and exploitation of vulnerabilities. It provides an example case study of assessing security of an SAProuter. The presentation emphasizes that many SAP implementations have default insecure configurations and a penetration test can help secure systems by finding vulnerabilities.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
The major organizations worldwide run their businesses thanks to the (Enterprise Resource Planning) ERP systems. In order to comply with government regulations, the anti-fraud laws, and specific industry requirements (such as NERC, PCI or HIPAA) security practices are usually confined to implement segregation of duties and access control users.
In recent years, attacks based on vulnerabilities and technical weaknesses in the implementation of ERP systems have gained a lot of attention. These revealed a wide range of surfaces attacks unexplored so far that are available for attackers to take advantage of. The ERP market is well defined and divided among a few players who provide ERP solutions to hundreds of government, military agencies and companies in a variety of industries.
In this talk, we will discuss the attack surface exposed by increased distribution ERP systems, and will conduct several live demonstrations of attacks that you will see if you run an ERP Penetration Test. We will focus on systems critical to the business world ERP: SAP, Oracle Siebel and Oracle JD Edwards. Analyze how it is possible for attackers, through exploiting technical vulnerabilities, aim your attack on the crown jewels and the most critical process of victims organizations, resulting in espionage, sabotage and financial fraud.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
The major organizations worldwide run their businesses thanks to the (Enterprise Resource Planning) ERP systems. In order to comply with government regulations, the anti-fraud laws, and specific industry requirements (such as NERC, PCI or HIPAA) security practices are usually confined to implement segregation of duties and access control users.
In recent years, attacks based on vulnerabilities and technical weaknesses in the implementation of ERP systems have gained a lot of attention. These revealed a wide range of surfaces attacks unexplored so far that are available for attackers to take advantage of. The ERP market is well defined and divided among a few players who provide ERP solutions to hundreds of government, military agencies and companies in a variety of industries.
In this talk, we will discuss the attack surface exposed by increased distribution ERP systems, and will conduct several live demonstrations of attacks that you will see if you run an ERP Penetration Test. We will focus on systems critical to the business world ERP: SAP, Oracle Siebel and Oracle JD Edwards. Analyze how it is possible for attackers, through exploiting technical vulnerabilities, aim your attack on the crown jewels and the most critical process of victims organizations, resulting in espionage, sabotage and financial fraud.
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
5 real ways to destroy business by breaking SAP applicationsERPScan
SAP is the most popular business application with more than 263000 customers worldwide.
SAP risks can be divided into three groups: Espionage, Sabotage and Fraud.
The presentation provides a review of 5 most dangerous risks any business may face with. For every risk, there is its type, attack scenario, affected sector, and vulnerable module.
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
hat is “in-memory” platform? Usually DBMS rely on disk to store their data but today they are solutions which store data in memory. Why? Memory is cheap today, there is an increase amount of data to process and performance is a key. Well-known solutions are Oracle, SQLserver and SAP HANA.
Ezequiel’s research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provide a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:
SQLi are restricted to the user privileges (better)
XSS is more powerful (bad)
After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete it, the information remains available! XSS attacks were reviewed as well as integration with the R-Server.
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
Companies nowadays are choosing in between on-premise, cloud and hybrid deployment models. The common factor across all these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database and application server, that serves an increasing number of business applications, providing cutting edge features and performance.
Vulnerabilities affecting SAP HANA have now an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of this risks.
Join us on this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.
There is a myth that SAP is not accessible and cannot be attacked from the Internet. The system becomes more and more popular, cloud services and mobile solutions appear, so more and more SAP services become accessible from the Internet.
Why are vulnerabilities which allow to read any file from SAP OS important? Because SAP stores a lot of sensitive information in files. It can be log files, traces files, some configurations or properties files. Of course, most of them have protection like encryption, but the presentation shows how you can easily bypass this encryption.
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
The increasing number of talks about SAP Security and SAP Security notes indicates that it becomes a hot topic nowadays.
