Attacks based on security configurations
|
|
- Joy McCoy
- 6 years ago
- Views:
Transcription
1 SAP Security 2014 Protecting Your SAP Systems Against Attacks based on security configurations Juan Perez-Etchegoyen March 18 th, 2014 BIZEC Workshop
2 Disclaimer This publication is copyright 2014 Onapsis Inc. All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. 2
3 Agenda Introduction Configurations Attacks Recommendations Conclusions 3
4 Who is Onapsis Inc.? Company focused in protecting ERP systems from cyber-attacks (SAP, Siebel, Oracle E-Business Suite TM, PeopleSoft, JD Edwards ). Working with Global Fortune-100 and large governmental organizations. What does Onapsis do? Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit). ERP security professional services. Trainings on ERP security. Who are we? Juan Perez-Etchegoyen (JP), CTO at Onapsis. Discovered several vulnerabilities in SAP and Oracle ERPs... Speakers/Trainers at the most important Security Conferences 4
5 Introduction 5
6 A Cyber-criminal & SAP systems If an attacker is after an SAP system, he s probably looking forward to perform: ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information, etc. FRAUD: Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc. 6
7 What is his goal? The SAP Production System TREASURY PAYROLL FINANCIAL PLANNING SALES INVOICING PRODUCTION LOGISTICS BILLING HUMAN RESOURCES PROCUREMENT 7
8 Where an attacker would probably hit SAP systems are built upon several layers. Segregation of Duties (SoD) controls apply at the Business Logic layer. The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework. SAP Solution Base Infrastructure SAP Business Logic SAP Application Layer Database Operating System 8
9 Where an attacker would probably hit SAP systems are built upon several layers. Segregation of Duties (SoD) controls apply at the Business Logic layer. Successful attacks to this layer would result in The SAP Application Layer (NetWeaver/BASIS) is common to most a complete compromise of the SAP system modern SAP solutions, serving as the base technological framework. (SAP_ALL or equivalent) usually even withouth requiring a username or password SAP Solution SAP Business Logic SAP Application Layer Base Infrastructure Database Operating System 9
10 Configurations and SAP systems 10
11 Netweaver framework can be tuned SAP Systems can be configured through different mechanisms: Customizing (IMG) UME Settings (JAVA only) ACL settings Profile Parameters Transport profile User parameters RFC Destinations reginfo secinfo Webdispatcher Management Console Message Server ICM ACL SAPGui ACL 11
12 Profile parameters Conceptually each parameter is a key-value pair Depending on the kernel version, there are close to 1500 parameters Around 10% of them are security-relevant Parameters are configured within profiles: Default Non dynamic Instance Start* No security-relevant Non dynamic Dynamic parameters do not require a system restart Security-relevant Non dynamic Some examples: rdisp/wp_no_dia = 10 rsau/enable = 1 login/min_password_lng = 8 login/password_downwards_compatibility = 1 Security-relevant Dynamic Security-relevant 12
13 Challenges? 13
14 Challenges Each profile parameter seems to be defining simple concepts but It could be challenging to understand Many times little documentation is available For some situations parameters are related so behavior depends on many values parameters take precedence profiles take precedence (kernel default.pfl instance profile dynamic configuration) parameters could change from App. Server to App. Server parameters configuration depend on files/tables contents parameters are created and destroyed within new kernel versions Default values? 14
15 Attack scenarios 15
16 Attack #1 Emergency mechanism 16
17 Attack #1 Emergency mechanism An emergency mechanism to connect to the SAP systems: Enabled by a profile parameter login/no_automatic_user_sapstar User SAP* does not exist in the database Connection with full authorizations Default credentials SAP*:PASS Cross-client issue (could be affecting only one client) Cross-App-Srv issue (could affect a single application server) The connection to the system will be successful based on a profile parameter and the user master record. Impact: Full SAP system compromise. 17
18 Demo 18
