The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
The document discusses SAP software for billing and revenue innovation management. It describes how the software provides a complete solution for the order-to-cash process that allows companies to quickly adapt pricing models while ensuring reliable operations. Key capabilities of the software include convergent mediation to simplify data collection across networks, convergent charging for flexible pricing, convergent invoicing for clear invoices, and analytics to help optimize strategies. The document emphasizes how the software supports scalability, speed of innovation, and real-time insights.
Grant Allen, CTO Chief Product Officer at Dow Jones explains how to deploy Flowable at scale in AWS.
It was presented at the Flowfest 2018 in Barcelona, Spain
Core Data Services (CDS) is a next generation data modeling tool introduced by SAP to define data models on the database server rather than the application server for SAP HANA applications. CDS offers conceptual modeling, built-in functions, and extensions beyond traditional data modeling. Originally only available in SAP HANA, CDS can now also be implemented in SAP NetWeaver AS ABAP. CDS includes data definition, query, manipulation, and control languages and allows a code-to-data paradigm where data models are defined as views in the ABAP dictionary and consumed via Open SQL.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
What's new on SAP HANA Workload ManagementSAP Technology
The document discusses new workload management features in SAP HANA SPS11. It introduces workload mapping, which allows dynamic mapping of system resources like thread limits, memory limits, and priority to different workload classes based on client context like application, user, and client. Administrators can create workload classes with specific resource profiles and mapping rules to assign classes based on connection properties. This helps optimize resource allocation and avoid abuse while maintaining performance for different workloads and users. The new features provide more flexibility and automation compared to static global settings.
Feeling bludgeoned by bullhorn messaging suggesting your monolithic behemoth should be put down (or sliced up) to make way for microservices? Without question, 'unicorn-style' microservices are the super-nova-hot flavor of the day, but what if teaching your tried and true monolith to be a nimble, fast-dancing elephant meant you could deploy every week versus every 6 to 9 months?
For most enterprises, weekly deployments (or something close) would fundamentally transform not only operations and business results, but also the inherent value of developers willing to step up to lead the dance lessons.
See beyond the hype to understand the deployment model your business case actually demands, and if weekly deployments courtesy of a dancing (or flying!) elephant fit the bill, love the one you're
The document discusses SAP software for billing and revenue innovation management. It describes how the software provides a complete solution for the order-to-cash process that allows companies to quickly adapt pricing models while ensuring reliable operations. Key capabilities of the software include convergent mediation to simplify data collection across networks, convergent charging for flexible pricing, convergent invoicing for clear invoices, and analytics to help optimize strategies. The document emphasizes how the software supports scalability, speed of innovation, and real-time insights.
Grant Allen, CTO Chief Product Officer at Dow Jones explains how to deploy Flowable at scale in AWS.
It was presented at the Flowfest 2018 in Barcelona, Spain
Core Data Services (CDS) is a next generation data modeling tool introduced by SAP to define data models on the database server rather than the application server for SAP HANA applications. CDS offers conceptual modeling, built-in functions, and extensions beyond traditional data modeling. Originally only available in SAP HANA, CDS can now also be implemented in SAP NetWeaver AS ABAP. CDS includes data definition, query, manipulation, and control languages and allows a code-to-data paradigm where data models are defined as views in the ABAP dictionary and consumed via Open SQL.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
What's new on SAP HANA Workload ManagementSAP Technology
The document discusses new workload management features in SAP HANA SPS11. It introduces workload mapping, which allows dynamic mapping of system resources like thread limits, memory limits, and priority to different workload classes based on client context like application, user, and client. Administrators can create workload classes with specific resource profiles and mapping rules to assign classes based on connection properties. This helps optimize resource allocation and avoid abuse while maintaining performance for different workloads and users. The new features provide more flexibility and automation compared to static global settings.
Feeling bludgeoned by bullhorn messaging suggesting your monolithic behemoth should be put down (or sliced up) to make way for microservices? Without question, 'unicorn-style' microservices are the super-nova-hot flavor of the day, but what if teaching your tried and true monolith to be a nimble, fast-dancing elephant meant you could deploy every week versus every 6 to 9 months?
