SlideShare une entreprise Scribd logo

Find Vulnerabilities Before Getting Hurt

akquinet enterprise solutions GmbH
akquinet enterprise solutions GmbH

The document summarizes the process and benefits of conducting an SAP security and compliance audit using the SAST SUITE tool. The audit focuses on authorization management, system configuration, and ABAP development/customizing. SAST SUITE comprehensively checks over 4,000 system settings and authorization rules. It generates a detailed report highlighting vulnerabilities and recommendations for remediation. On average, SAST SUITE can complete an audit in half the time required for a manual audit, reducing the resource burden on audited departments.

Technologie
1  sur  29
Télécharger pour lire hors ligne
SAP Security & Compliance Audits. Find your vulnerabilities before you get hurt.
WELCOME! Introducing your host today: - 2 - TIM KRÄNZKE Member of the Executive Board Fon: +49 40 88173-2735 Email: tim.kraenzke@akquinet.com Web: sast-solutions.com AXEL GIESE Senior Consultant SAP Security Fon: +49 40 88173-2709 Email: axel.giese@akquinet.com Web: sast-solutions.com
„From our project experiences we know: every system is vulnerable. It is a question of how difficult it is and how long it takes. We rarely find SAP systems in which the infrastructure is hardened in the best possible way and effective authorization management is lived out. Threats are almost always detected too late. With the right concept, the probability of a successful attack can be significantly reduced.“ Ralf Kempf CTO SAST SOLUTIONS - 6 -
A meaningful audit should consider the following aspects:  Comprehensiveness  Systematics  Assignment to system landscapes  Consideration of specific customer situations Scope of safty tests - 7 -
SAST CONSULTING SAP security and compliance know-how for your digital future : SAP SECURITY CONSULTING SAST CONSULTING for SAP ERP and S/4HANA Penetration Tests Security & Compliance Audits SAP Security Guidelines System Hardening & Optimization Source Code Analysis & Cleansing - 8 - Authorization Concepts Pilot Studies Roles & Authorization Optimization SAP AUTHORIZATION CONSULTING S/4HANA Migration GRC Workshops
4D IT-SECURITY: Comprehensive protection in real-time! Our process model - 9 - Security Level Validation System Hardening Security Monitoring ▪ Security assessment / Audit ▪ Penetration test System hardening on ALL levels ▪ OS / Network / Databases ▪ Basis system / Authorizations / Configurable controls ▪ Applications and transactions Access monitoring on ALL levels ▪ OS / Network / Databases ▪ Basis system / Authorizations / Configurable controls ▪ Applications and transactions
Passive Testing Security / Vulnerability Assessment (Quick Check)  Analysis of the test object for security deficiencies.  Use of automated tools. Objective: Identify ALL possible vulnerabilities. IT Security und Compliance Audit  Target/actual comparison of the test object: in-/external guidelines (BSI, ISO, SOX, PCI) or "state of the art".  Analysis of the test object for security deficiencies and deviations from standards. Objective: Validating processes, documentation and systems against guidelines. Definition of terms - 10 - ! ! Active Testing Penetration Test  Testing of IT components regarding the existence and effectiveness of security measures and active exploitation of weak points. Objective: Analysis of the system and break-in through active use of vulnerabilities.!
Audit focus and Audit Procedure Benefits Systemconfig./ Operations Development/ CustomizingAuthorizations Business Departments Through extensive analyses of the critical authorizations and SoD conflicts in various modules and processes (HR, FI/CO, P2P, O2C, etc.), misconduct in the authorization management can be found and subsequently eliminated in order to meet legal and internal requirements. Basis / IT Department The SAST Quick Check examines authorizations in the IT basis environment in more detail and examines them for SoD conflicts. In addition to the security-relevant system settings and parameters, various developments and customizing settings are also checked regarding their system security. Control Instances Analyses by the SAST Quick Check can support different control instances such as internal or external audits and lead to cost savings. - 11 -