19 Attack #1 Client SAP* Record in Database Server 1 (Central Instance) Server 2 (Dialog Instance) Server 3 (Dialog Instance) login/no_automatic_user_sapstar Yes No No No No 001 Yes No No No No 066 Yes No No No No 200 Yes No No No No 230 No No No Yes No 300 Yes No No No No Server 4 (Dialog Instance) 19
20 Attack #1 Client SAP* Record in Database Server 1 (Central Instance) Server 2 (Dialog Instance) Server 3 (Dialog Instance) login/no_automatic_user_sapstar Protection Yes / Countermeasure No No No No Do not delete the user SAP* from any client 001 Yes No No No No 066 Yes No No No No 200 Yes No No No No 230 No No No Yes No 300 Yes No No No No Server 4 (Dialog Instance) Secure the user SAP* for all the clients in the SAP system (including standard) configure login/no_automatic_user_sapstar to 1. 20
21 Attack #2 Load Balancing 21
22 Attack #2 Load Balancing The load balance on SAP systems is driven by new application servers registering on the Message Server, which is restricted by: Parameter ms/acl_info Contents of ms_acl_info file. The registration of a new application server will be successful based mainly on the contents of the acl file. Impact: Full SAP system compromise. 22
23 Demo 23
24 Demo Protection / Countermeasure Create and maintain the acl to restrict which SAP Application Servers are allowed to register in the Message Server. 24
25 Attack #3 Password policies 25
26 Attack #3 Password policies The ability for a user to connect to the system if password policies are enhanced will depend on: Type of connection (DIAG/RFC) User Type (service,system,dialog ) Parameter rfc/reject_expired_passwd Parameter login/password_compliance_to_current_policy The connection to the system will be successful based on two profile parameters, the user and the protocol. Impact: Effectiveness on brute-force attacks 26
27 Attack #3 # Parameters Dialg Serv Systm Comm 1 Connection Type: GUI rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=0 2 Connection Type: RFC rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=0 3 Connection Type: GUI rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=0 4 Connection Type: RFC rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=0 Yes Yes No No Yes Yes Yes Yes Yes Yes No No Yes Yes Yes Yes 27
28 Attack #3 # Parameters Dialg Serv Systm Comm 5 Connection Type: GUI rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 6 Connection Type: RFC rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 7 Connection Type: GUI rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 8 Connection Type: RFC rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 Pwd Chg Yes No No No Yes Yes No Pwd Chg Yes No No Yes Yes Yes Yes 28
29 Attack #3 # Parameters Dialg Serv Systm Comm 5 Connection Type: GUI rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 6 Connection Protection Type: / RFC Countermeasure rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 7 Connection Type: GUI rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 Pwd Chg Yes No No No Yes Yes No Secure both profile parameters according to business requirements without disrupting any pre-established interface. 8 Connection Type: RFC rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 Pwd Chg Yes No No Yes Yes Yes Yes 29
30 Attack #4 Interfaces 30
31 Attack #4 Interfaces The ability for a user to register, start and connect to an interface on the SAP system will depend on: Parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode, gw/reg_no_conn_info Contents of reginfo and secinfo files. The registration of an interface will be successful based on several profile parameters and the proper acl file. Impact: Potential full SAP system compromise. 31
32 Attack #4 Simplified version of the configuration options acl file gw/acl_mode start/register File exists and is empty 0 or 1 No servers allowed File does not exists 0 Unrestricted File does not exists 1 Only local and internal File properly defined 0 or 1 Only servers defined in ACL If gw/sim_mode is enabled and no explicit denial is included in the ACL, everything is accepted. 32
33 Demo 33
