Invest in security to secure investments

13 real ways to destroy business by breaking company’s SAP applications and a guide to avoid them

Alexander Polyakov
CTO ERPScan, President EAS-SEC

SAP Security made easy.
How to keep your SAP systems secure
About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquartered in Palo Alto (US) and Amsterdam (EU)
ERPScan and SAP

•  Working together since 2007

“We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products”.

Senior Director, Head of Global Security Alliance Management
Product Security, Technology and Innovation Platform
SAP Labs, Palo Alto, USA
Client needs

•  How to protect ourselves from fraud and cyber-attacks?
•  How to automate security monitoring for big landscapes and get smart reports?
•  How to prioritize updates?
•  How to comply with regulations?
•  How to identify and test the most critical vulnerabilities in SAP?
•  How to address industry-specific solutions’ security?
New threats

2007 – Architecture vulnerabilities in RFC protocol
2008 – Attacks via SAPGUI
2009 – SAP backdoors
2010 – Attacks via SAP WEB applications
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabilities in ABAP
2011 – Vulnerabilities in J2EE engine
2012 – Vulnerabilities in SAP solutions (SolMan, Portal, XI) and services: Dispatcher, Message Server
2012 – Vulnerabilities in protocols - XML, DIAG
2013 – SAP Forensics and Anti-forensics
2014 – SAP BusinessObjects, SAP HANA and other specific platforms

How to prevent?
SAP vulnerabilities

[Chart: Research talks about SAP security in technical conferences, per year 2006-2014 (y-axis 0 to 50)]

•  3000+ vulnerabilities in all SAP products
•  2368 vulnerabilities were found in SAP NetWeaver ABAP based systems
•  1050 vulnerabilities were found in basic components which are the same for every system
•  About 350 vulnerabilities were found in ECC modules.

By November 2014 – 3200+ notes
Public vulnerabilities

[Chart: public SAP vulnerabilities (security notes) per year, values read from the bars]

Year   Count
2001       1
2002       1
2003      13
2004      10
2005      10
2006      27
2007      14
2008      77
2009     130
2010     833
2011     731
2012     641
2013     363
2014     364

Incidents
Why should we care

•  Espionage
–  Theft of financial information
–  Corporate trade secret theft
–  Theft of supplier and customer lists
–  Stealing HR data, employee data theft
•  Sabotage
–  Denial of service
–  Tampering with financial reports
–  Access to technology network (SCADA) by trust relations
•  Fraud
–  False transactions
–  Modification of master data
Other risks

•  Manipulate data about quantity of material resources (S)
•  Blocking of materials for posting (S)
•  Changing the goods’ price (F, S)
•  Changing tolerance limits for operations (F, S)
•  Money stealing (F)
•  Changing credit limits
•  Modification of price by changing conditions (F, S)
•  Stealing credit card data (E)
•  Modification of financial reports (S)

Risks: (S - sabotage, F - fraud, E - espionage)
Problem

•  SAP is owned and managed by business
•  Businesses rarely care about security (only SOD)
•  CISOs sometimes don’t even know about SAP
•  CISOs care about infrastructure security
•  But if a breach happens, it will be their responsibility

Our mission is to close this gap.
SAP Security

•  Complexity
   Complexity kills security. Many different vulnerabilities at all levels, from network to application
•  Customization
   Cannot be installed out of the box. They have many (up to 50%) custom codes and business logic
•  Risky
   Rarely updated because administrators are scared they can be broken during updates; also, it is downtime
•  Unknown
   SAP is mostly available inside the company (closed world). Research and pentest community is not familiar with it

http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf

Myths
Myth 1: SAP systems/applications are only available internally, which means no threat from the Internet
Myth 2: SAP security is a vendor’s problem
Myth 3: SAP application internals are very specific and are not known to hackers
Myth 4: SAP security is all about SOD
3 areas of SAP Security

Business logic security (SOD)
Prevents attacks or mistakes made by insiders

Custom code security
Prevents attacks or mistakes made by developers

Application platform security
Prevents unauthorized access both within the corporate network and from remote attackers
SAP Security