The presentation describes top types of SAP vulnerabilities, the number of SAP systems available on the Internet and different risks business may face.
We did not manage to find any solution that could resolve all of these security problems described there, so we created one ourselves.
SAP Mobile infrastructure consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP's mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
Practical pentesting of ERPs and business applicationsERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the specificity of ERP pentesting and focuses on SAP NetWeaver JAVA and Oracle PeopleSoft pentesting.
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
If I want a perfect cyberweapon, I'll target ERPERPScan
ERP Systems are widely used in Oil and Gas, Manufacturing, Logistics, Financials
Nuclear, Retail, Telecommunication and other industries. All mission-critical data are stored in ERP Systems, so attacks against them may result in Espionage, Sabotage and Fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP Security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
SAP Test automation - fully automatic test of complex business processes incl...Tobias Trapp
We take the wording "automation" very seriously. Our version of test automation is indeed fully automatic. No one has to modify test data or any other input parameter in order to conduct regression tests. We support different kinds of input interfaces - Dialogues, IDOC-interface, Batch processing, files are generated and submitted all of it automatically. Even the checks in order to evaluate if the test was successful are performed automatically.
A recent feature of out automatic test system is the controlled generation of XSF and RDI output files, and the automatic evaluation of the correctness of the file content. Our setup consists of large number of isolated units which can be linked exchanging parameters. The isolated units are linked together through table entries. We have been up and running for some years
We are looking forward to displaying our setup and discuss different aspects of automatic testing with you. In case you don't believe us - we aren't surprised, but please give us the chance to convince you
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
5 real ways to destroy business by breaking SAP applicationsERPScan
SAP is the most popular business application with more than 263000 customers worldwide.
SAP risks can be divided into three groups: Espionage, Sabotage and Fraud.
The presentation provides a review of 5 most dangerous risks any business may face with. For every risk, there is its type, attack scenario, affected sector, and vulnerable module.
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
hat is “in-memory” platform? Usually DBMS rely on disk to store their data but today they are solutions which store data in memory. Why? Memory is cheap today, there is an increase amount of data to process and performance is a key. Well-known solutions are Oracle, SQLserver and SAP HANA.
Ezequiel’s research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provide a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:
SQLi are restricted to the user privileges (better)
XSS is more powerful (bad)
After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete it, the information remains available! XSS attacks were reviewed as well as integration with the R-Server.
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
Companies nowadays are choosing in between on-premise, cloud and hybrid deployment models. The common factor across all these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database and application server, that serves an increasing number of business applications, providing cutting edge features and performance.
Vulnerabilities affecting SAP HANA have now an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of this risks.
Join us on this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.
There is a myth that SAP is not accessible and cannot be attacked from the Internet. The system becomes more and more popular, cloud services and mobile solutions appear, so more and more SAP services become accessible from the Internet.
Why are vulnerabilities which allow to read any file from SAP OS important? Because SAP stores a lot of sensitive information in files. It can be log files, traces files, some configurations or properties files. Of course, most of them have protection like encryption, but the presentation shows how you can easily bypass this encryption.
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
The increasing number of talks about SAP Security and SAP Security notes indicates that it becomes a hot topic nowadays.
The presentation describes top types of SAP vulnerabilities, the number of SAP systems available on the Internet and different risks business may face.
We did not manage to find any solution that could resolve all of these security problems described there, so we created one ourselves.
SAP Mobile infrastructure consists of multiple systems such as SAP Mobile Platform (formerly Sybase Unwired Platform) also SAP Afaria MDM solution, Sybase SQL Anywhere Database, and hundreds of SAP's mobile applications. They even have their own store for mobile apps that can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
Practical pentesting of ERPs and business applicationsERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the specificity of ERP pentesting and focuses on SAP NetWeaver JAVA and Oracle PeopleSoft pentesting.
