SlideShare uma empresa Scribd logo

Importance of Applying SAP Security Notes

J
jvandevis

This document discusses the importance of applying SAP security notes to reduce risks in SAP systems. It provides background on ERP-SEC, an expert in SAP security assessments. SAP has released over 4,000 security patches to date, with 20+ added each month. However, many companies do not apply security notes on a monthly basis, leaving systems vulnerable for months or years. Automating the application of high priority security notes can help improve security while saving time and resources.

Tecnologia
1 de 21
Baixar para ler offline
The importance of applying SAP Security notes
Who we are WWW.PROTECT4S.COMWWW.PROTECT4S.COM “ERP-SEC works closely together with SAP to reduce risk in their customers systems. ERP-SEC was invited twice by SAP’s global security team in Walldorf to present on their ongoing SAP Security research” ERP Security • Experts in SAP Security assessments and hardening • Worldwide top 5 found SAP Security research • Regular presenters on SAP Security • Developer Protect4S • Founded in 2010 • Several business partners in BeNeLux • Our mission is to raise the level of security of mission-critical SAP platforms with a minimal impact on daily business. Affiliations: Partners:
The Why WWW.PROTECT4S.COMWWW.PROTECT4S.COM Introduction • SAP Security notes, patching and it’s part in securing SAP systems • People involved in patching in the room? • Results security assessments over the years • Why? Fraud Sabotage Theft
WWW.PROTECT4S.COMWWW.PROTECT4S.COM Something about SAP • Market leader in enterprise application software • ~ 300.000 customers worldwide • SAP customers include: – 87% of the Forbes Global 2000 companies – 98% of the 100 most valued brands • Headquarters: Walldorf, Germany, offices in more than 130 countries • Founded April 1, 1972 • Over 75.000 employees worldwide • 74% of the world’s transaction revenue touches an SAP system • Bottomline: Interesting Target! Source: http://www.sap.com/bin/sapcom/en_us/downloadasset.2016-01-jan-26-01.SAP-Corporate-Fact-Sheet-En-20160126-pdf.bypassReg.html
WWW.PROTECT4S.COMWWW.PROTECT4S.COM Some numbers SAP has released 4000+ security patches to date. Each month 20+ are added to that number In 2017 alone 268 Security notes were released where 44 have priority HIGH or HOTNEWS Over 90% of the SAP systems we have assessed over the past 7 years, contained vulnerabilities that could lead to a full compromise. Proper vulnerability management could have prevented this in most cases.
SAP Security notes WWW.PROTECT4S.COMWWW.PROTECT4S.COM 0 100 200 300 400 500 600 700 800 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Findings of SAP and external researchers resulted in many patches: > 4000 SAP SECURITY NOTES in total to date
Demotime – Game Over WWW.PROTECT4S.COMWWW.PROTECT4S.COM Game over… Demotime
Just 1 missing SAP note… WWW.PROTECT4S.COMWWW.PROTECT4S.COM
Long Risk window WWW.PROTECT4S.COMWWW.PROTECT4S.COM Typically seen at customers (no joke) • Customers apply SP Stack once every year or less • Some do SAP Security notes in between • Many do not apply SAP Security notes on monthly basis • Risk-window is long; months or even years (Keep in mind: SAP Security notes are easy to Reverse Engineer)
Some numbers WWW.PROTECT4S.COMWWW.PROTECT4S.COM But what do they mean? • 42 • 895 Min. number of days it took SAP to fix one of our >70 reported issues Max. number of days it took SAP to fix one of our >70 reported issues
Long Risk window WWW.PROTECT4S.COMWWW.PROTECT4S.COM
Long Risk window WWW.PROTECT4S.COMWWW.PROTECT4S.COM
SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
Patch management challenges WWW.PROTECT4S.COMWWW.PROTECT4S.COM A challenge for SAP customers • Testing • Securing SAP systems is complex and time consuming • Time-consuming task: implementing SAP Security notes • Up-to-now a manual, repetitive task • SAP notes released on a monthly base by dozens • Awareness • Time • Budget • Knowledge • ….
Solutions WWW.PROTECT4S.COMWWW.PROTECT4S.COM To know what SAP Security notes you are missing there are a few options: • SAP Marketplace – Security notes launchpad • SAP Solution Manager – System Recommendations • 3rd party tooling Check applicable SAP Security notes on a monthly basis and apply at least the high risk ones
SAP Security notes WWW.PROTECT4S.COMWWW.PROTECT4S.COM Concluding • SAP has the patches, customers need to take action • SAP Infrastructures and their security are often complex and work cannot be done manually (anymore). Automate this to be effective and efficient • 1 single missing SAP Security Note can lead to a fully compromised SAP system and all data it contains • Repetitive mitigation activities wrt SAP Security notes can be automated to some extend to save on time and money and to raise the level of security • But in order to secure SAP infrastructures do not solely focus on patching
Discussion WWW.PROTECT4S.COMWWW.PROTECT4S.COM Alternative solutions? The cloud? Managed cloud? SAP public cloud? ….
Disclaimer WWW.PROTECT4S.COMWWW.PROTECT4S.COM SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2017 ERP Security BV.
n WWW.PROTECT4S.COM