•  Current security solutions like VA, SIEM, AST embody very little SAP coverage
•  Solutions focused on SAP Security are more effective, but each covers only one of the listed fields, and they are not “CISO-oriented”
•  We see the solution as:
–  Platform for everybody
–  Coverage of all aspects
–  Complementary to SAP offerings, or extending them
ERPScan

The only award-winning solution in the market to assess 3 tiers of SAP Security

Architecture
[Architecture diagram. Labels: JAVA; Presentation; Connectors; Vulnerability Management module; Source code security module; Control SOD module; ERP, CRM, SRM, HANA, BOBJ, Mobile; SAP Admin, CISO, Risk Manager, ABAP Developer, Pentester, …; API, API; SIEM, IT GRC, ITSM, Ticketing]

In details

[Detailed architecture diagram. Labels: Connectors (ABAP, JAVA); Security Metrics, Export, Comparison, Reports; Presentation level; Project management; Risk Management; Control functions; Pentest; Patches; Exploitation; Vulnerability Management, Source Code Security; Vulnerabilities; Backdoors; SAP Router, SOAP, HTTP; Segregation of Duties; Role optimization; SoD; Task Management; Critical privileges; HANA; Whitebox; Compliance; ABAP; JAVA; By System; By Module; By Industry; ABAP; JAVA; HANA; Mobile; Statistics (Trends); Template management, Landscape management; Notification Management; Business Objects; BOBJ, Oracle DB; Passwords, Database; SUP]
How to automate security monitoring for big landscapes?

•  Case: CISO of a large oil company
•  Need: To automate monitoring and get high-level reports for 100+ systems.
•  Solution:
–  Configure weekly scans covering the most critical assets
–  Export results to IBM QRadar for correlation and a consolidated summary of relevant indicators at a glance.
–  Configure PPTX presentations emailed with the ‘high-level overview’.
How to prioritize updates?

•  Case: BASIS team of every organization
•  Need: To minimize downtime of systems during updates and prioritize updates.
•  Solution:
–  Scan for missing SAP security notes
–  Scan for remotely exploitable vulnerabilities (blackbox)
–  The system correlates this data, and you can filter results by 10+ different criteria to understand risk
How to comply with regulations

•  Need: To comply with industry regulations and choose a step-by-step approach for better technical compliance
•  Solution:
–  Scan to address PCI DSS, SOX or NERC CIP regulations
–  Step-by-step technical compliance approach: EAS-SEC, SAP Guidelines, ISACA, DSAG
–  Add industry-related checks and guidelines (Oil and Gas, Banking, Retail), make your own template

We have included templates for all of them
How to identify and test the most critical vulnerabilities in SAP?

•  Case: Security consulting company
•  Need: To provide SAP Security assessment and penetration testing services with minimum time
•  Solution:
–  Vulnerability management module
–  Blackbox pentesting, exploits, business-focused payloads
Matching requirements of Enterprise customers

•  Advanced user management
•  Multiple scans’ comparison and efficiency analysis
•  Customizable templates and landscapes
•  Ability to assign tasks to users
•  Ability to manage risks
•  Largest built-in knowledge base
Strength

•  Only a 360-degree approach can help in maximizing security
•  Specific checks for industry modules and solutions
•  Fast release cycles to address client needs
•  Combination of modules gives you more visibility: 1+1+1=4
Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
About

USA HQ
228 Hamilton Avenue, Fl. 3,
Palo Alto, CA 94301

EU HQ
Luna ArenA, 238 Herikerbergweg,
1101 CM Amsterdam

www.erpscan.com
info@erpscan.com

Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
ERPScan
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
ERPScan
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
ERPScan
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
ERPScan
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
ERPScan
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
ERPScan
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
ERPScan
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
ERPScan
 

More from ERPScan (8)

Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
 

Recently uploaded

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 

Recently uploaded (20)

