Trends, some live hacking, statistics, SAP Security topics from SAP TechEd 2013
1. SITNL 2013 Security update: SAP TechEd 2013
2. Agenda
Guaranteed HANA-free presentation
Introduction
Update: what happened in 2013
SAP TechEd 2013 security topics (too many to name them all):
  Read Access Logging
  ABAP code scan
  System Recommendations vs RSECNOTE
Some statistics
(Creating this presentation involved shameless copying of SAP TechEd materials, thank you SAP)
3. Who we are: ERP Security
A company specialized in securing SAP infrastructures
Started by SAP Basis specialists who are enthusiastic about platform security
Our team consists of experienced SAP specialists and developers with 10+ years of experience
We deliver SAP Security consulting services
In the global top 5 of SAP researching companies
4. SAP Security in the spotlight From SitNL last year
5. SAP Security in the spotlight New this year (Source:
http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
6. Read Access Logging
You probably know the Security Audit Log, AIS or change documents. Where the AIS, the Security Audit Log and the change documents for master data all focus on CHANGE/DELETE/UPDATE actions, RAL allows you to log READ access.
7. Read Access Logging Supported Channels
8. Read Access Logging Availability
9. Read Access Logging Also see SIS 104
10. ABAP Code Scanning The challenge
11. ABAP Code Scanning: overview of code check tools
ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN)
SAP NW add-on for code vulnerability analysis: code checks for security vulnerabilities; main focus is to analyze the data flow and user input
12. ABAP Code Scanning Overview of available checks
13. ABAP Code Scanning: ABAP Code Scan. Also see SIS 261
14. Solman System Recommendations: SAP Solution Manager System Recommendations
Slow and infrequent implementation of support packages leaves systems vulnerable
15. System Recommendations: System Recommendations vs RSECNOTE
System Recommendations:
  Recommendations for ABAP & JAVA
  Extra functionality like ChaRM integration
  Complete overview based on system
  Not only Security notes
  Way to go
RSECNOTE:
  Focus on HotNews
  ABAP only
  Limited functionality
  Incomplete
  OLDSKOOL
16. System Recommendations System Recommendations overview
17. System Recommendations System Recommendations overview
18. System Recommendations: System Recommendations. Also see SIS 103
19. Some Statistics: preliminary research statistics on internet-connected systems; SAProuter
After scanning the entire IPv4 range we found:
  7746 SAProuters connected to the internet
  Of which almost half (3693) are UNprotected by ACL, giving access to the local intranet
  Of the vulnerable SAProuters, most (85%) are running on Windows
  13 of the vulnerable SAProuters (0,35%) are located in NL
Chart: SAProuters found on the internet: ACL protected 52%, open 48%. Open SAProuters running Windows: 85%; open SAProuters running Unix/Linux: 15%.
20. System Recommendations Exploit SAP system via Internet via
SAPRouter
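The slides report that almost half of the internet-facing SAProuters carry no effective ACL. As an added example (not from the presentation or from ERP Security), the script below parses a saprouttab in the common `P|D|S <source> <dest> <service>` form, applies SAProuter's first-match-wins evaluation with an implicit deny when nothing matches, and flags permit entries that let any source reach any destination. The sample table is constructed; only `*` wildcards and exact host/service values are handled, which is an assumed subset of the real syntax.

```python
import fnmatch
from dataclasses import dataclass
from typing import List

# Constructed sample saprouttab: a wide-open permit, a scoped permit and a deny-all.
SAMPLE_SAPROUTTAB = """\
# permit everything from everywhere (this is what 'unprotected by ACL' looks like)
P * * *
# permit one admin host to reach the dispatcher of instance 00 only
P 10.0.0.5 sapprd01 3200
# deny everything else (saprouter also denies when nothing matches)
D * * *
"""

@dataclass
class Rule:
    action: str   # 'P' permit, 'D' deny, 'S' permit only over SNC
    src: str
    dst: str
    svc: str
    lineno: int

def parse_saprouttab(text: str) -> List[Rule]:
    """Parse saprouttab lines, skipping comments and blank lines."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ("P", "D", "S"):
            raise ValueError(f"line {n}: unrecognised saprouttab entry {raw!r}")
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3], n))
    return rules

def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or fnmatch.fnmatchcase(value, pattern)

def decide(rules: List[Rule], src: str, dst: str, svc: str) -> str:
    """First matching entry wins; no matching entry means the connection is refused."""
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst) and _match(r.svc, svc):
            return r.action
    return "D"

def wide_open_entries(rules: List[Rule]) -> List[Rule]:
    """Permit entries usable by any source host towards any destination host."""
    return [r for r in rules if r.action == "P" and r.src == "*" and r.dst == "*"]
```

Run `wide_open_entries` over the routers you own before exposing them; every hit is an entry that turns the SAProuter into an open door to the intranet.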
21. Some Statistics: security vulnerabilities found by SAP vs external security researchers
The ratio of vulnerabilities found by external researchers vs SAP internally is going up.
Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
22. Key takeaways: summary
SAP security is complex, but don't let that be an excuse! Especially since SAP and external suppliers are providing more and better tools / solutions
Do take special care when connecting systems to the internet
Be aware that every aspect of an SAP infrastructure needs to be secured: application server, OS, DB, network, frontend, SoD, custom code, etc.
PATCH! PATCH! PATCH!
Join & contribute! www.bizec.org
23. Questions? Thank you
24. Need more info? Contact us... See www.erp-sec.com or follow @jvis / @erpsec
25. Disclaimer SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other
SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG
in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies. Data
contained in this document serves informational purposes only. The
authors assume no responsibility for errors or omissions in this
document. The authors do not warrant the accuracy or completeness
of the information, text, graphics, links, or other items contained
within this material. This document is provided without a warranty
of any kind, either express or implied, including but not limited
to the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. The authors shall have no
liability for damages of any kind including without limitation
direct, special, indirect, or consequential damages that may result
from the use of this document. SAP AG is neither the author nor the
publisher of this publication and is not responsible for its
content, and SAP Group shall not be liable for errors or omissions
with respect to the materials. No part of this document may be
reproduced without the prior written permission of ERP Security BV.
2013 ERP Security BV.