Recomendados

SPS Baltimore 2017 - Office 365 Security Hardening with cFocus Software
SPS Baltimore 2017 - Office 365 Security Hardening with cFocus SoftwareSPS Baltimore 2017 - Office 365 Security Hardening with cFocus Software
SPS Baltimore 2017 - Office 365 Security Hardening with cFocus SoftwareJasson Walker
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects AttacksOnapsis Inc.
 
Protect4S - Seguridad total en sus sistemas SAP
Protect4S - Seguridad total en sus sistemas SAPProtect4S - Seguridad total en sus sistemas SAP
Protect4S - Seguridad total en sus sistemas SAPTomas Martinez
 
How NetSuite Moves Financial Management of the Business From Tactical to Stra...
How NetSuite Moves Financial Management of the Business From Tactical to Stra...How NetSuite Moves Financial Management of the Business From Tactical to Stra...
How NetSuite Moves Financial Management of the Business From Tactical to Stra...Net at Work
 
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
D3NY17- Customizing Incapsula to Accommodate Single Sign-OnD3NY17- Customizing Incapsula to Accommodate Single Sign-On
D3NY17- Customizing Incapsula to Accommodate Single Sign-OnImperva Incapsula
 
D3NY17 - Migrating to the Cloud
D3NY17 - Migrating to the CloudD3NY17 - Migrating to the Cloud
D3NY17 - Migrating to the CloudImperva Incapsula
 
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Symmetry™
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 

Recomendados

SPS Baltimore 2017 - Office 365 Security Hardening with cFocus Software
SPS Baltimore 2017 - Office 365 Security Hardening with cFocus SoftwareSPS Baltimore 2017 - Office 365 Security Hardening with cFocus Software
SPS Baltimore 2017 - Office 365 Security Hardening with cFocus SoftwareJasson Walker
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects AttacksOnapsis Inc.
 
Protect4S - Seguridad total en sus sistemas SAP
Protect4S - Seguridad total en sus sistemas SAPProtect4S - Seguridad total en sus sistemas SAP
Protect4S - Seguridad total en sus sistemas SAPTomas Martinez
 
How NetSuite Moves Financial Management of the Business From Tactical to Stra...
How NetSuite Moves Financial Management of the Business From Tactical to Stra...How NetSuite Moves Financial Management of the Business From Tactical to Stra...
How NetSuite Moves Financial Management of the Business From Tactical to Stra...Net at Work
 
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
D3NY17- Customizing Incapsula to Accommodate Single Sign-OnD3NY17- Customizing Incapsula to Accommodate Single Sign-On
D3NY17- Customizing Incapsula to Accommodate Single Sign-OnImperva Incapsula
 
D3NY17 - Migrating to the Cloud
D3NY17 - Migrating to the CloudD3NY17 - Migrating to the Cloud
D3NY17 - Migrating to the CloudImperva Incapsula
 
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Symmetry™
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
Providence: rapid vulnerability prevention
Providence: rapid vulnerability preventionProvidence: rapid vulnerability prevention
Providence: rapid vulnerability preventionSalesforce Engineering
 
D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?Imperva Incapsula
 
Devops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevSecCon
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksOnapsis Inc.
 
From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaDevSecCon
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSOnapsis Inc.
 
SanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems ManagementSanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems ManagementSecPod Technologies
 
Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageShifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageDevOps.com
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise server
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise serverGWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise server
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise serverGWAVA
 
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWise
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWiseGWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWise
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWiseGWAVA
 
12 Days of Coding Errors
12 Days of Coding Errors12 Days of Coding Errors
12 Days of Coding ErrorsErika Barron
 
D3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeD3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeImperva Incapsula
 
The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)Twan van den Broek
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
protect4s-product-sheet
protect4s-product-sheetprotect4s-product-sheet
protect4s-product-sheetFred van de Langenberg
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 

Mais conteúdo relacionado

Mais procurados

Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
Providence: rapid vulnerability prevention
Providence: rapid vulnerability preventionProvidence: rapid vulnerability prevention
Providence: rapid vulnerability preventionSalesforce Engineering
 
D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?Imperva Incapsula
 
Devops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevSecCon
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksOnapsis Inc.
 