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 

SAP security made easy

  • 1. Invest in security to secure investments. 13 Real ways to destroy business by breaking company's SAP Applications and a guide to avoid them. Alexander Polyakov, CTO ERPScan, President EAS-SEC. SAP Security made easy: how to keep your SAP systems secure.
  • 2. About ERPScan
    •  The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
    •  Leader by the number of acknowledgements from SAP (150+)
    •  60+ presentations at key security conferences worldwide
    •  25 awards and nominations
    •  Research team: 20 experts with experience in different areas of security
    •  Headquartered in Palo Alto (US) and Amsterdam (EU)
  • 3. ERPScan and SAP
    •  Working together since 2007
    "We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products." Senior Director, Head of Global Security Alliance Management, Product Security, Technology and Innovation Platform, SAP Labs, Palo Alto, USA
  • 4. Client needs
    •  How to protect ourselves from fraud and cyber-attacks?
    •  How to automate security monitoring for big landscapes and get smart reports?
    •  How to prioritize updates?
    •  How to comply with regulations?
    •  How to identify and test the most critical vulnerabilities in SAP?
    •  How to address industry-specific solutions' security?
  • 5. New threats. How to prevent?
    2007 – Architecture vulnerabilities in RFC protocol
    2008 – Attacks via SAPGUI
    2009 – SAP backdoors
    2010 – Attacks via SAP WEB applications
    2010 – Stuxnet for SAP
    2011 – Architecture and program vulnerabilities in ABAP
    2011 – Vulnerabilities in J2EE engine
    2012 – Vulnerabilities in SAP solutions (SolMan, Portal, XI) and services: Dispatcher, Message Server
    2012 – Vulnerabilities in protocols: XML, DIAG
    2013 – SAP Forensics and Anti-forensics
    2014 – SAP BusinessObjects, SAP HANA and other specific platforms
    [Chart: research talks about SAP security at technical conferences per year, 2006–2014]
  • 6. SAP vulnerabilities. By November 2014 – 3200+ notes
    •  3000+ vulnerabilities in all SAP products
    •  2368 vulnerabilities were found in SAP NetWeaver ABAP-based systems
    •  1050 vulnerabilities were found in basic components which are the same for every system
    •  About 350 vulnerabilities were found in ECC modules.
    [Chart: SAP security notes per year, 2001–2014; bar values in order: 1, 1, 13, 10, 10, 27, 14, 77, 130, 833, 731, 641, 363, 364]
  • 9. Why should we care
    •  Espionage
      –  Theft of financial information
      –  Corporate trade secret theft
      –  Theft of supplier and customer lists
      –  Stealing HR data (employee data theft)
    •  Sabotage
      –  Denial of service
      –  Tampering with financial reports
      –  Access to technology network (SCADA) by trust relations
    •  Fraud
      –  False transactions
      –  Modification of master data
  • 10. Other risks. Risks: (S – sabotage, F – fraud, E – espionage)
    •  Manipulate data about quantity of material resources (S)
    •  Blocking of materials for posting (S)
    •  Changing the goods' price (F, S)
    •  Changing tolerance limits for operations (F, S)
    •  Money stealing (F)
    •  Changing credit limits
    •  Modification of price by changing conditions (F, S)
    •  Stealing credit card data (E)
    •  Modification of financial reports (S)
  • 11. Problem
    •  SAP is owned and managed by business
    •  Businesses rarely care about security (only SOD)
    •  CISOs sometimes don't even know about SAP
    •  CISOs care about infrastructure security
    •  But if a breach happens, it will be their responsibility
    Our mission is to close this gap.
  • 12. SAP Security
    •  Complexity: complexity kills security. Many different vulnerabilities at all levels, from network to application
    •  Customization: cannot be installed out of the box. They have many (up to 50%) custom codes and business logic
    •  Risky: rarely updated because administrators are scared they can be broken during updates; also, it is downtime
    •  Unknown: SAP is mostly available inside the company (closed world). The research and pentest community is not familiar with it
    http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
  • 13. Myths
    Myth 1: SAP systems' applications are only available internally, which means no threat from the Internet