34 Attack #4 Evil Twin: MITM Attacks ` SAP FE RESPONSE RCF Call External RFC Server SAP R/3 SAP GW RCF Modified Call Modified RESPONSE - So Here This we we time, have go again, the every same RFC blocking scenario, call received valid legitimate connections is Logged/Modified, client to and the and External innocent forwarded RFC External to Server, the original RCF the Server SAP external R/3 Server server. and the SAP Gateway - Now, the same malicious client/server connects with the SAP R/3 Gateway, and register itself with the same ID as the original external server. External RFC Malicius Server 34
35 Attack #4 Attacking the R/3 with a Registered Server ` SAP FE RESPONSE RCF Call External RFC Server SAP GW SAP R/3 Poisoned RCF Callback - Yes, Here Again, But now, again we the are when the same again, a same malicious RFC blocking scenario: call is client/server valid received, the valid connections we client, connects perform to the with a valid the External innocent SAP callback R/3 server, RFC External Server, and RCF register the Server. SAP R/3 itself Server with and the the ID SAP of the Gateway - SAP R/3 Application Server OWNED!! original external server. External RFC Malicius Server 35
36 Attack #4 Attacking the R/3 with a Registered Server ` SAP FE Protection / Countermeasure RCF Call SAP GW RESPONSE External RFC Server Create and maintain the proper acl files to restrict which servers can be registered and started and who can connect to those servers. Maintain profile parameters according to your security policies. SAP R/3 Poisoned RCF Callback - Yes, Here Again, But now, again we the are when the same again, a same malicious RFC blocking scenario: call is client/server valid received, the valid connections we client, connects perform to the with a valid the External innocent SAP callback R/3 server, RFC External Server, and RCF register the Server. SAP R/3 itself Server with and the the ID SAP of the Gateway - SAP R/3 Application Server OWNED!! original external server. External RFC Malicius Server 36
37 Wrapping up... 37
38 Bizec The BIZEC TEC/11, lists the most common and critical issues affecting the business runtime. BIZEC TEC-01: Vulnerable Software in Use BIZEC TEC-02: Standard Users with Default Passwords BIZEC TEC-03: Unsecured SAP Gateway BIZEC TEC-04: Unsecured SAP/Oracle authentication BIZEC TEC-05: Insecure RFC interfaces BIZEC TEC-06: Insufficient Security Audit Logging BIZEC TEC-07: Unsecured SAP Message Server BIZEC TEC-08: Dangerous SAP Web Applications Attack #4 Attack #1 Attack #2 BIZEC TEC-09: Unprotected Access to Administration Services BIZEC TEC-10: Insecure Network Environment BIZEC TEC-11: Unencrypted Communications 38
39 General recommendations Use RZ10 and keep track of profiles and parameter values through the database. Specify values in the default profile whenever possible, to define a value for all App. Servers. Pay attention to the values defined on the Instance profiles, as those will override the default profile. Keep special attention on the dynamic parameters, as the modification of those could remain unnoticed. Keep track of the profile parameters that are security-relevant, as those could have a big impact on the security. 39
40 Conclusions Configurations are complex on SAP systems and can have a huge impact on its security. Complex situations could expose the system. Proper controls in place and monitoring of all SAP configurations can help reducing the risk. Holistic security at the SAP Application Layer involves every landscape, every system, every instance and every client. 40
41 References SAP Runs SAP Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP) Secure Configuration of SAP NetWeaver Application Server Using ABAP a114084/content.htm Special Thanks to the Onapsis Team ( Sergio Abraham, Pablo Muller, Jordan Santarsieri ) 41
42 Questions? 42
43 Thank you! Follow 43
Inception of the SAP Platform's Brain Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain Attacks on SAP Solution Manager Juan Perez-Etchegoyen Etchegoyen jppereze@onapsis.com September 20 th, 2012 Ekoparty, Buenos Aires Disclaimer This publication is copyright
More informationPreventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE
Preventing vulnerabilities in HANAbased deployments MARCH 2016 - TROOPERS SECURITY CONFERENCE Disclaimer This presentation contains references to the products of SAP SE. SAP, R/3, xapps, xapp, SAP NetWeaver,
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationAttacks to SAP. Web Applications Your crown jewels online. Mariano Nuñez Di Croce. DeepSec, Austria. November 18th,