For most enterprises, weekly deployments (or something close) would fundamentally transform not only operations and business results, but also the inherent value of developers willing to step up to lead the dance lessons.
See beyond the hype to understand the deployment model your business case actually demands, and if weekly deployments courtesy of a dancing (or flying!) elephant fit the bill, love the one you're
SAP HANA System Replication (HSR) versus SAP Replication Server (SRS)Gary Jackson MBCS
This document provides information about SAP HANA System Replication (HSR) and compares it to SAP Replication Server (SRS). HSR replicates transaction log entries from a primary HANA database to secondary databases. It supports synchronous and asynchronous replication and can be used for high availability and disaster recovery. The document outlines the initial setup process and ongoing administration of HSR configurations.
SAPUI5 (SAP user interface for HTML 5) is a collection of libraries that developers can use to build desktop and mobile applications that run in a browser. With SAP's SAPUI5 JavaScript toolkit, developers can build SAP web applications using HTML5 web development standards.
SAP Fiori, the company's line of web-based apps that have a device-agnostic user interface (UI ), have all been built using SAPUI5. There is also an open-source version of SAPUI5, called OpenUI5, which is available on Github.com.
This document provides an overview and introduction to SAPscript forms. It discusses what SAPscript forms are, how they are structured and processed. The guide is organized into multiple parts that cover learning SAPscript basics, modifying forms, and customizing applications for forms. Tools for working with forms like the Form Painter and PC Editor are also introduced. Standard and preconfigured SAPscript forms are examples.
This document provides an overview of the SAP Fiori user experience and architecture for SAP S/4HANA. It discusses how SAP Fiori apps are designed to provide a modern user interface across devices using web technologies. The architecture is centered around OData services that retrieve business data from SAP S/4HANA to power the task-focused apps. SAP Fiori can be used both on-premise with SAP S/4HANA deployed locally or in the cloud using the SAP HANA Cloud Platform.
The document outlines the content covered in an SAP Basis online training course. The course introduces students to SAP software, the SAP architecture including presentation and database interfaces, and installing and maintaining the SAP system. It covers topics such as user administration, system monitoring and performance tools, transporting changes between systems, and managing support packages and upgrades. The course also addresses administering the Oracle database and various administration utilities used to manage the SAP system.
This document provides a project report on developing business reports using ABAP programming. It includes an introduction to ABAP, its architecture and applications. Procedures for designing general reports and reports from two tables are described. The document also discusses topics like SAP, data types in ABAP, domains, transaction codes, and metadata.
Bentley Systems, a software company, used SAP Cloud Platform Integration to streamline their global sales process. This allowed them to provide an intuitive user interface and complete mobile solution while keeping sales data originating from their on-premise SAP CRM. SAP Cloud Platform Integration enabled real-time synchronization of sales data between SAP Cloud for Customer and SAP CRM, supporting Bentley's hybrid CRM model. The pre-packaged integration content and SAP HCI tooling helped provide a seamless transition to the cloud.
API Integration For Building Software Applications Powerpoint Presentation Sl...SlideTeam
Ensure smooth running of operations by using API Integration For Building Software Applications PowerPoint Presentation Slides. Present the major financial highlights before API implementation, application programming interface issues, solutions, etc, by employing API integration PowerPoint templates. Highlight the process of integration of application programming interface in business by using communication protocol PPT slideshow. The strategies for implementing API in business can be effectively discussed using our PPT themes. Showcase benefits related to API testing and time estimate to develop an API by using our visually attention-grabbing API integration service PPT infographics. It is easy to present an API roadmap with different time-intervals by employing our PPT slides. Our content-ready API integration platform PPT slides allow you to showcase the monthly API roadmap with the development process. Cover various API testing models for business, application programming interface value chain, and structure. Thus, understand technical architects by downloading our professionally designed application programming interface strategy. https://bit.ly/3vwNVGh
SAP Fiori is a new user interface for SAP applications that provides 300+ role-based applications across business functions like HR, manufacturing and finance. It has evolved from older SAP interfaces like R/3 in 1999 and Web Dynpro in 2010. SAP Fiori is designed according to principles of being role-based, responsive, simple, providing a seamless experience and being delightful for users. It includes transactional apps for tasks, fact sheets for key information, and analytical apps for real-time business insights. The architecture involves a web dispatcher, front-end server for UI components, back-end server for business logic, and SAP HANA database.