Use case: Migration SAP ERP / AnyDB -> SAP HANA & S/4HANA A good time for a safety check. SAP ERP 6.0 EhP7 AnyDB (Oracle, SQL Server, DB2) SAP ERP AnyDB (Oracle, SQL Server, DB2) SAP ERP 6.0 EhP7 SAP HANA on Linux SAP S/4HANA SAP HANA on Linux EhP System Copy S/4HANA Conversion Starting State + EhP7 SUITE on HANA S/4HANA 1. Security Gap: Application Server ▪ Parameter ▪ Auditing ▪ Security Patches ▪ … 2. Security Gap: Operating System ▪ Authentification Settings ▪ Network Settings ▪ Service and File Permissions ▪ Logging and Reporting ▪ … 3. Security Gap: Database ▪ Authentification Parameters ▪ HANA Authorizations ▪ Audit Settings ▪ Security Patches ▪ … 4. Security Gap: S/4HANA Authorizations ▪ Critical Authorizations ▪ SoD Conflicts - 12 -
Procedure of Security / Vulnerability Assessments (Quick Check): Implementation SAST SUITE Configuration Functional test Reconciliation Test focus Definition of check policy Job scheduling for analysis Configuration check Verification of check results Authorization check Summery of vulnerabilities Creation of work list System hardening Security review Fixing recommendations Handover of result lists Preparation Execution Result Follow-up - 13 -
- Michael Trautwein - “Thanks to the SAP Security Quick Audit conducted by the SAST team, we have identified the areas where we need to take action in order to meet the requirements of the IT security law.“
Procedure of IT Security and Compliance Audits: Preparation Execution Result Follow-upData Analysis Creation of work list System hardening Security review Definition of testing policy Job scheduling for analysis Configuration test Evaluation of check results Authorization test Summary of vulnerabilities Creation of audit report Management presentation Execution of interviews - Platform- and Application security - Authorizations / SoD - Processes/Documentation Judgement of check results - 15 - Implementation SAST SUITE Configuration Functional test Reconciliation test focus Kick-Off meeting SAP security responsible persons
“With the SAST SUITE, we save around 20 working days for an audit. This hugely relieves the burden on our departments and on IT security. We therefore have greater security and compliance but spend less time to achieve it.“ - Matthias Endrich -
Procedure of penetration tests: Preparation Execution e.g. Blackbox test Results Follow-up - 17 - Reconciliation objectives - Confirmation / increase IT safety - Identification weaknesses Preparation of tools Access test Classification pentest - Blackbox test - Graybox test - Whitebox test Creation of work list System hardening Security review Fixing recommendations Handover of result list Reporting - Test methodology - Identified weaknesses Search for information about target system Scan of the target system for offered services System and application recognition Exploitation of weak spots Vulnerability test
1) Preparation: Classification of pen testing methods - 18 -
 Security / Vulnerability Assessment  Components of SAST SUITE  IT Security und Compliance Audit  Components of SAST SUITE  Manual test inside SAP  Review of regulations / concepts 1) Preparation: Methods and tools - 19 -  Penetration test examples Metasploit: Pen testing framework Nessus: Vulnerability scanner Nmap: Network scanner BurpSuite: Pentest / Vulnerability framework John the Ripper: Password SAST SUITE: Penetration test reports
Authorizations Development/ Customizing System configuration The audit focus is divided into the following areas: Critical authorizations  Critical profiles and user master data  Critical authorizations  SoD analysis ABAP development and customizing  Critical ABAP statements  Applications without authorization check  Critical authorizations of developers  Various customizing settings System configuration and operations  Operating system and databases  Update Status of SAP systems  Various security relevant SAP parameters 2) Execution: Audit focus and procedure - 20 -
Comprehensive check of system settings  More than 4.000 checks included in standard delivery  Automated validation of security relevant settings and parameters  Analyses on all basis platforms  Consideration of NetWeaver releases 2) Execution: Advantages of SAST SUITE for audit use - 21 - Comprehensive authorization check using certified rule sets  Cross client and cross system authorization check  Validation of user master data  SoD test for users, profiles and roles in real-time  Predefined rule set for SoD violations and confidential access  Up-to-date rule framework based on SAP Security Guides, BSI, DSAG Audit Guideline Comparison of the actual values against the current leading practice values  Security Report with clear guidelines for the elimination of vulnerabilities