Attacks to SAP Web Applications Your crown jewels online Mariano Nuñez Di Croce mnunez@onapsis.com November 18th, 2011 DeepSec, Austria Disclaimer This publication is copyright 2011 Onapsis SRL All rights
More informationSAP Forensics Detecting White-Collar Cyber-crime
Detecting White-Collar Cyber-crime Mariano Nunez mnunez@onapsis.com @marianonunezdc Juan Perez-Etchegoyen jppereze@onapsis.com @jp_pereze March 13 th, 2013 Troopers Security Conference Disclaimer This
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes October 2015 SAP released a batch of emergency fixes for the Download Manager (SDM) application through Notes 2235412 and 2233617 in October. The Notes
More informationSAP Security In-Depth
SAP Security In-Depth by Mariano Nunez Vol. 5 / May 2012 Abstract "SAP platforms are only accessible internally". While that was true in many organizations more than a decade ago, today, driven by modern
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes April 2015 The most critical patch released by SAP in April corrected a missing authentication check in Sybase Adaptive Server Enterprise (ASE). ASE is
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes March 2015 SAP released an important announcement on Patch Tuesday in March to spotlight Security Notes 2134905, 2132584, 2125513 and 2108161. The Notes
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes February 01 SAP Security Notes are rarely front page news. The exception was Note 1785761 which was singled out by SAP for a call to action in the Spotlight
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes May 2015 SAP released several significant patches in May for memory corruption vulnerabilities effecting multiple applications and components. Such weaknesses
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes November 01 SAP issued a critical bulletin in November to raise awareness of three Security Notes related to SAProuter and a new malware variant that is
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes July 2015 The most significant Security Note released by SAP in July deals with a critical missing authentication and authorization check in the XP Server
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes January 01 There were several Security Notes released by SAP in January for directory traversal vulnerabilities affecting a number of application areas.
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes January 01 There were several Security Notes released by SAP in January for directory traversal vulnerabilities affecting a number of application areas.
More informationMobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge
Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge Agenda Mobile Trends and The New Threats The Forgotten Layer Benchmarks of Defects in Custom
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes June 2014 SAP released an important notification in June to highlight a critical vulnerability in SAP Afaria, the Sybase platform that enables centralized
More informationRootkits and Trojans on Your SAP Landscape
Rootkits and Trojans on Your SAP Landscape SAP Security and the Enterprise Ertunga Arsal SAP systems are the heart of many enterprises. Most critical business functions run on SAP Applications and the
More informationYou ve got mail Owning an SAP running business via
You ve got mail Owning an SAP running business via email Agenda Introduction State of SAP security Mail & SAP Vulnerabilities Solutions Introduction Company specialised in securing SAP systems and infrastructures
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes August 2014 SAP released a Hot News fix in August for a critical vulnerability effecting the SAP Afaria Mobile Device Management (MDM) server. Note 2044175
More informationSAP Security anno Tim Lynen, Manager axl & trax 2017
SAP Security anno 2017 Tim Lynen, Manager axl & trax 2017 Agenda Introduction axl & trax Importance of landscape security Where to start Top items to focus on Security in the organization Q&A Introduction
More informationSAP Audit Guide for Basis
SAP Audit Guide for Basis This audit guide is designed to assist the review of middleware components that support the administration and integration of SAP applications, commonly referred to as SAP Basis.
