Mobile Trends And The New Threats - Is Your SAP System Vulnerable to Cyber Attacks?
1. Mobile Trends And The New Threats
Is Your SAP System Vulnerable to Cyber Attacks?
Stephen Lamy, Virtual Forge
2. Agenda
Mobile Trends and The New Threats
The Forgotten Layer
Benchmarks of Defects in Custom ABAP
What Can Go Wrong?
Security Standards
3. Virtual Forge
Founded in 2001
CodeProfiler released 2008, SystemProfiler released 2013
Patented Data and Control Flow Analysis for ABAP
Gartner:
• Magic Quadrant for Application Security Testing
• Leading vendor for ABAP Security
• Cool Vendor 2011
Heidelberg, Weimar and Philadelphia
Experts in the field of SAP® system and application security and quality
4. Mobile Trends and the new Threats
The Forgotten Layer
Benchmarks of Defects in Custom ABAP
What Can Go Wrong?
Security Standards
Agenda
5. Going Mobile ... and the Key Threats
Access from anywhere
Hostile environment (public)
Attractive target for attackers
Increased attack surface
Extensive access to corporate information
New features added daily
Source: Dimension Research – “The impact of mobile devices on information security”
6. Attack Vectors against Mobiles
Source: Fraunhofer SIT: “How Smartphones and Co. may be Cheating on you”
7. Facts
McAfee Threats Report: First Quarter 2013
“… the total number of samples in our mobile malware ‘zoo’ reached 50,926, with 28 percent of that arriving in 2013” (note: this is the Q1 report, so the 2013 figure covers Q1 only!)
“… IP addresses in the United States are again both the source and the target of most malicious network activity.”
8. Facts (continued)
Attacks on mobile devices focus on either:
Using the mobile device to steal sensitive data
Obtaining access credentials for backend systems
Apple: “50% of smartphone users do not set up a passcode”
Phishing
“Companies from the United States are the most targeted, suffering 80 percent of all attacks.”
Phishing by country: (chart not reproduced)
9. Mobile Trends and the new Threats
The Forgotten Layer
Benchmarks of Defects in Custom ABAP
What Can Go Wrong?
Security Standards
Agenda
10. ALL Mobile apps eventually call ABAP programs
Diagram: Java, HTML and C++ applications (and others) reach SAP through the Mobile Gateway; where the data comes from is ABAP, reached via RFC/BAdI.
15. SAP security must be addressed holistically
Business run-time apps must properly enforce business logic.
GRC & SoD are only effective if they are enforced within the applications.
The Forgotten Layer – Business Runtime (layer diagram, bottom to top): Operating System, Database, Business Runtime, Business Logic
16. SAP System Security Tests
Testing of >550 SAP systems (including some of the largest organizations of the world)
Over 95% of the systems analyzed were exposed to espionage, sabotage and fraud attacks
None of the evaluated SAP systems were fully updated with the latest SAP security patches
Most of these exploitable vulnerabilities have been publicly known to SAP customers for more than 5 years
Source: Onapsis-BlackHat 2012
18. Never Trust the Other Side! – Security Paradigm
Unsecured devices have access to sensitive backend systems (e.g. BYOD)
93% have mobile devices connected to their corporate networks
The attacks against mobiles continue to rise dramatically
52% of large companies say the cost of mobile security incidents last year exceeded $500,000
45% have more than five times as many personal mobile devices as they had two years ago, a 36% increase from 2012
Best Practice:
Stringently enforce device-level security
Test and validate the complete application and data processing
20. Mobile Trends and the new Threats
The Forgotten Layer
Benchmarks of Defects in Custom ABAP
What Can Go Wrong?
Security Standards
Agenda
21. Source of Defects
Little/no technical specifications
Manual/Basic code reviews
Testing focused on functional aspects
External/3rd Party development
Limited/no code change monitoring
22. Definitions
Average (Arithmetic Mean):
Median: the value in the middle when the numbers are sorted. Example: 1, 2, 3, 100, 101 → Median = 3
LOC = Lines of Code (without comments and empty lines)
KLOC = 1 thousand LOC
MLOC = 1 million LOC
23. Benchmark Data
As of: July, 2013
# of Systems: 88
Total LOC: 156,443,087
Namespaces: All custom ABAP code
(Y*,Z*, 3rd-Party namespaces, BADIs,…)
Test Case Domains: Security, Compliance, Performance, Maintainability, Robustness
24. Custom ABAP Benchmarks
Benchmark Statistics
Metric                                                      Average     Median
Source Code Lines (LOC, without comments and empty lines)   1,862,418   1,032,539
Comments                                                    596,059     325,931
Inline Comments                                             122,876     63,892
Percentage of Comments in Analyzed Lines                    28%         28%
Pragmas                                                     5,119       1,621
Average Module Size (LOC)                                   53          52
25. Critical Defects at the Average Customer
Benchmarks of Critical Defects
Domain                           Average   Median   Per KLOC (Average)
Security (Critical only)           1,475      903   0.79
Compliance (Critical only)           270       93   0.14
Performance (Critical only)        1,171    1,016   0.63
Maintainability (Critical only)      415        0   0.22
Robustness (Critical only)         1,586      427   0.85
Reference: Source Code Lines (LOC, without comments and empty lines): Average 1,862,418, Median 1,032,539
26. Critical Defects at the Average Customer
1 critical security or compliance defect in every ~1,000 lines of ABAP code
Probabilities:
ABAP Command Injection 50%
Authorization Issue 100%
Directory Traversal 93%
27. Security Defects: Top 20
Test Case
Missing AUTHORITY-CHECK before CALL TRANSACTION
Missing AUTHORITY-CHECK in Reports
Directory Traversal (Write Access)
Hard-coded SAP System ID Checks (sy-sysid)
Missing AUTHORITY-CHECK in RFC-Enabled Functions
Dangerous ABAP Commands
Directory Traversal (Read Access)
File Upload (SAP GUI)
Hard-coded SAP Client Checks (sy-mandt)
File Download (SAP GUI)
Generic RFC Destinations
OSQL Injection (Read Access)
Broken AUTHORITY-CHECKs
Generic Table Query (Write Access)
Generic ABAP Module Calls
Exposed Kernel Calls
Cross-Site Scripting
ABAP Command Injection (report)
ABAP Command Injection (program)
Hard-coded Passwords
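The Top 20 list above and the per-KLOC density on the benchmark slide are easiest to grasp with a small worked example. The following Python is added here and is neither code from the deck nor Virtual Forge's CodeProfiler: a deliberately simple line-pattern scanner (no data or control flow analysis) that flags three of the Top 20 patterns in a constructed ABAP sample, counts LOC by the deck's definition, and computes defects per KLOC. The sample program, the regexes and the function names are assumptions made for this illustration.

```python
import re

# Constructed ABAP sample, not from the deck: lines 4-7 carry three Top-20 patterns, the FORM shows the accepted shape.
SAMPLE_ABAP = """\
REPORT z_demo.
PARAMETERS p_tcode TYPE sy-tcode.
PARAMETERS p_file  TYPE string.
IF sy-sysid = 'PRD'.
  CALL TRANSACTION p_tcode.
ENDIF.
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
FORM safe_call USING iv_tcode TYPE sy-tcode.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD iv_tcode.
  IF sy-subrc = 0.
    CALL TRANSACTION iv_tcode WITH AUTHORITY-CHECK.
  ENDIF.
ENDFORM.
"""

CALL_TA   = re.compile(r"^\s*CALL\s+TRANSACTION\b(?P<rest>.*)", re.I)
AUTH_CHK  = re.compile(r"^\s*AUTHORITY-CHECK\s+OBJECT\b", re.I)
HARDCODED = re.compile(r"\bsy-(sysid|mandt)\s*(=|<>|EQ|NE)\s*'", re.I)
OPEN_DS   = re.compile(r"^\s*OPEN\s+DATASET\s+(?P<path>\S+)", re.I)

def count_loc(source: str) -> int:
    """LOC as the deck defines it: no empty lines, no comment lines (* or \")."""
    return sum(1 for l in source.splitlines()
               if l.strip() and not l.lstrip().startswith(("*", '"')))

def scan(source: str, window: int = 5) -> list[tuple[int, str]]:
    """Return (line number, test case) for each suspicious statement."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines, start=1):
        if HARDCODED.search(line):
            findings.append((i, "Hard-coded sy-sysid/sy-mandt check"))
        m = CALL_TA.match(line)
        if m and "AUTHORITY-CHECK" not in m.group("rest").upper():
            # Look back a few statements for an explicit AUTHORITY-CHECK.
            recent = lines[max(0, i - 1 - window):i - 1]
            if not any(AUTH_CHK.match(p) for p in recent):
                findings.append((i, "Missing AUTHORITY-CHECK before CALL TRANSACTION"))
        m = OPEN_DS.match(line)
        if m and not m.group("path").startswith("'"):
            findings.append((i, "Directory Traversal (variable path)"))
    return findings

def per_kloc(defects: int, loc: int) -> float:
    """Defect density as on the benchmark slide: defects per 1,000 LOC."""
    return defects / (loc / 1000)
```

With the slide's figures, per_kloc(1475, 1862418) reproduces the 0.79 security defects per KLOC; a real scanner also needs to follow the data flow from the PARAMETERS into the CALL TRANSACTION and OPEN DATASET statements, which this pattern check deliberately does not.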
28. Mobile Trends and the new Threats
The Forgotten Layer
Benchmarks of Defects in Custom ABAP
What Can Go Wrong?
Security Standards
Agenda
29. Free Benchmark Scan of Your ABAP Code
• Summary of findings
• Prioritization of found vulnerabilities
• Specific examples of findings from your own code
• Code metrics
• Benchmark (on request)
Diagram: your ABAP™ code is scanned in the domains Robustness & Maintainability, Performance, Data Loss Prevention, and Security & Compliance (What Can Go Wrong?)
Register Here for a Free Benchmark Scan
30. Mobile Trends and the new Threats
The Forgotten Layer
Benchmarks of Defects in Custom ABAP
What Can Go Wrong?
Security Standards
Agenda
31. Security Guidelines for SAP
Culture
• Increase awareness of the need for SAP Security (for example, through workshops)
• Provide security training (Developer, Administrator, User, etc.)
Organization
• Make SAP Security an integral part of your corporate security strategy
• Develop company and partner security standards and processes that are binding!
Compliance
• Make security a prerequisite for all SAP projects
• Test that all delivered applications comply with security standards
• Add SAP Security to your audit activities
32. Security Guidelines for SAP – continued
Technology
• Implement automated testing into your change control process to enable faster detection and remediation of security and quality defects
Cost Awareness
• The earlier that defects are found, the less they cost to correct
Cost of correcting a single defect when found in:
Unit testing (DEV) = $100
User Testing (QA) = $1,000
In productive system (PROD) = $10,000
After system failure, attack, … = $??????
33. Protecting Against Security Defects
BIZEC APP/11 Standard Security Tests
ID      Vulnerability                                                    Description
APP-01  ABAP Command Injection                                           Execution of arbitrary ABAP Commands
APP-02  OS Command Injection                                             Execution of arbitrary OS Commands
APP-03  Native SQL Injection                                             Execution of arbitrary SQL Commands
APP-04  Improper Authorization (Missing, Broken, Proprietary, Generic)   Missing or incorrect Authorization Checks
APP-05  Directory Traversal                                              Unauthorized write/read access to files (SAP Server)
APP-06  Direct Database Modifications                                    Unauthorized Access to SAP Standard Tables
APP-07  Cross-Client Database Access                                     Cross-Client Access to Business Data
APP-08  Open SQL Injection                                               Malicious Manipulation of OSQL Commands
APP-09  Generic Module Execution                                         Unauthorized Execution of Modules (Reports, FMs, etc.)
APP-10  Cross-Site Scripting                                             Manipulation of the Browser UI, Identity Theft
APP-11  Obscure ABAP Code                                                Hidden / untestable ABAP Code
34. LEARNING POINTS
Attacks on mobile devices are rising exponentially.
The growth of externally facing (Web, mobile, etc.) applications has increased the diligence required of companies to ensure that their SAP systems are safe and stable.
Custom ABAP and 3rd party code often have a relatively high number of defects that can introduce serious risks to your SAP production systems.
Manual code reviews and basic tools offer no real protection at a relatively high cost.
35. RETURN ON INVESTMENT
Implementing automated testing into your change control process will enable faster detection and remediation of security and quality defects.
The earlier that defects are found, the less they cost to correct.
Cost of correcting a single defect when found in:
Unit testing (DEV) = $100
User Testing (QA) = $1,000
In productive system (PROD) = $10,000
After system failure, attack, … = $??????
36. BEST PRACTICES
Enforce stringent security and quality standards for all custom and 3rd party code – add them to contracts!
Implement change control procedures that include automatic testing of all ABAP changes before importing to productive systems.