Invest in security to secure investments

Implementing SAP security in 5 steps

Alexander Polyakov. CTO, ERPScan

About ERPScan

•  The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgments from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team – 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)

Large enterprise sectors

•  Oil & Gas
•  Manufacturing
•  Logistics
•  Finance
•  Nuclear Power
•  Retail
•  Telecommunication
•  etc.

Business applications

•  The role of business applications in a typical work environment
•  The need to control them to optimize business processes
•  Scope for enormous reduction in resource overheads and other direct monetary impact
•  Potential problems that one can't overlook
•  The need to reflect on security aspects – is it overstated?
•  Why is it a REAL and existent risk?

What can the implications be?

•  Espionage
–  Theft of financial information
–  Corporate secret and information theft
–  Supplier and customer list theft
–  HR data theft
•  Sabotage
–  Denial of service
–  Tampering of financial records and accounting data
–  Access to technology network (SCADA) by trust relations
•  Fraud
–  False transactions
–  Modification of master data

SAP

•  The most popular business application
•  More than 263000 customers worldwide
•  83% Forbes 500 companies run SAP
•  Main system – ERP
•  Main platforms
‒  SAP NetWeaver ABAP
‒  SAP NetWeaver J2EE
‒  SAP BusinessObjects
‒  SAP HANA
‒  SAP Mobile Platform (SUP)

SAP security

•  Complexity
   Complexity kills security. Many different vulnerabilities in all levels, from network to application
•  Customization
   Cannot be installed out of the box. A lot of (up to 50 %) custom code and business logic
•  Risky
   Rarely updated because administrators are scared of crashes and downtime
•  Unknown
   Mostly available inside the company (closed world)

http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf

Securing SAP

•  Have budget
–  Find people and tools
•  Don't have budget
–  Try to show business how critical it is

Ask 3rd parties for

•  Whitepapers
•  Webinars from experts
•  SAAS scanning of external-facing systems
•  SAP penetration testing
•  Deep SAP security assessment

SAP security
1. Pentesting and Audit

Pentest

Pentest – anonymous scan for SAP vulnerabilities and ways to exploit them
•  Analysis of exposed services (more than 20 possible)
•  BlackBox analysis of installed applications and vulnerabilities
•  Exploitation of found vulnerabilities
•  Privilege escalation
•  Presentation report for management

✓  Pentest can be a starting point for an SAP security project
✓  Pentest can also be a final test after implementation

Analysis of running services

•  Scan an external company network for SAP services
•  Scan internal SAP systems from the user or guest network
•  Scan internal SAP systems from the admin network

Remotely exposed services

[Chart: number of remotely exposed services per service type, series "Exposed services 2011" and "Exposed services 2013"; categories: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server, httpd, SAP Message Server, SAP Router]

Internal access

•  Only these services should be open for user access
–  Dispatcher or Message Server
–  Gateway (for some users)
–  ICM (for some users, if used)
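The rule on this slide, turned into a check over scan output. This is an added example and not code from the deck or from ERPScan; the port-to-service mapping follows the standard SAP instance-number scheme (NN = instance number) as the author of this example knows it, so verify it against the SAP document "TCP/IP Ports Used by SAP Applications" that the deck refers to later, and the scan results are constructed.

```python
"""
Rate SAP services found open from the user network against the slide's rule:
only Dispatcher or Message Server freely, Gateway and ICM for some users only,
everything else (management interfaces, SAProuter, Java AS) not at all.
"""

ALWAYS_ALLOWED_FOR_USERS = {"Dispatcher", "Message Server"}
RESTRICTED_FOR_USERS = {"Gateway", "ICM (HTTP)", "ICM (HTTPS)"}


def identify_service(port):
    """Map a TCP port to the SAP service that conventionally listens there (assumed defaults)."""
    if port == 3299:
        return "SAProuter"
    if port in (1128, 1129):
        return "SAPHostControl"
    if 3200 <= port <= 3298:
        return "Dispatcher"
    if 3300 <= port <= 3398:
        return "Gateway"
    if 3600 <= port <= 3698:
        return "Message Server"
    if 8000 <= port <= 8098:
        return "ICM (HTTP)"
    if 8100 <= port <= 8198:
        return "Message Server HTTP"
    if 44300 <= port <= 44398:
        return "ICM (HTTPS)"
    if 50000 <= port <= 59899:
        suffix = port % 100
        if suffix == 0:
            return "Java AS (HTTP)"
        if suffix == 13:
            return "SAPControl"
        if suffix == 14:
            return "SAPControl (SSL)"
    return None  # not a well-known SAP port: out of scope for this check


def assess_user_zone_exposure(scan_lines):
    """Parse 'host:port open' lines and rate each SAP service reachable from the user network.

    Returns a list of (host, port, service, verdict) tuples in scan order.
    """
    findings = []
    for line in scan_lines:
        line = line.strip()
        if not line or not line.endswith(" open"):
            continue
        host, _, port_text = line[: -len(" open")].rpartition(":")
        service = identify_service(int(port_text))
        if service is None:
            continue
        if service in ALWAYS_ALLOWED_FOR_USERS:
            verdict = "allowed"
        elif service in RESTRICTED_FOR_USERS:
            verdict = "restrict to specific users"
        else:
            verdict = "should not be reachable from the user network"
        findings.append((host, int(port_text), service, verdict))
    return findings


# Constructed scan output: one ABAP instance 00 seen from a user-network scan.
SAMPLE_SCAN = """
10.0.1.5:3200 open
10.0.1.5:3300 open
10.0.1.5:3600 open
10.0.1.5:8000 open
10.0.1.5:50013 open
10.0.1.5:1128 open
10.0.1.5:22 open
""".splitlines()


if __name__ == "__main__":
    for host, port, service, verdict in assess_user_zone_exposure(SAMPLE_SCAN):
        print("%s:%-6d %-18s %s" % (host, port, service, verdict))
```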
  
Pentest JAVA

Examples of vulnerabilities
•  Auth bypass in CTC
•  Anonymous user creation
•  Anonymous file read
•  Information disclosure
•  Unauthorized access to KM documents

Pentest ABAP

Examples of vulnerabilities:
•  Reginfo/Secinfo bypass
•  Oracle database access bypass
•  Buffer overflows
•  Information disclosure about files in MMC
•  Unauthorized access to log files
•  Injection of OS commands in SAPHostControl
•  Dangerous web services
•  Information disclosure of parameters in Message Server HTTP

Full SAP security assessment

•  BlackBox vulnerability scan
•  Penetration testing
•  WhiteBox configuration scan
‒  Configuration analysis
‒  Access control checks
‒  SAP Security Notes analysis
‒  Password complexity checks (bruteforce)

Configuration analysis

•  Authentication (password policies, SSO, users by different criteria)
•  Access control (access to different web services, tables, transactions, insecure test services, unnecessary transactions and web applications)
•  Encryption (SSL and SNC encryption)
•  Monitoring (security audit log, system log and others)
•  Insecure configuration (all other security checks for particular services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal)

Access control

•  Users with critical profiles
•  Users with critical roles
•  Users with access to critical tables
•  Users with access to transport
•  Users with access to development
•  Users with access to user administration
•  Users with access to system administration
•  Users with access to HR functions
•  Users with access to CRM functions
•  …Specific access control checks for industry solutions

Vulnerability scan

•  Check for latest component versions
•  Check for missing SAP Security Notes
•  Correlate patches with SAP Security Notes
•  Exploit vulnerabilities to check if they really exist
•  Risk management

SAP security
2. Compliance

Compliance

First of all, choose the one you want
•  Technical
‒  EAS-SEC
‒  SAP NetWeaver ABAP Security Configuration
‒  ISACA (ITAF)
‒  DSAG
•  Industry
‒  PCI DSS
‒  NERC CIP

SAP security
Why do we need a new guide?

3 areas of Business Application Security

Business logic security (SoD)
Prevents attacks or mistakes made by insiders

Custom code security
Prevents attacks or mistakes made by developers

Application platform security
Prevents unauthorized access both by insiders and remote attackers

Security guidelines

•  For web, we have OWASP, WASC
•  For network and OS, we have NIST, SANS
•  But what about Enterprise Business Applications?

Why? (1)

•  Questions like "why?" and "what for?" are the alpha and omega of every research
•  The most frequent question we were asked:

“Guys, you are awesome! You are doing a great job so far, finding so many problems in our installations. It's absolutely fantastic, but we don't know where to start solving them. Could you provide us with top 10/20/50/100/[your favorite number] most critical bugs in every area?”

Why? (2)

•  We had to do something completely different from just Top 10 most critical bugs
•  Even if you patch all vulnerabilities, lots of problems could still remain: access control, configuration, logs
•  The number one challenge is to understand all security areas of EAS and to have the opportunity to select several most critical issues for every area

Why? (3)

•  We started to analyze the existing guidelines and standards
–  High level policies: NIST, SOX, ISO, PCI-DSS
–  Technical guides: OWASP, WASC, SANS 25, CWE
–  SAP guides:
o  Configuration of SAP NetWeaver® Application Server Using ABAP by SAP
o  ISACA Assurance (ITAF) by ISACA
o  DSAG by German SAP User Group
•  Those standards are great, but, unfortunately, all of them have at least one big disadvantage

SAP security guidelines

•  Guidelines made by SAP
•  First official SAP guide for technical security of ABAP stack
•  Secure Configuration of SAP NetWeaver® Application Server Using ABAP
•  First version in 2010, version 1.2 in 2012

SAP security guidelines

•  For rapid assessment of the most common technical platform misconfigurations
•  Consists of 9 areas and 82 checks
•  Ideal as a second step, gives more details for some standard EAS-SEC areas

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true

SAP security guidelines

•  Advantages:
–  Very brief but quite comprehensive (only 9 pages)
–  Covers application platform issues
–  Applicable for every ABAP based platform (either ERP or Solution Manager or HR)
•  Disadvantages:
–  82 checks is still a lot for a first brief look at secure configuration
–  Doesn't cover access control issues and logging, and misses some things even in platform security
–  Gives people a false sense of security if they cover all checks, which wouldn't be completely true

ISACA Assurance (ITAF)

•  Guidelines made by ISACA
•  Checks cover configuration and access control areas
•  The first most complete compliance
•  There were 3 versions published in 2002, 2006, 2009 (some areas are outdated now)

ISACA Assurance (ITAF)

•  Technical part covers incomplete access control info and misses some critical areas
•  The biggest advantage is the big database of access control checks
•  Consists of 4 parts and more than 160 checks
•  Ideal as a third-step guide and very useful for its detailed coverage of access control

ISACA Assurance (ITAF)

•  Advantages:
–  Detailed coverage of access control checks
•  Disadvantages:
–  Outdated
–  Technical part is missing
–  Too many checks, can't be easily used by a non-SAP specialist
–  Can't be applied to any system without prior understanding of the business processes
–  Is officially available only as part of the book, or you should be at least an ISACA member to get it

DSAG

•  Set of recommendations from Deutsche SAP User Group
•  Checks cover all security areas, from technical configuration and source code to access control and management procedures
•  Currently the biggest guideline about SAP security

DSAG

•  Last version in Jan 2011
•  Consists of 8 areas and 200+ checks
•  Ideal as a final step for securing SAP, but consists of many checks which need additional decision making (highly depends on the installation)

http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf

DSAG

•  Advantages:
–  Ideal as a final step for securing SAP
–  Great for SAP security administrators, covers almost all areas
•  Disadvantages:
–  Same as ISACA: too big for a starter, and no help at all for security people who are not familiar with SAP
–  Can't be directly applied to every system without prior understanding of business processes. Many checks are recommendations, and the users should think for themselves if they are applicable in each case

 
	
  
EAS-SEC

•  The authors' efforts were:
–  to make this list as brief as possible
–  to cover the most critical threats for each area
–  to make it easily used not only by SAP/ERP security experts but by every security specialist
–  to provide comprehensive coverage of all critical SAP security areas
•  At the same time, to develop the most complete guide would be a never-ending story
•  So we implemented the 80/20 rule for SAP security

EAS-SEC

•  Developed by ERPScan
•  First release 2010
•  Second edition 2013 (http://eas-sec.org)
•  3 main areas
–  Implementation assessment
–  Code review
–  Awareness
•  Rapid assessment of Business Application security

	
  
EASSEC Implementation Assessment

EASSEC-PVAG                                  Access         Criticality   Easy to exploit   % of vulnerable systems
1. Lack of patch management                  Anonymous      High          High              99%
2. Default passwords for application access  Anonymous      High          High              95%
3. Unnecessary enabled functionality         Anonymous      High          High              90%
4. Open remote management interfaces         Anonymous      High          Medium            90%
5. Insecure configuration                    Anonymous      Medium        Medium            90%
6. Unencrypted communication                 Anonymous      Medium        Medium            80%
7. Access control and SOD                    User           High          Medium            99%
8. Insecure trust relations                  User           High          Medium            80%
9. Logging and monitoring                    Administrator  High          Medium            98%

EAS-SEC for SAP NetWeaver ABAP

Enterprise Application Systems Application Implementation – NetWeaver ABAP
–  Developed by ERPScan: First standard in the EAS-SEC series
–  Published in 2013
   http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/
–  Rapid assessment of SAP security in 9 areas
–  Contains 33 most critical checks
–  Ideal as a first step
–  Also contains information for next steps
–  Categorized by priority and criticality

EAS-SEC for NetWeaver (EASSEC-PVAG-ABAP)

Lack of patch management

•  [EASAI-NA-01] Component updates
•  [EASAI-NA-02] Kernel updated
What's next: Other components should be updated separately – SAProuter, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. Also, OS and database

Default passwords

•  [EASAI-NA-03] Default password check for user SAP*
•  [EASAI-NA-04] Default password check for user DDIC
•  [EASAI-NA-05] Default password check for user SAPCPIC
•  [EASAI-NA-06] Default password check for user MSADM
•  [EASAI-NA-07] Default password check for user EARLYWATCH
What's next: A couple of additional SAP components, like old versions of SAP SDM and SAP ITS, have default passwords. After you check all default passwords, you can start bruteforcing for simple passwords

Unnecessary enabled functionality

•  [EASAI-NA-08] Access to RFC-functions using SOAP interface
•  [EASAI-NA-09] Access to RFC-functions using FORM interface
•  [EASAI-NA-10] Access to XI service using SOAP interface
What's next: Analyze about 1500 other services which are remotely enabled to see if they are really needed. Disable unused transactions, programs and reports

Open remote management interfaces

•  [EASAI-NA-11] Unauthorized access to SAPControl service
•  [EASAI-NA-12] Unauthorized access to SAPHostControl service
•  [EASAI-NA-13] Unauthorized access to Message Server service
•  [EASAI-NA-14] Unauthorized access to Oracle database
What's next: Full list of SAP services is available here: TCP/IP Ports Used by SAP Applications. Also, take care of 3rd party services which can be enabled on this server

Insecure configuration

•  [EASAI-NA-15] Minimum password length
•  [EASAI-NA-16] User locking policy
•  [EASAI-NA-17] Password compliance to current standards
•  [EASAI-NA-18] Access control to RFC (reginfo.dat)
•  [EASAI-NA-19] Access control to RFC (secinfo.dat)
What's next: First of all, look to Secure Configuration of SAP NetWeaver® Application Server Using ABAP for detailed configuration checks. Afterwards, pass through detailed documents for each and every SAP service and module

http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
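A checker for the two Gateway ACL files behind checks EASAI-NA-18 and EASAI-NA-19, added here as an example (not code from the deck, from ERPScan or from SAP). It assumes the VERSION=2 line syntax as the author of this example understands it: a leading P (permit) or D (deny), then KEY=VALUE tokens, '*' as wildcard, the first matching rule winning; verify that against SAP's Gateway security documentation. The two sample files are constructed.

```python
"""
Flag permit rules in reginfo.dat / secinfo.dat that rely on wildcards.

secinfo controls which programs a user may start through the Gateway
(TP, USER, HOST, USER-HOST); reginfo controls which external programs may
register at the Gateway and who may use or cancel them (TP, HOST, ACCESS, CANCEL).
A missing key is treated as '*' here, which is the conservative reading.
"""

WILDCARD_KEYS = {
    "secinfo": ("TP", "USER", "HOST", "USER-HOST"),
    "reginfo": ("TP", "HOST", "ACCESS", "CANCEL"),
}


def parse_acl(text):
    """Return the rules as (action, {KEY: value}) in file order; comments and the #VERSION header are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError("unexpected rule line: %r" % raw)
        fields = {}
        for token in rest.split():
            key, _, value = token.partition("=")
            fields[key.upper()] = value
        rules.append((action, fields))
    return rules


def find_permissive_rules(kind, text):
    """List (rule_number, severity, description) for permit rules built on wildcards.

    Rule numbers count only real rules (comments excluded), matching the order the
    Gateway evaluates them in: an early wildcard permit shadows any later deny.
    """
    findings = []
    for index, (action, fields) in enumerate(parse_acl(text), start=1):
        if action != "P":
            continue
        wild = [k for k in WILDCARD_KEYS[kind] if fields.get(k, "*") == "*"]
        if "TP" in wild and "HOST" in wild:
            findings.append((index, "critical", "any program from any host"))
        elif "TP" in wild:
            findings.append((index, "high", "any program from " + fields.get("HOST", "*")))
        elif "HOST" in wild:
            findings.append((index, "medium", fields["TP"] + " from any host"))
    return findings


# Constructed sample files. Rule 2 of each is the classic "allow everything" line
# often left in place after installation; rule 1 of secinfo is a reasonable entry.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=* HOST=internal ACCESS=internal CANCEL=internal
P TP=* HOST=* ACCESS=*
D TP=* HOST=*
"""

SAMPLE_SECINFO = """\
#VERSION=2
P TP=sapxpg USER=* HOST=local USER-HOST=internal
P TP=* USER=* HOST=* USER-HOST=*
"""


if __name__ == "__main__":
    for kind, text in (("reginfo", SAMPLE_REGINFO), ("secinfo", SAMPLE_SECINFO)):
        for number, severity, what in find_permissive_rules(kind, text):
            print("%s rule %d: %s (%s)" % (kind, number, what, severity))
```

If either file is absent, the effective ACL depends on the Gateway's own default (profile parameter gw/acl_mode), so treat "file not found" as a finding in its own right rather than as a clean result.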
  
Access control and SoD conflicts

•  [EASAI-NA-20] Users with SAP_ALL profile
•  [EASAI-NA-21] Users which can run any program
•  [EASAI-NA-22] Users which can modify critical table USR02
•  [EASAI-NA-23] Users which can execute any OS command
•  [EASAI-NA-24] Disabled authorization checks
What's next: There are at least 100 critical transactions only in BASIS and approximately the same number in any other module. Detailed information can be found in ISACA guidelines. After that, you can start Segregation of Duties

Unencrypted connections

•  [EASAI-NA-25] Use of SSL for securing HTTP connections
•  [EASAI-NA-26] Use of SNC for securing SAP GUI connections
•  [EASAI-NA-27] Use of SNC for securing RFC connections
What's next: Even if you use encryption, check how it is configured for every encryption type and for every service because there are different complex configurations for each encryption type. For example, the latest attacks on SSL (BEAST and CRIME) require companies to use more complex SSL configurations

Insecure trusted connections

•  [EASAI-NA-28] RFC connections with stored authentication data
•  [EASAI-NA-29] Trusted systems with lower security
What's next: Check other ways to get access to trusted systems, such as database links, use of the same OS user, or use of similar passwords for different systems

Logging and monitoring

•  [EASAI-NA-30] Logging of security events
•  [EASAI-NA-31] Logging of HTTP requests
•  [EASAI-NA-32] Logging of table changes
•  [EASAI-NA-33] Logging of access to Gateway
What's next: There are about 30 different types of log files in SAP. Upon properly enabling the main ones, you should properly configure complex options, such as which specific tables to monitor for changes, what kind of events to analyze in the security events log, what types of Gateway attacks should be collected. The next step is to enable their centralized collection and storage and then add other log events

Awareness

Results
•  SAP Security in Figures 2011
•  SAP Security in Figures 2013
•  3000 vulnerabilities in SAP
•  SAP Security in Figures 2014 (coming soon)

SAP security
3. Internal security and SoD

Internal security

•  Simple steps and statistics
•  Critical access
•  Segregation of Duties
•  Optimization and maintenance

Simple steps

•  Analyze statistics
–  Number of users in a role
o  0 – Role is not used
o  >100 – Divide into different roles, check for critical authorizations
–  Number of authorizations in a role
–  Number of authorization objects in a role

Critical access

•  There are different areas: HR, Basis, Fixed Assets, Material Management
•  Each of those roles has a list of critical transactions and authorizations (available in ISACA guidelines)
•  First of all, decrease the number of critical roles
•  For example, users who can only modify the table USR02 can do everything they want!

Example of actions and transactions

Critical access optimization

•  Obtain the list of roles with critical access to particular transactions
•  Minimize roles
•  Obtain the list of users with critical access to particular transactions
•  Sort them by type/locking status/etc.
•  Exclude administrators and superusers (and minimize them)
•  Minimize users

SoD analysis

•  Use default templates or customize them
•  Obtain the list of business roles in a company
•  Obtain the list of actions in a particular role
•  Assign transactions and authorization objects to actions
•  Create or modify matrix (add risk values)

Business roles and actions

Risk values

Analyzing SoD results

•  Result:
–  List of users with critical conflicts
–  List of roles with critical conflicts
•  Solving:
–  Obtain roles with maximum number of segregations
–  Optimize them
–  Obtain users with maximum number of segregations
–  Optimize them

Optimization

•  You will get thousands of conflicts the first time
•  How to solve them quickly:
–  Exclude all administrators (SAP_ALL)
–  Look at HOW exactly rights are assigned (all * values should be excluded)
–  Look at the history of executed transactions
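The SoD procedure of the last few slides (actions mapped to transactions, a conflict matrix with risk values, conflicts per user and per role, SAP_ALL administrators excluded, '*' values flagged) carried through on sample data. This is an added example, not code from the deck or from ERPScan; every role, user, transaction code assignment and risk value below is constructed, and a real analysis would take them from the system's role and authorization data.

```python
"""
Minimal Segregation of Duties analysis over role -> transaction assignments.
"""
from itertools import combinations

# Business actions and the transactions that grant them (constructed sample).
ACTIONS = {
    "Create vendor": {"FK01", "XK01"},
    "Post vendor invoice": {"FB60", "MIRO"},
    "Run payment": {"F110"},
    "Maintain user": {"SU01"},
}

# Conflict matrix: which action pairs must not meet in one person, with a risk value.
SOD_MATRIX = {
    frozenset({"Create vendor", "Post vendor invoice"}): "High",
    frozenset({"Post vendor invoice", "Run payment"}): "High",
    frozenset({"Create vendor", "Run payment"}): "Medium",
}

# Roles with their S_TCODE values; '*' is the wildcard the slide says to hunt for.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"FK01", "XK01"},
    "Z_TREASURY": {"F110"},
    "Z_ALL_TCODES": {"*"},
}

USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "BOB": {"Z_TREASURY"},
    "CAROL": {"Z_AP_CLERK", "Z_TREASURY"},
    "ADMIN1": {"Z_ALL_TCODES"},
}

# Holders of profile SAP_ALL: excluded from the SoD pass and handled as a separate finding.
SAP_ALL_USERS = {"ADMIN1"}


def actions_of_role(role, roles=ROLES, actions=ACTIONS):
    """Business actions a role grants; a '*' transaction value grants every action."""
    tcodes = roles[role]
    if "*" in tcodes:
        return set(actions)
    return {name for name, codes in actions.items() if codes & tcodes}


def conflicts_in(action_set, matrix=SOD_MATRIX):
    """Conflicting action pairs present in the set, as (action_a, action_b, risk)."""
    found = []
    for a, b in combinations(sorted(action_set), 2):
        risk = matrix.get(frozenset({a, b}))
        if risk:
            found.append((a, b, risk))
    return found


def role_conflicts(roles=ROLES):
    """Roles that carry conflicts by themselves, worst first: (role, conflict_count, has_wildcard)."""
    ranked = []
    for role in roles:
        found = conflicts_in(actions_of_role(role, roles))
        wildcard = "*" in roles[role]
        if found or wildcard:
            ranked.append((role, len(found), wildcard))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def user_conflicts(users=USERS, roles=ROLES, exclude=SAP_ALL_USERS):
    """Conflicts per user across all assigned roles, skipping SAP_ALL holders."""
    result = {}
    for user, assigned in users.items():
        if user in exclude:
            continue
        actions = set()
        for role in assigned:
            actions |= actions_of_role(role, roles)
        found = conflicts_in(actions)
        if found:
            result[user] = found
    return result


if __name__ == "__main__":
    print("roles to optimize first:", role_conflicts())
    print("users with conflicts:", user_conflicts())
    print("SAP_ALL holders to minimize:", sorted(SAP_ALL_USERS))
```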
  
SAP security
4. Source code security

ABAP

•  SAP uses ABAP, JAVA, and XSJS (for HANA)
•  ABAP, as any other language, can have vulnerabilities
•  It can also be used for writing backdoors
•  Development inside the company is almost uncontrolled
•  Developer access to system == god in SAP

Source code review

•  EASAD-9 standard from a series of standards designed for Enterprise Application Systems Security Assessment (EAS-SEC)
•  Full name:
–  Enterprise Application Systems Application Development
•  Describes 9 areas of source code issues for business languages
•  Universal categories for different languages and systems (SAP, Oracle, Dynamix, Infor, …)
•  Categorized based on criticality and exploitation probability

EASAD – 9 categories

1.  Code injections
2.  Critical calls
3.  Missing authorization checks
4.  Path traversal
5.  Modification of displayed content
6.  Backdoors
7.  Covert channels
8.  Information disclosure
9.  Obsolete statements

SAP security
5. Log management

SAP attacks

Attacks
•  It is very hard to make everything secure, so you need additional monitoring
•  ACFE published a report about 7 % revenue losses from fraud in the USA
•  Examples that we saw:
–  Salary modification
–  Material management fraud
–  Mistakes

Backdoors in custom source code

SAP forensics

•  Real attacks exist
•  But there is not so much public info
•  Companies are not interested in the publication of compromise
•  But the main problem is here:
–  How can you be sure there was no compromise?
–  Only 10% of systems have Security Audit Log enabled
–  Only a few of them analyze those logs
–  And much fewer do central storage and correlation

Log statistics

•  Web access: 70%
•  Security audit log: 10%
•  Table logging: 4%
•  Message Server: 2%
•  SAP Gateway: 2%

Log types

•  SAP Web Dispatcher – Security log
•  SAP Web Dispatcher – HTTP log
•  SAProuter log
•  SAP Gateway log
•  SAP Message Server log
•  SAP Message Server HTTP Log
•  SAP security audit log
•  ABAP user changes log
•  ABAP table changes log
•  ABAP document changes log
•  Trace files

SAP Security Logs

Name                                 Default   Central storage
SAP Web Dispatcher – Security Log    Enabled   No
SAP Web Dispatcher – HTTP log        Disabled  No
SAProuter log                        Disabled  No
SAP Gateway log                      Disabled  No
SAP Message Server log               Disabled  No
SAP Message Server HTTP log          Disabled  No
SAP security audit log               Disabled  CCMS?
ABAP user changes log                Enabled   No
ABAP table changes log               Disabled  No
ABAP document changes log            Disabled  No
Trace files                          Disabled  No
Developer trace                      Enabled   No

Defense

•  EAS-SEC: Resource which combines
–  Guidelines for assessing enterprise application security
–  Guidelines for assessing custom code
–  Surveys about enterprise application security

•  Critical networks are complex
•  A system is only as secure as its most insecure component
•  Holistic approach
•  Check out eas-sec.org
•  Check out erpscan.com

79
Conclusion

Contenu connexe

Tendances

081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0Latha Kamal
 
SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceTLI GrowthSession
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to usERPScan
 

Tendances (20)

081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important Questions
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
 
Day5 R3 Basis Security
Day5 R3 Basis   SecurityDay5 R3 Basis   Security
Day5 R3 Basis Security
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administration
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRC
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answers
 
Practical guide for sap security
Practical guide for sap security Practical guide for sap security
Practical guide for sap security
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
SAP GRC
SAP GRC SAP GRC
SAP GRC
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-q
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
 
SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and Compliance
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasks
 
Sap grc-access-control-solution
Sap grc-access-control-solutionSap grc-access-control-solution
Sap grc-access-control-solution
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security concepts
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 

En vedette

SAP security made easy
SAP security made easySAP security made easy
SAP security made easyERPScan
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 stepsERPScan
 
Sap Access Risks Procedures
Sap Access  Risks ProceduresSap Access  Risks Procedures
Sap Access Risks ProceduresInprise Group
 
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM Ertunga Arsal
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineERPScan
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPERPScan
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsERPScan
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPERPScan
 
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...ERPScan
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
Assessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsAssessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsERPScan
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM HackingERPScan
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating ERPScan
 
Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)ERPScan
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeERPScan
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsERPScan
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applicationsERPScan
 
Sap security for audit seminar
Sap security for audit seminarSap security for audit seminar
Sap security for audit seminarAmit Gupta
 

En vedette (20)

SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 steps
 
Sap Access Risks Procedures
Sap Access  Risks ProceduresSap Access  Risks Procedures
Sap Access Risks Procedures
 
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
SAP Security - Enterprise Threat Detection Methodology for QRadar - SIEM
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERP
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application Systems
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
 
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
Assessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsAssessing and Securing SAP Solutions
Assessing and Securing SAP Solutions
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM Hacking
 
Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating
 
Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscape
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
 
Sap security for audit seminar
Sap security for audit seminarSap security for audit seminar
Sap security for audit seminar
 

Similaire à Implement SAP security in 5 steps to secure your investments

Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsERPScan
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC ProjectERPScan
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit ERPScan
 
ciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Securityciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP SecurityPriyanka Aash
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...Glen Roberts, CISSP
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERPScan
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. ERPScan
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsERPScan
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Virtual Forge
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolShah Sheikh
 

Similaire à Implement SAP security in 5 steps to secure your investments (20)

Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
ciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Securityciso-platform-annual-summit-2013-New Framework for ERP Security
ciso-platform-annual-summit-2013-New Framework for ERP Security
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big business
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine.
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
 
PT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrolPT-DTS SCADA Security using MaxPatrol
PT-DTS SCADA Security using MaxPatrol
 

Plus de ERPScan

Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP MobileERPScan
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...ERPScan
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)ERPScan
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applicationsERPScan
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibilityERPScan
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
 

Plus de ERPScan (7)

Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP Mobile
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
 

Dernier

Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 

Dernier (20)

Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly

Implement SAP security in 5 steps to secure your investments

  • 1. Invest in security to secure investments. Implementing SAP security in 5 steps. Alexander Polyakov, CTO, ERPScan
  • 2. About ERPScan
      • The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
      • Leader by the number of acknowledgments from SAP (150+)
      • 60+ presentations at key security conferences worldwide
      • 25 awards and nominations
      • Research team – 20 experts with experience in different areas of security
      • Headquarters in Palo Alto (US) and Amsterdam (EU)
  • 3. Large enterprise sectors
      • Oil & Gas
      • Manufacturing
      • Logistics
      • Finance
      • Nuclear Power
      • Retail
      • Telecommunication
      • etc.
  • 4. Business applications
      • The role of business applications in a typical work environment
      • The need to control them to optimize business processes
      • Scope for enormous reduction in resource overheads and other direct monetary impact
      • Potential problems that one can't overlook
      • The need to reflect on security aspects – is it overstated?
      • Why is it a REAL and existent risk?
  • 5. What can the implications be?
      • Espionage
          – Theft of financial information
          – Corporate secret and information theft
          – Supplier and customer list theft
          – HR data theft
      • Sabotage
          – Denial of service
          – Tampering of financial records and accounting data
          – Access to technology network (SCADA) by trust relations
      • Fraud
          – False transactions
          – Modification of master data
  • 6. SAP
      • The most popular business application
      • More than 263000 customers worldwide
      • 83% Forbes 500 companies run SAP
      • Main system – ERP
      • Main platforms
          ‒ SAP NetWeaver ABAP
          ‒ SAP NetWeaver J2EE
          ‒ SAP BusinessObjects
          ‒ SAP HANA
          ‒ SAP Mobile Platform (SUP)
  • 7. SAP security
      • Complexity: complexity kills security. Many different vulnerabilities in all levels, from network to application
      • Customization: cannot be installed out of the box. A lot of (up to 50 %) custom code and business logic
      • Risky: rarely updated because administrators are scared of crashes and downtime
      • Unknown: mostly available inside the company (closed world)
      http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
  • 8. Securing SAP
      • Have budget
          – Find people and tools
      • Don't have budget
          – Try to show business how critical it is
  • 9. Ask 3rd parties for
      • Whitepapers
      • Webinars from experts
      • SAAS scanning of external-facing systems
      • SAP penetration testing
      • Deep SAP security assessment
  • 10. SAP security – 1. Pentesting and Audit
  • 11. Pentest
      Pentest – anonymous scan for SAP vulnerabilities and ways to exploit them
      • Analysis of exposed services (more than 20 possible)
      • BlackBox analysis of installed applications and vulnerabilities
      • Exploitation of found vulnerabilities
      • Privilege escalation
      • Presentation report for management
      ✓ Pentest can be a starting point for an SAP security project
      ✓ Pentest can also be a final test after implementation
  • 12. Analysis of running services
      • Scan an external company network for SAP services
      • Scan internal SAP systems from the user or guest network
      • Scan internal SAP systems from the admin network
  • 13. Remotely exposed services
      [Chart: number of exposed services, 2011 vs 2013 (scale 0–35), for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAProuter]
  • 14. Internal access
      • Only these services should be open for user access
          – Dispatcher or Message Server
          – Gateway (for some users)
          – ICM (for some users, if used)
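The rule on the "Internal access" slide can be turned into a check over a port scan of your own network segments. The script below is an added example, not code from the talk or from ERPScan: it classifies a constructed list of reachable ports into SAP services using the conventional SAP port layout (NN = instance number: 32NN Dispatcher, 33NN Gateway, 36NN Message Server, 80NN ICM HTTP, 81NN Message Server HTTP, 5NN13/5NN14 sapstartsrv = SAP Control, 1128/1129 SAP Host Control, 3299 SAProuter) and reports which services are reachable from a zone that the slide says should not see them. The per-zone allow-lists are this example's reading of the slide, not a policy taken from the talk.

```python
"""Added example (not from the original slides): classify a constructed list
of TCP ports reachable from one network zone into SAP services and report
the ones the 'Internal access' slide says should not be reachable by users
(only Dispatcher or Message Server; Gateway and ICM only for some users).

Assumed here: the conventional SAP port layout with NN = instance number
(32NN Dispatcher, 33NN Gateway, 36NN Message Server, 80NN ICM HTTP, 81NN
Message Server HTTP, 5NN13/5NN14 sapstartsrv = SAP Control, 1128/1129
SAP Host Control, 3299 SAProuter). The per-zone allow-lists are this
example's reading of the slide, not a policy taken from the talk."""

import re

# SAProuter is listed first so that 3299 is not read as Dispatcher of instance 99.
SERVICE_PATTERNS = [
    ("SAProuter", re.compile(r"^3299$")),
    ("Dispatcher", re.compile(r"^32\d\d$")),
    ("Gateway", re.compile(r"^33\d\d$")),
    ("Message Server", re.compile(r"^36\d\d$")),
    ("ICM HTTP", re.compile(r"^80\d\d$")),
    ("Message Server HTTP", re.compile(r"^81\d\d$")),
    ("SAP Control (sapstartsrv)", re.compile(r"^5\d\d1[34]$")),
    ("SAP Host Control", re.compile(r"^112[89]$")),
]

# Which services each zone may reach (constructed policy derived from the slide).
ALLOWED = {
    "user": {"Dispatcher", "Message Server"},
    "power_user": {"Dispatcher", "Message Server", "Gateway", "ICM HTTP"},
    "admin": {name for name, _ in SERVICE_PATTERNS},
}

# Constructed scan result: ports reachable from the user network of instance 00.
USER_NET_SCAN = [3200, 3300, 3600, 8000, 50013, 1128, 3299, 22]


def classify(port):
    """Map a port number to a SAP service name, or None if it is not a SAP port."""
    for name, pattern in SERVICE_PATTERNS:
        if pattern.match(str(port)):
            return name
    return None


def review_exposure(zone, open_ports):
    """Split the SAP ports reachable from `zone` into (allowed, unexpected)
    lists of (port, service), each sorted by port. Non-SAP ports are skipped."""
    allowed, unexpected = [], []
    for port in sorted(set(open_ports)):
        service = classify(port)
        if service is None:
            continue
        target = allowed if service in ALLOWED[zone] else unexpected
        target.append((port, service))
    return allowed, unexpected


if __name__ == "__main__":
    ok, bad = review_exposure("user", USER_NET_SCAN)
    print("allowed from user network:", ok)
    print("should be closed to users:", bad)
```

Run it against the port list a scanner returns from each of the three vantage points named on slide 12 (external, user/guest network, admin network); the "unexpected" list is the firewall work, and every entry on it is also one of the remote management interfaces covered by EASAI-NA-11 to -14 later in the talk.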
  • 15. Pentest JAVA – examples of vulnerabilities
      • Auth bypass in CTC
      • Anonymous user creation
      • Anonymous file read
      • Information disclosure
      • Unauthorized access to KM documents
  • 16. Pentest ABAP – examples of vulnerabilities:
      • Reginfo/Secinfo bypass
      • Oracle database access bypass
      • Buffer overflows
      • Information disclosure about files in MMC
      • Unauthorized access to log files
      • Injection of OS commands in SAPHostControl
      • Dangerous web services
      • Information disclosure of parameters in Message Server HTTP
  • 17. Full SAP security assessment
      • BlackBox vulnerability scan
      • Penetration testing
      • WhiteBox configuration scan
          ‒ Configuration analysis
          ‒ Access control checks
          ‒ SAP Security Notes analysis
          ‒ Password complexity checks (bruteforce)
  • 18. Configuration analysis
      • Authentication (password policies, SSO, users by different criteria)
      • Access control (access to different web services, tables, transactions, insecure test services, unnecessary transactions and web applications)
      • Encryption (SSL and SNC encryption)
      • Monitoring (security audit log, system log and others)
      • Insecure configuration (all other security checks for particular services: Gateway, Message Server, ITS, SAPGUI, Web Dispatcher, MMC, Host Control, Portal)
  • 19. Access control
      • Users with critical profiles
      • Users with critical roles
      • Users with access to critical tables
      • Users with access to transport
      • Users with access to development
      • Users with access to user administration
      • Users with access to system administration
      • Users with access to HR functions
      • Users with access to CRM functions
      • …Specific access control checks for industry solutions
  • 20. Vulnerability scan
      • Check for latest component versions
      • Check for missing SAP Security Notes
      • Correlate patches with SAP Security Notes
      • Exploit vulnerabilities to check if they really exist
      • Risk management
  • 21. SAP security – 2. Compliance
  • 22. Compliance
      First of all, choose the one you want
      • Technical
          ‒ EAS-SEC
          ‒ SAP NetWeaver ABAP Security Configuration
          ‒ ISACA (ITAF)
          ‒ DSAG
      • Industry
          ‒ PCI DSS
          ‒ NERC CIP
  • 23. SAP security – Why do we need a new guide?
  • 24. 3 areas of Business Application Security
      • Business logic security (SoD) – prevents attacks or mistakes made by insiders
      • Custom code security – prevents attacks or mistakes made by developers
      • Application platform security – prevents unauthorized access both by insiders and remote attackers
  • 25. Security guidelines
      • For web, we have OWASP, WASC
      • For network and OS, we have NIST, SANS
      • But what about Enterprise Business Applications?
  • 26. Why? (1)
      • Questions like "why?" and "what for?" are the alpha and omega of every research
      • The most frequent question we were asked: "Guys, you are awesome! You are doing a great job so far, finding so many problems in our installations. It's absolutely fantastic, but we don't know where to start solving them. Could you provide us with top 10/20/50/100/[your favorite number] most critical bugs in every area?"
  • 27. Why? (2)
      • We had to do something completely different from just Top 10 most critical bugs
      • Even if you patch all vulnerabilities, lots of problems could still remain: access control, configuration, logs
      • The number one challenge is to understand all security areas of EAS and to have the opportunity to select several most critical issues for every area
  • 28. Why? (3)
      • We started to analyze the existing guidelines and standards
          – High level policies: NIST, SOX, ISO, PCI-DSS
          – Technical guides: OWASP, WASC, SANS 25, CWE
          – SAP guides:
              o Configuration of SAP NetWeaver® Application Server Using ABAP by SAP
              o ISACA Assurance (ITAF) by ISACA
              o DSAG by German SAP User Group
      • Those standards are great, but, unfortunately, all of them have at least one big disadvantage
  • 29. SAP security guidelines
      • Guidelines made by SAP
      • First official SAP guide for technical security of ABAP stack
      • Secure Configuration of SAP NetWeaver® Application Server Using ABAP
      • First version in 2010, version 1.2 in 2012
  • 30. SAP security guidelines
      • For rapid assessment of the most common technical platform misconfigurations
      • Consists of 9 areas and 82 checks
      • Ideal as a second step, gives more details for some standard EAS-SEC areas
      http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
  • 31. SAP security guidelines
      • Advantages:
          – Very brief but quite comprehensive (only 9 pages)
          – Covers application platform issues
          – Applicable for every ABAP based platform (either ERP or Solution Manager or HR)
      • Disadvantages:
          – 82 checks is still a lot for a first brief look on secure configuration
          – Doesn't cover access control issues and logging, and misses some things even in platform security
          – Gives people a false sense of security if they cover all checks, but it wouldn't be completely true
  • 32. ISACA Assurance (ITAF)
      • Guidelines made by ISACA
      • Checks cover configuration and access control areas
      • The first most complete compliance
      • There were 3 versions published in 2002, 2006, 2009 (some areas are outdated now)
  • 33. ISACA Assurance (ITAF)
      • Technical part covers incomplete access control info and misses some critical areas
      • The biggest advantage is the big database of access control checks
      • Consists of 4 parts and more than 160 checks
      • Ideal as a third-step guide and very useful for its detailed coverage of access control
  • 34. ISACA Assurance (ITAF)
      • Advantages:
          – Detailed coverage of access control checks
      • Disadvantages:
          – Outdated
          – Technical part is missing
          – Too many checks, can't be easily used by a non-SAP specialist
          – Can't be applied to any system without prior understanding of the business processes
          – Is officially available only as part of the book, or you should be at least an ISACA member to get it
  • 35. DSAG
      • Set of recommendations from Deutsche SAP User Group
      • Checks cover all security areas, from technical configuration and source code to access control and management procedures
      • Currently the biggest guideline about SAP security
  • 36. DSAG
      • Last version in Jan 2011
      • Consists of 8 areas and 200+ checks
      • Ideal as a final step for securing SAP, but consists of many checks which need additional decision making (highly depends on the installation)
      http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
  • 37. DSAG
      • Advantages:
          – Ideal as a final step for securing SAP
          – Great for SAP security administrators, covers almost all areas
      • Disadvantages:
          – Same as ISACA: too big for a starter, and no help at all for security people who are not familiar with SAP
          – Can't be directly applied to every system without prior understanding of business processes. Many checks are recommendations, and the users should think for themselves if they are applicable in each case
  • 39. EAS-SEC
      • The authors' efforts were:
          – to make this list as brief as possible
          – to cover the most critical threats for each area
          – to make it easily used not only by SAP/ERP security experts but by every security specialist
          – to provide comprehensive coverage of all critical SAP security areas
      • At the same time, to develop the most complete guide would be a never-ending story
      • So we implemented the 80/20 rule for SAP security
  • 40. EAS-SEC
      • Developed by ERPScan
      • First release 2010
      • Second edition 2013 (http://eas-sec.org)
      • 3 main areas
          – Implementation assessment
          – Code review
          – Awareness
      • Rapid assessment of Business Application security
  • 41. EASSEC Implementation Assessment (EASSEC-PVAG)
      Area                                       Access         Criticality   Easy to exploit   % of vulnerable systems
      1. Lack of patch management                Anonymous      High          High              99%
      2. Default passwords for application access Anonymous     High          High              95%
      3. Unnecessary enabled functionality       Anonymous      High          High              90%
      4. Open remote management interfaces       Anonymous      High          Medium            90%
      5. Insecure configuration                  Anonymous      Medium        Medium            90%
      6. Unencrypted communication               Anonymous      Medium        Medium            80%
      7. Access control and SOD                  User           High          Medium            99%
      8. Insecure trust relations                User           High          Medium            80%
      9. Logging and monitoring                  Administrator  High          Medium            98%
  • 42. EAS-SEC for SAP NetWeaver ABAP
      Enterprise Application Systems Application Implementation – NetWeaver ABAP
          – Developed by ERPScan: first standard in the EAS-SEC series
          – Published in 2013
            http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/
          – Rapid assessment of SAP security in 9 areas
          – Contains 33 most critical checks
          – Ideal as a first step
          – Also contains information for next steps
          – Categorized by priority and criticality
  • 43. EAS-SEC for NetWeaver (EASSEC-PVAG-ABAP)
      Enterprise Application Systems Vulnerability Assessment – for NetWeaver ABAP
          – First standard in the EAS-SEC series
          – Rapid assessment of SAP security in 9 areas
          – Contains 33 most critical checks
          – Ideal as a first step
          – Also contains information for next steps
          – Categorized by priority and criticality
  • 44. Lack of patch management
      • [EASAI-NA-01] Component updates
      • [EASAI-NA-02] Kernel updated
      What's next: other components should be updated separately – SAProuter, SAP GUI, SAP NetWeaver J2EE, SAP BusinessObjects. Also, OS and database
  • 45. Default passwords
      • [EASAI-NA-03] Default password check for user SAP*
      • [EASAI-NA-04] Default password check for user DDIC
      • [EASAI-NA-05] Default password check for user SAPCPIC
      • [EASAI-NA-06] Default password check for user MSADM
      • [EASAI-NA-07] Default password check for user EARLYWATCH
      What's next: a couple of additional SAP components, like old versions of SAP SDM and SAP ITS, have default passwords. After you check all default passwords, you can start bruteforcing for simple passwords
  • 46. Unnecessary enabled functionality
      • [EASAI-NA-08] Access to RFC functions using SOAP interface
      • [EASAI-NA-09] Access to RFC functions using FORM interface
      • [EASAI-NA-10] Access to XI service using SOAP interface
      What's next: analyze about 1500 other services which are remotely enabled to see if they are really needed. Disable unused transactions, programs and reports
  • 47. Open remote management interfaces
      • [EASAI-NA-11] Unauthorized access to SAPControl service
      • [EASAI-NA-12] Unauthorized access to SAPHostControl service
      • [EASAI-NA-13] Unauthorized access to Message Server service
      • [EASAI-NA-14] Unauthorized access to Oracle database
      What's next: the full list of SAP services is available here: TCP/IP Ports Used by SAP Applications. Also, take care of 3rd party services which can be enabled on this server
  • 48. Insecure configuration
      • [EASAI-NA-15] Minimum password length
      • [EASAI-NA-16] User locking policy
      • [EASAI-NA-17] Password compliance to current standards
      • [EASAI-NA-18] Access control to RFC (reginfo.dat)
      • [EASAI-NA-19] Access control to RFC (secinfo.dat)
      What's next: first of all, look to Secure Configuration of SAP NetWeaver® Application Server Using ABAP for detailed configuration checks. Afterwards, pass through detailed documents for each and every SAP service and module
      http://help.sap.com/saphelp_nw70/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
  • 49. Access control and SoD conflicts
      • [EASAI-NA-20] Users with SAP_ALL profile
      • [EASAI-NA-21] Users which can run any program
      • [EASAI-NA-22] Users which can modify critical table USR02
      • [EASAI-NA-23] Users which can execute any OS command
      • [EASAI-NA-24] Disabled authorization checks
      What's next: there are at least 100 critical transactions only in BASIS and approximately the same number in any other module. Detailed information can be found in ISACA guidelines. After that, you can start Segregation of Duties
  • 50. Unencrypted connections
      • [EASAI-NA-25] Use of SSL for securing HTTP connections
      • [EASAI-NA-26] Use of SNC for securing SAP GUI connections
      • [EASAI-NA-27] Use of SNC for securing RFC connections
      What's next: even if you use encryption, check how it is configured for every encryption type and for every service, because there are different complex configurations for each encryption type. For example, the latest attacks on SSL (BEAST and CRIME) require companies to use more complex SSL configurations
  • 51. Insecure trusted connections
      • [EASAI-NA-28] RFC connections with stored authentication data
      • [EASAI-NA-29] Trusted systems with lower security
      What's next: check other ways to get access to trusted systems, such as database links, use of the same OS user, or use of similar passwords for different systems
  • 52. Logging and monitoring
      • [EASAI-NA-30] Logging of security events
      • [EASAI-NA-31] Logging of HTTP requests
      • [EASAI-NA-32] Logging of table changes
      • [EASAI-NA-33] Logging of access to Gateway
      What's next: there are about 30 different types of log files in SAP. Upon properly enabling the main ones, you should properly configure complex options, such as which specific tables to monitor for changes, what kind of events to analyze in the security events log, and what types of Gateway attacks should be collected. The next step is to enable their centralized collection and storage and then add other log events
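Most of the items on the "Insecure configuration" slide (EASAI-NA-15, -16, -18, -19) and all of the "Logging and monitoring" slide (EASAI-NA-30 to -33) map onto instance profile parameters and the two Gateway ACL files, so they can be verified from a copy of the profile without touching the running system. The script below is an added example written for this page, not code from the talk or from ERPScan: it checks a constructed profile and constructed reginfo/secinfo files and lists the items that fail. The parameter names (login/min_password_lng, login/fails_to_user_lock, gw/reg_info, gw/sec_info, rsau/enable, icm/HTTP/logging_0, rec/client, gw/logging) are real SAP profile parameters; the thresholds used (at least 8 characters, lock after at most 5 failed logons) are this example's assumptions, not values from the guide, and EASAI-NA-17 (compliance to current password standards) is not covered because it is a policy judgment rather than a single parameter.

```python
"""Added example (not from the original slides): check a constructed SAP ABAP
instance profile and Gateway ACL files against the items of the 'Insecure
configuration' slide (EASAI-NA-15, -16, -18, -19) and the 'Logging and
monitoring' slide (EASAI-NA-30 to -33).

login/min_password_lng, login/fails_to_user_lock, gw/reg_info, gw/sec_info,
rsau/enable, icm/HTTP/logging_0, rec/client and gw/logging are real SAP
profile parameters; the thresholds used below (at least 8 characters, lock
after at most 5 failed logons) are this example's own assumptions, not
values from the guide. reginfo/secinfo lines follow the version-2 syntax:
'P' permits, 'D' denies, KEY=VALUE fields, '*' is the wildcard."""

# Constructed instance profile with several weak settings.
SAMPLE_PROFILE = """# constructed profile, not from a real system
login/min_password_lng = 6
login/fails_to_user_lock = 12
gw/reg_info = /usr/sap/DEV/SYS/global/reginfo
gw/sec_info = /usr/sap/DEV/SYS/global/secinfo
rsau/enable = 0
rec/client = OFF
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day
"""

# Constructed reginfo: any host may register any program at the Gateway.
SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed secinfo: one program allowed from the local host, everything else denied.
SAMPLE_SECINFO = """#VERSION=2
P TP=sapxpg USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""


def parse_profile(text):
    """Parse 'name = value' lines into a dict; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def parse_acl(text):
    """Parse reginfo/secinfo lines into (action, {KEY: value}) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            action, *fields = line.split()
            rules.append((action, dict(f.split("=", 1) for f in fields if "=" in f)))
    return rules


def wildcard_permit(rules, keys):
    """True if some permit rule has '*' for every one of the given keys."""
    return any(action == "P" and all(attrs.get(k) == "*" for k in keys)
               for action, attrs in rules)


def check_profile(profile_text, reginfo_text, secinfo_text,
                  min_pw_len=8, max_failed_logons=5):
    """Return the failed checks as a list of (check id, explanation)."""
    p = parse_profile(profile_text)
    findings = []
    # EASAI-NA-15 / -16: password length and user locking policy.
    if int(p.get("login/min_password_lng", "0")) < min_pw_len:
        findings.append(("EASAI-NA-15", f"login/min_password_lng below {min_pw_len}"))
    fails = p.get("login/fails_to_user_lock")
    if fails is None or int(fails) > max_failed_logons:
        findings.append(("EASAI-NA-16", f"login/fails_to_user_lock missing or above {max_failed_logons}"))
    # EASAI-NA-18 / -19: Gateway ACLs must exist and must not permit everything.
    if "gw/reg_info" not in p or wildcard_permit(parse_acl(reginfo_text), ("TP", "HOST")):
        findings.append(("EASAI-NA-18", "reginfo missing or permits any program from any host"))
    if "gw/sec_info" not in p or wildcard_permit(parse_acl(secinfo_text), ("TP", "USER", "HOST")):
        findings.append(("EASAI-NA-19", "secinfo missing or permits any program for any user and host"))
    # EASAI-NA-30 to -33: the logs the guide expects to be switched on.
    if p.get("rsau/enable") != "1":
        findings.append(("EASAI-NA-30", "security audit log off (rsau/enable is not 1)"))
    if not p.get("icm/HTTP/logging_0"):
        findings.append(("EASAI-NA-31", "no ICM HTTP request log (icm/HTTP/logging_0 unset)"))
    if p.get("rec/client", "OFF").upper() == "OFF":
        findings.append(("EASAI-NA-32", "table change logging off (rec/client is OFF)"))
    if "ACTION=" not in p.get("gw/logging", ""):
        findings.append(("EASAI-NA-33", "Gateway logging unset (gw/logging)"))
    return findings


if __name__ == "__main__":
    for check_id, why in check_profile(SAMPLE_PROFILE, SAMPLE_REGINFO, SAMPLE_SECINFO):
        print(check_id, why)
```

Note that the ACL test is deliberately coarse: it only flags a permit line whose named keys are all `*`. A reginfo line such as `P TP=* HOST=internal` still passes it, so the output is a first pass in the spirit of the 33-check guide, and the per-service documents the slide points to are where the finer rules come from.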
  • 54. Awareness
      • SAP Security in Figures 2011
      • SAP Security in Figures 2013
      • 3000 vulnerabilities in SAP
      • SAP Security in Figures 2014 (coming soon)
  • 55. SAP security – 3. Internal security and SoD
  • 56. Internal security
      • Simple steps and statistics
      • Critical access
      • Segregation of Duties
      • Optimization and maintenance
  • 57. Simple steps
      • Analyze statistics
          – Number of users in a role
              o 0 – role is not used
              o >100 – divide into different roles, check for critical authorizations
          – Number of authorizations in a role
          – Number of authorization objects in a role
  • 58. Critical access
      • There are different areas: HR, Basis, Fixed Assets, Material Management
      • Each of those areas has a list of critical transactions and authorizations (available in ISACA guidelines)
      • First of all, decrease the number of critical roles
      • For example, users who can only modify the table USR02 can do everything they want!
  • 59. Example of actions and transactions
  • 60. Critical access optimization
      • Obtain the list of roles with critical access to particular transactions
      • Minimize roles
      • Obtain the list of users with critical access to particular transactions
      • Sort them by type/locking status/etc.
      • Exclude administrators and superusers (and minimize them)
      • Minimize users
  • 61. SoD analysis
      • Use default templates or customize them
      • Obtain the list of business roles in a company
      • Obtain the list of actions in a particular role
      • Assign transactions and authorization objects to actions
      • Create or modify matrix (add risk values)
  • 62. Business roles and actions
  • 64. Analyzing SoD results
      • Result:
          – List of users with critical conflicts
          – List of roles with critical conflicts
      • Solving:
          – Obtain roles with maximum number of segregations
          – Optimize them
          – Obtain users with maximum number of segregations
          – Optimize them
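Slides 57 to 64 describe one procedure: count users per role, list who holds critical access, then run the SoD matrix and rank the roles and users that cause the most conflicts. The script below is an added example, not code from the talk or from ERPScan, that runs all three steps over a constructed user/role/transaction model. The role names, transaction codes, the critical-transaction set and the two SoD rules are this example's own illustrations (they are not rules from the talk), and it simplifies by looking at transaction codes only; a real analysis must also evaluate authorization objects and their field values, which is what the "all * values should be excluded" remark on the next slide is about.

```python
"""Added example (not from the original slides): the role statistics of the
'Simple steps' slide (0 users = unused, more than 100 = split the role), the
critical-access listing of the 'Critical access optimization' slide and the
SoD analysis of the 'SoD analysis' / 'Analyzing SoD results' slides, run over
a constructed user/role/transaction model.

The role names, transaction codes, the critical-transaction set and the two
SoD rules below are this example's own illustrations, not rules from the
talk; a real analysis would also take authorization objects and their field
values into account, not only transaction codes."""

from collections import defaultdict

# Constructed data: transactions per role and roles per user.
ROLE_TRANSACTIONS = {
    "Z_AP_INVOICE": {"FB60", "MIRO"},       # post vendor invoices
    "Z_AP_PAYMENT": {"F110", "F-53"},       # run payments
    "Z_VENDOR_MASTER": {"XK01", "XK02"},    # create / change vendor master data
    "Z_DISPLAY_ONLY": {"FB03", "XK03"},     # display only
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM30"},
    "Z_UNUSED": {"ME21N"},                  # nobody holds this role
}
USER_ROLES = {
    "alice": {"Z_AP_INVOICE", "Z_AP_PAYMENT"},
    "bob": {"Z_AP_INVOICE", "Z_VENDOR_MASTER"},
    "carol": {"Z_DISPLAY_ONLY"},
    "dave": {"Z_BASIS_ADMIN"},
    "erin": {"Z_BASIS_ADMIN", "Z_DISPLAY_ONLY"},
}
# Constructed SoD rules: (name, risk, side A, side B); holding a transaction
# from both sides is a conflict.
SOD_RULES = [
    ("Invoice + Payment", "High", {"FB60", "MIRO"}, {"F110", "F-53"}),
    ("Vendor master + Invoice", "High", {"XK01", "XK02"}, {"FB60", "MIRO"}),
]
# Constructed critical set (user and table maintenance) and the administrators
# that the 'Optimization' slide says to exclude from the first pass.
CRITICAL_TRANSACTIONS = {"SU01", "PFCG", "SM30"}
ADMIN_USERS = {"dave"}


def role_statistics(user_roles, role_transactions):
    """Per role: (number of users, 'unused' | 'split' | 'ok')."""
    counts = {role: 0 for role in role_transactions}
    for roles in user_roles.values():
        for role in roles:
            counts[role] = counts.get(role, 0) + 1
    return {role: (n, "unused" if n == 0 else "split" if n > 100 else "ok")
            for role, n in counts.items()}


def user_transactions(user, user_roles, role_transactions):
    """All transactions a user can reach through any of their roles."""
    return set().union(*(role_transactions[r] for r in user_roles[user]))


def critical_access_users(critical, user_roles, role_transactions, exclude=frozenset()):
    """Non-excluded users holding at least one critical transaction."""
    return [u for u in user_roles if u not in exclude
            and user_transactions(u, user_roles, role_transactions) & critical]


def triggered_rules(transactions, rules):
    """SoD rules for which the transaction set touches both sides."""
    return [rule for rule in rules if transactions & rule[2] and transactions & rule[3]]


def sod_report(user_roles, role_transactions, rules, exclude=frozenset()):
    """Return ({user: [conflict names]}, roles ranked by how many user
    conflicts they take part in), skipping excluded administrators."""
    user_conflicts, role_hits = {}, defaultdict(int)
    for user, roles in user_roles.items():
        if user in exclude:
            continue
        hits = triggered_rules(user_transactions(user, user_roles, role_transactions), rules)
        if not hits:
            continue
        user_conflicts[user] = [name for name, *_ in hits]
        for _, _, side_a, side_b in hits:
            for role in roles:
                if role_transactions[role] & (side_a | side_b):
                    role_hits[role] += 1
    ranked = sorted(role_hits, key=lambda r: (-role_hits[r], r))
    return user_conflicts, ranked


if __name__ == "__main__":
    print(role_statistics(USER_ROLES, ROLE_TRANSACTIONS))
    print(critical_access_users(CRITICAL_TRANSACTIONS, USER_ROLES, ROLE_TRANSACTIONS, ADMIN_USERS))
    print(sod_report(USER_ROLES, ROLE_TRANSACTIONS, SOD_RULES, ADMIN_USERS))
```

The role ranking is the "roles with maximum number of segregations" list from slide 64: a role is counted once per user conflict it contributes to, so the role that appears in the most conflicts (here the invoice role, which sits in both rules) is the first one to split or trim, which resolves several user-level conflicts at once.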
  • 65. Optimization
      • You will get thousands of conflicts the first time
      • How to solve them quickly:
          – Exclude all administrators (SAP_ALL)
          – Look at HOW exactly rights are assigned (all * values should be excluded)
          – Look at the history of executed transactions
  • 66. SAP security – 4. Source code security
  • 67. ABAP
      • SAP uses ABAP, JAVA, and XSJS (for HANA)
      • ABAP, as any other language, can have vulnerabilities
      • It can also be used for writing backdoors
      • Development inside the company is almost uncontrolled
      • Developer access to system == god in SAP
  • 68. Source code review
      • EASAD-9 standard from a series of standards designed for Enterprise Application Systems Security Assessment (EAS-SEC)
      • Full name:
          – Enterprise Application Systems Application Development
      • Describes 9 areas of source code issues for business languages
      • Universal categories for different languages and systems (SAP, Oracle, Dynamics, Infor, …)
      • Categorized based on criticality and exploitation probability
  • 69. EASAD – 9 categories
      1. Code injections
      2. Critical calls
      3. Missing authorization checks
      4. Path traversal
      5. Modification of displayed content
      6. Backdoors
      7. Covert channels
      8. Information disclosure
      9. Obsolete statements
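Four of the nine EASAD categories (code injections, critical calls, missing authorization checks, backdoors) have obvious statement-level signatures in ABAP, which is enough to show what a custom-code review looks for. The scanner below is an added example written for this page, not code from the talk or from ERPScan: it runs a few regular-expression rules over a constructed ABAP report that contains a user-name backdoor, an unchecked OS command call and dynamic code generation, and over a hardened variant of the same report. The patterns are illustrative heuristics; a real code review tool needs data-flow analysis, and the authorization object S_LOG_COM in the hardened variant is the standard object for logical OS commands, used here only to show what "guarded" looks like.

```python
"""Added example (not from the original slides): a small line-based scanner
for four of the EASAD-9 categories (1 code injections, 2 critical calls,
3 missing authorization checks, 6 backdoors), run over a constructed ABAP
report. The patterns are illustrative heuristics chosen for this example;
a real code review tool needs data-flow analysis, not regular expressions."""

import re

# Constructed ABAP report with the defects the scanner should find.
ABAP_VULNERABLE = """REPORT zexample.
PARAMETERS p_cmd TYPE string.
DATA lt_src TYPE TABLE OF string.
DATA lv_prog TYPE string.
IF sy-uname = 'ZDEVBACK'.
  " shortcut for one named user: a backdoor, and no AUTHORITY-CHECK anywhere
  CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
ENDIF.
APPEND p_cmd TO lt_src.
GENERATE SUBROUTINE POOL lt_src NAME lv_prog.
"""

# Constructed hardened variant: authorization check instead of a user-name test,
# no dynamic code generation. The OS command call is still reported as a
# critical call because it still deserves a reviewer's attention.
ABAP_HARDENED = """REPORT zexample.
PARAMETERS p_cmd TYPE string.
AUTHORITY-CHECK OBJECT 'S_LOG_COM' ID 'COMMAND' FIELD p_cmd.
IF sy-subrc = 0.
  CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
ENDIF.
"""

LINE_RULES = [
    ("1 Code injections", re.compile(r"\b(GENERATE SUBROUTINE POOL|INSERT REPORT)\b", re.I)),
    ("2 Critical calls", re.compile(r"\bCALL\s+'SYSTEM'", re.I)),
    ("6 Backdoors", re.compile(r"\bsy-uname\s*(=|EQ)\s*'[^']*'", re.I)),
]
# Statements that must be guarded by an AUTHORITY-CHECK somewhere in the program.
NEEDS_AUTH = re.compile(r"\bCALL\s+'SYSTEM'|\bOPEN DATASET\b|\bGENERATE SUBROUTINE POOL\b", re.I)
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.I)


def strip_comment(line):
    """Drop '*' full-line comments and '"' trailing comments, honouring '...' literals."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line


def scan_abap(source):
    """Return sorted (line number, category) findings; line 0 = program level."""
    findings, needs_auth, has_auth = [], False, False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        for category, pattern in LINE_RULES:
            if pattern.search(code):
                findings.append((lineno, category))
        needs_auth = needs_auth or bool(NEEDS_AUTH.search(code))
        has_auth = has_auth or bool(AUTH_CHECK.search(code))
    if needs_auth and not has_auth:
        findings.append((0, "3 Missing authorization checks"))
    return sorted(findings)


if __name__ == "__main__":
    for name, src in (("vulnerable", ABAP_VULNERABLE), ("hardened", ABAP_HARDENED)):
        print(name, scan_abap(src))
```

Comments are stripped before matching so that a `"`-comment mentioning `sy-uname` does not produce a finding, and the authorization check is evaluated per program rather than per line, which is the minimum a reviewer needs before deciding whether the AUTHORITY-CHECK actually guards the critical statement.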
  • 70. SAP security – 5. Log management
  • 72. Attacks
      • It is very hard to make everything secure, so you need additional monitoring
      • ACFE published a report about 7 % revenue losses from fraud in the USA
      • Examples that we saw:
          – Salary modification
          – Material management fraud
          – Mistakes
  • 73. Backdoors in custom source code
  • 74. SAP forensics
      • Real attacks exist
      • But there is not so much public info
      • Companies are not interested in the publication of compromise
      • But the main problem is here:
          – How can you be sure there was no compromise?
          – Only 10% of systems have Security Audit Log enabled
          – Only a few of them analyze those logs
          – And much fewer do central storage and correlation
  • 75. Log statistics
      • Web access – 70%
      • Security audit log – 10%
      • Table logging – 4%
      • Message Server – 2%
      • SAP Gateway – 2%
  • 76. Log types
      • SAP Web Dispatcher – security log
      • SAP Web Dispatcher – HTTP log
      • SAProuter log
      • SAP Gateway log
      • SAP Message Server log
      • SAP Message Server HTTP log
      • SAP security audit log
      • ABAP user changes log
      • ABAP table changes log
      • ABAP document changes log
      • Trace files
  • 77. SAP Security Logs
      Name                                Default    Central storage
      SAP Web Dispatcher – security log   Enabled    No
      SAP Web Dispatcher – HTTP log       Disabled   No
      SAProuter log                       Disabled   No
      SAP Gateway log                     Disabled   No
      SAP Message Server log              Disabled   No
      SAP Message Server HTTP log         Disabled   No
      SAP security audit log              Disabled   CCMS?
      ABAP user changes log               Enabled    No
      ABAP table changes log              Disabled   No
      ABAP document changes log           Disabled   No
      Trace files                         Disabled   No
      Developer trace                     Enabled    No
  • 78. Defense
      • EAS-SEC: resource which combines
          – Guidelines for assessing enterprise application security
          – Guidelines for assessing custom code
          – Surveys about enterprise application security
  • 79. Conclusion
      • Critical networks are complex
      • A system is as secure as its most insecure component
      • Holistic approach
      • Check out eas-sec.org
      • Check out erpscan.com