Assessing and Securing SAP Solutions

Uploaded by erpscan; posted 09-Aug-2015

Transcript
Page 1: Assessing and Securing SAP Solutions

Invest in security to secure investments

Securing and Assessing SAP Solutions

Alexander Polyakov, ERPScan CTO

Page 2: Assessing and Securing SAP Solutions

About ERPScan

• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Page 3: Assessing and Securing SAP Solutions

SAP Security related costs

[Figure: cost categories surrounding SAP]
• Audit related costs
• Expenses on compliance
• Additional security training costs
• Losses caused by insider fraud
• Losses caused by hackers

Page 4: Assessing and Securing SAP Solutions

Problems

• How to automate security checks for different landscapes?
• How to protect ourselves from fraud?
• How to decrease costs?
• Where to find information about the latest threats?

Page 5: Assessing and Securing SAP Solutions

Talks about SAP security

[Chart: number of talks on SAP security per year, 2006 to 2012; y-axis 0 to 35]

Most popular venues:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.

Page 6: Assessing and Securing SAP Solutions

New threats

2007 – Architecture vulnerabilities in the RFC protocol
2008 – Attacks via SAP GUI
2009 – SAP backdoors
2010 – Attacks via SAP web applications
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabilities in ABAP
2011 – A crushing blow in the SAP J2EE engine
2012 – Vulnerabilities in SAP solutions like SOLMAN
2012 – SSRF and XML tunneling
2012 – DIAG protocol attacks; Message Server attacks
2012 – Multiple XML issues

Are you familiar with them?

Page 7: Assessing and Securing SAP Solutions

SAP Security notes

[Chart: number of SAP security notes per year, 2001 to 2012; y-axis 0 to 900]

By September 2012, > 2500 security notes

Only one vulnerability is enough to get access to ALL business-critical DATA

Page 8: Assessing and Securing SAP Solutions

SAP vulnerabilities by type

[Bar chart: number of vulnerabilities per type; x-axis 0 to 350. Stats from 4Q 2009, 1Q 2010 and 1Q 2012]

1 - Directory traversal
2 - XSS / unauthorised modification of stored
3 - Missing authorization check
4 - Information disclosure
5 - Unauthorized usage of application
6 - Hard-coded credentials
7 - Code injection vulnerability
8 - Verb tampering
9 - Remote code execution
10 - Denial of service
11 - BOF (buffer overflow)
12 - SQL injection

Page 9: Assessing and Securing SAP Solutions

Authentication bypass in J2EE
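Verb tampering, one of the vulnerability types counted on slide 8, is a common way an authentication check in a Java EE application is bypassed: a web.xml security constraint that enumerates HTTP methods protects only those methods, so a request using any other verb (HEAD, or an arbitrary verb that the container routes to the GET handler) reaches the servlet without the role check. The Python script below is an added example, not part of the deck and not ERPScan's scanner. It parses a constructed web.xml (the namespace URI is the standard Java EE descriptor namespace), reports every protected resource collection that lists verbs, and rewrites the descriptor so each constraint covers all verbs.

```python
"""Verb-tampering check for Java EE web.xml security constraints.

Added example (not from the deck): a <security-constraint> that lists
<http-method> elements only guards those verbs; any other verb reaches
the resource without the <auth-constraint> role check.  The safe form
lists no <http-method> at all, so the constraint applies to every verb.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the /admin/* constraint enumerates verbs
# (bypassable with HEAD or an arbitrary verb), the /config/* one does not.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>config</web-resource-name>
      <url-pattern>/config/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _protected_collections(root):
    """Yield web-resource-collection elements of constraints that require a role."""
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # no role requirement, nothing to bypass
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                yield wrc


def find_verb_tampering(web_xml):
    """Return (resource name, url patterns, listed verbs) for every protected
    collection that enumerates HTTP methods."""
    findings = []
    for wrc in _protected_collections(ET.fromstring(web_xml)):
        name, patterns, verbs = "", [], []
        for child in wrc:
            text = (child.text or "").strip()
            tag = _local(child.tag)
            if tag == "web-resource-name":
                name = text
            elif tag == "url-pattern":
                patterns.append(text)
            elif tag == "http-method":
                verbs.append(text.upper())
        if verbs:
            findings.append((name, patterns, verbs))
    return findings


def harden(web_xml):
    """Return the descriptor with the enumerated verbs removed from protected
    collections, so each constraint applies to every HTTP method."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for wrc in list(_protected_collections(root)):
        for child in list(wrc):
            if _local(child.tag) == "http-method":
                wrc.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, patterns, verbs in find_verb_tampering(WEAK_WEB_XML):
        print(f"{name} {patterns}: only {verbs} are protected")
    print(harden(WEAK_WEB_XML))
```

Dropping the verbs is the right fix when the whole path is meant to be authenticated. If some verbs are intentionally public, use `<http-method-omission>` to name the exceptions instead of `<http-method>`, which again leaves every unlisted verb covered.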

Page 10: Assessing and Securing SAP Solutions

SAP on the Internet (web services)

621 SAP web services can be found on the Internet (in Germany)

Page 11: Assessing and Securing SAP Solutions

SAP on the Internet

More than 5000 systems in the world; more than 260 in Germany, including Dispatcher, Message Server, SapHostControl, etc.

Page 12: Assessing and Securing SAP Solutions

SAP on the Internet (Germany)

[Bar chart: % of companies that expose different services; x-axis 0 to 9]
• SAP Dispatcher
• SAP MMC
• SAP Message Server
• SAP HostControl
• SAP ITS AGate
• SAP Message Server httpd
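The services on the chart are application and management protocols that have no business being reachable from the Internet. The slides name the services but not their ports; the Python script below is an added example, not ERPScan's scanner, that derives the standard SAP NetWeaver ports from the two-digit instance number NN (dispatcher 32NN, gateway 33NN, message server 36NN, message server HTTP 81NN, ICM HTTP 80NN, sapstartsrv, which is what SAP MMC talks to, on 5NN13/5NN14, and SAP Host Control on 1128/1129) and reports which of them accept a TCP connection from wherever it is run. SAP ITS AGate is not included. The `probe` parameter is injectable so the logic can be exercised without a network.

```python
"""Which SAP services does a host expose?  Added example, not from the deck.

Port layout assumed here follows standard SAP NetWeaver conventions, NN being
the two-digit instance number: dispatcher 32NN, gateway 33NN, message server
36NN, message server HTTP 81NN, ICM HTTP 80NN, sapstartsrv (SAP MMC back end)
5NN13/5NN14, SAP Host Control 1128/1129 (instance independent).
"""
import socket


def sap_ports(instance):
    """Map service name -> TCP port for instance number 'NN'."""
    if not (isinstance(instance, str) and len(instance) == 2 and instance.isdigit()):
        raise ValueError("instance number must be two digits, e.g. '00'")
    nn = int(instance)
    return {
        "SAP Dispatcher (DIAG)": 3200 + nn,
        "SAP Gateway (RFC)": 3300 + nn,
        "SAP Message Server": 3600 + nn,
        "SAP Message Server httpd": 8100 + nn,
        "ICM HTTP": 8000 + nn,
        "sapstartsrv / SAP MMC (HTTP)": 50013 + 100 * nn,
        "sapstartsrv / SAP MMC (HTTPS)": 50014 + 100 * nn,
        "SAP HostControl (HTTP)": 1128,
        "SAP HostControl (HTTPS)": 1129,
    }


def tcp_open(host, port, timeout):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host, instance, timeout=2.0, probe=tcp_open):
    """Return [(service, port)] for every SAP port that accepts a connection.
    `probe(host, port, timeout)` defaults to a real TCP connect; pass a fake
    to test the port arithmetic offline."""
    return [(name, port) for name, port in sap_ports(instance).items()
            if probe(host, port, timeout)]


if __name__ == "__main__":
    import sys
    host, inst = sys.argv[1], sys.argv[2]  # e.g. sap.example.com 00
    for name, port in exposed_services(host, inst):
        print(f"{host}:{port}  {name}  REACHABLE")
```

Run it from outside the perimeter against your own hosts; every line it prints is a finding, since none of these services is designed for Internet exposure. A positive result only shows the port answers; whether the service behind it is patched or requires authentication is a separate check.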

Page 13: Assessing and Securing SAP Solutions

Business risks

Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing suppliers and customers list
• Stealing HR data

Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trusted connections

Fraud
• False transactions
• Modification of master data
• etc.

Page 14: Assessing and Securing SAP Solutions

3 areas of SAP security

2010 – Application platform security: prevents unauthorized access by both insiders and remote attackers. Solution: vulnerability assessment and monitoring

2008 – ABAP code security: prevents attacks or mistakes made by developers. Solution: code audit

2002 – Business logic security (SOD): prevents attacks or mistakes made. Solution: GRC
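Slide 14 names code audit as the answer for ABAP code security. As an added illustration of what such an audit looks for, not one of ERPScan's checks and not code from the deck, the Python script below runs two pattern checks over a constructed ABAP sample: a branch that compares the system field SY-UNAME (the current user name) with a literal, which is the shape of a user-name backdoor, and a dynamic Open SQL WHERE clause, written `WHERE (var)`, whose variable was assembled with CONCATENATE from input, which is the ABAP shape of SQL injection. Comment handling follows ABAP syntax: `*` in column 1 is a full-line comment and `"` starts a trailing comment.

```python
"""Two lightweight static checks over ABAP source.  Added example, not one
of ERPScan's ABAP checks.

Flags (1) IF/ELSEIF/CHECK statements that compare SY-UNAME with a literal,
the classic user-name backdoor, and (2) dynamic Open SQL whose WHERE clause
variable was assembled with CONCATENATE, the ABAP form of SQL injection.
"""
import re

# Constructed sample: one backdoor, one injectable query, one safe query.
SAMPLE_ABAP = """\
REPORT zsample.
PARAMETERS p_name TYPE string.
DATA: lv_where  TYPE string,
      lt_result TYPE TABLE OF sflight.

* hidden privileged branch for a single user name
IF sy-uname = 'ZADMIN'.
  CALL FUNCTION 'Z_GRANT_ALL'.
ENDIF.

* user input concatenated into a dynamic WHERE clause
CONCATENATE 'CARRID = ''' p_name '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_result WHERE (lv_where).

* safe: static WHERE clause with a host variable
SELECT * FROM sflight INTO TABLE lt_result WHERE carrid = p_name.
"""

BACKDOOR = re.compile(r"^\s*(IF|ELSEIF|CHECK)\b.*\bSY-UNAME\s*(=|EQ|<>|NE)\s*'", re.I)
CONCAT_INTO = re.compile(r"^\s*CONCATENATE\b.*\bINTO\s+(\w+)\s*\.", re.I)
DYN_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)


def scan_abap(source):
    """Return [(line number, issue, source line)] for the two patterns."""
    findings = []
    concatenated = set()  # variables assembled by CONCATENATE so far
    for lineno, raw in enumerate(source.splitlines(), 1):
        if raw.startswith("*"):  # full-line comment (asterisk in column 1)
            continue
        line = raw.split('"', 1)[0]  # drop a trailing " comment
        if BACKDOOR.search(line):
            findings.append((lineno, "hard-coded user name check (backdoor)", raw.strip()))
        m = CONCAT_INTO.match(line)
        if m:
            concatenated.add(m.group(1).lower())
        m = DYN_WHERE.search(line)
        if m and m.group(1).lower() in concatenated:
            findings.append((lineno, "SQL injection: dynamic WHERE built by CONCATENATE", raw.strip()))
    return findings


if __name__ == "__main__":
    for lineno, issue, text in scan_abap(SAMPLE_ABAP):
        print(f"line {lineno}: {issue}\n    {text}")
```

The regexes are deliberately narrow (a single statement per line, literal comparisons only, CONCATENATE rather than string templates or `&&`), which is enough to show the idea and to keep false positives low; a real code audit resolves variables across statements and also covers the other classes on slide 8, such as missing authorization checks and directory traversal.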

Page 15: Assessing and Securing SAP Solutions

Solution

We did not manage to find any solution that could resolve all of these and other security problems described above, so we created one ourselves.

Page 16: Assessing and Securing SAP Solutions

ERPScan

An innovative product for integrated assessment of SAP platform security and standard compliance. The system can monitor SAP servers for software vulnerabilities, misconfigurations, critical authorizations and code security, and it performs assessment of compliance with current standards and best practices, including SAP best practices.

Page 17: Assessing and Securing SAP Solutions

ERPScan scheme

[Architecture diagram. Labels: Connectors (JAVA), Security audit module, ABAP code scan module, SOD module, Control, Output]

Page 18: Assessing and Securing SAP Solutions

ABAP code security analysis

Multilevel security monitoring tool

[Architecture diagram. Labels grouped as they appear on the slide:]
• Connectors: ABAP, JAVA, SAP Router, SOAP, HTTP
• Control functions: Users, Project management, Inventory
• Audit: Misconfigurations, Vulnerabilities, Critical access
• ABAP code scan: Vulnerabilities, Backdoors, Efficiency
• SoD: Customized critical duties, Segregation of Duties
• Output interfaces: Metrics, Risk assessment, Compliance, Reports

Page 19: Assessing and Securing SAP Solutions

Main functions

• Anonymous scan (pen-test)
• System enumeration / monitoring
• Configuration analysis
• Search for vulnerabilities
• Access control
• SOD conflicts
• ABAP code audit
• SAP / ISACA compliance
• Risk assessment

Page 20: Assessing and Securing SAP Solutions

Getting better every day

• More than 6400 configuration checks
• More than 350 vulnerability checks
• More than 100 0-day checks
• More than 65 checks for ABAP source code issues

Analysis of misconfigurations, vulnerabilities and critical authorizations for ABAP and JAVA

Page 21: Assessing and Securing SAP Solutions

ERPScan's success secret

We pay an enormous amount of attention to gaps in security so that our clients are always one step ahead of the bad guys.

ERPScan: Uniqueness, Research, Expertise

• One of the first in the world to research SAP security
• The first in the world to research SAP J2EE Engine security
• The only solution to assess 3 tiers of SAP security

Page 22: Assessing and Securing SAP Solutions

About us

• Among the leaders in SAP security assessment in the world since 2008
• More than 150 SAP vulnerabilities discovered
• More than 50 acknowledgements from SAP
• Invited to speak and teach about SAP security at 20 key conferences worldwide, in the USA, Europe, Asia and CEMEA, including BlackHat, Defcon and RSA
• Conducting SAP security workshops for the SAP Security Response Team at SAP headquarters

Leading SAP AG partner in discovering and solving security vulnerabilities

Page 23: Assessing and Securing SAP Solutions

Contacts

Visit Booth #553
Tel: +7(812)7031547
web: www.erpscan.com
e-mail: [email protected], [email protected]