This document discusses event driven architecture using Kafka. It defines event driven architecture as a software paradigm that promotes the production, detection, consumption and reaction to events. Some benefits of this approach are loose coupling, lower costs, scalability and flexibility. It then explains how event driven architecture can be implemented using APIs and the command query responsibility segregation pattern. The document introduces Kafka as an open source stream processing platform and discusses how it uses topics and partitions to guarantee ordering. It also overview the Kafka connector for Mule and demonstrates how it can be used to synchronize events across applications.
Technical Overview of CDS View - SAP HANA Part IIAshish Saxena
It is very important that a developer understands that technically, CDS is an enhancement of SQL which provides a Data Definition Language (DDL) for defining semantically rich database tables/views (CDS entities) and user-defined types in the database. Unlike the SAP HANA CDS, ABAP CDS are independent of the database system. The entities of the models defined in ABAP CDS provide enhanced access functions compared with existing database tables and views defined in ABAP Dictionary, making it possible to optimize Open SQL-based applications. And it is because of these unparalleled advantages that ABAP CDS is the most preferred form of methodology when it comes to Code to Data paradigm.
Privacy by Design or Privacy by Re-engineeringAndre Cardinaal
This document discusses implementing privacy by design in software systems to comply with GDPR regulations. It recommends taking a proactive approach to privacy by embedding privacy principles into system design from the start. This includes performing data mapping and privacy impact assessments, considering privacy in requirements, design, development and deployment phases, and using techniques like anonymization, encryption and access controls. It emphasizes an iterative process of continuous evaluation and treating privacy as a non-functional requirement across the system development lifecycle.
This document discusses Spring transaction management. It introduces transactions and describes Spring's abstraction for transaction management. Spring supports both declarative and programmatic transaction management. Declarative transaction management uses annotations to separate transaction code from business methods, while programmatic transaction management includes transaction logic directly in code. The document also covers transaction concepts like isolation levels, propagation levels, and transaction definitions that control transaction properties.
SAP is an ERP software that offers a centralized system for businesses to manage processes. It has evolved over time from a one-tier architecture to a multi-tier system with presentation, application, and database layers. The application layer is where processing occurs and includes work processes that are distributed to by dispatchers. Key SAP modules include SRM for procurement, ARIBA which SAP acquired, SOLMAN for application management, and S/4HANA which is SAP's next generation ERP that leverages new technologies.
SAP Fiori is a new user experience for SAP applications that provides 300+ role-based apps for various business functions on desktops, smartphones, and tablets, and is built using SAP UI5. It includes transactional apps, fact sheets, and analytical apps that run on SAP NetWeaver Gateway and either an SAP HANA or other database, with fact sheets and analytical apps requiring HANA. SAP Fiori aims to provide a simple, responsive, and seamless experience across devices.
This document discusses SAP architecture and components. It describes homogeneous and heterogeneous SAP systems and the standard R/3 architecture with presentation, application, and database tiers. It outlines the main R/3 communication protocols and explains the installation process. It also provides an overview of core R/3 modules, supported platforms, and industry solutions.
The document discusses OAuth and its implementation for connected apps. It describes OAuth as a delegation protocol for conveying authorization across web apps and APIs. It then outlines the web server flow and user agent flow, including the different token types used. It demonstrates getting an access token via the web server flow and using it to query data. Finally, it provides information on refreshing access tokens before expired.
White collar crimes are committed by high-status professionals like CEOs, lawyers, and accountants through deception and non-violence. They include crimes like cybercrime, bribery, and insider trading. Blue collar crimes are committed by low-status hourly wage workers like electricians and plumbers through violent crimes like burglary, theft, and murder. Factors influencing white collar crimes include lenient attitudes and underestimating losses, while blue collar crimes are influenced by lower education, living standards, and socioeconomic factors. Ways to address the crimes include strictly enforcing laws against white collar crimes and improving living conditions and education for blue collar workers.