More informationMessage Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended
Message Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended Applies to SAP NetWeaver PI Advanced Adapter Engine Extended 7.30. Summary This article explains how to set up Message Alerting for
More informationAttacking the Giants: Exploiting SAP Internals
Attacking the Giants: Exploiting SAP Internals Mariano Nuñez Di Croce mnunez [at] cybsec [dot] com 30 November, 2007 EKOPARTY, Buenos Aires Agenda SAP Connectivity SAP RFC Interface The RFC Library Security
More informationLayer Seven Security ADVISORY. SAP Security Notes
Layer Seven Security ADVISORY SAP Security Notes August 2017 Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes September 2014 September s corrections included a number of patches for missing authorization checks in critical applications and components, most notably
More informationADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)
ADM960 SAP NetWeaver Application Server Security. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2013 SAP AG. All rights reserved. No part of this publication
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes July 01 In July, SAP released a crucial update for a vulnerability in the Archiving Workbench originally patched in February 011. Note 1561545 contains
More informationADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day
ADM960 SAP NetWeaver Application Server Security. COURSE OUTLINE Course Version: 15 Course Duration: 5 Day SAP Copyrights and Trademarks 2015 SAP SE. All rights reserved. No part of this publication may
More informationDisclosure Management. Default font on styles in Disclosure Management
Disclosure Management Default font on styles in Disclosure Management DISCLOSURE MANAGEMENT DEFAULT FONT IS STYLES (V1.1) TABLE OF CONTENT Introduction... 3 An example... 3 What happens in the system...
More informationHow-to Connect your HANA Cloud Platform Mobile Service Account to your On-Premise OData Service
How-to Connect your HANA Cloud Platform Mobile Service Account to your On-Premise OData Service How-to Connect your HANA Cloud Platform Mobile Service Account to your On-Premise OData Service How-to Provided
More informationProtecting SAP HANA from vulnerabilities and exploits. MARCH TROOPERS Security Conference, Heidelberg
Protecting SAP HANA from vulnerabilities and exploits MARCH 2017 - TROOPERS Security Conference, Heidelberg Disclaimer This presentation contains references to the products of SAP SE. SAP, R/3, xapps,
More informationAbout the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).
About the company 2 What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle). Agenda 3 Building a business case for SAP Vulnerability Management How to start
More informationPassing Parameters via Web Dynpro Application
Applies to: SAP ABAP Workbench that supports Web Dynpro development. For more information, visit the Web Dynpro ABAP homepage. Summary This article explains how to pass parameters via Web Dynpro Application.
More informationMoving BCM to different IP range
Moving BCM to different IP range PREREQUISITES This document describes how to move your BCM application server to a different IP range. The solution is for BCM system administrators who have basic knowledge
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes June 01 SAP released several patches for multiple vulnerabilities effecting Sybase EAServer in June. EAServer is used to create, deploy and configure Java
More informationADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)
ADM950 Secure SAP System Management. COURSE OUTLINE Course Version: 15 Course Duration: 2 Day(s) SAP Copyrights and Trademarks 2015 SAP SE. All rights reserved. No part of this publication may be reproduced
More informationData Handling in the SAP NetWeaver System Landscape Directory Step by Step
Data Handling in the SAP NetWeaver System Landscape Directory Step by Step Applies to: SAP NetWeaver System Landscape Directory (SLD). In this document all main SLD's mechanisms to retrieve and distribute
More informationHow to Setup Notifications in Fiori 2.0 Step-by-Step
How to Setup Notifications in Fiori 2.0 Step-by-Step SAP S/4HANA 1610 Wilson Wei 2017 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork,
More informationHow the Standard Integration between SAP EM and SAP TM Can Be Tested with SE37
How the Standard Integration between SAP EM and SAP TM Can Be Tested with SE37 Author: Daniel Härder Document Date: 04.02.2013 TABLE OF CONTENTS SUMMARY... 3 TESTING EM TM INTEGRATION WITH SE37... 3 DEFINING
More informationSAP NetWeaver Identity Management Identity Center Minimum System Requirements
SAP NetWeaver Identity Management Identity Center Minimum System Requirements Version 7.2 Rev 1 No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
More informationHow to Use a Customer Specific UIBB in MDG Application 'Create Change Request' Author: Matthias Hubert Company: SAP Created on 5th July 2013
How to Use a Customer Specific UIBB in MDG Application 'Create Change Request' Author: Matthias Hubert Company: SAP Created on 5th July 2013 TABLE OF CONTENTS 1 INTRODUCTION... 3 2 PREREQUISITES... 3 2.1
More informationBW Workspaces Data Cleansing during Flat File Upload
BW Workspaces Data Cleansing during Flat File Upload TABLE OF CONTENTS INTRODUCTION INTO THE TOPIC BW WORKSPACE... 3 HISTORY OF THE FILE UPLOAD... 3 NEW DATA CLEANSING FUNCTIONALITY... 3 Transfer File...