2) Execution: Definition of a testing policy with SAST SUITE Definition of a customer specific testing SAST policy Consideration of characteristic system parameters - 22 -
3) Results: Management summary and detailed report System configuration: - 23 -
3) Results: List of vulnerabilities security / vulnerability assessment Critical authorizations and SoD conflicts: - 24 -
3) Results: Audit report IT security & compliance audit - 25 - The tests carried out have shown that there is an urgent need for action to secure the underlying systems in its current configuration and system characteristics. Compared to the test results from 2015, however, it is evident that the security level has improved significantly. This is due to the measures taken to improve the security level, which were implemented on all systems in the system landscape. The distribution of the vulnerabilities regarding criticality is as follows: Statistik System AMP (ERP) Risk of vulnerabilities Anzahl Erklärung Critical 132 Extreme risk, to be principle avoided High 180 Highly increased risk, without measures not tolerable Medium 91 Increased risk, temporarily tolerable Statistik System BWP (BI and BO) Risk of vulnerabilities Anzahl Erklärung Critical 114 Extreme risk, to be principle avoided High 139 Highly increased risk, without measures not tolerable Medium 76 Increased risk, temporarily tolerable Statistik System BJP (BI Frontend) Risk of vulnerabilities Anzahl Erklärung Critical 10 Extreme risk, to be principle avoided High 30 Highly increased risk, without measures not tolerable Medium 5 Increased risk, temporarily tolerable Statistik System SSM incl. SAP WebDispatcher and SAP Router Risk of vulnerabilities Anzahl Erklärung Critical 125 Extreme risk, to be principle avoided High 149 Highly increased risk, without measures not tolerable Medium 76 Increased risk, temporarily tolerable
3) Results: Testing report - 26 -
3) Results: Presentation of identified weaknesses - 27 -
3) Results: Management summary and detailed report ABAP Development:  A total of 280 Z programs with at least one critical ABAP statement were identified.  A total of 1,500 identified Z programs do not have an authorization check.  About 50% of these have not been changed for at least 10 years.  And about 70% of these have not been changed for at least 5 years. - 28 - Critical Statement Quantity
Average implementation times in comparison: 0,5 MD Tool: SAST SUITE 0,5 MD Tool: SAST SUITE 0,5 – 1,0 MD Tools: Various 2,0 MD 2,0 MD 3,0 MD -- 1,0 MD -- Reconciliation Software Configuration Tool-added check Additional test Verification Concepts Reporting Presentation Results Recommendation - 29 - Preparation Execution Results Follow-upData analysis 0,5 MD 4,0 MD 1,0 MD -- 0,5 MD 0,5 MD Sec. Assessment = 4,0 MD Audit = 8,0 MD Penetration test = 5 MD
4) Follow-up support: What happens after the security check? - 30 - Creation of work lists System hardening bases on issue clusters important andurgent urgentbutnotimportant unimportant andnoturgent important butnoturgent
Define in advance, which goal you are pursuing with the building contract. Think about exactly which accents you want to set within the safety analysis (possibly an in-depth interface analysis, code scanning, SoD analysis, etc.). Only then, choose the security service that best suits your situation. Let the expert of your confidence support you. If you are already using SAST SUITE, a subsequent "hardening" can be effectively supported by the tool. A tool like SAST SUITE will also provide optimal support for future re-tests and make your tasks considerably easier. SAP Security & Compliance Audits Take Home Messages - 31 - ✓ ✓ ✓ ✓ ✓
DO YOU HAVE ANY QUESTIONS? WE ANSWER. FOR SURE. © Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright. All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions. The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information. TIM KRÄNZKE Member of the Executive Board Fon: +49 40 88173-2735 Email: tim.kraenzke@akquinet.com Web: sast-solutions.com

