sap inside track nl 2013, sap security update
DESCRIPTION
This presentation was given at SAP Inside Track The Netherlands 2013 in Eindhoven, hosted by Ciber. It discusses some newly presented SAP security features as well as other SAP security related information.
TRANSCRIPT
SITNL 2013 Security update SAP TechEd 2013
Agenda
Introduction
Update: what happened in 2013
SAP TechEd 2013 Security topics (Too many to name them all)
Read Access Logging
ABAP code scan
System Recommendations vs RSECNOTE
Some statistics
(Creating this presentation involved shameless copying of SAP TechEd materials, thank you SAP)
Guaranteed HANA-FREE presentation
Who we are…
• A company specialized in securing SAP infrastructures
• Started by SAP basis specialists who are enthusiastic about platform security
• Our team consists of experienced SAP specialists and developers with 10+ years of experience
• We deliver SAP Security consulting services
• In the global top 5 of SAP researching companies
ERP Security
From SitNL last year…
SAP Security in the spotlight
New this year…
SAP Security in the spotlight
(Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)
Read Access Logging
You probably already know the Security Audit Log, AIS and change documents.
Whereas AIS, the Security Audit Log and change documents for master data all focus on
CHANGE/DELETE/UPDATE actions, RAL allows READ access to be logged.
Read Access Logging
Supported Channels
Read Access Logging
Availability
Read Access Logging
Also see SIS 104
ABAP Code Scanning
The challenge…
ABAP Code Scanning
Overview of Code check Tools
ABAP Test Cockpit (ATC)
Central place for all check tools, exemption handling, result storage
Code Inspector (SCI)
Open framework for customers, partners and SAP to develop code related checks
Extended Program Check (SLIN)
SAP NW add-on for code vulnerability analysis
Code checks for security vulnerabilities.
Main focus is to analyze the data flow and user input
ABAP Code Scanning
Overview of available checks
ABAP Code Scanning
Also see SIS 261
ABAP Code Scan
Solman System Recommendations
SAP Solution Manager System Recommendations
Slow and infrequent implementation of support packages leaves systems vulnerable
System Recommendations
System Recommendations vs RSECNOTE
RSECNOTE:
• Focus on HotNews
• ABAP only
• Limited functionality
• Incomplete
• OLDSKOOL
System Recommendations:
• Recommendations for ABAP & JAVA
• Extra functionality like ChaRM integration
• Complete overview based on system
• Not only Security notes
• Way to go
System Recommendations
System Recommendations overview
System Recommendations
System Recommendations overview
System Recommendations
Also see SIS 103
System Recommendations
Some Statistics
Preliminary research statistics on internet-connected systems: SAProuter
After scanning the entire IPv4 range we found:
• 7746 SAProuters connected to the internet
• Of which almost half (3693) are UNprotected by an ACL, giving access to the local intranet
• Of the vulnerable SAProuters, most (85%) are running on Windows
• 13 of the vulnerable SAProuters (0,35%) are located in NL
[Chart: SAPROUTERS FOUND ON INTERNET. ACL protected 52%, open 48%. Open SAProuters running Windows 85%, Unix/Linux 15%]
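The "unprotected by ACL" figure above refers to SAProuters whose route permission table (saprouttab) lets any internet host through. As an added example that is not part of the presentation, the following audits a constructed saprouttab and flags catch-all and any-source permit rules; the sample table, the severity labels and the Finding structure are my own assumptions, and the table is evaluated top-down with the first matching entry deciding, as SAProuter does.

```python
"""Audit an SAProuter route permission table (saprouttab) for rules that
leave the router open to the whole internet."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample table (not taken from any real system). A common
# mistake is an early catch-all permit that makes every rule below it moot.
SAMPLE_SAPROUTTAB = """\
# saprouttab - constructed example
P 203.0.113.0/24 10.0.0.10 3200   # branch office to dispatcher of app server
S *              10.0.0.10 3299   # SAP protocol only, but from any source
P *              *         *      # catch-all permit: the router is open
D *              *         *
"""

@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str
    reason: str

# <type> <source-host> <dest-host> <dest-service> [<password>]
RULE_RE = re.compile(r"^(KP|KD|KS|P|D|S)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def audit_saprouttab(text: str) -> List[Finding]:
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(Finding(no, line, "warn", "unparsable rule"))
            continue
        rtype, src, dst, svc, _pw = m.groups()
        if rtype in ("D", "KD"):
            if (src, dst, svc) == ("*", "*", "*"):
                break  # explicit final deny-all: rules below are unreachable
            continue
        if (src, dst, svc) == ("*", "*", "*"):
            findings.append(Finding(no, line, "critical", "permit-all: any host may reach any destination and port"))
        elif src == "*" and rtype == "P":
            findings.append(Finding(no, line, "high", "any source host permitted to %s:%s" % (dst, svc)))
        elif src == "*":
            findings.append(Finding(no, line, "medium", "any source, SAP protocol only, to %s:%s" % (dst, svc)))
        elif dst == "*" or svc == "*":
            findings.append(Finding(no, line, "medium", "wildcard destination or service for source %s" % src))
    return findings

def is_open_router(text: str) -> bool:
    """True when the table contains a reachable permit-all rule."""
    return any(f.severity == "critical" for f in audit_saprouttab(text))
```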
Exploit SAP system via Internet via SAPRouter
Some Statistics
Security vulnerabilities found by SAP vs External Security Researchers
Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf
The ratio of vulnerabilities found by external researchers vs SAP internally is going up.
• SAP security is complex, but don’t let that be an excuse!
• Especially since SAP and external suppliers are providing more and better tools / solutions
• Do take special care when connecting systems to the internet
• Be aware that every aspect of an SAP infrastructure needs to be secured. Application server, OS, DB, network, Frontend, SoD, Custom Code, etc, etc…
• PATCH! PATCH! PATCH!
Join & contribute! www.bizec.org
Key takeaways
Summary
Questions?
Thank you
• More information needed? See www.erp-sec.com
• or follow @jvis / @erpsec
Need more info? Contact us...
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.
Disclaimer