More informationExploiting new default accounts in SAP systems
Exploiting new default accounts in SAP systems Agenda Introduction Something about SAP security Unknown default accounts Impact Exploitation: combination with other vulnerabilities Research Solutions Concluding
More informationExploiting new default accounts in SAP systems
Exploiting new default accounts in SAP systems Introduction Who is ERP-SEC Company specialized in securing SAP systems and infrastructures SAP Security Research: Reported and credited for > 60 vulnerabilities
More informationDisclosure Management US SEC. Preview
Disclosure Management US SEC Preview TABLE OF CONTENT Introduction... 3 Creating the Preview... 4 Troubleshooting... 8 Alternative way of creating the Preview... 10 Useful Notes/KBAs... 14 2 Introduction
More informationHow to Guide to create Sample Application in IOS using SUP ODP 2.2
How to Guide to create Sample Application in IOS using SUP ODP 2.2 Applies to: SUP ODP 2.2. Summary This document provides a step-by-step description on how to use the IOS sample application using SUP
More informationCreate and run apps on HANA Cloud in SAP River RDE
SAP River Rapid Development Environment How-To Guide Provided by Customer Experience Group Create and run apps on HANA Cloud in SAP River RDE Applicable Releases: SAP River Rapid Development Environment
More informationCreating Application Definitions in Hana Cloud Platform Mobile Services
SAP Hana Cloud Platform Mobile Services How-To Guide Provided by SAP s Technology RIG Creating Application Definitions in Hana Cloud Platform Mobile Services Applicable Releases: Platform Mobile Services
More informationEP200. SAP NetWeaver Portal: System Administration COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)
EP200 SAP NetWeaver Portal: System Administration. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2013 SAP AG. All rights reserved. No part of this publication
More informationMIS 5121: Business Process, ERP Systems & Controls Week 9: Security: User Management, Segregation of Duties (SOD)
MIS 5121: Business Process, ERP Systems & Controls Week 9: Security: User Management, Segregation of Duties (SOD) Edward Beaver Edward.Beaver@temple.edu ff Video: Record the Class Discussion v Something
More informationUpgrade MS SQL 2005 to MS SQL 2008 (R2) for Non-High-Availability NW Mobile ABAP System
Upgrade MS SQL 2005 to MS SQL 2008 (R2) for Non-High-Availability NW Mobile ABAP System Applies to: SAP Netweaver Mobile 710/711 systems. For more information, visit the Mobile homepage. Summary This document
More informationHow To - Extend MDG-M content by new attributes for customer Z-fields in standard tables
How To - Extend MDG-M content by new attributes for customer Z-fields in standard tables Applicable Releases: From EHP6 FOR SAP ERP 6.0 and from SAP S/4HANA 1511 Version 3 March 2017 Document History Document
More informationOData Service in the SAP Backend System for CRUDQ Operations in Purchase Order Scenario
OData Service in the SAP Backend System for CRUDQ Operations in Purchase Order Scenario Applies to: Duet Enterprise 2.0 SP01 Summary This guide describes in detail how to create and test OData service
More informationAccess Control 5.3 Implementation Considerations for Superuser Privilege Management ID-Based Firefighting versus Role-Based Firefighting Applies to:
Access Control 5.3 Implementation Considerations for Superuser Privilege Management ID-Based Firefighting versus Role-Based Firefighting Applies to: Access Control 5.3 Summary GRC Access Control identifies
More informationSAP Fiori Toolkit. Marc Anderegg, RIG, SAP February, Provided by Rapid Innovation Group (RIG)
SAP Fiori Toolkit Marc Anderegg, RIG, SAP February, 2014 Provided by Rapid Innovation Group (RIG) Agenda 1 2 3 4 SAP Fiori Toolkit Overview SAP Fiori Extensibility Concept Overview Demo Useful Links SAP
