Invest in security to secure investments

Assess and Monitor SAP Security with ERPScan

About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)

ERPScan and SAP

“We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products”.

Senior Director, Head of Global Security Alliance Management, Product Security, Technology and Innovation Platform, SAP Labs, Palo Alto, USA

Business application security

All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at a victim’s ERP system and cause significant damage to the business.

Big companies

[Diagram: the interconnected systems of a large company - Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance Partners, Branches, BI, Industry, CRM, SRM]

SAP

•  The most popular business application
•  More than 250000 customers worldwide
•  83% of Forbes 500 companies run SAP
•  Main system – ERP
•  Platforms
-  NetWeaver ABAP
-  NetWeaver J2EE
-  BusinessObjects
-  SAP HANA

SAP Security threats: Espionage

•  Financial Data, Financial Planning (FI)
•  HR data, personal, contact details (HR)
•  Customer Lists
•  Corporate Secrets (PLM)
•  Supplier tenders (SRM)
•  Customer Lists (CRM)

Cyber criminals need only to gain access to one of the described systems to successfully steal critical information.

SAP Security threats: Sabotage

•  Denial of Service
–  Incurs huge costs
•  Data modification to cause damage
–  Delete critical information
•  SCADA Connections
–  Common to see connections between ERP and SCADA/MES/SmartGrid

SAP Security threats: Fraud

•  Manipulate automated transaction systems
•  Generate false payments
•  Move money
•  Salary modification
•  Material management fraud
•  Mistaken transactions

The Association of Certified Fraud Examiners estimates that corporations on average lose 6% of revenue to fraud (2013).

[Chart: number of SAP Security notes per year, 2001-2014, y-axis 0-900]

By April 2014 - 2974 SAP Security notes

SAP Security notes: DEMO

Attacks?

What can be next?

•  Just imagine what could be done by breaking:
•  One ERP system
•  All business applications of a company
•  All ERP systems in a particular country

Ease of development

It is very easy, by the way:

•  Price of a vulnerability is low
•  Patching is a nightmare
•  Generating an exploit is easy
•  Interconnection is high
•  Availability via the Internet

SAP NetWeaver ABAP - versions

[Chart: NetWeaver ABAP versions by popularity - 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004); shares shown: 35%, 23%, 19%, 11%, 6%, 5%]

The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!

Systems are highly interconnected

•  Systems are highly connected with each other by trust relationships
•  Even between companies they are connected by XI/PI systems
•  Remember also SSRF? (Attack on SAP XI from BlackHat)
•  http://cwe.mitre.org/data/definitions/918.html
•  Second place in Top 10 web application techniques 2012
•  Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems

DEMO

Business applications on the Internet

•  Companies have Portals, SRMs, CRMs remotely accessible
•  Companies connect different offices by ESB
•  SAP users are connected to SAP via SAPRouter
•  Administrators open management interfaces to the Internet for remote control

Business applications on the Internet

SAP HTTP Services can be easily found on the Internet:

•  inurl:/irj/portal
•  inurl:/IciEventService sap
•  inurl:/IciEventService/IciEventConf
•  inurl:/wsnavigator/jsps/test.jsp
•  inurl:/irj/go/km/docs/

SAP Router

•  Special application proxy
•  Transfers requests from the Internet to SAP (and not only)
•  Can work through VPN or SNC
•  Almost every company uses it for connecting to SAP to download updates
•  Usually listens on port 3299
•  Internet accessible (approximately 5000 IPs)
•  http://www.easymarketplace.de/saprouter.php

SAP Router: known issues

•  Absence of ACL – 15%
–  Possible to proxy any request to any internal address
•  Information disclosure about internal systems – 19%
–  Denial of service by specifying many connections to any of the listed SAP servers
–  Proxy requests to the internal network if there is no ACL
•  Insecure configuration, authentication bypass – 5%
•  Heap corruption vulnerability – 85%
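The ACL issues above (no effective ACL, proxying to any internal address) come down to the entries in the router's route permission table. Added example, not ERPScan's code and not part of saprouter: a checker for a saprouttab that flags permit-all and unreachable entries and simulates the first-match decision; it assumes the documented saprouttab syntax, top-down evaluation with an implicit final deny, and the sample table is constructed.

```python
"""Audit a saprouter route permission table (saprouttab) for the ACL
problems on the slide: a permit-all entry (effectively no ACL) and entries
that let any source reach any internal address.

Constructed example, not ERPScan's code and not part of saprouter. It
assumes the documented saprouttab format: one entry per line,
'<P|D|S> <source> <destination> <service> [password]', '#' comment lines,
'*' wildcards, CIDR for hosts, entries evaluated top-down with the first
match winning, and an implicit 'D * * *' after the last entry.
SNC entries (KP/KD/KS/KT) are out of scope and rejected rather than ignored.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
import ipaddress


@dataclass
class Rule:
    action: str      # P = permit, D = deny, S = permit SAP protocol only
    src: str
    dst: str
    service: str
    lineno: int


def parse_saprouttab(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: unsupported entry {raw!r}")
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3], lineno))
    return rules


def _host_match(pattern, host):
    if pattern == "*":
        return True
    if "/" in pattern:                      # CIDR entry, only matches IP literals
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch(host.lower(), pattern.lower())   # exact name or 10.0.*.* style


def decide(rules, src, dst, service):
    """Action saprouter would take for one connection: first match wins,
    nothing matching falls through to the implicit deny."""
    for r in rules:
        if (_host_match(r.src, src) and _host_match(r.dst, dst)
                and (r.service == "*" or r.service == service)):
            return r.action
    return "D"


def audit(rules):
    """Return (line number, severity, message) for each problematic entry."""
    findings = []
    catch_all = None
    for r in rules:
        if catch_all is not None:
            findings.append((r.lineno, "INFO",
                             f"unreachable: line {catch_all} already matches every connection"))
            continue
        wild = (r.src, r.dst, r.service) == ("*", "*", "*")
        if r.action in ("P", "S") and wild:
            findings.append((r.lineno, "CRITICAL",
                             "open proxy: any source may reach any host on any service"))
        elif r.action == "P" and r.dst == "*":
            findings.append((r.lineno, "HIGH",
                             f"{r.src} may open native connections to any internal address"))
        elif r.action == "P" and r.service == "*":
            findings.append((r.lineno, "MEDIUM",
                             f"no service restriction for {r.src} -> {r.dst}"))
        if wild:
            catch_all = r.lineno
    return findings


# Constructed table, not taken from a real system. Line 5 is the kind of
# leftover that turns a router into the "absence of ACL" case on the slide.
SAMPLE_TABLE = """\
# constructed route permission table
D  *                10.0.0.1     *
P  192.168.10.0/24  10.0.0.0/8   3200
S  *                sapserv3     3299
P  *                *            *
D  *                *            *
"""
RULES = parse_saprouttab(SAMPLE_TABLE)

if __name__ == "__main__":
    for lineno, severity, msg in audit(RULES):
        print(f"line {lineno}: {severity}: {msg}")
    print("203.0.113.7 -> 10.0.0.2:3300 ->", decide(RULES, "203.0.113.7", "10.0.0.2", "3300"))
```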
  
Port scan results

•  Are you sure that only the necessary SAP services are exposed to the Internet?
•  We were not
•  In 2011, we ran a global project to scan all of the Internet for SAP services
•  It is not completely finished yet, but we have the results for the top 1000 companies
•  We were shocked when we saw them first

Port scan results

[Bar chart: exposed services in 2011 vs. 2013 (y-axis 0-35) for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]

Listed services should not be accessible from the Internet

Why?

Why are there not many public examples of breaches if the situation is so bad?

Examples

•  Fraud – very popular inside companies, but you see only some incidents (nobody wants to share)
•  Sabotage – at this moment it may be easier to DDoS than to DoS, but we will see
•  Espionage – this is what we don't see much of, because it is designed to be unseen. You never know about it, especially if you don't enable logging

SAP Security Forensics

•  There is not so much info in public
•  Companies are not interested in publication of compromise
•  But the main problem is here:
–  How can you be sure that there was no compromise?
–  Only 10% of systems have the Security Audit Log enabled
–  Only a few of them analyze those logs
–  And much fewer do central storage and correlation

* Based on the assessment of over 250 servers of companies that allowed us to share results.

Percent of enabled log options

•  ICM log (icm/HTTP/logging_0) – 70%
•  Security audit log in ABAP – 10%
•  Table access logging (rec/client) – 4%
•  Message Server log (ms/audit) – 2%
•  SAP Gateway access log – 2%

* Based on the assessment of over 250 servers of companies that allowed us to share results.
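The log options in the list above are all profile parameters, so the same check can be run across a landscape by reading the profiles. Added example, not ERPScan's code or the product's: it merges DEFAULT.PFL with an instance profile and reports which of the five options are on; the parameter names rsau/enable (security audit log) and gw/logging (gateway log) are not on the slide and are assumed from standard NetWeaver ABAP profiles, and the profiles are constructed.

```python
"""Report which of the SAP log options from the slide are switched on,
read straight from the profile files.

Constructed example, not ERPScan's code. It assumes the plain
'parameter = value' profile syntax with '#' comment lines, and that an
instance profile overrides DEFAULT.PFL (later input wins). Two parameter
names are not on the slide and are assumed from standard NetWeaver ABAP
profiles: rsau/enable for the security audit log and gw/logging for the
gateway log. The sample profiles below are constructed.
"""


def parse_profile(text):
    """Parse one profile file into a {parameter: value} dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)      # values may themselves contain '='
        params[key.strip()] = value.strip()
    return params


def effective_parameters(*profiles):
    """Merge profiles in precedence order; a later profile overrides an earlier one."""
    merged = {}
    for text in profiles:
        merged.update(parse_profile(text))
    return merged


def _nonempty(value):          # option is on as soon as it is configured
    return bool(value)


def _positive(value):          # 0 (the default) is off, 1 or more is on
    try:
        return int(value) > 0
    except ValueError:
        return False


def _not_off(value):           # rec/client: OFF is off, ALL or a client list is on
    return value.upper() != "OFF"


# (display name, profile parameter, predicate that says whether it is on)
LOG_OPTIONS = [
    ("ICM HTTP log", "icm/HTTP/logging_0", _nonempty),
    ("Security audit log", "rsau/enable", _positive),
    ("Table access logging", "rec/client", _not_off),
    ("Message server audit log", "ms/audit", _positive),
    ("Gateway access log", "gw/logging", _nonempty),
]


def logging_status(params):
    """{option name: True/False}; a parameter that is absent is off (kernel default)."""
    status = {}
    for name, key, is_on in LOG_OPTIONS:
        value = params.get(key)
        status[name] = value is not None and is_on(value)
    return status


def missing_log_options(params):
    return [name for name, on in logging_status(params).items() if not on]


DEFAULT_PFL = """\
# constructed DEFAULT.PFL
SAPSYSTEMNAME = XYZ
rsau/enable = 0
rec/client = OFF
ms/audit = 0
"""

INSTANCE_PFL = """\
# constructed instance profile; rsau/enable here overrides DEFAULT.PFL
SAPSYSTEM = 00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/access_log,LOGFORMAT=SAP
rsau/enable = 1
rsau/selection_slots = 10
"""

if __name__ == "__main__":
    params = effective_parameters(DEFAULT_PFL, INSTANCE_PFL)
    for name, on in logging_status(params).items():
        print(f"{'ON ' if on else 'OFF'}  {name}")
```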
  
SAP Security Problems

•  How to protect ourselves from fraud and cyber-activities?
•  How to automate security checks for big landscapes?
•  How to decrease costs?
•  How to prioritize updates?

3 areas of SAP Security

2002
•  Business logic security (SOD)
•  Prevents attacks or mistakes made by insiders.
•  Solution: GRC

2008
•  ABAP Code security
•  Prevents attacks or mistakes made by developers
•  Solution: Code audit

2010
•  Application platform security.
•  Prevents unauthorized access both within the corporate network and from remote attackers.
•  Solution?

Long-awaited product

The only solution in the market to assess 3 tiers of SAP Security

[Diagram: product architecture - Connectors (ABAP, JAVA), Security audit module, ABAP code scan module, SOD module, Control, Output]

ERPScan Security Monitoring Suite

[Diagram: suite components - Connectors: ABAP, JAVA, Router, HANA, Oracle; Audit: Misconfigurations, Vulnerabilities, Critical access; ABAP code scan (ABAP code security analysis): Vulnerabilities, Backdoors, Efficiency; SoD: Role optimization, SoD, Critical privileges; Monitoring; Control functions: Users, Projects, Inventory; Output interfaces: Metrics, Risk assessment, Compliance, Reports]

ERPScan in details: Audit Module

•  System enumeration
•  Anonymous scan (pentest)
•  Exploitation
•  Whitebox scan
•  Configuration analysis
•  Access Control
•  Search for vulnerabilities
•  Compliance: SAP, ISACA, DSAG, EAS-SEC, PCI DSS, Industry (Oil and Gas)

Incredible Speed: Our completely revised engine can now analyze an SAP system with 5000 users for critical access and SOD matrix in 5-10 minutes on a good PC!

DEMO: ABAP code audit module

ABAP source code checks (120 different issues)

1. Critical kernel calls
2. Missing Auth in
   1. Transaction calls
   2. Report calls
   3. Table Reads
3. SQL Injections
4. Backdoors
5. Access to OS
6. Missing comments

+ Preconfigured critical functions
+ Improved dataflow analysis
+ Customizable critical functions

DEMO: SOD

•  Critical authorizations by business area
–  BASIS (ISACA list)
–  Revenue (ISACA list)
–  Fixed Assets (mixed list)
–  HR (mixed list)
•  SOD
–  Predefined matrix
–  Custom matrix
•  Role Optimization
+ Industry Solutions

Monitor

•  Compare results from different scans
•  Obtain high-level stats
•  Monitor security events

The built-in monitoring capability helps you to effectively manage the dynamics between different scans. You can schedule monitoring for the most critical parameters of SAP systems.

Business benefits: Stay secure

Prevent from cybercriminals: by continuously monitoring key security areas and automatic vulnerability assessment.

Prevent from insiders: by using our SOD module and analyzing all critical privileges and their segregations.

Prevent from developer mistakes: by code review of custom transactions and reports.

Business benefits: Save time

Easy implementation: in less than one hour you can start work after installing the system as software, a virtual appliance or SaaS.

Fast scans: with our new engine you can analyze more than 7000 parameters in 5 minutes.

Scalability: you can effectively monitor a huge number of systems from various locations and easily manage them from anywhere using a web browser.

Business benefits: Decrease expenses

Save on compliance: with integrated compliance modules on key recommendations from SAP, ISACA, DSAG and OWASP.

Save on manual assessment: with automatic monitoring of all security-related options.

Save on SAP security education: by using the integrated built-in knowledge base about SAP Security with detailed information and remediation steps.

Getting better every day

More than 7300 configuration checks

More than 2600 vulnerability checks

More than 110 issues in ABAP

Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP, JAVA, HANA

Sponsoring and Presenting

ERPScan featured in

Awards

About us

•  Leading SAP AG partner in discovering and solving security vulnerabilities
•  Found more than 250 (120 published) security vulnerabilities in SAP
•  Frequent speakers at 50+ top security conferences: BlackHat, RSA
•  Leads the EAS-SEC project focused on technical aspects of ERP security

The company’s expertise is based on research conducted by the ERPScan research center.

And also

We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.

web: erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com

SAP Forensics Detecting White Collar Cyber-crime
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
Providing a Holistic, Service-Oriented Infrastructure for Integration of Real...
Providing a Holistic, Service-Oriented Infrastructure for Integration of Real...Providing a Holistic, Service-Oriented Infrastructure for Integration of Real...
Providing a Holistic, Service-Oriented Infrastructure for Integration of Real...
 
AppSphere 15 - AppDynamics: Beyond APM - Building an Operations Center
AppSphere 15 - AppDynamics: Beyond APM - Building an Operations CenterAppSphere 15 - AppDynamics: Beyond APM - Building an Operations Center
AppSphere 15 - AppDynamics: Beyond APM - Building an Operations Center
 
Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwards
 
How To Optimize Data And Processes with AI/ ML and SAP Fiori
How To Optimize Data And Processes with AI/ ML and SAP Fiori How To Optimize Data And Processes with AI/ ML and SAP Fiori
How To Optimize Data And Processes with AI/ ML and SAP Fiori
 
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & TricksTop 5 .NET Challenges, Performance Monitoring Tips & Tricks
Top 5 .NET Challenges, Performance Monitoring Tips & Tricks
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerInception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
 
RPA Webinar Wise Men Solutions
RPA Webinar  Wise Men SolutionsRPA Webinar  Wise Men Solutions
RPA Webinar Wise Men Solutions
 

Recently uploaded

Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxPrakarsh -
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9Jürgen Gutsch
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 

Recently uploaded (20)

Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Program with GUTs
Program with GUTsProgram with GUTs
Program with GUTs
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptx
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9About .NET 8 and a first glimpse into .NET9
About .NET 8 and a first glimpse into .NET9
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 

Assess and monitor SAP security

  • 1. Invest in security to secure investments. Assess and Monitor SAP Security with ERPScan
  • 2. About ERPScan
    •  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
    •  Leader by the number of acknowledgements from SAP (150+)
    •  60+ presentations at key security conferences worldwide
    •  25 awards and nominations
    •  Research team - 20 experts with experience in different areas of security
    •  Headquarters in Palo Alto (US) and Amsterdam (EU)
  • 3. ERPScan and SAP
    "We would like to thank the world-class security experts of ERPScan for the highly qualified job performed to help us assess the security of our pre-release products."
    Senior Director, Head of Global Security Alliance Management, Product Security, Technology and Innovation Platform, SAP Labs, Palo Alto, USA
  • 4. Business application security
    All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in a company's ERP. This information can include financial, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at a victim's ERP system and can cause significant damage to the business.
  • 5. Big companies
    [Diagram: the interconnected landscape of a large company - Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance Partners, Branches, BI, Industry, CRM, SRM]
  • 6. SAP
    •  The most popular business application
    •  More than 250000 customers worldwide
    •  83% of Forbes 500 companies run SAP
    •  Main system - ERP
    •  Platforms:
      –  NetWeaver ABAP
      –  NetWeaver J2EE
      –  BusinessObjects
      –  SAP HANA
  • 7. SAP Security threats: Espionage
    •  Financial data, financial planning (FI)
    •  HR data, personal and contact details (HR)
    •  Customer lists
    •  Corporate secrets (PLM)
    •  Supplier tenders (SRM)
    •  Customer lists (CRM)
    Cyber criminals need only to gain access to one of the described systems to successfully steal critical information.
  • 8. SAP Security threats: Sabotage
    •  Denial of service
      –  Incurs huge costs
    •  Data modification to cause damage
      –  Delete critical information
    •  SCADA connections
      –  Common to see connections between ERP and SCADA/MES/SmartGrid
  • 9. SAP Security threats: Fraud
    •  Manipulate automated transaction systems
    •  Generate false payments
    •  Move money
    •  Salary modification
    •  Material management fraud
    •  Mistaken transactions
    The Association of Certified Fraud Examiners estimates that corporations on average lose 6% of revenue to fraud (2013).
  • 10. SAP Security notes
    [Chart: number of SAP Security notes per year, 2001-2014; y-axis 0-900]
    By April 2014 - 2974 SAP Security notes
  • 13. What can be next?
    •  Just imagine what could be done by breaking:
      –  One ERP system
      –  All business applications of a company
      –  All ERP systems in a particular country
  • 14. Ease of development
    It is very easy, by the way:
    •  Price of a vulnerability is low
    •  Patching is a nightmare
    •  Generating an exploit is easy
    •  Interconnection is high
    •  Availability via the Internet
  • 15. SAP NetWeaver ABAP - versions
    NetWeaver ABAP versions by popularity (legend order as on the slide's pie chart):
    •  35% - 7.0 EHP 0 (Nov 2005)
    •  23% - 7.0 EHP 2 (Apr 2010)
    •  19% - 7.0 EHP 1 (Oct 2008)
    •  11% - 7.3 (Jun 2011)
    •  6% - 6.2 (Dec 2003)
    •  5% - 6.4 (Mar 2004)
    The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
  • 16. Systems are highly interconnected
    •  Systems are highly connected with each other by trust relationships
    •  Even between companies they are connected by XI/PI systems
    •  Remember also SSRF? (Attack on SAP XI from BlackHat)
    •  http://cwe.mitre.org/data/definitions/918.html
    •  Second place in Top 10 web application techniques 2012
    •  Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems
  • 18. Business applications on the Internet
    •  Companies have Portals, SRMs, CRMs remotely accessible
    •  Companies connect different offices by ESB
    •  SAP users are connected to SAP via SAPRouter
    •  Administrators open management interfaces to the Internet for remote control
  • 19. Business applications on the Internet
    SAP HTTP services can be easily found on the Internet:
    •  inurl:/irj/portal
    •  inurl:/IciEventService sap
    •  inurl:/IciEventService/IciEventConf
    •  inurl:/wsnavigator/jsps/test.jsp
    •  inurl:/irj/go/km/docs/
  • 20. SAP Router
    •  Special application proxy
    •  Transfers requests from the Internet to SAP (and not only)
    •  Can work through VPN or SNC
    •  Almost every company uses it for connecting to SAP to download updates
    •  Usually listens on port 3299
    •  Internet accessible (approximately 5000 IPs)
    •  http://www.easymarketplace.de/saprouter.php
  • 21. SAP Router: known issues
    •  Absence of ACL - 15%
      –  Possible to proxy any request to any internal address
    •  Information disclosure about internal systems - 19%
      –  Denial of service by specifying many connections to any of the listed SAP servers
      –  Proxy requests to the internal network if there is no ACL
    •  Insecure configuration, authentication bypass - 5%
    •  Heap corruption vulnerability - 85%
  • 22. Port scan results
    •  Are you sure that only the necessary SAP services are exposed to the Internet?
    •  We were not
    •  In 2011, we ran a global project to scan all of the Internet for SAP services
    •  It is not completely finished yet, but we have the results for the top 1000 companies
    •  We were shocked when we first saw them
  • 23. Port scan results
    [Chart: exposed services in 2011 vs 2013 (scale 0-35) for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server, httpd, SAP Message Server, SAP Router]
    Listed services should not be accessible from the Internet.
  • 24. Why?
    Why are there not many public examples of breaches if the situation is so bad?
  • 25. Examples
    •  Fraud - very popular inside companies, but you see only some incidents (nobody wants to share)
    •  Sabotage - at this moment maybe easier to DDoS than DoS, but we will see
    •  Espionage - this is what we don't see much of, because it is designed to be unseen. You never know about it, especially if you don't enable logging
  • 26. SAP Security Forensics
    •  There is not much info in public
    •  Companies are not interested in publication of a compromise
    •  But the main problem is here:
      –  How can you be sure that there was no compromise?
      –  Only 10% of systems have the Security Audit Log enabled
      –  Only a few of them analyze those logs
      –  And far fewer do central storage and correlation
    * Based on the assessment of over 250 servers of companies that allowed us to share results.
  • 27. Percent of enabled log options
    •  ICM log icm/HTTP/logging_0 - 70%
    •  Security audit log in ABAP - 10%
    •  Table access logging rec/client - 4%
    •  Message Server log ms/audit - 2%
    •  SAP Gateway access log - 2%
    * Based on the assessment of over 250 servers of companies that allowed us to share results.
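The five log options on the slide are all profile parameters, so a defender can check them without a scanner. The script below is an added example (not ERPScan's code): it parses the plain "key = value" layout of an SAP instance profile and reports each option as on or off. Two constructed profiles are embedded, one that mirrors the slide's picture (only the ICM log on) and one with every option enabled. The parameter names icm/HTTP/logging_0, rec/client and ms/audit come from the slide; rsau/enable and gw/logging are the standard parameters for the other two options, and the "enabled" criteria and hardened sample values are illustrative assumptions to be verified against SAP's documentation for your release.

```python
"""Audit which of the five SAP log options from the slide are enabled.

Added example, not ERPScan's code. It parses the plain "key = value" layout
of an SAP instance/default profile and reports each logging option as on or
off. The "enabled" criteria and the hardened sample values are illustrative
assumptions, not an official SAP baseline.
"""
from typing import Dict, List, NamedTuple, Optional

# Constructed weak profile: only the ICM access log is on, matching the
# picture on the slide (audit log, table logging, MS and gateway logs off).
WEAK_PROFILE = """\
# instance profile PRD_DVEBMGS00_sapprd (constructed sample)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAPSMD
rsau/enable = 0
rec/client = OFF
ms/audit = 0
"""

# Constructed hardened profile with every option switched on. Note that
# rsau/enable only activates the Security Audit Log; the audit filters still
# have to be defined (SM19 / RSAU_CONFIG) before anything is recorded.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAPSMD
rsau/enable = 1
rec/client = ALL
ms/audit = 1
gw/logging = ACTION=SsPXZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
"""


class Finding(NamedTuple):
    parameter: str
    purpose: str
    value: Optional[str]   # None when the parameter is not set at all
    enabled: bool


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; lines starting with '#' are comments.
    Values may themselves contain '=' (gw/logging), so split on the first."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def _is_set(value: Optional[str]) -> bool:
    return value is not None and value != ""


# (parameter, purpose, predicate telling whether the value means "on")
LOG_OPTIONS: List[tuple] = [
    ("icm/HTTP/logging_0", "ICM HTTP access log", _is_set),
    ("rsau/enable", "Security Audit Log (ABAP)", lambda v: v == "1"),
    ("rec/client", "Table change logging",
     lambda v: _is_set(v) and v.upper() != "OFF"),
    ("ms/audit", "Message Server audit log",
     lambda v: _is_set(v) and v != "0"),
    ("gw/logging", "SAP Gateway access log",
     lambda v: _is_set(v) and "ACTION=" in v.upper()),
]


def audit_logging(profile_text: str) -> List[Finding]:
    """Return one Finding per log option, in slide order."""
    params = parse_profile(profile_text)
    findings = []
    for name, purpose, is_on in LOG_OPTIONS:
        value = params.get(name)
        findings.append(Finding(name, purpose, value, bool(is_on(value))))
    return findings


def disabled_options(profile_text: str) -> List[str]:
    """Log options a reviewer would raise: switched off or not set at all."""
    return [f.parameter for f in audit_logging(profile_text) if not f.enabled]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: disabled log options -> {disabled_options(text)}")
```

Run against the weak profile it lists four disabled options; against the hardened one it lists none. The profile parsing deliberately treats a missing parameter the same as an explicit "off", since a parameter that is absent from every profile falls back to the kernel default, which for these options means no logging.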
  • 28. SAP Security Problems
    •  How to protect ourselves from fraud and cyber-activities?
    •  How to automate security checks for big landscapes?
    •  How to decrease costs?
    •  How to prioritize updates?
  • 29. 3 areas of SAP Security
    •  2002 - Business logic security (SOD). Prevents attacks or mistakes made by insiders. Solution: GRC
    •  2008 - ABAP code security. Prevents attacks or mistakes made by developers. Solution: code audit
    •  2010 - Application platform security. Prevents unauthorized access both within the corporate network and from remote attackers. Solution?
  • 30. Long-awaited product
    The only solution on the market to assess 3 tiers of SAP Security
  • 31. ERPScan Security Monitoring Suite
    [Diagram: Connectors (ABAP, JAVA) feeding the Security audit module, ABAP code scan module and SOD module, with Control and Output on top]
  • 32. ERPScan in details
    ABAP code security analysis
    [Diagram: Connectors - ABAP, JAVA, Router, HANA, Oracle; Output interfaces - Metrics, Risk assessment, Compliance, Reports; Control functions - Users, Projects, Inventory; Audit - Misconfigurations, Vulnerabilities, Critical access; ABAP code scan - Vulnerabilities, Backdoors, Efficiency; SoD - Role optimization, SoD, Monitoring, Critical privileges]
  • 33. Audit Module
    •  System enumeration
    •  Anonymous scan (pentest)
    •  Exploitation
    •  Whitebox scan
    •  Configuration analysis
    •  Access control
    •  Search for vulnerabilities
    •  Compliance: SAP, ISACA, DSAG, EAS-SEC, PCI DSS, Industry (Oil and Gas)
    Incredible speed: our completely revised engine can now analyze an SAP system with 5000 users for critical access and the SOD matrix in 5-10 minutes on a good PC!
  • 35. DEMO ABAP code audit module
    ABAP source code checks (120 different issues):
    1. Critical kernel calls
    2. Missing auth in:
      1. Transaction calls
      2. Report calls
      3. Table reads
    3. SQL injections
    4. Backdoors
    5. Access to OS
    6. Missing comments
    + Preconfigured critical functions
    + Improved dataflow analysis
    + Customizable critical functions
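To make the first three check classes on that slide concrete, here is an added example (not ERPScan's scanner) of what a minimal rule-based ABAP check does. It walks the FORM/FUNCTION/METHOD units of a constructed ABAP sample and flags a critical kernel call (CALL 'SYSTEM'), a CALL TRANSACTION with no AUTHORITY-CHECK anywhere in the same unit, and a dynamic WHERE clause, which is the usual SQL injection sink when the condition string comes from user input. The regexes and the rule names are assumptions of this example; a production scanner needs a real parser plus the dataflow analysis the slide mentions, because a dynamic WHERE built from a constant is harmless and this heuristic cannot tell the difference.

```python
"""Heuristic ABAP source checks for three of the issue classes on the slide.

Added example, not ERPScan's scanner. Regex heuristics only: a real scanner
needs a parser and dataflow analysis to tell tainted from constant input.
"""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed ABAP sample: three units with issues, one done correctly.
SAMPLE_ABAP = """\
REPORT zdemo_checks.

FORM run_tx.
  " no AUTHORITY-CHECK guards this call
  CALL TRANSACTION 'SM30'.
ENDFORM.

FORM exec_os USING iv_cmd TYPE string.
  CALL 'SYSTEM' ID 'COMMAND' FIELD iv_cmd.   " critical kernel call
ENDFORM.

FORM read_users USING iv_where TYPE string.
  DATA lt_usr TYPE TABLE OF usr02.
  SELECT * FROM usr02 INTO TABLE lt_usr WHERE (iv_where).
ENDFORM.

FORM safe_tx.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SM30'.
  IF sy-subrc = 0.
    CALL TRANSACTION 'SM30'.
  ENDIF.
ENDFORM.
"""


class Finding(NamedTuple):
    unit: str
    line: int       # 1-based line number in the source
    rule: str


UNIT_START = re.compile(r"^\s*(FORM|FUNCTION|METHOD)\s+(\S+)", re.I)
UNIT_END = re.compile(r"^\s*END(FORM|FUNCTION|METHOD)\b", re.I)
KERNEL_CALL = re.compile(r"\bCALL\s+'SYSTEM'", re.I)
CALL_TX = re.compile(r"\bCALL\s+TRANSACTION\b", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)
DYNAMIC_WHERE = re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)


def strip_comment(line: str) -> str:
    """Drop ABAP comments: '*' in column 1 or '"' to end of line.
    (Ignores a '"' inside a string literal; good enough for a heuristic.)"""
    if line.startswith("*"):
        return ""
    return line.split('"', 1)[0]


def split_units(source: str) -> Iterator[Tuple[str, List[Tuple[int, str]]]]:
    """Yield (unit_name, [(line_no, code)]) for each FORM/FUNCTION/METHOD."""
    name, body = None, []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        start = UNIT_START.match(code)
        if start and name is None:
            name, body = start.group(2).rstrip("."), []
            continue
        if UNIT_END.match(code) and name is not None:
            yield name, body
            name, body = None, []
            continue
        if name is not None:
            body.append((no, code))


def scan_abap(source: str) -> List[Finding]:
    """Apply the three rules to every unit; the auth rule is unit-scoped."""
    findings: List[Finding] = []
    for unit, lines in split_units(source):
        has_auth = any(AUTH_CHECK.search(code) for _, code in lines)
        for no, code in lines:
            if KERNEL_CALL.search(code):
                findings.append(Finding(unit, no, "critical-kernel-call"))
            if CALL_TX.search(code) and not has_auth:
                findings.append(Finding(unit, no, "call-transaction-without-auth-check"))
            if DYNAMIC_WHERE.search(code):
                findings.append(Finding(unit, no, "dynamic-where-possible-sqli"))
    return findings


if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"{f.unit}:{f.line}: {f.rule}")
```

The comment stripping matters: the first FORM contains the words AUTHORITY-CHECK only inside a comment, and the scanner still reports it, while safe_tx, which performs the check before the call, produces no finding.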
  • 36. DEMO SOD
    •  Critical authorizations by business area
      –  BASIS (ISACA list)
      –  Revenue (ISACA list)
      –  Fixed Assets (mixed list)
      –  HR (mixed list)
    •  SOD
      –  Predefined matrix
      –  Custom matrix
    •  Role optimization
    + Industry solutions
  • 38. Monitor
    •  Compare results from different scans
    •  Obtain high-level stats
    •  Monitor security events
    The built-in monitoring capability helps you to effectively manage the dynamics between different scans. You can schedule monitoring for the most critical parameters of SAP systems.
  • 39. Business benefits: Stay secure
    •  Prevent cybercriminals - by continuously monitoring key security areas and automatic vulnerability assessment.
    •  Prevent insiders - by using our SOD module and analyzing all critical privileges and their segregation.
    •  Prevent developer mistakes - by code review of custom transactions and reports.
  • 40. Business benefits: Save time
    •  Easy implementation - in less than one hour you can start work after installing the system as software, a virtual appliance or SaaS.
    •  Fast scans - with our new engine you can analyze more than 7000 parameters in 5 minutes.
    •  Scalability - you can effectively monitor a huge number of systems from various locations and easily manage them from anywhere using a web browser.
  • 41. Business benefits: Decrease expenses
    •  Save on compliance - with integrated compliance modules on key recommendations from SAP, ISACA, DSAG and OWASP.
    •  Save on manual assessment - with automatic monitoring of all security-related options.
    •  Save on SAP security education - by using the integrated built-in knowledge base about SAP Security with detailed information and remediation steps.
  • 42. Getting better every day
    •  More than 7300 configuration checks
    •  More than 2600 vulnerability checks
    •  More than 110 issues in ABAP
    •  Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP, JAVA, HANA
  • 44. ERPScan featured in
    [Logos of media outlets]
  • 46. About us
    •  Leading SAP AG partner in discovering and solving security vulnerabilities
    •  Found more than 250 (120 published) security vulnerabilities in SAP
    •  Frequent speakers at 50+ top security conferences: BlackHat, RSA
    •  Leads the EAS-SEC project focused on technical aspects of ERP security
    The company expertise is based on research conducted by the ERPScan research center.
  • 47. And also
    We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
    web: erpscan.com
    e-mail: info@erpscan.com, sales@erpscan.com