SITNL 2013 Security update SAP Teched 2013




Trends, some live hacking, statistics, SAP Security topics from SAP TechEd 2013


  • 1. SITNL 2013 Security update SAP Teched 2013
  • 2. Agenda: Guaranteed HANA-free presentation. Introduction. Update: what happened in 2013. SAP TechEd 2013 security topics (too many to name them all): Read Access Logging, ABAP code scan, System Recommendations vs RSECNOTE. Some statistics. (Creating this presentation involved shameless copying of SAP TechEd materials; thank you SAP.)
  • 3. Who we are: ERP Security, a company specialized in securing SAP infrastructures. Started by SAP Basis specialists who are enthusiastic about platform security. Our team consists of experienced SAP specialists and developers with 10+ years of experience. We deliver SAP security consulting services. In the global top 5 of SAP-researching companies.
  • 4. SAP Security in the spotlight: from sitNL last year
  • 5. SAP Security in the spotlight: new this year (Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
  • 6. Read Access Logging: You probably know the Security Audit Log, AIS, or change documents. Whereas the AIS, the Security Audit Log and change documents for master data all focus on CHANGE/DELETE/UPDATE actions, RAL allows you to log READ access.
  • 7. Read Access Logging: supported channels
  • 8. Read Access Logging: availability
  • 9. Read Access Logging: also see SIS 104
  • 10. ABAP Code Scanning: the challenge
  • 11. ABAP Code Scanning: overview of code check tools
    - ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage.
    - Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks.
    - Extended Program Check (SLIN).
    - SAP NW add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus is to analyze the data flow and user input.
  • 12. ABAP Code Scanning: overview of available checks
  • 13. ABAP Code Scanning: also see SIS 261
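The "data flow and user input" idea behind the code-vulnerability checks above can be shown on a small scale. The following toy taint tracker is an added example, not SAP's Code Inspector or ATC logic and not code from the presentation: it marks report parameters as user input, follows them through assignments and CONCATENATE, treats a few CL_ABAP_DYN_PRG methods as sanitizers, and reports when a tainted variable reaches a dynamic WHERE clause or OPEN DATASET. The sample ABAP report, the source/sink/sanitizer rules and the regular expressions are all assumptions constructed for this example.

```python
# Toy taint-tracking scan over ABAP source. Added illustration only; the rules,
# the sanitizer list and the sample program below are assumptions constructed for
# this example, not SAP's Code Inspector / ATC logic.
import re
from dataclasses import dataclass

# Sources: report parameters come straight from the user.
SOURCE_RE = re.compile(r"^\s*(?:PARAMETERS|SELECT-OPTIONS)\s+(\w+)", re.I)
# Propagation: plain assignment (also inline DATA(x) = ...) and CONCATENATE ... INTO.
ASSIGN_RE = re.compile(r"^\s*(?:DATA\()?(\w+)\)?\s*=\s*(.+?)\.\s*$", re.I)
CONCAT_RE = re.compile(r"^\s*CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
# Sinks: a dynamic WHERE clause and OPEN DATASET on a variable path.
DYN_WHERE_RE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)
OPEN_DATASET_RE = re.compile(r"^\s*OPEN\s+DATASET\s+(\w+)", re.I)
# Sanitizers (real CL_ABAP_DYN_PRG methods). Treating them as fully cleaning is a
# simplification: escape_quotes only helps when the value ends up inside quotes.
SANITIZER_RE = re.compile(
    r"cl_abap_dyn_prg=>(?:escape_quotes|check_column_name|check_table_name_str)\s*\(", re.I)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


@dataclass
class Finding:
    line: int
    sink: str
    var: str
    path: list  # variables the tainted value passed through, source first


def _strip_comment(line: str) -> str:
    """Drop full-line (*) and trailing (") ABAP comments. Ignores the corner case
    of a " inside a '...' literal, which the sample does not use."""
    if line.lstrip().startswith("*"):
        return ""
    return line.split('"', 1)[0]


def _propagate(tainted: dict, target: str, rhs: str) -> None:
    """Taint target if any identifier on the right-hand side is tainted; an
    assignment from clean operands overwrites (and so clears) earlier taint."""
    for ident in IDENT_RE.findall(rhs):
        if ident.lower() in tainted:
            tainted[target] = tainted[ident.lower()] + [target]
            return
    tainted.pop(target, None)


def scan(source: str) -> list:
    """Return one Finding per line where a tainted variable reaches a sink."""
    tainted = {}  # variable name -> path of names back to the user input
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = _strip_comment(raw)
        if not code.strip():
            continue
        if m := SOURCE_RE.match(code):
            name = m.group(1).lower()
            tainted[name] = [name]
            continue
        if m := CONCAT_RE.match(code):
            _propagate(tainted, m.group(2).lower(), m.group(1))
        elif m := ASSIGN_RE.match(code):
            target, rhs = m.group(1).lower(), m.group(2)
            if SANITIZER_RE.search(rhs):
                tainted.pop(target, None)  # value was cleaned before assignment
            else:
                _propagate(tainted, target, rhs)
        if (m := DYN_WHERE_RE.search(code)) and m.group(1).lower() in tainted:
            var = m.group(1).lower()
            findings.append(Finding(no, "dynamic WHERE clause", var, tainted[var]))
        if (m := OPEN_DATASET_RE.match(code)) and m.group(1).lower() in tainted:
            var = m.group(1).lower()
            findings.append(Finding(no, "OPEN DATASET", var, tainted[var]))
    return findings


# Constructed sample report: two vulnerable flows and one sanitized flow.
SAMPLE_ABAP = """\
REPORT z_demo_taint.
PARAMETERS p_name TYPE string.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lv_safe TYPE string.
DATA lv_path TYPE string.
DATA lt_users TYPE TABLE OF usr02.
" Vulnerable: the parameter value is pasted straight into a dynamic WHERE clause
CONCATENATE 'BNAME = ''' p_name '''' INTO lv_where.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (lv_where).
" Hardened: quotes in the value are escaped before it is embedded
lv_safe = |BNAME = '{ cl_abap_dyn_prg=>escape_quotes( p_name ) }'|.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (lv_safe).
" Vulnerable: a user-supplied path reaches OPEN DATASET unchecked
lv_path = p_file.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"line {f.line}: {f.var} reaches {f.sink} via {' -> '.join(f.path)}")
```

Run stand-alone, it reports the dynamic WHERE on line 10 and the OPEN DATASET on line 16 of the sample, each with the chain of variables back to the PARAMETERS statement, and stays silent on the escaped variant on line 13. A real scanner works on a parsed statement stream rather than lines and knows far more sources, sinks and sanitizers; the point here is only the shape of the analysis.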
  • 14. Solman System Recommendations: SAP Solution Manager System Recommendations. Slow and infrequent implementation of support packages leaves systems vulnerable.
  • 15. System Recommendations vs RSECNOTE

    System Recommendations                      RSECNOTE
    ------------------------------------------  ----------------------
    Recommendations for ABAP & Java             Focus on HotNews
    Extra functionality like ChaRM integration  ABAP only
    Complete overview based on system           Limited functionality
    Not only security notes                     Incomplete
    Way to go                                   OLDSKOOL
  • 16. System Recommendations: overview
  • 18. System Recommendations: also see SIS 103
  • 19. Some Statistics: Preliminary research statistics on internet-connected systems; SAProuter. After scanning the entire IPv4 range we found: 7746 SAProuters connected to the internet, of which almost half (3693) are UNprotected by ACL, giving access to the local intranet. Of the vulnerable SAProuters, most (85%) are running on Windows. 13 of the vulnerable SAProuters (0.35%) are located in NL. [Chart: SAProuters found on the internet: ACL protected 52%, open 48%. Open SAProuters by OS: Windows 85%, Unix/Linux 15%.]
  • 20. Exploit an SAP system from the Internet via SAProuter
  • 21. Some Statistics: Security vulnerabilities found by SAP vs external security researchers. The ratio of vulnerabilities found by external researchers vs SAP internally is going up. Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
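"Unprotected by ACL" in the statistics above means the SAProuter's route permission table (saprouttab) lets arbitrary Internet hosts route onward to the intranet, which is what the "exploit via SAProuter" slide relies on. The checker below is an added example, not the presentation's scanning tooling and not SAP code: it parses a saprouttab, answers whether a given route would be permitted, and flags the two configuration mistakes that produce an open router. The rule semantics it encodes (P permit, D deny, S permit only SAP protocols; `*` wildcards; first matching entry wins; no match means the route is refused) are this example's reading of the format, and the three sample tables are constructed for it.

```python
# saprouttab checker. Added illustration only; the rule semantics are this
# example's reading of the saprouttab format (P permit, D deny, S permit SAP
# protocols only; '*' wildcards; first matching entry wins; no match refuses)
# and the sample tables below are constructed for it.
import fnmatch
from typing import NamedTuple


class Rule(NamedTuple):
    action: str  # 'P', 'D' or 'S'
    src: str     # source host pattern
    dst: str     # destination host pattern
    svc: str     # destination service / port pattern


def parse_saprouttab(text: str) -> list:
    """Parse the route permission table into Rule entries, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ("P", "D", "S"):
            raise ValueError(f"unrecognised saprouttab entry: {raw!r}")
        # a fifth field would be the route password; it does not affect matching here
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3]))
    return rules


def _matches(pattern: str, value: str) -> bool:
    return fnmatch.fnmatchcase(value, pattern)


def decide(rules: list, src: str, dst: str, svc: str) -> str:
    """Return the action of the first entry matching the requested route."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and _matches(r.svc, svc):
            return r.action
    return "D"  # nothing matched: the route is refused


def _covers(pattern: str, other: str) -> bool:
    # an earlier pattern hides a later field if it is '*' or matches it outright
    return pattern == "*" or (other != "*" and _matches(pattern, other))


def audit(rules: list) -> list:
    """Flag the two mistakes that make an Internet-facing SAProuter 'open': a
    permit entry that accepts any source host, and a deny entry that can never
    be reached because an earlier permit already matches everything it names."""
    issues = []
    for i, r in enumerate(rules, 1):
        if r.action in ("P", "S") and r.src == "*":
            issues.append(f"entry {i} ({' '.join(r)}): permits any source host "
                          f"to reach {r.dst} on service {r.svc}")
        if r.action == "D":
            for j, earlier in enumerate(rules[: i - 1], 1):
                if earlier.action in ("P", "S") and _covers(earlier.src, r.src) \
                        and _covers(earlier.dst, r.dst) and _covers(earlier.svc, r.svc):
                    issues.append(f"entry {i} ({' '.join(r)}): unreachable, "
                                  f"shadowed by entry {j} ({' '.join(earlier)})")
                    break
    return issues


# Constructed sample tables (RFC 5737 documentation and RFC 1918 addresses).
OPEN_TABLE = "P * * *   # everything allowed: the 'unprotected by ACL' case\n"
SHADOWED_TABLE = """\
P * 10.0.0.* *      # anyone on the Internet may reach the whole subnet
D * 10.0.0.5 3299   # meant to block the internal SAProuter, but never consulted
"""
HARDENED_TABLE = """\
# one jump host may reach one system's dispatcher port; everything else refused
P 203.0.113.10 10.0.0.5 3200
D * * *
"""

if __name__ == "__main__":
    for name, table in (("open", OPEN_TABLE), ("shadowed", SHADOWED_TABLE),
                        ("hardened", HARDENED_TABLE)):
        rules = parse_saprouttab(table)
        verdict = decide(rules, "198.51.100.7", "10.0.0.5", "3299")
        print(f"{name}: Internet host -> 10.0.0.5:3299 = {verdict}; "
              f"issues = {audit(rules) or 'none'}")
```

The open table permits the Internet host through and is flagged; the shadowed table is flagged twice, because the deny for the internal SAProuter port sits behind a permit that already matches it and so is never consulted; the hardened table refuses the Internet host and raises no issues. The same ordering rule is why `D` entries belong before broad permits, never after them.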
  • 22. Key takeaways / summary: SAP security is complex, but don't let that be an excuse! Especially since SAP and external suppliers are providing more and better tools/solutions. Do take special care when connecting systems to the internet. Be aware that every aspect of an SAP infrastructure needs to be secured: application server, OS, DB, network, frontend, SoD, custom code, etc. PATCH! PATCH! PATCH! Join & contribute: www.bizec.org
  • 23. Questions? Thank you
  • 24. Need more info? Contact us: see www.erp-sec.com or follow @jvis / @erpsec
  • 25. Disclaimer SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. No part of this document may be reproduced without the prior written permission of ERP Security BV. 2013 ERP Security BV.