More informationUsing Default Values in Backend Adapter
Using Default Values in Backend Adapter Applies to: SAP NetWeaver Mobile 7.1 applicable for all service packs Summary Background, concept and usage of default values in BAPI Wrapper based backend adapter
More informationA Sample PhoneGap Application Using SUP
This document summarizes the creation of a PhoneGap application on android platform which uses SUP server to fetch the data. This document also describes the basics of PhoneGap from the environment setup,
More informationGRC100. GRC Principles and Harmonization COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)
GRC100 GRC Principles and Harmonization. COURSE OUTLINE Course Version: 10 Course Duration: 2 Day(s) SAP Copyrights and Trademarks 2016 SAP SE. All rights reserved. No part of this publication may be reproduced
More informationTesting Your New Generated SAP NetWeaver Gateway Service
Testing Your New Generated SAP NetWeaver Gateway Service Applies to: SAP NetWeaver Gateway 2.0 SP02 Summary In this Article we will focus on how to test the NetWeaver Gateway Service you created using
More informationSales Order Inbound via EDI (289)
EHP3 for SAP ERP 6.0 March 2009 English Sales Order Inbound via EDI (289) Business Process Documentation SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany Copyright Copyright 2009 SAP AG. All rights
More informationQuality Inspection Engine (QIE) Security Guide
D O N. Q I E _ S E C G U I D E Quality Inspection Engine (QIE) Security Guide S AP E n h a n c e m e n t P a c k age 5 f o r S AP E R P 6. 0 Copyright Copyright 2010 SAP AG. All rights reserved. No part
More informationSDN Community Contribution
SDN Community Contribution (This is not an official SAP document.) Disclaimer & Liability Notice This document may discuss sample coding or other information that does not include SAP official interfaces
More informationBC410. Programming User Dialogs with Classical Screens (Dynpros) COURSE OUTLINE. Course Version: 10 Course Duration: 3 Day(s)
BC410 Programming User Dialogs with Classical Screens (Dynpros). COURSE OUTLINE Course Version: 10 Course Duration: 3 Day(s) SAP Copyrights and Trademarks 2013 SAP AG. All rights reserved. No part of this
More informationERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE BY MICHAEL RAKUTKO, HEAD OF PROFESSIONAL SERVICES
ERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE BY MICHAEL RAKUTKO, HEAD OF PROFESSIONAL SERVICES ROADMAP How to implement GDPR in SAP? 1. GDPR security requirements 2. How to discover personal data? 3. How
More informationADM800 AS Java 7.3 Administration
AS Java 7.3 Administration SAP NetWeaver Course Version: 99 Course Duration: 5 Day(s) Publication Date: 07-05-2013 Publication Time: 1141 Copyright Copyright SAP AG. All rights reserved. No part of this
More informationSAP Directory Content Migration Tool
This document describes SAP directory content migration which is used for migration and mass change functionality for PI scenarios and channels from Dual Stack to Single Stack system. This document explains
More informationManagement Console Guide SAP BusinessObjects Data Services 4.1 Support Package 1 ( )
Management Console Guide SAP BusinessObjects Data Services 4.1 Support Package 1 (14.1.1.0) Copyright 2012 SAP AG. All rights reserved.sap, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects
More informationAGILE AND CONTINUOUS THREAT MODELS
SESSION ID: DEV-R04 AGILE AND CONTINUOUS THREAT MODELS Nancy Davoust Vice President, Security Architecture and Technology Solutions Comcast CONTEXT FOR AGILE AND CONTINUOUS THREAT MODELING The Landscape
More informationBC100. Introduction to Programming with ABAP COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)
BC100 Introduction to Programming with ABAP. COURSE OUTLINE Course Version: 15 Course Duration: 2 Day(s) SAP Copyrights and Trademarks 2014 SAP AG. All rights reserved. No part of this publication may