From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaDevSecCon
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSOnapsis Inc.
 
SanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems ManagementSanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems ManagementSecPod Technologies
 
Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageShifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageDevOps.com
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise server
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise serverGWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise server
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise serverGWAVA
 
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWise
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWiseGWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWise
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWiseGWAVA
 
12 Days of Coding Errors
12 Days of Coding Errors12 Days of Coding Errors
12 Days of Coding ErrorsErika Barron
 

Mais procurados (17)

Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
Providence: rapid vulnerability prevention
Providence: rapid vulnerability preventionProvidence: rapid vulnerability prevention
Providence: rapid vulnerability prevention
 
D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?D3TLV17- You have Incapsula...now what?
D3TLV17- You have Incapsula...now what?
 
Devops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter ChestnaDevops: Security's big opportunity by Peter Chestna
Devops: Security's big opportunity by Peter Chestna
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI Frameworks
 
From rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter ChestnaFrom rogue one to rebel alliance by Peter Chestna
From rogue one to rebel alliance by Peter Chestna
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMS
 
SanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems ManagementSanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems Management
 
Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwards
 
Shifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security CoverageShifting Left…AND Right to Ensure Full Application Security Coverage
Shifting Left…AND Right to Ensure Full Application Security Coverage
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
 
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise server
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise serverGWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise server
GWAVACon 2015: GWAVA - Backup, manage & monitor your GroupWise server
 
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWise
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWiseGWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWise
GWAVACon 2015: GWAVA - Three dimensional security for Novell GroupWise
 
12 Days of Coding Errors
12 Days of Coding Errors12 Days of Coding Errors
12 Days of Coding Errors
 
D3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeD3TLV17- Keeping it Safe
D3TLV17- Keeping it Safe
 

Semelhante a Importance of Applying SAP Security Notes

The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)Twan van den Broek
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksSAP Customer Experience
 
Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Twan van den Broek
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security ConfigurationsOnapsis Inc.
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
 
Fin900 en col98_fv_co_a4 (1)
Fin900 en col98_fv_co_a4 (1)Fin900 en col98_fv_co_a4 (1)
Fin900 en col98_fv_co_a4 (1)Shailendra Surana
 
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2jvandevis
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easyERPScan
 
So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016Twan van den Broek
 
DataVard SAPPHIRE Presentation - Canary Code (TM)
DataVard SAPPHIRE Presentation - Canary Code (TM)DataVard SAPPHIRE Presentation - Canary Code (TM)
DataVard SAPPHIRE Presentation - Canary Code (TM)Mike Nelson
 
Accelerating Time-to-Value With SAP Rapid Deployment Solutions for Ariba
Accelerating Time-to-Value With SAP Rapid Deployment Solutions for AribaAccelerating Time-to-Value With SAP Rapid Deployment Solutions for Ariba
Accelerating Time-to-Value With SAP Rapid Deployment Solutions for AribaSAP Ariba
 

Semelhante a Importance of Applying SAP Security Notes (20)

The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
protect4s-product-sheet
protect4s-product-sheetprotect4s-product-sheet
protect4s-product-sheet
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
 
Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security Configurations
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
Fin900 en col98_fv_co_a4 (1)
Fin900 en col98_fv_co_a4 (1)Fin900 en col98_fv_co_a4 (1)
Fin900 en col98_fv_co_a4 (1)
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016
 
DataVard SAPPHIRE Presentation - Canary Code (TM)
DataVard SAPPHIRE Presentation - Canary Code (TM)DataVard SAPPHIRE Presentation - Canary Code (TM)
DataVard SAPPHIRE Presentation - Canary Code (TM)
 
Accelerating Time-to-Value With SAP Rapid Deployment Solutions for Ariba
Accelerating Time-to-Value With SAP Rapid Deployment Solutions for AribaAccelerating Time-to-Value With SAP Rapid Deployment Solutions for Ariba
Accelerating Time-to-Value With SAP Rapid Deployment Solutions for Ariba
 
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
 

Último

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Último (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Importance of Applying SAP Security Notes

