sap inside track nl 2013, sap security update

SITNL 2013 Security update SAP Teched 2013

Upload: jvandevis

Post on 22-May-2015

DESCRIPTION

This presentation was given at SAP Inside Track The Netherlands 2013 in Eindhoven (Ciber). It discussed some newly presented SAP Security features as well as other SAP Security related information.

TRANSCRIPT

Page 1: SAP inside track NL 2013, SAP Security update

SITNL 2013 Security update SAP Teched 2013

Page 2: SAP inside track NL 2013, SAP Security update

Agenda

Introduction

Update: what happened in 2013

SAP Teched 2013 Security topics (Too many to name them all)

Read Access Logging

ABAP code scan

System Recommendations vs RSECNOTE

Some statistics

(Creating this presentation involved shameless copying of SAP Teched materials, thank you SAP)

Guaranteed HANA-FREE presentation

Page 3: SAP inside track NL 2013, SAP Security update

Who we are…

• A company specialized in securing SAP infrastructures

• Started by SAP basis specialists who are enthusiastic about platform security

• Our team consists of experienced SAP specialists and developers with 10+ years of experience

• We deliver SAP Security consulting services

• In the global top 5 of SAP researching companies

ERP Security

Page 4: SAP inside track NL 2013, SAP Security update

From SitNL last year…

SAP Security in the spotlight

Page 5: SAP inside track NL 2013, SAP Security update

New this year…

SAP Security in the spotlight

(Source: http://blogs.technet.com/b/mmpc/archive/2013/11/20/carberp-based-trojan-attacking-sap.aspx)

Page 6: SAP inside track NL 2013, SAP Security update

Read Access Logging

You probably know the Security Audit Log, AIS or change documents.

Where the AIS, Security Audit Log and change documents for master data all focus on CHANGE/DELETE/UPDATE actions, RAL (Read Access Logging) allows you to log READ access.

Page 7: SAP inside track NL 2013, SAP Security update

Read Access Logging

Supported Channels

Page 8: SAP inside track NL 2013, SAP Security update

Read Access Logging

Availability

Page 9: SAP inside track NL 2013, SAP Security update

Read Access Logging

Also see SIS 104

Page 10: SAP inside track NL 2013, SAP Security update

ABAP Code Scanning

The challenge…

Page 11: SAP inside track NL 2013, SAP Security update

ABAP Code Scanning

Overview of Code check Tools

ABAP Test Cockpit (ATC): Central place for all check tools, exemption handling, result storage

Code Inspector (SCI): Open framework for customers, partners and SAP to develop code related checks

Extended Program Check (SLIN)

SAP NW add-on for code vulnerability analysis: Code checks for security vulnerabilities. Main focus is to analyze the data flow and user input
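To make "analyze the data flow and user input" concrete, here is a toy taint-tracking check over ABAP source. This is an added example, not the implementation of ATC, the Code Inspector or the SAP code vulnerability analysis add-on: it treats PARAMETERS and SELECT-OPTIONS as user-input sources, propagates taint through assignments and CONCATENATE, treats a dynamic WHERE clause `WHERE (var)` as the sink, and considers a value passed through `cl_abap_dyn_prg=>quote( )` or `=>escape_quotes( )` as cleaned. The two ABAP snippets (`zcustomers`, `p_name`, `lv_where`) are constructed for the demonstration, and the scanner assumes one ABAP statement per line, which real tooling does not need to.

```python
"""Toy ABAP data-flow (taint) check. Added example, not SAP's or ERP Security's code."""
import re

# Sources: selection-screen input is user controlled.
SOURCE_RE = re.compile(r"^(?:PARAMETERS|SELECT-OPTIONS)\s+(\w+)", re.I)
# Propagation: CONCATENATE ... INTO target  and  target = <expression>.
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)\.$")
# Sink: dynamic WHERE clause in Open SQL.
SINK_RE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)
# Sanitiser: escaping helpers of CL_ABAP_DYN_PRG.
ESCAPE_RE = re.compile(r"cl_abap_dyn_prg=>(?:quote|escape_quotes)\s*\(", re.I)
WORD_RE = re.compile(r"[A-Za-z_]\w*")


def scan_abap(source: str) -> list:
    """Return [(line number, sink variable)] for every dynamic WHERE fed by tainted input."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("*") or line.startswith('"'):
            continue  # blank line or ABAP comment
        if m := SOURCE_RE.match(line):
            tainted.add(m.group(1).lower())
            continue
        if m := CONCAT_RE.match(line):
            operands, target = m.group(1), m.group(2).lower()
            if any(tok.lower() in tainted for tok in WORD_RE.findall(operands)):
                tainted.add(target)
            else:
                tainted.discard(target)  # overwritten with clean data
            continue
        if m := ASSIGN_RE.match(line):
            target, rhs = m.group(1).lower(), m.group(2)
            uses_taint = any(tok.lower() in tainted for tok in WORD_RE.findall(rhs))
            if uses_taint and not ESCAPE_RE.search(rhs):
                tainted.add(target)
            else:
                tainted.discard(target)  # clean value, or tainted value escaped
            continue
        if m := SINK_RE.search(line):
            var = m.group(1).lower()
            if var in tainted:
                findings.append((lineno, var))
    return findings


# Constructed sample: user input glued straight into a dynamic WHERE clause.
VULNERABLE_ABAP = """\
REPORT z_demo_vuln.
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
* selection-screen value concatenated into the clause without escaping
CONCATENATE 'NAME = ''' p_name '''' INTO lv_where.
SELECT * FROM zcustomers INTO TABLE @DATA(lt_cust) WHERE (lv_where).
"""

# Constructed sample: same query, input escaped for dynamic SQL first.
HARDENED_ABAP = """\
REPORT z_demo_fixed.
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
* quote( ) escapes the value so it cannot break out of the literal
lv_where = |NAME = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM zcustomers INTO TABLE @DATA(lt_cust) WHERE (lv_where).
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_ABAP), ("hardened", HARDENED_ABAP)):
        print(name, scan_abap(src))
```

The vulnerable snippet yields one finding on the SELECT line; the hardened one yields none, because the escaping call clears the taint on `lv_where`. A real check engine works on the parsed statement tree rather than line regexes, but the source/propagation/sink model is the same.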

Page 12: SAP inside track NL 2013, SAP Security update

ABAP Code Scanning

Overview of available checks

Page 13: SAP inside track NL 2013, SAP Security update

ABAP Code Scanning

Also see SIS 261

ABAP Code Scan

Page 14: SAP inside track NL 2013, SAP Security update

Solman System Recommendations

SAP Solution Manager System Recommendations

Slow and infrequent implementation of support packages leaves systems vulnerable

Page 15: SAP inside track NL 2013, SAP Security update

System Recommendations

System Recommendations vs RSECNOTE

RSECNOTE:

• Focus on Hotnews

• ABAP only

• limited functionality

• Incomplete

• OLDSKOOL

System Recommendations:

• Recommendations for ABAP & JAVA

• Extra functionality like ChaRM integration

• Complete overview based on system

• Not only Security notes

• Way to go

Page 16: SAP inside track NL 2013, SAP Security update

System Recommendations

System Recommendations overview

Page 17: SAP inside track NL 2013, SAP Security update

System Recommendations

System Recommendations overview

Page 18: SAP inside track NL 2013, SAP Security update

System Recommendations

Also see SIS 103

System Recommendations

Page 19: SAP inside track NL 2013, SAP Security update

Some Statistics

Preliminary research statistics on internet connected systems; SAProuter

After scanning the entire IPv4 range we found:

• 7746 SAProuters connected to the internet

• Of which almost half (3693) are UNprotected by ACL, giving access to the local intranet

• Of the vulnerable SAProuters, most (85%) are running on Windows

• 13 of the vulnerable SAProuters (0,35%) are located in NL

(Chart: SAProuters found on internet. ACL protected 52%, open 48%. Of the open SAProuters, 85% run Windows and 15% run Unix/Linux.)
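The "unprotected by ACL" figure above is decided by the SAProuter route permission table (saprouttab). As an added example, not a tool of ERP Security or SAP, here is a small audit script a defender can run against their own saprouttab to see whether it falls in the "open" half. It assumes the standard entry syntax `P|S|D <source-host> <dest-host> <dest-service> [<password>]` with `*` as a wildcard and first-match-wins evaluation; any other entry type is reported for manual review rather than interpreted. Both sample tables are constructed, and the addresses (TEST-NET range and an RFC 1918 host) are placeholders.

```python
"""saprouttab ACL audit. Added example; not ERP Security's or SAP's own tooling."""
from typing import List, Tuple

Rule = Tuple[int, str, str, str, str]      # (line, action, src, dst, service)
Finding = Tuple[int, str, str]             # (line, severity, message)

# Constructed sample: the "no ACL" case counted in the slide, everything permitted.
SAMPLE_WEAK = """\
# permit any source to any destination and service
P * * *
"""

# Constructed sample: one placeholder support address to one system's dispatcher
# (port 3200, instance 00) and SAProuter itself (3299), then an explicit deny-all.
SAMPLE_HARDENED = """\
P 203.0.113.10 10.0.0.15 3200
P 203.0.113.10 10.0.0.15 3299
D * * *
"""


def parse_saprouttab(text: str) -> List[Rule]:
    """Turn the table into rules; unknown entry types get action '?' and the raw line as src."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        action = fields[0].upper()
        if action not in ("P", "S", "D") or len(fields) < 4:
            rules.append((lineno, "?", line, "", ""))
            continue
        rules.append((lineno, action, fields[1], fields[2], fields[3]))
    return rules


def audit_saprouttab(text: str) -> List[Finding]:
    """Flag permits that expose the internal network and structural problems in the table."""
    findings = []
    catch_all_at = None  # line of the first 'D * * *'
    for lineno, action, src, dst, serv in parse_saprouttab(text):
        if action == "?":
            findings.append((lineno, "info", f"unrecognised entry, review manually: {src}"))
            continue
        if catch_all_at is not None:
            findings.append((lineno, "low", f"unreachable, shadowed by deny-all on line {catch_all_at}"))
            continue
        if action == "D":
            if src == "*" and dst == "*" and serv == "*":
                catch_all_at = lineno
            continue
        # P or S entry: a permit. Wildcards on both ends expose the whole intranet.
        if src == "*" and dst == "*":
            findings.append((lineno, "high", "any source may reach any destination host"))
        elif dst == "*":
            findings.append((lineno, "medium", f"source {src} may reach any destination host"))
        elif src == "*":
            findings.append((lineno, "medium", f"any source may reach {dst}:{serv}"))
        if serv == "*" and not (src == "*" and dst == "*"):
            findings.append((lineno, "low", f"all services on {dst} permitted"))
    if catch_all_at is None:
        # SAProuter refuses connections with no matching entry; the explicit deny
        # just makes the intent visible and guards against later edits.
        findings.append((0, "info", "no explicit final 'D * * *' entry"))
    return findings


def is_acl_protected(text: str) -> bool:
    """True when the table contains no permit that opens every host to every source."""
    return not any(sev == "high" for _, sev, _ in audit_saprouttab(text))


if __name__ == "__main__":
    for name, table in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, "ACL-protected" if is_acl_protected(table) else "OPEN")
        for lineno, sev, msg in audit_saprouttab(table):
            print(f"  line {lineno}: [{sev}] {msg}")
```

Run it as `python audit.py` after pasting in your own table, or import `audit_saprouttab` and feed it the file contents. The severity scheme is the example's own; what matters is that a `P * * *` anywhere before a deny puts the router in the open category regardless of what follows it.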

Page 20: SAP inside track NL 2013, SAP Security update

System Recommendations

Exploit SAP system via Internet via SAPRouter

Page 21: SAP inside track NL 2013, SAP Security update

Some Statistics

Security vulnerabilities found by SAP vs External Security Researchers

Source: http://erpscan.com/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf

The ratio of vulnerabilities found by External Researchers vs SAP internally is going up:

Page 22: SAP inside track NL 2013, SAP Security update

• SAP security is complex, but don’t let that be an excuse!

• Especially since SAP and external suppliers are providing more and better tools / solutions

• Do take special care when connecting systems to the internet

• Be aware that every aspect of an SAP infrastructure needs to be secured. Application server, OS, DB, network, Frontend, SoD, Custom Code, etc, etc…

• PATCH! PATCH! PATCH!

Join & contribute! www.bizec.org

Key takeaways

Summary

Page 23: SAP inside track NL 2013, SAP Security update

Questions?

Thank you

Page 24: SAP inside track NL 2013, SAP Security update

• More information needed? See www.erp-sec.com

• or follow @jvis / @erpsec

Need more info? Contact us...

Page 25: SAP inside track NL 2013, SAP Security update

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.

The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.

Disclaimer

Page 26: SAP inside track NL 2013, SAP Security update