Recommandé

Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]akquinet enterprise solutions GmbH
 
Effective Cyber Security – the difference between “point in time” and “period...
Effective Cyber Security – the difference between “point in time” and “period...Effective Cyber Security – the difference between “point in time” and “period...
Effective Cyber Security – the difference between “point in time” and “period...akquinet enterprise solutions GmbH
 
Rectify your top findings before the external auditors arrive! [Webinar]
Rectify your top findings before the external auditors arrive! [Webinar]Rectify your top findings before the external auditors arrive! [Webinar]
Rectify your top findings before the external auditors arrive! [Webinar]akquinet enterprise solutions GmbH
 
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]akquinet enterprise solutions GmbH
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...akquinet enterprise solutions GmbH
 
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]akquinet enterprise solutions GmbH
 
SAST Threat Detection for SAP [Webinar]
SAST Threat Detection for SAP [Webinar]SAST Threat Detection for SAP [Webinar]
SAST Threat Detection for SAP [Webinar]akquinet enterprise solutions GmbH
 
SAST Authorization Management: How to integrate your SoD analysis into the SA...
SAST Authorization Management: How to integrate your SoD analysis into the SA...SAST Authorization Management: How to integrate your SoD analysis into the SA...
SAST Authorization Management: How to integrate your SoD analysis into the SA...akquinet enterprise solutions GmbH
 

Recommandé

Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]akquinet enterprise solutions GmbH
 
Effective Cyber Security – the difference between “point in time” and “period...
Effective Cyber Security – the difference between “point in time” and “period...Effective Cyber Security – the difference between “point in time” and “period...
Effective Cyber Security – the difference between “point in time” and “period...akquinet enterprise solutions GmbH
 
Rectify your top findings before the external auditors arrive! [Webinar]
Rectify your top findings before the external auditors arrive! [Webinar]Rectify your top findings before the external auditors arrive! [Webinar]
Rectify your top findings before the external auditors arrive! [Webinar]akquinet enterprise solutions GmbH
 
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]akquinet enterprise solutions GmbH
 
Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...Best Practice Guide Security: How to check your SAP systems for security. [We...
Best Practice Guide Security: How to check your SAP systems for security. [We...akquinet enterprise solutions GmbH
 
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]How Linde identifies and tracks security incidents in its SAP systems. [Webinar]
How Linde identifies and tracks security incidents in its SAP systems. [Webinar]akquinet enterprise solutions GmbH
 
SAST Threat Detection for SAP [Webinar]
SAST Threat Detection for SAP [Webinar]SAST Threat Detection for SAP [Webinar]
SAST Threat Detection for SAP [Webinar]akquinet enterprise solutions GmbH
 
SAST Authorization Management: How to integrate your SoD analysis into the SA...
SAST Authorization Management: How to integrate your SoD analysis into the SA...SAST Authorization Management: How to integrate your SoD analysis into the SA...
SAST Authorization Management: How to integrate your SoD analysis into the SA...akquinet enterprise solutions GmbH
 
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...akquinet enterprise solutions GmbH
 
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]akquinet enterprise solutions GmbH
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...akquinet enterprise solutions GmbH
 
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...akquinet enterprise solutions GmbH
 
SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]akquinet enterprise solutions GmbH
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]akquinet enterprise solutions GmbH
 
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...akquinet enterprise solutions GmbH
 
SAST Interface Management for SAP systems [Webinar]
SAST Interface Management for SAP systems [Webinar]SAST Interface Management for SAP systems [Webinar]
SAST Interface Management for SAP systems [Webinar]akquinet enterprise solutions GmbH
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
SAST Safe Go-Live Management for SAP authorizations [Webinar]
SAST Safe Go-Live Management for SAP authorizations [Webinar]SAST Safe Go-Live Management for SAP authorizations [Webinar]
SAST Safe Go-Live Management for SAP authorizations [Webinar]akquinet enterprise solutions GmbH
 
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...akquinet enterprise solutions GmbH
 
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]akquinet enterprise solutions GmbH
 
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...akquinet enterprise solutions GmbH
 