  • 1. The importance of applying SAP Security notes
  • 2. Who we are WWW.PROTECT4S.COMWWW.PROTECT4S.COM “ERP-SEC works closely together with SAP to reduce risk in their customers systems. ERP-SEC was invited twice by SAP’s global security team in Walldorf to present on their ongoing SAP Security research” ERP Security • Experts in SAP Security assessments and hardening • Worldwide top 5 found SAP Security research • Regular presenters on SAP Security • Developer Protect4S • Founded in 2010 • Several business partners in BeNeLux • Our mission is to raise the level of security of mission-critical SAP platforms with a minimal impact on daily business. Affiliations: Partners:
  • 3. The Why WWW.PROTECT4S.COMWWW.PROTECT4S.COM Introduction • SAP Security notes, patching and it’s part in securing SAP systems • People involved in patching in the room? • Results security assessments over the years • Why? Fraud Sabotage Theft
  • 4. WWW.PROTECT4S.COMWWW.PROTECT4S.COM Something about SAP • Market leader in enterprise application software • ~ 300.000 customers worldwide • SAP customers include: – 87% of the Forbes Global 2000 companies – 98% of the 100 most valued brands • Headquarters: Walldorf, Germany, offices in more than 130 countries • Founded April 1, 1972 • Over 75.000 employees worldwide • 74% of the world’s transaction revenue touches an SAP system • Bottomline: Interesting Target! Source: http://www.sap.com/bin/sapcom/en_us/downloadasset.2016-01-jan-26-01.SAP-Corporate-Fact-Sheet-En-20160126-pdf.bypassReg.html
  • 5. WWW.PROTECT4S.COMWWW.PROTECT4S.COM Some numbers SAP has released 4000+ security patches to date. Each month 20+ are added to that number In 2017 alone 268 Security notes were released where 44 have priority HIGH or HOTNEWS Over 90% of the SAP systems we have assessed over the past 7 years, contained vulnerabilities that could lead to a full compromise. Proper vulnerability management could have prevented this in most cases.
  • 6. SAP Security notes WWW.PROTECT4S.COMWWW.PROTECT4S.COM 0 100 200 300 400 500 600 700 800 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Findings of SAP and external researchers resulted in many patches: > 4000 SAP SECURITY NOTES in total to date
  • 7. Demotime – Game Over WWW.PROTECT4S.COMWWW.PROTECT4S.COM Game over… Demotime
  • 8. Just 1 missing SAP note… WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  • 9. Long Risk window WWW.PROTECT4S.COMWWW.PROTECT4S.COM Typically seen at customers (no joke) • Customers apply SP Stack once every year or less • Some do SAP Security notes in between • Many do not apply SAP Security notes on monthly basis • Risk-window is long; months or even years (Keep in mind: SAP Security notes are easy to Reverse Engineer)
  • 10. Some numbers WWW.PROTECT4S.COMWWW.PROTECT4S.COM But what do they mean? • 42 • 895 Min. number of days it took SAP to fix one of our >70 reported issues Max. number of days it took SAP to fix one of our >70 reported issues
  • 13. SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  • 14. SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  • 15. SAP Security notes survey WWW.PROTECT4S.COMWWW.PROTECT4S.COM
  • 16. Patch management challenges WWW.PROTECT4S.COMWWW.PROTECT4S.COM A challenge for SAP customers • Testing • Securing SAP systems is complex and time consuming • Time-consuming task: implementing SAP Security notes • Up-to-now a manual, repetitive task • SAP notes released on a monthly base by dozens • Awareness • Time • Budget • Knowledge • ….
  • 17. Solutions WWW.PROTECT4S.COMWWW.PROTECT4S.COM To know what SAP Security notes you are missing there are a few options: • SAP Marketplace – Security notes launchpad • SAP Solution Manager – System Recommendations • 3rd party tooling Check applicable SAP Security notes on a monthly basis and apply at least the high risk ones
  • 18. SAP Security notes WWW.PROTECT4S.COMWWW.PROTECT4S.COM Concluding • SAP has the patches, customers need to take action • SAP Infrastructures and their security are often complex and work cannot be done manually (anymore). Automate this to be effective and efficient • 1 single missing SAP Security Note can lead to a fully compromised SAP system and all data it contains • Repetitive mitigation activities wrt SAP Security notes can be automated to some extend to save on time and money and to raise the level of security • But in order to secure SAP infrastructures do not solely focus on patching
  • 20. Disclaimer WWW.PROTECT4S.COMWWW.PROTECT4S.COM SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2017 ERP Security BV.