SAP HANA System Replication (HSR) versus SAP Replication Server (SRS)Gary Jackson MBCS
This document provides information about SAP HANA System Replication (HSR) and compares it to SAP Replication Server (SRS). HSR replicates transaction log entries from a primary HANA database to secondary databases. It supports synchronous and asynchronous replication and can be used for high availability and disaster recovery. The document outlines the initial setup process and ongoing administration of HSR configurations.
SAPUI5 (SAP user interface for HTML 5) is a collection of libraries that developers can use to build desktop and mobile applications that run in a browser. With SAP's SAPUI5 JavaScript toolkit, developers can build SAP web applications using HTML5 web development standards.
SAP Fiori, the company's line of web-based apps that have a device-agnostic user interface (UI ), have all been built using SAPUI5. There is also an open-source version of SAPUI5, called OpenUI5, which is available on Github.com.
This document provides an overview and introduction to SAPscript forms. It discusses what SAPscript forms are, how they are structured and processed. The guide is organized into multiple parts that cover learning SAPscript basics, modifying forms, and customizing applications for forms. Tools for working with forms like the Form Painter and PC Editor are also introduced. Standard and preconfigured SAPscript forms are examples.
This document provides an overview of the SAP Fiori user experience and architecture for SAP S/4HANA. It discusses how SAP Fiori apps are designed to provide a modern user interface across devices using web technologies. The architecture is centered around OData services that retrieve business data from SAP S/4HANA to power the task-focused apps. SAP Fiori can be used both on-premise with SAP S/4HANA deployed locally or in the cloud using the SAP HANA Cloud Platform.
The document outlines the content covered in an SAP Basis online training course. The course introduces students to SAP software, the SAP architecture including presentation and database interfaces, and installing and maintaining the SAP system. It covers topics such as user administration, system monitoring and performance tools, transporting changes between systems, and managing support packages and upgrades. The course also addresses administering the Oracle database and various administration utilities used to manage the SAP system.
This document provides a project report on developing business reports using ABAP programming. It includes an introduction to ABAP, its architecture and applications. Procedures for designing general reports and reports from two tables are described. The document also discusses topics like SAP, data types in ABAP, domains, transaction codes, and metadata.
Bentley Systems, a software company, used SAP Cloud Platform Integration to streamline their global sales process. This allowed them to provide an intuitive user interface and complete mobile solution while keeping sales data originating from their on-premise SAP CRM. SAP Cloud Platform Integration enabled real-time synchronization of sales data between SAP Cloud for Customer and SAP CRM, supporting Bentley's hybrid CRM model. The pre-packaged integration content and SAP HCI tooling helped provide a seamless transition to the cloud.
API Integration For Building Software Applications Powerpoint Presentation Sl...SlideTeam
Ensure smooth running of operations by using API Integration For Building Software Applications PowerPoint Presentation Slides. Present the major financial highlights before API implementation, application programming interface issues, solutions, etc, by employing API integration PowerPoint templates. Highlight the process of integration of application programming interface in business by using communication protocol PPT slideshow. The strategies for implementing API in business can be effectively discussed using our PPT themes. Showcase benefits related to API testing and time estimate to develop an API by using our visually attention-grabbing API integration service PPT infographics. It is easy to present an API roadmap with different time-intervals by employing our PPT slides. Our content-ready API integration platform PPT slides allow you to showcase the monthly API roadmap with the development process. Cover various API testing models for business, application programming interface value chain, and structure. Thus, understand technical architects by downloading our professionally designed application programming interface strategy. https://bit.ly/3vwNVGh
SAP Fiori is a new user interface for SAP applications that provides 300+ role-based applications across business functions like HR, manufacturing and finance. It has evolved from older SAP interfaces like R/3 in 1999 and Web Dynpro in 2010. SAP Fiori is designed according to principles of being role-based, responsive, simple, providing a seamless experience and being delightful for users. It includes transactional apps for tasks, fact sheets for key information, and analytical apps for real-time business insights. The architecture involves a web dispatcher, front-end server for UI components, back-end server for business logic, and SAP HANA database.