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]akquinet enterprise solutions GmbH
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 Englishguest5bd7a1
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 stepsERPScan
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 
Sap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless AttacksSap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless AttacksErtunga Arsal
 
Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks ProceduresInprise Group
 
Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4CrispnCrunch
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsEnergySec
 

Contenu connexe

Tendances

What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...akquinet enterprise solutions GmbH
 
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]akquinet enterprise solutions GmbH
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...akquinet enterprise solutions GmbH
 
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...akquinet enterprise solutions GmbH
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]akquinet enterprise solutions GmbH
 
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...akquinet enterprise solutions GmbH
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...akquinet enterprise solutions GmbH
 
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...akquinet enterprise solutions GmbH
 
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]akquinet enterprise solutions GmbH
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 Englishguest5bd7a1
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 stepsERPScan
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 
Sap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless AttacksSap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless AttacksErtunga Arsal
 
Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks ProceduresInprise Group
 

Tendances (20)

What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...
 
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
Cyber attacks on your SAP S/4HANA systems? So you can stay relaxed. [Webinar]
 
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
How to manage users, roles and rights in S/4HANA systems audit compliant. [We...
 
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
SAP Security Dashboards: Gain complete transparency for your SAP systems. [We...
 
SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]SAST Managed Services for SAP [Webinar]
SAST Managed Services for SAP [Webinar]
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]
 
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
SAP HANA & S/4HANA: How hackers are compromising S/4HANA and how you can prot...
 
SAST Interface Management for SAP systems [Webinar]
SAST Interface Management for SAP systems [Webinar]SAST Interface Management for SAP systems [Webinar]
SAST Interface Management for SAP systems [Webinar]
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
 
SAST Safe Go-Live Management for SAP authorizations [Webinar]
SAST Safe Go-Live Management for SAP authorizations [Webinar]SAST Safe Go-Live Management for SAP authorizations [Webinar]
SAST Safe Go-Live Management for SAP authorizations [Webinar]
 
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
SAST Threat Detection: What you stand to gain from intelligent, SAP real-time...
 
SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]SAST Code Security Advisor for SAP [Webinar]
SAST Code Security Advisor for SAP [Webinar]
 
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
 
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]
Tips for the secure conversion of your SAP ERP roles to S/4HANA. [Webinar]
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 English
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 
Sap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless AttacksSap Security Hacks and Mitigation - Timeless Attacks
Sap Security Hacks and Mitigation - Timeless Attacks
 
Sap Access Risks Procedures
Sap Access Risks ProceduresSap Access Risks Procedures
Sap Access Risks Procedures
 

Similaire à Find Vulnerabilities Before Getting Hurt

Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4CrispnCrunch
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsEnergySec
 
4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less work4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less workIevgenii Katsan
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxtienboileau
 
Revealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i SecurityRevealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i SecurityHelpSystems
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelnooralmousa
 
Advanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIIAdvanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIINextLabs, Inc.
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
IT GRC with Symantec
IT GRC with SymantecIT GRC with Symantec
IT GRC with SymantecArrow ECS UK
 
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsMohammad Abdul Matin Emon
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010prevalentnetworks
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxMardhaniAR
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...John Gilligan
 

Similaire à Find Vulnerabilities Before Getting Hurt (20)

Securing control systems v0.4
Securing control systems v0.4Securing control systems v0.4
Securing control systems v0.4
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less work4 florin coada - dast automation, more value for less work
4 florin coada - dast automation, more value for less work
 
Many companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docxMany companies and agencies conduct IT audits to test and assess the.docx
Many companies and agencies conduct IT audits to test and assess the.docx
 
Revealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i SecurityRevealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i Security
 
Corporate Cyber Program
Corporate Cyber ProgramCorporate Cyber Program
Corporate Cyber Program
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity model
 
Advanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIIAdvanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of III
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT Auditors
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
IT GRC with Symantec
IT GRC with SymantecIT GRC with Symantec
IT GRC with Symantec
 
