A Holistic View on SAP Security
Why Securing Production Systems Is Not Enough
March 12th, 2013
BIZEC Workshop
Mariano Nunez
mnunez@onapsis.com
@marianonunezdc
Juan Perez-Etchegoyen
jppereze@onapsis.com
@jp_pereze
www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are
trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
A Cyber-criminal & SAP systems
● If an attacker is after an SAP system, he is probably looking to carry out one of the following:
ESPIONAGE: obtain customer/vendor/human-resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
SABOTAGE: paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc.
FRAUD: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
What is his goal?
[Figure: the SAP Production System, running sales, production, financial planning, invoicing, procurement, treasury, logistics, payroll, billing and human resources.]
Where an attacker would probably hit…
• SAP systems are built upon several layers.
• Segregation of Duties (SoD) controls apply at the Business Logic layer.
• The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.
[Figure: the layer stack. SAP Solution = SAP Business Logic on top of the SAP Application Layer; Base Infrastructure = Database on top of the Operating System.]
On October 30th 2012, Anonymous
claimed intent to exploit SAP systems
They claimed to have broken into the Greek Ministry of Finance
(to be confirmed) and mentioned:
"We have new guns in our arsenal. A sweet 0day
SAP exploit is in our hands and oh boy we're gonna
sploit the hell out of it."
So we know that the SAP Application
Layer is the weak spot and where the
attacker will hit.
But… which system will he attack first?
PRD?
QAS?
DEV?
Why attack DEV?
● Production systems usually fall under the scope of internal/external audits → they are more “secure”.
● Development systems are not considered security-sensitive.
● Access controls and security settings are relaxed → high chances of exploiting SAP application-layer vulnerabilities.
● No Security Auditing features enabled → low chances of being detected.
● They usually have explicit and implicit relationships with target systems → they are the perfect “pivot”.
DEV – Explicit Relationships
● Injection of backdoors / rootkits in ABAP programs that get to PRD.
● Abuse of insecure RFC destinations.
[Figure: © SAP]
DEV – Implicit Relationships
● Password Cracking & Shared Passwords
● SAP administrator passwords tend to be the same across several systems.
● Once inside DEV, he would:
1. Access the USR02 table
2. Obtain the password hashes for users with SAP_ALL privileges
3. Crack the password hashes with John the Ripper
4. Log in to SAP PRD simply using SAPGUI!
Securing PRD Holistically
● Regular audits focus on:
  ● The Production System:
    ● Production Client
    ● Central Instance
● But... what about the “other” clients?
[Figure: a PRD system with the Default Clients 000, 001 and 066 next to the Production Client 400.]
Securing PRD Holistically
● And... what about the “other” instances?
[Figure: the PRD system with its Central Instance (CI) and several further instances labelled D.]
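As an added example (not part of the deck and not Onapsis code): a Python model of a three-system landscape that reports what the “regular audit” scope described above misses (the non-production systems, the default clients, the instances beyond the CI, systems without the Security Audit Log) and which out-of-scope systems reach PRD through transport routes or RFC destinations, i.e. the pivots the deck warns about. The SIDs, instance names, the non-default client numbers and the audit scope are constructed values.

```python
"""Audit-scope coverage check for an SAP landscape (constructed example)."""
from collections import deque
from dataclasses import dataclass

# SAP default clients that exist on every system and are usually left out of audits.
DEFAULT_CLIENTS = frozenset({"000", "001", "066"})


@dataclass
class SapSystem:
    sid: str
    role: str                                   # "DEV", "QAS" or "PRD"
    instances: frozenset                        # instance names; "CI" = central instance
    clients: frozenset                          # client numbers present on the system
    audit_log_enabled: bool                     # is the Security Audit Log switched on?
    rfc_destinations: frozenset = frozenset()   # SIDs reachable via RFC destinations with stored logon data
    transports_to: frozenset = frozenset()      # SIDs that import this system's transport requests


@dataclass(frozen=True)
class Finding:
    sid: str
    kind: str
    detail: str


def reachable_prd(systems, start_sid):
    """PRD SIDs reachable from start_sid over transport routes and RFC destinations (BFS)."""
    by_sid = {s.sid: s for s in systems}
    seen, queue, hits = {start_sid}, deque([start_sid]), set()
    while queue:
        sid = queue.popleft()
        for nxt in by_sid[sid].transports_to | by_sid[sid].rfc_destinations:
            if nxt not in by_sid or nxt in seen:
                continue
            seen.add(nxt)
            if by_sid[nxt].role == "PRD":
                hits.add(nxt)
            queue.append(nxt)                 # keep walking: DEV -> QAS -> PRD counts too
    return hits


def audit_gaps(systems, audit_scope):
    """List what an audit scope leaves uncovered.

    audit_scope maps SID -> (audited instances, audited clients); a SID absent from the
    mapping is never audited at all.
    """
    findings = []
    for s in systems:
        fully_covered = False
        if s.sid not in audit_scope:
            findings.append(Finding(s.sid, "system-out-of-scope", f"{s.role} system never audited"))
        else:
            inst_scope, client_scope = audit_scope[s.sid]
            missing_inst = s.instances - inst_scope
            missing_clients = s.clients - client_scope
            if missing_inst:
                findings.append(Finding(s.sid, "instance-out-of-scope", ",".join(sorted(missing_inst))))
            default_missing = missing_clients & DEFAULT_CLIENTS
            other_missing = missing_clients - DEFAULT_CLIENTS
            if default_missing:
                findings.append(Finding(s.sid, "default-client-out-of-scope", ",".join(sorted(default_missing))))
            if other_missing:
                findings.append(Finding(s.sid, "client-out-of-scope", ",".join(sorted(other_missing))))
            fully_covered = not (missing_inst or missing_clients)
        if not s.audit_log_enabled:
            findings.append(Finding(s.sid, "no-audit-log", "attacks on this system are unlikely to be detected"))
        # An incompletely audited non-production system with a path into PRD is a pivot.
        if not fully_covered and s.role != "PRD":
            targets = reachable_prd(systems, s.sid)
            if targets:
                findings.append(Finding(s.sid, "pivot-into-PRD", "reaches " + ",".join(sorted(targets))))
    return findings


# Constructed landscape: DEV transports to QAS, QAS to PRD, and DEV also has an RFC destination into PRD.
LANDSCAPE = [
    SapSystem("DEV", "DEV", frozenset({"CI"}), frozenset({"000", "001", "066", "100"}),
              audit_log_enabled=False, rfc_destinations=frozenset({"PRD"}), transports_to=frozenset({"QAS"})),
    SapSystem("QAS", "QAS", frozenset({"CI", "D01"}), frozenset({"000", "001", "066", "200"}),
              audit_log_enabled=False, transports_to=frozenset({"PRD"})),
    SapSystem("PRD", "PRD", frozenset({"CI", "D01", "D02", "D03"}), frozenset({"000", "001", "066", "400"}),
              audit_log_enabled=True),
]
# The "regular audit": only the production client on the central instance of PRD.
AUDIT_SCOPE = {"PRD": (frozenset({"CI"}), frozenset({"400"}))}


def kinds_for(findings, sid):
    """Sorted finding kinds for one system (convenience for reporting and tests)."""
    return sorted(f.kind for f in findings if f.sid == sid)


if __name__ == "__main__":
    for f in audit_gaps(LANDSCAPE, AUDIT_SCOPE):
        print(f"{f.sid}: {f.kind} ({f.detail})")
```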
Conclusions
● Real-world attackers would likely not target the Production system
directly, but rather go after the weakest link in the chain.
● Even “compliant” and “secure” Production systems can be
compromised if the security of the platform has not been thought
holistically.
● In order to do so, we have to think like a potential attacker and mitigate
the vulnerabilities with the highest risk (easiest to exploit & resulting in
high privileges).
● Holistic security at the SAP Application Layer involves every
landscape, every system and every instance and client.
Questions?
Stay tuned!
@onapsis
@marianonunezdc
@jp_pereze
Thank you!

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Holistic SAP Security View

  • 1. A Holistic View on SAP Security – Why Securing Production Systems Is Not Enough. March 12th, 2013, BIZEC Workshop. Mariano Nunez (mnunez@onapsis.com, @marianonunezdc) and Juan Perez-Etchegoyen (jppereze@onapsis.com, @jp_pereze).
  • 2. Disclaimer. This publication is copyright 2013 Onapsis Inc. – All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
  • 3. A Cyber-criminal & SAP systems
    ● If an attacker is after an SAP system, he is probably looking to perform:
      ● ESPIONAGE: obtain customer/vendor/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
      ● SABOTAGE: paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc.
      ● FRAUD: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
  • 4. What is his goal? The SAP Production System: Sales, Production, Financial Planning, Invoicing, Procurement, Treasury, Logistics, Payroll, Billing, Human Resources.
  • 5. Where an attacker would probably hit…
    ● SAP systems are built upon several layers.
    ● Segregation of Duties (SoD) controls apply at the Business Logic layer.
    ● The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.
    (Layer diagram: the SAP Solution consists of the SAP Business Logic on top of the SAP Application Layer; beneath it, the Base Infrastructure consists of the Database and the Operating System.)
  • 6. On October 30th 2012, Anonymous claimed intent to exploit SAP systems. They claimed to have broken into the Greek Ministry of Finance (to be confirmed) and mentioned: "We have new guns in our arsenal. A sweet 0day SAP exploit is in our hands and oh boy we're gonna sploit the hell out of it."
  • 7. So we know that the SAP Application Layer is the weak spot and where the attacker will hit. But… which system will he attack first?
  • 8. PRD?
  • 9. QAS?
  • 10. DEV?
  • 11. Why attack DEV?
    ● Production systems usually fall under the scope of internal/external audits → they are more “secure”.
    ● Development systems are not considered security-sensitive.
    ● Access controls and security settings are relaxed → high chances of exploiting SAP application-layer vulnerabilities.
    ● No security auditing features enabled → low chances of being detected.
    ● They usually have explicit and implicit relationships with target systems → they are the perfect “pivot”.
  • 12. DEV – Explicit Relationships
    ● Injection of backdoors / rootkits in ABAP programs that reach PRD.
    ● Abuse of insecure RFC destinations.
    (Diagram © SAP.)
  • 13. DEV – Implicit Relationships
    ● Password Cracking & Shared Passwords
    ● SAP administrators' passwords tend to be the same across several systems.
    ● Once inside DEV, he would:
      1. Access the USR02 table
      2. Obtain the password hashes for users with SAP_ALL privileges
      3. Crack the password hashes with John The Ripper
      4. Log in to SAP PRD simply using SAPGUI!
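The implicit relationship on slide 13 (the same administrator password on DEV and PRD) is something a defender can test for before an attacker does. The following is an added example, not code from the slides or from Onapsis: it takes an authorized export of the password columns of USR02 from each system in the landscape and flags accounts whose stored hash is byte-identical on two systems, which means the password is identical there, whatever the hash version. The column names BNAME, CODVN, BCODE, PASSCODE and PWDSALTEDHASH are the real USR02 fields; the system IDs, user names and hash strings in the sample export are constructed placeholders.

```python
"""Cross-system password-hash reuse check for USR02 exports.

Added example (not Onapsis code). Input: one list of USR02 rows per system,
restricted to the password columns. Output: accounts whose stored hash
repeats unchanged across systems, plus accounts still carrying the older
BCODE/PASSCODE hash formats.

Assumed column names (real USR02 fields): BNAME, CODVN, BCODE, PASSCODE,
PWDSALTEDHASH. All sample rows and hash values below are constructed.
"""
from collections import defaultdict

# BCODE and PASSCODE are the older hash formats, where the user name is the
# only salt; PWDSALTEDHASH carries a random salt. Only exact equality is
# compared, so a random salt does not hide a row copied from PRD into DEV.
HASH_COLUMNS = ("PWDSALTEDHASH", "PASSCODE", "BCODE")


def find_reused_hashes(exports):
    """exports: {system_id: [usr02_row, ...]}.
    Returns a sorted list of (user, column, [systems]) for every hash value
    that appears unchanged for the same user on more than one system."""
    seen = defaultdict(set)  # (user, column, hash value) -> systems
    for sid, rows in exports.items():
        for row in rows:
            for col in HASH_COLUMNS:
                value = (row.get(col) or "").strip()
                if value:
                    seen[(row["BNAME"], col, value)].add(sid)
    return sorted(
        (user, col, sorted(systems))
        for (user, col, _), systems in seen.items()
        if len(systems) > 1
    )


def legacy_hash_accounts(exports):
    """Accounts that still have a BCODE or PASSCODE value on each system.
    These older formats are the ones an offline cracking step (slide 13,
    step 3) works against fastest, so they deserve cleanup first."""
    result = {}
    for sid, rows in sorted(exports.items()):
        users = sorted(
            r["BNAME"] for r in rows
            if (r.get("BCODE") or "").strip() or (r.get("PASSCODE") or "").strip()
        )
        if users:
            result[sid] = users
    return result


SAMPLE_EXPORTS = {  # constructed three-system landscape; hashes are placeholders
    "DEV": [
        {"BNAME": "DDIC", "CODVN": "H", "BCODE": "", "PASSCODE": "",
         "PWDSALTEDHASH": "{x-issha, 1024}CONSTRUCTED_SALTED_HASH_1"},
        {"BNAME": "BASISADM", "CODVN": "B", "BCODE": "CONSTRUCTED_BCODE_A",
         "PASSCODE": "", "PWDSALTEDHASH": ""},
        {"BNAME": "DEVELOPER1", "CODVN": "H", "BCODE": "", "PASSCODE": "",
         "PWDSALTEDHASH": "{x-issha, 1024}CONSTRUCTED_SALTED_HASH_2"},
    ],
    "QAS": [
        {"BNAME": "DDIC", "CODVN": "H", "BCODE": "", "PASSCODE": "",
         "PWDSALTEDHASH": "{x-issha, 1024}CONSTRUCTED_SALTED_HASH_9"},
        {"BNAME": "BASISADM", "CODVN": "B", "BCODE": "CONSTRUCTED_BCODE_Q",
         "PASSCODE": "", "PWDSALTEDHASH": ""},
    ],
    "PRD": [
        {"BNAME": "DDIC", "CODVN": "H", "BCODE": "", "PASSCODE": "",
         "PWDSALTEDHASH": "{x-issha, 1024}CONSTRUCTED_SALTED_HASH_1"},
        {"BNAME": "BASISADM", "CODVN": "B", "BCODE": "CONSTRUCTED_BCODE_A",
         "PASSCODE": "", "PWDSALTEDHASH": ""},
        {"BNAME": "FIUSER", "CODVN": "H", "BCODE": "", "PASSCODE": "",
         "PWDSALTEDHASH": "{x-issha, 1024}CONSTRUCTED_SALTED_HASH_3"},
    ],
}

if __name__ == "__main__":
    for user, col, systems in find_reused_hashes(SAMPLE_EXPORTS):
        print(f"REUSED  {user:<12} {col:<14} identical on {', '.join(systems)}")
    for sid, users in legacy_hash_accounts(SAMPLE_EXPORTS).items():
        print(f"LEGACY  {sid}: {', '.join(users)}")
```

On the constructed data the check reports DDIC and BASISADM as sharing a password between DEV and PRD, while the QAS hashes differ and are not reported. A differing salted hash proves nothing either way (same password, different salt), so the absence of a finding for a PWDSALTEDHASH account is not evidence that passwords differ; the legacy-format list is the set where the slide's offline cracking step is cheapest and where rotating to unique per-system passwords pays off first.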
  • 14. Securing PRD Holistically
    ● Regular audits focus on the Production System: the Production Client and the Central Instance.
    ● But... what about the “other” clients?
    (Diagram: the default clients 000, 001 and 066 next to the production client 400.)
  • 15. Securing PRD Holistically
    ● And... what about the “other” instances?
    (Diagram: PRD with its Central Instance (CI) and several Dialog instances (D).)
  • 16. Conclusions
  • 17. Conclusions
    ● Real-world attackers would likely not target the Production system directly, but rather go after the weakest link in the chain.
    ● Even “compliant” and “secure” Production systems can be compromised if the security of the platform has not been thought through holistically.
    ● In order to do so, we have to think like a potential attacker and mitigate the vulnerabilities with the highest risk (easiest to exploit and resulting in high privileges).
    ● Holistic security at the SAP Application Layer involves every landscape, every system, and every instance and client.
  • 18. Questions? Stay tuned! @onapsis @marianonunezdc @jp_pereze
  • 19. Thank you!
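Slides 14 and 15 make the case that an audit scoped to "PRD, production client, central instance" leaves the default clients and the dialog instances untested, and slides 11 and 12 that DEV and QAS reach PRD through transports and RFC destinations. The following is an added example, not code from the slides or from Onapsis: given a landscape inventory and the set of systems, instances and clients an audit actually covered, it lists every gap and, for each whole system left out, whether it has an explicit path into PRD. The inventory, scope, system IDs, instance names and client numbers are constructed; only the default clients 000, 001 and 066 come from the slides.

```python
"""Audit-scope coverage for an SAP landscape (added example, not Onapsis code).

landscape: {sid: {"instances": [...], "clients": [...],
                  "transports_to": sid_or_None, "rfc_to": [sid, ...]}}
scope:     {sid: {"instances": set_of_names, "clients": set_of_numbers}}
           listing only what the audit actually tested.
"""

DEFAULT_CLIENTS = ("000", "001", "066")  # shipped with every ABAP system (slide 14)


def reaches(landscape, sid, target):
    """Explicit relationships from slide 12: a transport route that ends at
    the target, or an RFC destination pointing at it. Returns the reasons."""
    reasons = []
    route, hop, visited = [sid], sid, {sid}
    while landscape[hop].get("transports_to") and landscape[hop]["transports_to"] not in visited:
        hop = landscape[hop]["transports_to"]
        route.append(hop)
        visited.add(hop)
        if hop == target:
            reasons.append("transports: " + " -> ".join(route))
            break
    if target in landscape[sid].get("rfc_to", ()):
        reasons.append(f"RFC destination {sid} -> {target}")
    return reasons


def coverage_gaps(landscape, scope, target="PRD"):
    """Everything the audit did not touch: whole systems (with their paths
    into the target), instances and clients of partially audited systems.
    Client tuples carry a flag telling whether the client is a default one."""
    gaps = {"systems": {}, "instances": [], "clients": []}
    for sid in sorted(landscape):
        if sid not in scope:
            gaps["systems"][sid] = reaches(landscape, sid, target)
            continue
        audited = scope[sid]
        gaps["instances"] += [(sid, inst) for inst in landscape[sid]["instances"]
                              if inst not in audited.get("instances", ())]
        gaps["clients"] += [(sid, cl, cl in DEFAULT_CLIENTS) for cl in landscape[sid]["clients"]
                            if cl not in audited.get("clients", ())]
    return gaps


LANDSCAPE = {  # constructed three-system landscape
    "DEV": {"instances": ["CI"], "clients": ["000", "001", "066", "100"],
            "transports_to": "QAS", "rfc_to": ["PRD"]},
    "QAS": {"instances": ["CI"], "clients": ["000", "001", "066", "200"],
            "transports_to": "PRD", "rfc_to": []},
    "PRD": {"instances": ["CI", "D01", "D02"], "clients": ["000", "001", "066", "400"],
            "transports_to": None, "rfc_to": []},
}
# The "regular audit" of slide 14: production system, production client, central instance.
AUDIT_SCOPE = {"PRD": {"instances": {"CI"}, "clients": {"400"}}}

if __name__ == "__main__":
    gaps = coverage_gaps(LANDSCAPE, AUDIT_SCOPE)
    for sid, reasons in gaps["systems"].items():
        print(f"UNAUDITED SYSTEM   {sid}: " + ("; ".join(reasons) or "no explicit path to PRD"))
    for sid, inst in gaps["instances"]:
        print(f"UNAUDITED INSTANCE {sid} {inst}")
    for sid, cl, is_default in gaps["clients"]:
        print(f"UNAUDITED CLIENT   {sid} {cl}" + (" (default client)" if is_default else ""))
```

On the constructed landscape the report shows DEV reaching PRD both through the transport route and through an RFC destination, QAS through transports, the two PRD dialog instances, and the three PRD default clients, which is the whole list of places the slides say an audit limited to the production client on the central instance never looks.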