This document discusses event driven architecture using Kafka. It defines event driven architecture as a software paradigm that promotes the production, detection, consumption and reaction to events. Some benefits of this approach are loose coupling, lower costs, scalability and flexibility. It then explains how event driven architecture can be implemented using APIs and the command query responsibility segregation pattern. The document introduces Kafka as an open source stream processing platform and discusses how it uses topics and partitions to guarantee ordering. It also overview the Kafka connector for Mule and demonstrates how it can be used to synchronize events across applications.
Technical Overview of CDS View - SAP HANA Part IIAshish Saxena
It is very important that a developer understands that technically, CDS is an enhancement of SQL which provides a Data Definition Language (DDL) for defining semantically rich database tables/views (CDS entities) and user-defined types in the database. Unlike the SAP HANA CDS, ABAP CDS are independent of the database system. The entities of the models defined in ABAP CDS provide enhanced access functions compared with existing database tables and views defined in ABAP Dictionary, making it possible to optimize Open SQL-based applications. And it is because of these unparalleled advantages that ABAP CDS is the most preferred form of methodology when it comes to Code to Data paradigm.
Privacy by Design or Privacy by Re-engineeringAndre Cardinaal
This document discusses implementing privacy by design in software systems to comply with GDPR regulations. It recommends taking a proactive approach to privacy by embedding privacy principles into system design from the start. This includes performing data mapping and privacy impact assessments, considering privacy in requirements, design, development and deployment phases, and using techniques like anonymization, encryption and access controls. It emphasizes an iterative process of continuous evaluation and treating privacy as a non-functional requirement across the system development lifecycle.
This document discusses Spring transaction management. It introduces transactions and describes Spring's abstraction for transaction management. Spring supports both declarative and programmatic transaction management. Declarative transaction management uses annotations to separate transaction code from business methods, while programmatic transaction management includes transaction logic directly in code. The document also covers transaction concepts like isolation levels, propagation levels, and transaction definitions that control transaction properties.
SAP is an ERP software that offers a centralized system for businesses to manage processes. It has evolved over time from a one-tier architecture to a multi-tier system with presentation, application, and database layers. The application layer is where processing occurs and includes work processes that are distributed to by dispatchers. Key SAP modules include SRM for procurement, ARIBA which SAP acquired, SOLMAN for application management, and S/4HANA which is SAP's next generation ERP that leverages new technologies.
SAP Fiori is a new user experience for SAP applications that provides 300+ role-based apps for various business functions on desktops, smartphones, and tablets, and is built using SAP UI5. It includes transactional apps, fact sheets, and analytical apps that run on SAP NetWeaver Gateway and either an SAP HANA or other database, with fact sheets and analytical apps requiring HANA. SAP Fiori aims to provide a simple, responsive, and seamless experience across devices.
This document discusses SAP architecture and components. It describes homogeneous and heterogeneous SAP systems and the standard R/3 architecture with presentation, application, and database tiers. It outlines the main R/3 communication protocols and explains the installation process. It also provides an overview of core R/3 modules, supported platforms, and industry solutions.
The document discusses OAuth and its implementation for connected apps. It describes OAuth as a delegation protocol for conveying authorization across web apps and APIs. It then outlines the web server flow and user agent flow, including the different token types used. It demonstrates getting an access token via the web server flow and using it to query data. Finally, it provides information on refreshing access tokens before expired.
White collar crimes are committed by high-status professionals like CEOs, lawyers, and accountants through deception and non-violence. They include crimes like cybercrime, bribery, and insider trading. Blue collar crimes are committed by low-status hourly wage workers like electricians and plumbers through violent crimes like burglary, theft, and murder. Factors influencing white collar crimes include lenient attitudes and underestimating losses, while blue collar crimes are influenced by lower education, living standards, and socioeconomic factors. Ways to address the crimes include strictly enforcing laws against white collar crimes and improving living conditions and education for blue collar workers.
