© Panaya | An Infosys Company
Slide 1: SAP Security Chat
Infosys and Panaya
Slide 2: Today’s Speakers
  • Gordon Muehl, Vice President at Infosys
  • Rasmi Swain, Principal, Risk Management & GRC; Information Security at Infosys
  • Guy Vago, SAP Project Manager at Panaya
  • Rafi Kretchmer, Vice President at Panaya
Slide 3:
  • The State of SAP Security
  • Business practices for SAP security
  • Best practice to simplify security audits
  • The Panaya solution
  • Demo
Slide 4: Panaya poll 1/4
Slide 5: The Importance of Safety (SAP, the ERP Market Leader)
  • 95% of SAP systems are exposed to vulnerabilities
  • 60% feared an attack on their SAP applications would be catastrophic
  • $4.5 Million is the average estimated cost of SAP systems taken offline**
  • 24% of worldwide ERP software market share belongs to SAP, double their largest competitor***
* Based on Onapsis Research 5/2015
** Ponemon Institute Research 2/16
*** Forbes 5/2014
Slide 6: The Underestimated Security Threat*
  • ERP ranked in the top 5 SAP applications most vulnerable to attack
  • 75% believe SAP platforms have at least one and possibly more malware infections
  • 70% of enterprises skip security and compliance audits of their ABAP code
  • 47% expect an increase in attacks against SAP infrastructure over the next 2 years
  • Only 34% say their companies have visibility into the security of SAP applications
* Based on Ponemon Institute Research 2/16
Slide 7: Senior Leadership and the Security Risk*
  • 63% say C-level execs underestimate the risk associated with insecure SAP applications
  • 21% of senior leadership were aware or shared the concern of an attack on their SAP application
* Based on Ponemon Institute Research 2/16
Slide 8: Security is a hassle, but it needs to be done
Slide 9: What you need to secure your landscape
You need to ensure 6 areas:
  • Access control
  • Application security
  • Infrastructure
  • GRC
  • Data security
  • On-going monitoring
Slide 10: Panaya poll 2/4
Slide 11: Information Security at Infosys
Slide 12: (iCRM) - Security Solutions and Services
Slide 13: SAP Landscape Complexity
Slide 14: SAP Environment - SAP R/3 and SAP Business Suite - On-cloud
Slide 15: SAP Security Risks & Vulnerabilities
Slide 16: Top 10 SAP Vulnerabilities
Top 10 vulnerabilities (Source: ERPScan):
  1. Authentication bypass via verb tampering
  2. Authentication bypass via the Invoker servlet
  3. Buffer overflow in ABAP kernel
  4. Code execution via TH_GREP
  5. MMC read SESSIONID
  6. Remote ports can
  7. Encryption in SAPGUI
  8. BAPI XSS/SMBRELAY
  9. XML Blowup DOS
  10. GUI Scripting DOS
Top 10 vulnerabilities (Source: http://www.cvedetails.com/vendor/797/SAP.html):
  1. Default passwords for DB access
  2. Lack of DB patch management
  3. Unnecessary enabled DB features
  4. Lack of password lockout/complexity checks
  5. Unencrypted sensitive data transport / data
  6. Lack of or misconfigured network access control
  7. Extensive user and group privileges
  8. Lack of or misconfigured audit
  9. Insecure trust relations
  10. Open additional interfaces
Slide 17: Infosys iCRM & Panaya SAP Security Offering
Slide 18: SAP Layers of Security & Types of Controls
Layers of security (diagram): Network; Server OS; Basis Controls; IT Controls; Business Process Review; Configuration Review; IT Application Controls; Role & Authorization Review; Access Review; SoD Review. Control groups shown: Infrastructure Controls, Technical Controls, Process Controls, Authorization/SoD Controls.
Types of controls in SAP:
  • Inherent or default controls. Example: a sales order cannot be created without a valid customer.
  • Configurable controls, implemented through IMG settings. Example: tolerance for three-way match, or PO approval hierarchy.
  • Procedural controls / IT-dependent controls. Example: review of exception reports.
Security checks: review configuration settings. Procedural controls: exception reports.
Slide 19: Infosys-Panaya SAP Landscape Security offering
Infosys Security Offering:
  • Governance: Security Review and Monitoring; Review of Audit Logs; Change & Transport Management
  • Access Control and Roles Management: Users & Authorizations; Authentication and Single Sign-on; Roles Management
  • SAP Infrastructure Security: Operating Systems and Database Security; Network Security (SAP Router); Data Security
  • Source Code and Custom Code Security: Secure Maintenance of ABAP Code & Custom Code Security; VA and PT; Front End Security (FIORI, SAP Enterprise Portal, SAP GUI)
  • SAP New Technologies: SAP HANA appliance & HANA Security; SAP Mobile Middleware (MDM, MAM); SAP Cloud Security
Security domains shown: Application Security; Infrastructure Security; Identity & Access Management; Data Security; Governance, Risk and Compliance.
Panaya Offering: Panaya Cloud Quality Project
Slide 20: Panaya poll 3/4
Slide 21: Panaya CloudQuality™ Suite
Slide 22: Panaya CloudQuality™ Suite: Increase ERP agility with zero risk
Diagram: any ERP change goes through SCOPE, TEST and ANALYZE, with COLLABORATION across the cycle.
  • Functional, Security, Performance
  • What to fix, What to test
  • Manage, Automate, Document & Report
Slide 23: Make it simple with Panaya
  • Train developers to write secure code
  • Automate: integrate security in ongoing ERP maintenance
  • Simplify security audits
Slide 24: Ongoing seamless security
Security is integrated into ongoing change management. Secure go-live!
Slide 25: (visuals only, no slide text)
Slide 26: Panaya poll 4/4
Slide 27: Panaya
  • Established 2006, acquired by Infosys in 2014
  • Quality Automation SaaS solution for ERP
  • Powered by ERP domain expertise and crowd-based customer insights
  • Proven with over 2000+ customers
  • 50 HANA migrations
  • Over 9,000 projects (5,000 business process implementations)
  • 2000+ stay-current projects (upgrades, patches)
  • Over 5,000,000 test scripts
Slide 28: Information Security at Infosys
Slide 29: Get your own complimentary assessment from Panaya
  • Upload: run a simple ABAP report and upload to Panaya Code Box (< 20 min.)
  • Get: ERP health-check & simulation of your upgrade project (< 48 hrs.*)
* Estimated time based on business days