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and StandardsICAB - ITA Chapter 5 class 9-10 - Controls and Standards
ICAB - ITA Chapter 5 class 9-10 - Controls and Standards
 
Security audit
Security auditSecurity audit
Security audit
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010Lunch and Learn: June 29, 2010
Lunch and Learn: June 29, 2010
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
 

Dernier

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 

Dernier (20)

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Find Vulnerabilities Before Getting Hurt

  • 1. SAP Security & Compliance Audits. Find your vulnerabilities before you get hurt.
  • 2. WELCOME! Introducing your host today: - 2 - TIM KRÄNZKE Member of the Executive Board Fon: +49 40 88173-2735 Email: tim.kraenzke@akquinet.com Web: sast-solutions.com AXEL GIESE Senior Consultant SAP Security Fon: +49 40 88173-2709 Email: axel.giese@akquinet.com Web: sast-solutions.com
  • 3. „From our project experiences we know: every system is vulnerable. It is a question of how difficult it is and how long it takes. We rarely find SAP systems in which the infrastructure is hardened in the best possible way and effective authorization management is lived out. Threats are almost always detected too late. With the right concept, the probability of a successful attack can be significantly reduced.“ Ralf Kempf CTO SAST SOLUTIONS - 6 -
  • 4. A meaningful audit should consider the following aspects:  Comprehensiveness  Systematics  Assignment to system landscapes  Consideration of specific customer situations Scope of safty tests - 7 -
  • 5. SAST CONSULTING SAP security and compliance know-how for your digital future : SAP SECURITY CONSULTING SAST CONSULTING for SAP ERP and S/4HANA Penetration Tests Security & Compliance Audits SAP Security Guidelines System Hardening & Optimization Source Code Analysis & Cleansing - 8 - Authorization Concepts Pilot Studies Roles & Authorization Optimization SAP AUTHORIZATION CONSULTING S/4HANA Migration GRC Workshops
  • 6. 4D IT-SECURITY: Comprehensive protection in real-time! Our process model - 9 - Security Level Validation System Hardening Security Monitoring ▪ Security assessment / Audit ▪ Penetration test System hardening on ALL levels ▪ OS / Network / Databases ▪ Basis system / Authorizations / Configurable controls ▪ Applications and transactions Access monitoring on ALL levels ▪ OS / Network / Databases ▪ Basis system / Authorizations / Configurable controls ▪ Applications and transactions
  • 7. Passive Testing Security / Vulnerability Assessment (Quick Check)  Analysis of the test object for security deficiencies.  Use of automated tools. Objective: Identify ALL possible vulnerabilities. IT Security und Compliance Audit  Target/actual comparison of the test object: in-/external guidelines (BSI, ISO, SOX, PCI) or "state of the art".  Analysis of the test object for security deficiencies and deviations from standards. Objective: Validating processes, documentation and systems against guidelines. Definition of terms - 10 - ! ! Active Testing Penetration Test  Testing of IT components regarding the existence and effectiveness of security measures and active exploitation of weak points. Objective: Analysis of the system and break-in through active use of vulnerabilities.!
  • 8. Audit focus and Audit Procedure Benefits Systemconfig./ Operations Development/ CustomizingAuthorizations Business Departments Through extensive analyses of the critical authorizations and SoD conflicts in various modules and processes (HR, FI/CO, P2P, O2C, etc.), misconduct in the authorization management can be found and subsequently eliminated in order to meet legal and internal requirements. Basis / IT Department The SAST Quick Check examines authorizations in the IT basis environment in more detail and examines them for SoD conflicts. In addition to the security-relevant system settings and parameters, various developments and customizing settings are also checked regarding their system security. Control Instances Analyses by the SAST Quick Check can support different control instances such as internal or external audits and lead to cost savings. - 11 -