This document provides an overview of resources for researching corporate crime law in the United Kingdom. It outlines the legal research process and identifies relevant secondary sources, legislation, cases, and commentary. Specifically, it recommends using Halsbury's Laws of England, Hansard records, and key cases like Tesco Supermarkets v Nattrass to understand corporate criminal liability under UK law. A variety of database and research tools are also introduced, including Westlaw, Lexis, i-Law, and Google Scholar to locate applicable legislation, cases, journal articles, and news on this topic.
This document discusses several examples of corporate crimes and their human costs, including the Love Canal disaster where toxic waste was dumped, contaminating a residential area and causing health issues for residents; the Imperial Food Products fire where locked doors led to the deaths of 25 employees; and ValuJet Flight 592 that crashed due to improperly stored hazardous materials, killing all onboard. It examines the legal outcomes for these events and how they relate to conflict theory perspectives on corporate crime.
The document discusses various types of identity theft such as financial, medical, criminal, and theft targeting seniors and children. It explains how identity thieves can steal personal information to commit crimes like credit card and loan fraud that damage a victim's credit and finances. Prevention tips are provided such as shredding documents, checking credit reports, and being wary of sharing personal details online or over the phone.
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
Pen Testing SAP Critical Information ExposedOnapsis Inc.
The world's largest organizations process huge amounts of critical information. This information is essential for the proper functioning of your business processes. The systems responsible for administering and managing these processes are called ERP and SAP ERP is the most used ERP by large companies.
An attacker would perform acts of fraud, sabotage or espionage on one of these companies focusing its efforts on vulnerable systems and get direct access to the most critical and sensitive business information.
In this talk we will work backwards to see the different stages and attacks that could be performed to compromise a SAP system without any prior knowledge about the target and credentials to access the same system. Thus, by developing penetration testing, we can help companies solve problems and mitigate risk. All demo’s will be performed using open-source tools such as Onapsis Bizploit - the first ERP Penetration Testing framework. This will allow attendees to apply their knowledge to make these assessments in their companies.
The document discusses penetration testing of SAP systems. It begins with an introduction to SAP concepts like systems, instances, clients and remote function calls. It then discusses the need for penetration testing business applications due to lack of security during implementations. The document outlines the phases of SAP penetration testing: discovery to find SAP targets, exploration to gather information, and vulnerability assessment to identify security threats.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
The document discusses security vulnerabilities in SAP web applications. It describes how attackers can identify SAP components and versions through server banners and error messages. Some SAP web services like the "Info Service" are publicly accessible by default and return sensitive system information without authentication. Most SAP web services require authentication but have weak authorization checks by default, allowing authenticated users to execute many functionalities without proper authorization. The document provides recommendations to disable server banners, customize error pages, and strengthen authorization checks for SAP web services.
Attacks Based on Security ConfigurationsOnapsis Inc.
Many large companies, as well as large government and defense organizations, have something in common: they rely on SAP platforms to process their business critical processes and information. Because of the sensitive nature of the information stored in these complex implementations, they are quickly becoming an attractive target for cyber-criminals looking to perform espionage, sabotage or financial fraud attacks by gaining access to the organizations’ crown jewels.
Securing these large and complex SAP implementations can be an ongoing, complicated and pain-staking task which requires specialized SAP security knowledge. This task encompasses managing the SoD process, patch (Security Note) management and implementation, analyzing interfaces and configuring the systems properly and securely (among many other things). One of the first and most important steps in starting the process of securing SAP implementations is the need to configure SAP application servers in a secure way. This task is not easy, as a SAP system has hundreds of different configurations which can be modified and a wrong setting or combination of settings can introduce large amounts of risk.
During this presentation, Onapsis CTO, Juan Perez-Etchegoyen explained some of the risks a default or insecure setting could introduce to the whole SAP infrastructure. You will see real life examples of these misconfigurations, and the threats introduced by them through several live demos. He will also explain how organizations can begin a process of securely configuring these systems.
SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customers data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there – and attackers know it.
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.
- SAP systems are critical to many large businesses but contain inherent vulnerabilities that could allow backdoors to be installed.
- Several technical vulnerabilities in SAP systems and their databases could allow an attacker to gain high privileges and modify code, including the authentication process.