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
If I want a perfect cyberweapon, I'll target ERPERPScan
ERP Systems are widely used in Oil and Gas, Manufacturing, Logistics, Financials
Nuclear, Retail, Telecommunication and other industries. All mission-critical data are stored in ERP Systems, so attacks against them may result in Espionage, Sabotage and Fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP Security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
SAP Test automation - fully automatic test of complex business processes incl...Tobias Trapp
We take the wording "automation" very seriously. Our version of test automation is indeed fully automatic. No one has to modify test data or any other input parameter in order to conduct regression tests. We support different kinds of input interfaces - Dialogues, IDOC-interface, Batch processing, files are generated and submitted all of it automatically. Even the checks in order to evaluate if the test was successful are performed automatically.
A recent feature of out automatic test system is the controlled generation of XSF and RDI output files, and the automatic evaluation of the correctness of the file content. Our setup consists of large number of isolated units which can be linked exchanging parameters. The isolated units are linked together through table entries. We have been up and running for some years
We are looking forward to displaying our setup and discuss different aspects of automatic testing with you. In case you don't believe us - we aren't surprised, but please give us the chance to convince you
Dariusz Szybowski, Aspediens Director of Technology, held this presentation at the Knowledge11, ServiceNow’s user conference taking place in Frankfurt. He discussed cases that we have achieved to date on how to integrate with SAP solution manager.
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
Managed Services: "The choice is yours: a make or buy approach to SAP security and compliance?"
-------------------------------------------------------------------------------------
Checking for vulnerabilities, flawed configurations, and critical authorizations on a regular basis is the only way to ensure SAP system security. However, efforts like these are technically complex, which is why they require so much time and personnel. Decision-makers thus face a fundamental question: Should they "make" or “buy" their way to SAP security and compliance? Our SAST MANAGED SERVICES offer a holistic solution that can assist you in both on-site and remote environments.
--------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Systems, Applications, Products in data processing or SAP was originally introduced in the 1980s as SAP R/2, which was a system that provided users with a soft-real-time business application that could be used with multiple currencies and languages. As Client-servers began to be introduced SAP brought out a server based version of their software called SAP R/3, henceforth referred to as SAP, which was launched in 1992. SAP also developed a graphical user interface, or GUI, to make the system more user friendly and to move away from the mainframe style user interface.
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
SCA, if used for finding vulnerabilities also called SAST, is an
important technique for detecting software vulnerabilities already
at an early stage in the software development life-cycle. As such,
SCA is adopted by an increasing number of software vendors.
The wide-spread introduction of SCA at a large software vendor,
such as SAP, creates both technical as well as non-technical
challenges. Technical challenges include high false positive and
false negative rates. Examples of non-technical challenges are the
insufficient security awareness among the developers and managers
or the integration of SCA into a software development life-cycle
that facilitates agile development. Moreover, software is not
developed following a greenfield approach: SAP's security
standards need to be passed to suppliers and partners in the same
manner as SAP's customers begin to pass their security standards
to SAP.
In this paper, we briefly present how the SAP's Central Code
Analysis Team introduced SCA at SAP and discuss open problems in
using SCA both inside SAP as well as across the complete software
production line, i.e., including suppliers and partners.
sPlatform Security: "Are you really that attached to your ABAP security flaws, or can they go?"
-------------------------------------------------------------------------------------
Attacks on companies have increased exponentially in recent years. Not uncommonly, these were made possible by software vulnerabilities. SAP systems are particularly critical for many core business processes and should receive corresponding protections.
However, you'll only achieve a basic level of security that can weather stress tests and remain consistent if you take a truly head-to-toe approach to security. And that includes your ABAP code. In our experience to date, many companies balk at audits of their custom developments or 3rd-party add-ons, or are unsatisfied with the nearly unmanageable number of findings. How can this mass of supposedly critical security flaws be evaluated reliably? Where do you even start to clean up?