  • 9. Use case: Migration SAP ERP / AnyDB -> SAP HANA & S/4HANA A good time for a safety check. SAP ERP 6.0 EhP7 AnyDB (Oracle, SQL Server, DB2) SAP ERP AnyDB (Oracle, SQL Server, DB2) SAP ERP 6.0 EhP7 SAP HANA on Linux SAP S/4HANA SAP HANA on Linux EhP System Copy S/4HANA Conversion Starting State + EhP7 SUITE on HANA S/4HANA 1. Security Gap: Application Server ▪ Parameter ▪ Auditing ▪ Security Patches ▪ … 2. Security Gap: Operating System ▪ Authentification Settings ▪ Network Settings ▪ Service and File Permissions ▪ Logging and Reporting ▪ … 3. Security Gap: Database ▪ Authentification Parameters ▪ HANA Authorizations ▪ Audit Settings ▪ Security Patches ▪ … 4. Security Gap: S/4HANA Authorizations ▪ Critical Authorizations ▪ SoD Conflicts - 12 -
  • 10. Procedure of Security / Vulnerability Assessments (Quick Check): Implementation SAST SUITE Configuration Functional test Reconciliation Test focus Definition of check policy Job scheduling for analysis Configuration check Verification of check results Authorization check Summery of vulnerabilities Creation of work list System hardening Security review Fixing recommendations Handover of result lists Preparation Execution Result Follow-up - 13 -
  • 11. - Michael Trautwein - “Thanks to the SAP Security Quick Audit conducted by the SAST team, we have identified the areas where we need to take action in order to meet the requirements of the IT security law.“
  • 12. Procedure of IT Security and Compliance Audits: Preparation Execution Result Follow-upData Analysis Creation of work list System hardening Security review Definition of testing policy Job scheduling for analysis Configuration test Evaluation of check results Authorization test Summary of vulnerabilities Creation of audit report Management presentation Execution of interviews - Platform- and Application security - Authorizations / SoD - Processes/Documentation Judgement of check results - 15 - Implementation SAST SUITE Configuration Functional test Reconciliation test focus Kick-Off meeting SAP security responsible persons
  • 13. “With the SAST SUITE, we save around 20 working days for an audit. This hugely relieves the burden on our departments and on IT security. We therefore have greater security and compliance but spend less time to achieve it.“ - Matthias Endrich -
  • 14. Procedure of penetration tests: Preparation Execution e.g. Blackbox test Results Follow-up - 17 - Reconciliation objectives - Confirmation / increase IT safety - Identification weaknesses Preparation of tools Access test Classification pentest - Blackbox test - Graybox test - Whitebox test Creation of work list System hardening Security review Fixing recommendations Handover of result list Reporting - Test methodology - Identified weaknesses Search for information about target system Scan of the target system for offered services System and application recognition Exploitation of weak spots Vulnerability test
  • 15. 1) Preparation: Classification of pen testing methods - 18 -
  • 16.  Security / Vulnerability Assessment  Components of SAST SUITE  IT Security und Compliance Audit  Components of SAST SUITE  Manual test inside SAP  Review of regulations / concepts 1) Preparation: Methods and tools - 19 -  Penetration test examples Metasploit: Pen testing framework Nessus: Vulnerability scanner Nmap: Network scanner BurpSuite: Pentest / Vulnerability framework John the Ripper: Password SAST SUITE: Penetration test reports
  • 17. Authorizations Development/ Customizing System configuration The audit focus is divided into the following areas: Critical authorizations  Critical profiles and user master data  Critical authorizations  SoD analysis ABAP development and customizing  Critical ABAP statements  Applications without authorization check  Critical authorizations of developers  Various customizing settings System configuration and operations  Operating system and databases  Update Status of SAP systems  Various security relevant SAP parameters 2) Execution: Audit focus and procedure - 20 -
  • 18. Comprehensive check of system settings  More than 4.000 checks included in standard delivery  Automated validation of security relevant settings and parameters  Analyses on all basis platforms  Consideration of NetWeaver releases 2) Execution: Advantages of SAST SUITE for audit use - 21 - Comprehensive authorization check using certified rule sets  Cross client and cross system authorization check  Validation of user master data  SoD test for users, profiles and roles in real-time  Predefined rule set for SoD violations and confidential access  Up-to-date rule framework based on SAP Security Guides, BSI, DSAG Audit Guideline Comparison of the actual values against the current leading practice values  Security Report with clear guidelines for the elimination of vulnerabilities