- Onapsis has developed a tool called Integrity Analyzer for SAP that can detect modifications to SAP code that may indicate backdoors, as it is difficult to detect them from within the compromised SAP system itself. Regular monitoring and security assessments are needed to minimize risks.
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
The major organizations worldwide run their businesses thanks to the (Enterprise Resource Planning) ERP systems. In order to comply with government regulations, the anti-fraud laws, and specific industry requirements (such as NERC, PCI or HIPAA) security practices are usually confined to implement segregation of duties and access control users.
In recent years, attacks based on vulnerabilities and technical weaknesses in the implementation of ERP systems have gained a lot of attention. These revealed a wide range of surfaces attacks unexplored so far that are available for attackers to take advantage of. The ERP market is well defined and divided among a few players who provide ERP solutions to hundreds of government, military agencies and companies in a variety of industries.
In this talk, we will discuss the attack surface exposed by increased distribution ERP systems, and will conduct several live demonstrations of attacks that you will see if you run an ERP Penetration Test. We will focus on systems critical to the business world ERP: SAP, Oracle Siebel and Oracle JD Edwards. Analyze how it is possible for attackers, through exploiting technical vulnerabilities, aim your attack on the crown jewels and the most critical process of victims organizations, resulting in espionage, sabotage and financial fraud.
The document discusses incident response and SAP systems. It begins with an overview of Onapsis Inc. and the backgrounds of Juan Perez-Etchegoyen and Sergio Abraham. It then covers incident response concepts, including detection and classification of incidents, affected assets, legal actions, and impact analysis. The remainder provides an example case study of employee salaries being leaked and the analysis steps taken to investigate the incident.
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
hat is “in-memory” platform? Usually DBMS rely on disk to store their data but today they are solutions which store data in memory. Why? Memory is cheap today, there is an increase amount of data to process and performance is a key. Well-known solutions are Oracle, SQLserver and SAP HANA.
Ezequiel’s research focused on SAP HANA. The solution is based on many components (DB, HTTP server) and provide a nice attack surface. This is a blended architecture. Instead of an application using a DB connection with limited (or unrestricted) access, the application is the same as the database user. User privileges should be restricted at the DB level. This changes the impact of classic attacks:
SQLi are restricted to the user privileges (better)
XSS is more powerful (bad)
After the introduction, some attack vectors against HANA were reviewed. About SQL injections, HANA has a nice feature: history tables. If the user does not delete it, the information remains available! XSS attacks were reviewed as well as integration with the R-Server.
- DeltaGRiC Consulting is an SAP partner focused on helping organizations detect cybersecurity risks and compliance violations affecting their SAP and Oracle systems using ERPScan Monitoring Suite.
- Traditional approaches to SAP security like segregation of duties matrices are insufficient as advanced attacks are targeting application vulnerabilities. Widespread SAP systems expose critical business data to unauthorized access through vulnerabilities.
- Organizations struggle to effectively manage security risks from unpatched vulnerabilities in complex SAP landscapes that include new technologies like HANA and connections to IoT devices. Continuous monitoring of configurations and vulnerabilities is needed to protect SAP systems.
The interconnected nature of modern business systems means that successful companies with critical business on SAP software must effectively manage exposure to external and internal threats. SAP Enterprise Threat Detection helps you identify the real attacks as they are happening and analyze the threats quickly enough to neutralize them before serious damage occurs. More information: http://scn.sap.com/community/security
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
Similar to SAP Forensics Detecting White Collar Cyber-crime (20)
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
Companies nowadays are choosing in between on-premise, cloud and hybrid deployment models. The common factor across all these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database and application server, that serves an increasing number of business applications, providing cutting edge features and performance.
Vulnerabilities affecting SAP HANA have now an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of this risks.
Join us on this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.
Onapsis Security Platform: Detection and ResponseOnapsis Inc.
The document describes the Onapsis Detection and Response solution, which helps organizations gain real-time visibility into threats facing their SAP infrastructure through continuous monitoring. It proactively detects issues like attacks, malware, and unauthorized access to ensure SAP applications remain secure. Detection and Response provides assurance that critical applications stay running despite threats by detecting exploits quickly and automating responses based on asset importance and business needs.
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...Onapsis Inc.