The newest module in our SAST SUITE, the Code Security Advisor, offers a solution. It is directly integrated into your SAP system and has a risk assessment enriched by key figures such as usage statistics for prioritization, an option to easily decommission obsolete code and a comprehensive set of rules with test cases developed by our SAP security and compliance consultants based on their years of experience.
-------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Attacks Based on Security ConfigurationsOnapsis Inc.
Many large companies, as well as large government and defense organizations, have something in common: they rely on SAP platforms to process their business critical processes and information. Because of the sensitive nature of the information stored in these complex implementations, they are quickly becoming an attractive target for cyber-criminals looking to perform espionage, sabotage or financial fraud attacks by gaining access to the organizations’ crown jewels.
Securing these large and complex SAP implementations can be an ongoing, complicated and pain-staking task which requires specialized SAP security knowledge. This task encompasses managing the SoD process, patch (Security Note) management and implementation, analyzing interfaces and configuring the systems properly and securely (among many other things). One of the first and most important steps in starting the process of securing SAP implementations is the need to configure SAP application servers in a secure way. This task is not easy, as a SAP system has hundreds of different configurations which can be modified and a wrong setting or combination of settings can introduce large amounts of risk.
During this presentation, Onapsis CTO, Juan Perez-Etchegoyen explained some of the risks a default or insecure setting could introduce to the whole SAP infrastructure. You will see real life examples of these misconfigurations, and the threats introduced by them through several live demos. He will also explain how organizations can begin a process of securely configuring these systems.
It has long been no secret that cyber criminals particularly like to attack SAP systems. After all, they are perfectly suited as a backdoor for a company's highly sensitive data, and there is no better way to make money.
You can't prevent attacks, but with the right cyber threat detection strategy, you can be prepared, detect anomalies immediately and respond to security incidents immediately.
We'll show you how to properly assess threats, identify and neutralize real cyber-attacks before they can cause serious damage.
Topics of Focus:
• Building an SAP cyber security strategy you can trust
• Protection of your SAP systems on platform and authorization level
• Identification of weak points in real time
• Importance of security dashboards to analyze suspicious user activity
• Advantages of the SAST SUITE for your SAP Threat Detection measures
• Best practice tips for typical attack scenarios
-----------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Monitoring for Operational Outcomes and Application Insights: Best Practices ...Amazon Web Services
There are two goals of monitoring: achieve situational awareness to provide timely and effective responses and gain insights for the business and operations that enable proactive courses of action. In this workshop, we take you through the process of developing and implementing a workload monitoring plan to achieve these objectives. You utilize logs, metrics, dashboards, events, and alarms within the definition of your plan, and then you implement it using AWS tools, services, and features. You also alert on the major categories of events, monitor for operational outcomes, trigger responses, and deliver insights. To participate in this workshop, bring your laptop and have a nonproduction AWS account.
IT audits are a universally accepted quality measure and have become indispensable. As such, internal audits are increasingly being used in addition to annual reviews by external auditors, to check the configuration of SAP landscapes and user authorizations. Their benefits: They can analyze individual aspects in shorter intervals, help prepare for and follow up on annual audits, and provide optimal support to internal control systems.
It must be noted, however, that any audit merely provides a snapshot of the current situation. But what about analyses of transactions, changes, and system behavior? When and where have employees deviated from the specified working methods? Were differing settings intentionally changed back to the “target” state?
Take the initiative and round out your spot checks with automated real-time monitoring. Stop limiting your SAP security analyses to a single point in time and instead identify risks holistically, over freely definable periods. In our webinar, we’ll show you the new possibilities and describe how the SAST SUITE can help you optimize your internal control systems, while at the same time establishing reliable real-time monitoring of your SAP systems.
Topics of focus:
• The most frequently underestimated activities
• How to optimize cyclical analyses of the system configuration and user settings
• Why real-time analyses are so important for your IT security concept
• Benefits of tool-based checks using SAST SUITE
• Best practice recommendations
-------------------------------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Your efforts to protect your SAP systems won't be complete until you have reliable way to keep a constant eye on your transactions and applications. When you detect critical incidents right when they occur, you'll be able take immediate action in response. When you're under attack, your reaction time has a significant impact on the level of damage you can expect. It's not hard to see how a real-time solution like AKQUINET's SAST Security Radar pays for itself in short order.
