1. …Your SAP/Oracle Landscape Security Assurance
“There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting
undetected on our systems for extended periods of time. The threat is real.
You are compromised; you just don’t know it.” – Gartner, Inc., 2012
3. Protecting your Business Critical Applications from Cyber-Attacks
Until now there were NO solutions capable of performing integral assessment procedures in Oracle (PeopleSoft) applications.
More importantly, no solution on the market covers all three areas of SAP Security/Cyber Security under one umbrella, allowing you also to correlate data from the different areas and thus giving the customer a 360-degree view of SAP Security.
11. Who We Represent
ERPScan – Industry's most respected Solution in SAP/Oracle Security
• Anonymous scan (pentest)
• System enumeration / monitoring
• Misconfiguration analysis
• Vulnerability assessment
• Access control
• ABAP code security assessment
• SoD (segregation of duties)
• Compliance to SAP, ISACA, DSAG and
OWASP-EAS
• Risk assessment and prioritization
Award-Winning Solution
The first, and still the leader, in business application security research
Revealed the 3 most critical issues in SAP
Leaders by the number of discovered vulnerabilities in SAP (over 500 CVEs)
60+ innovative presentations at security conferences
Award-winning research papers “SAP Security in figures”
2nd place in Top Web Hacking Techniques 2012
2007: reported vulnerabilities in SAP and Oracle;
2008: acknowledged for vulnerabilities in SAP and Oracle;
2009: world-first public presentation about SAP Frontend security;
2010: world-first public presentation including attacks on Oracle JDE;
2010: world-first vulnerabilities reported in SAP BusinessObjects;
2011: world-first public presentation about SAP J2EE security;
2011: world-first product to analyze SAP J2EE Platform security;
2012: world-first public presentation about Oracle PeopleSoft attacks;
2013: world-first product to combine vulnerability, code and SoD checks in one platform;
2013: invented a new type of attack against SAP and other applications: SSRF;
2013: world-first vulnerabilities published in SAP Mobile applications;
2014: world-first training about Business Application Security;
2015: world-first product to analyze Oracle PeopleSoft Platform security;
2015: world-first public presentation about SAP Mobile Platform security
20. Possible Exposed SAP Servers in Africa
South Africa, Kenya, Nigeria
ShodanHQ Search: SAP
Google Search: SAP inurl:cmd=login
Google Search: peoplesoft inurl:cmd=login
Our Findings:
• Almost 5000 SAProuters were found on Shodan, and 85% of them were vulnerable to remote code execution.
• Almost 30% growth of web-based SAP solutions (90% growth of SAP Portal).
• The most popular release (35%) is still NetWeaver 7.0, which was released in 2005.
• One third of Internet-facing SAP web services do not use SSL at all.
• 42% of 549 PeopleSoft servers are vulnerable to TokenChpoken attacks (18 Fortune 500 companies and 25 enterprises on Forbes’ Global 2000 list are included; one of the world’s largest pharmaceutical companies is also at risk).
• The number of Internet-exposed services is 3-5 times lower (depending on the service) but still relevant.
May, 2015
21. Continuous Public Publishing of Vulnerabilities
Global Security Researchers
BUT
No Pentest Information Available
CVE?
CVSS ??
Risk Prioritization
• CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating the coverage of tools and services.
• CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.
23. ERPScan for
Enhance Security and Decrease TCO
All 3 Areas of SAP Security
Benefits Highlight
• Unique. The only award-winning solution to address 360-degree SAP security protection.
• Enterprise. Continuous monitoring of vast landscapes (fast implementation, easy to use, scalable). The largest and most detailed database of 7500+ SAP security checks.
• Industry-specific. Includes specific checks for different systems and industry solutions such as Oil and Gas, Retail, Banking and more.
• Cloud and SaaS support. Can be implemented as a virtual appliance, in the cloud or as SaaS.
• Agent-less. Doesn’t require any agents or modification of SAP platforms.
26. ERPScan for
Enhance Security and Decrease OPEX
Until now, NO other Solution
Benefits Highlight
• Unique. The only award-winning solution to address Oracle security protection.
• Enterprise. Continuous monitoring of vast landscapes with topological maps.
• Comprehensive coverage, industry-specific. The largest database of Oracle PeopleSoft critical issues and 0-days.
• Cloud and SaaS support. Can be implemented as a virtual appliance, in the cloud or as SaaS.
• Agent-less. Doesn’t require any agents or modification of Oracle PeopleSoft.