This presentation covers the evolution of threats targeting SAP systems, SAP Web Servers. We will cover attacks to Web Dispatcher while also showing live demo's of Business data ex-filtration and Authentication bypass in enterprise portals.
Also, countermeasures to prevent these attacks will be discussed.
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
After a brief introduction into ERP systems such as Oracle Siebel and JD Edwards this presentation will cover attack scenarios that these systems are faced with.
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerOnapsis Inc.
Global Fortune 1000 companies, major governmental organizations and defense agencies, share something in common: they all rely on SAP platforms to handle their most critical business processes and iinformation. In this scenario, any criminal cyber attacks seeking to conduct espionage, sabotage, or financial fraud, knows that these systems contain the jewels in the crown.
In all SAP implementations there is a special system that acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects and manages all SAP "satellites" of implementation (ERP, CRM, SCM, etc.) systems. Therefore, if an attacker compromises the SolMan, might be able to expand its control over all environments that are under control. Moreover, because of weaknesses in architecture, a malicious group would be possible to start by compromising one of the first satellite systems, and use it as a pivot to control the SolMan.
In this talk we present, through various live demonstrations, novel attack vectors that a hacker can use in intrusion attempt to SAP Solution Manager, and result in a total compromise to the SAP implementation. We will analyze the technical origins of vulnerabilities that allow such attacks, and give you mitigation information about these threats in your organization.
Highway to Production Securing the SAP TMSOnapsis Inc.
In all SAP implementations there are numerous reasons why organizations would need to make changes and updates; from changes to legislation and compliance mandates to business growth and process evolution. The Transport Management System (TMS) is the backbone for properly executing these changes across a landscape (Dev, QA, PROD, etc). If TMS is not properly secured, a malicious attacker could initiate disruptive and negatively impactful changes to Productive systems.
In this presentation we will explain the main components and capabilities of TMS. We will then detail specific ways in which organizations can increase the protection of their SAP platforms by gaining visibility to the risks and securing TMS.
The presentation is based on the research contained in the latest SAP Security In-Depth publication: SAP TMS: A Highway to Production.
Distributed Object or Remote Method Invocation (RMI) frameworks facilitate the remote invocation of methods and creation of objects between systems. Conceptually RMI frameworks are similar to Remote Procedure Call (RPC) platforms. A main difference is that in RMI the client and the server work with the entire object lifecycle (i.e. creation, destruction) whereas RPC is typically limited to remote methods or procedures. RMI frameworks are interesting because they provide a remote method for object manipulation. Even though Web Services have taken the lead as the de-facto technology for communication in distributed applications, RMI frameworks are still widely used in many applications. Almost every programming language has support for one or, usually, more RMI frameworks. The proliferation of this technology made RMI interfaces very common among all sorts of software, especially across Enterprise Applications, and constitute a fruitful vector from an attacker's point of view. In this presentation we will discuss the architecture, security features and new vulnerabilities we have detected in two implementations of popular Enterprise RMI frameworks: CORBA and SAP RMI-P4. Through live demonstrations, we will demonstrate novel techniques for remote file read/write, arbitrary database access, session hijacking, and other critical bugs in large enterprise platforms, as well as the countermeasures in order to protect from these threats. We will walk you through the vulnerability research process we performed over these frameworks, enabling you to understand also how these attacks could be extended to other RMI implementations you may encounter.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
10. Over 95% of the SAP systems we
evaluated were exposed to espionage,
sabotage and fraud attacks due to
vulnerabilities in the SAP Application
Layer.
Unlike SoD gaps, attackers do not need access
credentials to exploit this kind of vulnerabilities…
13. Our SAP systems have
never been hacked…
ƒGreat! I’m glad we have
configured the audit trails and
are reviewing the logs…
Audit trails? Logs? What
are you talking about?
We are doomed.
14. On October 30th
2012, Anonymous
claimed intent to exploit SAP systems
They claimed to have broken into the Greek Ministry of Finance
(to be confirmed) and mentioned:
"We have new guns in our arsenal. A
sweet 0day
SAP exploit is in our hands and oh boy
we're gonna sploit the hell out of it."