SAP Security Chat Tips to Improve SAP ERP Security


Editor's Notes

  • #4 Gordon handles the state-of-security slides 4-6. Rafi will moderate 7-8. Rasmi will then talk to slides 9-14. Guy will take Panaya and the demo. Rafi will come back at slide 23, thank Guy and moderate.
  • #5 How do you handle ABAP security in your SAP system today? (a) Have not yet secured / do not have resources for security; (b) Not concerned with ABAP security right now; (c) Currently evaluating available security tools; (d) Already have a security tool in place. We will wait a few moments to allow everyone to answer the question.
  • #6 95% of ERP systems are exposed to vulnerabilities. 60% of IT & IT security professionals feared the impact of an attack on their SAP applications would be catastrophic. The average estimated cost of SAP systems taken offline is $4.5 Million.
  • #7 Ponemon Institute Research report, Feb 2016, surveyed IT & IT security practitioners involved in the security of SAP applications. 75% of IT and IT security professionals think it is likely their SAP platforms have at least one and possibly more malware infections. SAP ERP applications were ranked within the top 5 SAP applications most vulnerable to attack, while 70% of enterprises skip security and compliance audits of their ABAP code. Only 25% of respondents were confident that they could immediately discover an SAP application breach. 47% of those surveyed expect the frequency of attacks against SAP infrastructure to increase over the next 2 years. *Based on Ponemon Institute Research 2/16
  • #8 A key takeaway from Ponemon’s research was that senior leadership values the importance and the criticality of SAP installations to profitability. Yet 63% say C-level executives tend to underestimate the risk associated with insecure SAP applications, and only 21% of senior leadership were aware of or shared the concern of an attack on their SAP application.
  • #11 But before we carry on, let me ask you another question. Do you think your organization would favor: (a) A one-time security project handled by internal resources; (b) A one-time security project using staff augmentation, consultants or outsourcing; (c) An ongoing security practice built into daily releases and change management; (d) A one-time internal project and ongoing automatic review; (e) A one-time aided project and ongoing automatic review.
  • #21 Do you think your organization would favor: (a) Strict approach - fixing all security issues and making sure no new issues are added; (b) Practical approach - fixing only the critical security threats; (c) Trust and improve approach - reviewing the current state and making sure no new issues are added; (d) Not sure - we need to review the issues first and then decide.
  • #22 Panaya CloudQuality Suite has simplified the remediation of security issues by streamlining the automation of code security audits into ongoing ERP maintenance activities. Organizations no longer need to take on major security projects that require extra IT time, budget and manpower. PCQ provides a code quality assessment that pinpoints critical vulnerabilities in ABAP® program code, identifying core security and quality issues, with guidance on how to correct them and integration with development processes.
  • #23 Manage, Automation, Evidence
  • #24 General best practice: Automate; Integrate security in ongoing ERP maintenance; Train developers to write secure code
  • #25 Guy’s visuals
  • #27 Would you like a Panaya representative to contact you to set up a free assessment? We will wait a few moments to allow everyone to answer the question.
  • #28 For those of you who don’t know, Panaya is the leading organization when it comes to implementing your SAP changes. With more than 2000 customers and 9000 projects, we know how to deliver change faster, better, safer.
  • #32 Landscape health-check assessment; customization and usage mapping; market trend analysis; detailed and accurate simulation of change impact, fix and test; alerts on recommended patches and security breaches; real-time reporting and project tracking; crowd wisdom insights
  • #33 Eliminate initial testing to identify defects; actionable, task-based plan for all code fixes and tests; automated and prioritized tasks for efficient execution; ability to work in parallel on test and development activities; tight workflow with collaboration between all project participants
  • #34 Automation of project assessment, planning, impact analysis, testing and validation processes to avoid human error; proven and standardized processes based on the experience of thousands of projects analyzed with Panaya; a machine learning algorithm continuously identifies break patterns and transforms them into best practices for the Panaya community; static code analysis of ABAP code identifies and prioritizes vulnerabilities and performance issues