  • 19. 2) Execution: Definition of a testing policy with SAST SUITE Definition of a customer specific testing SAST policy Consideration of characteristic system parameters - 22 -
  • 20. 3) Results: Management summary and detailed report System configuration: - 23 -
  • 21. 3) Results: List of vulnerabilities security / vulnerability assessment Critical authorizations and SoD conflicts: - 24 -
  • 22. 3) Results: Audit report IT security & compliance audit - 25 - The tests carried out have shown that there is an urgent need for action to secure the underlying systems in its current configuration and system characteristics. Compared to the test results from 2015, however, it is evident that the security level has improved significantly. This is due to the measures taken to improve the security level, which were implemented on all systems in the system landscape. The distribution of the vulnerabilities regarding criticality is as follows: Statistik System AMP (ERP) Risk of vulnerabilities Anzahl Erklärung Critical 132 Extreme risk, to be principle avoided High 180 Highly increased risk, without measures not tolerable Medium 91 Increased risk, temporarily tolerable Statistik System BWP (BI and BO) Risk of vulnerabilities Anzahl Erklärung Critical 114 Extreme risk, to be principle avoided High 139 Highly increased risk, without measures not tolerable Medium 76 Increased risk, temporarily tolerable Statistik System BJP (BI Frontend) Risk of vulnerabilities Anzahl Erklärung Critical 10 Extreme risk, to be principle avoided High 30 Highly increased risk, without measures not tolerable Medium 5 Increased risk, temporarily tolerable Statistik System SSM incl. SAP WebDispatcher and SAP Router Risk of vulnerabilities Anzahl Erklärung Critical 125 Extreme risk, to be principle avoided High 149 Highly increased risk, without measures not tolerable Medium 76 Increased risk, temporarily tolerable
  • 23. 3) Results: Testing report - 26 -
  • 24. 3) Results: Presentation of identified weaknesses - 27 -
  • 25. 3) Results: Management summary and detailed report ABAP Development:  A total of 280 Z programs with at least one critical ABAP statement were identified.  A total of 1,500 identified Z programs do not have an authorization check.  About 50% of these have not been changed for at least 10 years.  And about 70% of these have not been changed for at least 5 years. - 28 - Critical Statement Quantity
  • 26. Average implementation times in comparison: 0,5 MD Tool: SAST SUITE 0,5 MD Tool: SAST SUITE 0,5 – 1,0 MD Tools: Various 2,0 MD 2,0 MD 3,0 MD -- 1,0 MD -- Reconciliation Software Configuration Tool-added check Additional test Verification Concepts Reporting Presentation Results Recommendation - 29 - Preparation Execution Results Follow-upData analysis 0,5 MD 4,0 MD 1,0 MD -- 0,5 MD 0,5 MD Sec. Assessment = 4,0 MD Audit = 8,0 MD Penetration test = 5 MD
  • 27. 4) Follow-up support: What happens after the security check? - 30 - Creation of work lists System hardening bases on issue clusters important andurgent urgentbutnotimportant unimportant andnoturgent important butnoturgent
  • 28. Define in advance, which goal you are pursuing with the building contract. Think about exactly which accents you want to set within the safety analysis (possibly an in-depth interface analysis, code scanning, SoD analysis, etc.). Only then, choose the security service that best suits your situation. Let the expert of your confidence support you. If you are already using SAST SUITE, a subsequent "hardening" can be effectively supported by the tool. A tool like SAST SUITE will also provide optimal support for future re-tests and make your tasks considerably easier. SAP Security & Compliance Audits Take Home Messages - 31 - ✓ ✓ ✓ ✓ ✓
  • 29. DO YOU HAVE ANY QUESTIONS? WE ANSWER. FOR SURE. © Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright. All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions. The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information. TIM KRÄNZKE Member of the Executive Board Fon: +49 40 88173-2735 Email: tim.kraenzke@akquinet.com Web: sast-solutions.com