    Myth 2: SAP security is a vendor's problem
    Myth 3: SAP application internals are very specific and are not known to hackers
    Myth 4: SAP security is all about SOD
  • 14. 3 areas of SAP Security
    Business logic security (SOD): prevents attacks or mistakes made by insiders
    Custom code security: prevents attacks or mistakes made by developers
    Application platform security: prevents unauthorized access both within the corporate network and from remote attackers
  • 15. SAP Security
    •  Current security solutions like VA, SIEM, AST embody very little SAP coverage
    •  Solutions focused on SAP security are more effective but each only covers one of the listed fields, and they are not "CISO-oriented"
    •  We see a solution:
      –  Platform for everybody
      –  Coverage of all aspects
      –  Complementary to SAP offerings, or extending them
  • 16. ERPScan: the only award-winning solution in the market to assess 3 tiers of SAP Security
  • 17. Architecture
    [Diagram: labels: JAVA; Presentation; Connectors; Vulnerability Management module; Source code security module; Control SOD module; ERP, CRM, SRM, HANA, BOBJ, Mobile; SAP Admin, CISO, Risk Manager, ABAP Developer, Pentester, …; API; SIEM, IT GRC, ITSM, Ticketing]
  • 18. In details
    [Diagram: labels: Connectors (ABAP, JAVA, SAP Router, SOAP, HTTP, Whitebox, Oracle DB, Database, SUP); Presentation level (Security Metrics, Export, Comparison, Reports, Statistics (Trends)); Project management (Risk Management, Control functions, Task Management, Template management, Landscape management, Notification Management); Vulnerability Management (Pentest, Patches, Exploitation, Passwords, Compliance, By System, By Module, By Industry); Source Code Security (Vulnerabilities, Backdoors, ABAP, JAVA, HANA, Mobile); SoD (Segregation of Duties, Role optimization, Critical privileges); Business Objects (BOBJ); ABAP, JAVA, HANA]
  • 19. How to automate security monitoring for big landscapes?
    •  Case: CISO of a large oil company
    •  Need: to automate monitoring and get high-level reports for 100+ systems.
    •  Solution:
      –  Configure weekly scans covering the most critical assets
      –  Export results to IBM QRadar for correlation and a consolidated summary of relevant indicators at a glance.
      –  Configure PPTX presentations emailed with the 'high-level overview'.
  • 20. How to prioritize updates?
    •  Case: BASIS team of every organization
    •  Need: to minimize downtime of systems during updates and prioritize updates.
    •  Solution:
      –  Scan for missing SAP security notes
      –  Scan for remotely exploitable vulnerabilities (blackbox)
      –  The system correlates this data, and you can filter results by 10+ different criteria to understand risk
  • 21. How to comply with regulations
    •  Need: to comply with industry regulations and choose a step-by-step approach for better technical compliance
    •  Solution:
      –  Scan to address PCI DSS, SOX or NERC CIP regulations
      –  Step-by-step technical compliance approach: EAS-SEC, SAP Guidelines, ISACA, DSAG
      –  Add industry-related checks and guidelines (Oil and Gas, Banking, Retail), make your own template
    We have included templates for all of them.
  • 22. How to identify and test the most critical vulnerabilities in SAP?
    •  Case: security consulting company
    •  Need: to provide SAP security assessment and penetration testing services in minimum time
    •  Solution:
      –  Vulnerability management module
      –  Blackbox pentesting, exploits, business-focused payloads
  • 23. Matching requirements of enterprise customers
    •  Advanced user management
    •  Multiple scans' comparison and efficiency analysis
    •  Customizable templates and landscapes
    •  Ability to assign tasks to users
    •  Ability to manage risks
    •  Largest built-in knowledge base
  • 24. Strength
    •  Only a 360-degree approach can help in maximizing security
    •  Specific checks for industry modules and solutions
    •  Fast release cycles to address client needs
    •  Combination of modules gives you more visibility: 1+1+1=4
  • 25. About
    Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. The ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
    USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
    EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
    www.erpscan.com    info@erpscan.com