Detecting attacks based on log files and analyzing network traffic requires in-depth knowledge of the potential paths and patterns such incursions can follow. This is because events relevant to security have to be filtered out of a sea of data and placed in the proper context.
--------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Thousands of security-relevant settings in a common SAP system do not make it easy to implement a comprehensive security check. Although the DSAG test guide and other standards explain what should be checked, they do not show how this can be done, and certainly not what the ideal approach is. Therefore, in this webinar we will show you how you can effectively and efficiently control the security status of your SAP ERP and S/4HANA systems and what advantages a tool-based check offers you.
Topics of focus:
• Challenges with the implementation of security guidelines
• Overview of relevant regulations
• Project methodology for a security management process
• Advantages of tool-supported checks with the SAST SUITE
• Best practice tips
-------------------------------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development'" and "offering the product to customers.'"
On the one hand, learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk, we will report on our experiences on integrating security testing ``end-to-end'' into SAP's software development lifecycle in general and, in particular, SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the are security testing.
For almost a decade I (and I am sure, all ABAPers) have been happily using the loop holes in SAP security to access the forbidden transactions, with no malicious intension though, only for speedy analysis and ethical debugging.
But today I am wondering, is it really a loop hole or has SAP provided these small windows to the developers knowingly?
SAP Security Guys!! Hope you are reading this.
Architecting for Real-Time Insights with Amazon Kinesis (ANT310) - AWS re:Inv...Amazon Web Services
Amazon Kinesis makes it easy to speed up the time it takes for you to get valuable, real-time insights from your streaming data. In this session, we walk through the most popular applications that customers implement using Amazon Kinesis, including streaming extract-transform-load, continuous metric generation, and responsive analytics. Our customer Autodesk joins us to describe how they created real-time metrics generation and analytics using Amazon Kinesis and Amazon Elasticsearch Service. They walk us through their architecture and the best practices they learned in building and deploying their real-time analytics solution.
Pen Testing SAP Critical Information ExposedOnapsis Inc.
The world's largest organizations process huge amounts of critical information. This information is essential for the proper functioning of your business processes. The systems responsible for administering and managing these processes are called ERP and SAP ERP is the most used ERP by large companies.
An attacker would perform acts of fraud, sabotage or espionage on one of these companies focusing its efforts on vulnerable systems and get direct access to the most critical and sensitive business information.
In this talk we will work backwards to see the different stages and attacks that could be performed to compromise a SAP system without any prior knowledge about the target and credentials to access the same system. Thus, by developing penetration testing, we can help companies solve problems and mitigate risk. All demo’s will be performed using open-source tools such as Onapsis Bizploit - the first ERP Penetration Testing framework. This will allow attendees to apply their knowledge to make these assessments in their companies.
In order to maintain compliance in SAP systems, a well-established authorization management and a well-founded analysis of the separation of functions is necessary. This becomes all the more complex the more non-system solutions are available in your SAP ERP or S/4HANA landscape, because such systems usually have their own authorization structures.
It is therefore necessary to think about a reliable, cross-system authorization management in good time so that roles and authorizations are synchronized across all your SAP and non-SAP applications.
In this webinar, we will show you how to master comprehensive SoD analyses, business process analyses and the identification of authorization conflicts in the future – tool-supported and with a feasible administrative effort.
Topics of Focus:
• SoD analysis for SAP and non-SAP systems
• Cross-system authorization management with a central identity
• Evaluation of assigned roles and rights
• Advantages of the SAST User Access Management
• Best practice tips
-----------------------------------------------------------------------------------------
Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de
Similar to Sap penetration testing_defense_in_depth (20)
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps