SITNL 2013
Security update SAP Teched 2013
Agenda
Guaranteed HANA-FREE presentation

Introduction
Update: what happened in 2013
SAP Teched 2013 Security topics (Too many to name them all)
Read Access Logging
ABAP code scan
System Recommendations vs RSECNOTE

Some statistics
(Creating this presentation involved Shameless copying of SAP Teched materials, thank you SAP)
Who we are…
ERP Security
• A company specialized in securing SAP infrastructures
• Started by SAP basis specialists who are enthusiastic about platform security
• Our team consists of experienced SAP specialists and developers with 10+ years of experience
• We deliver SAP Security consulting services
• In the global top 5 of SAP researching companies
SAP Security in the spotlight
From SitNL last year…
SAP Security in the spotlight
New this year…

(Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
Read Access Logging
You probably know the Security Audit Log, AIS and change documents.
Where the AIS, Security Audit Log and change documents for master data all focus on
CHANGE/DELETE/UPDATE actions, RAL makes it possible to log READ access.
Read Access Logging
Supported Channels
Read Access Logging
Availability
Read Access Logging

Also see SIS 104
ABAP Code Scanning
The challenge…
ABAP Code Scanning
Overview of Code check Tools
ABAP Test Cockpit (ATC)
Central place for all check tools, exemption handling, result storage

Code Inspector (SCI)
Open framework for customers, partners and SAP to develop code related checks

Extended Program Check (SLIN)
SAP NW add-on for code vulnerability analysis
Code checks for security vulnerabilities.
Main focus is to analyze the data flow and user input
ABAP Code Scanning
Overview of available checks
ABAP Code Scanning

ABAP Code Scan
Also see SIS 261
Solman System Recommendations
SAP Solution Manager System Recommendations
Slow, infrequent implementation of support packages leaves systems vulnerable
System Recommendations
System Recommendations vs RSECNOTE

System Recommendations:
• Recommendations for ABAP & JAVA
• Extra functionality like ChaRM integration
• Complete overview based on system
• Not only Security notes
• Way to go

RSECNOTE:
• Focus on Hotnews
• ABAP only
• Limited functionality
• Incomplete
• OLDSKOOL
System Recommendations
System Recommendations overview
System Recommendations
System Recommendations overview
System Recommendations

System Recommendations
Also see SIS 103
Some Statistics
Preliminary research statistics on internet connected systems; SAProuter
After scanning the entire IPv4 range we found:
• 7746 SAProuters connected to the internet
• Of which almost half (3693) are UNprotected by ACL, giving access to the local intranet
• Of the vulnerable SAProuters, most (85%) are running on Windows
• 13 of the vulnerable SAProuters (0,35%) are located in NL

Chart: SAProuters found on internet (ACL protected 52%, open 48%)
Chart: Open SAProuters running Windows 85%, running Unix/Linux 15%
System Recommendations

Exploit SAP system via Internet via SAPRouter
Some Statistics
Security vulnerabilities found by SAP vs External Security Researchers
The ratio of vulnerabilities found by External Researchers vs SAP internally is going up:

Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
Key takeaways
Summary
• SAP security is complex, but don’t let that be an excuse!
• Especially since SAP and external suppliers are providing more and better tools / solutions
• Do take special care when connecting systems to the internet
• Be aware that every aspect of an SAP infrastructure needs to be secured. Application server, OS, DB, network, Frontend, SoD, Custom Code, etc, etc…
• PATCH! PATCH! PATCH!

Join & contribute! www.bizec.org
Questions?

Thank you
Need more info? Contact us...

More information needed? See www.erp-sec.com or follow @jvis / @erpsec
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and
other countries.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not
warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either
express or implied, including but not limited to the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special,
indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its
content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV.
© 2013 ERP Security BV.
sitNL Security Update from SAP TechEd 2013