More informationNET311. Advanced Web Dynpro for ABAP COURSE OUTLINE. Course Version: 10 Course Duration: 4 Day(s)
NET311 Advanced Web Dynpro for ABAP. COURSE OUTLINE Course Version: 10 Course Duration: 4 Day(s) SAP Copyrights and Trademarks 2015 SAP SE. All rights reserved. No part of this publication may be reproduced
More informationHow to Check or Derive an Attribute Value in MDG using BRFPlus
How to Check or Derive an Attribute Value in MDG using BRFPlus Applies to: SAP Master Data Governance, as of SAP Master Data Governance 6.1 (or lower). Summary With SAP Master Data Governance you can use
More informationLayer Seven Security ADVISORY
Layer Seven Security ADVISORY SAP Security Notes December 2013 SAP announced an important change to the release strategy for security patches in December. In order to respond more rapidly to externally
More informationManaging Substitutions in My Inbox 2.0 app
Managing Substitutions in My Inbox 2.0 app SAP NetWeaver (7.5) Gateway Joaquin Fornas 2016 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
More informationBC400 Introduction to the ABAP Workbench
BC400 Introduction to the ABAP Workbench. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2014 SAP AG. All rights reserved. No part of this publication may be
More informationUsing Xcelsius 2008 with SAP NetWeaver BW
Using Xcelsius 2008 with SAP NetWeaver BW Applies to: Xcelsius 2008 Enterprise Service Pack 02 (and higher) SAP NetWeaver BW 7.0 Enhancement package 01 Service Pack 05 (and higher) Summary In this short
More informationHow To Configure IDoc Adapters
How-to Guide SAP NetWeaver 04 How To Configure IDoc Adapters Version 1.00 Feb 2005 Applicable Releases: SAP NetWeaver 04 XI 3.0 SR1 and above Copyright 2005 SAP AG. All rights reserved. No part of this
More informationBC490 ABAP Performance Tuning
BC490 ABAP Performance Tuning. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2015 SAP SE. All rights reserved. No part of this publication may be reproduced
More informationADM100 AS ABAP - Administration
ADM100 AS ABAP - Administration. COURSE OUTLINE Course Version: 15 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2014 SAP AG. All rights reserved. No part of this publication may be reproduced
More informationCREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM
CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM Applies to: SAP Summary The purpose of this document is to provide creation and configuration of web service from function
More informationADM920 SAP Identity Management
ADM920 SAP Identity Management. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2014 SAP AG. All rights reserved. No part of this publication may be reproduced
More informationWayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk
Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging
More informationCrystal Reports Family of Offerings
SAP Solution in Detail Crystal Reports Crystal Reports Family of Offerings Versatile Solutions for Developers For over 15 years, the Crystal Reports family of offerings has provided integrated reporting
More informationOnapsis: The CISO Imperative Taking Control of SAP
Onapsis: The CISO Imperative Taking Control of SAP Cyberattacks @onapsis 2016 Key SAP Cyber-Security Trends Over 95% of the SAP systems we have assessed, were exposed to vulnerabilities that could lead
More informationThis document applies to Sybase Unwired Platform For more information, visit the Mobile homepage.
Applies to: This document applies to Sybase Unwired Platform 1.5.2. For more information, visit the Mobile homepage. Summary As Enterprise Mobility is gaining more and more importance day by day, the acquisition
More informationHow to Enable Single Sign-On for Mobile Devices?
How to Enable Single Sign-On for Mobile Devices? Applies to: SAP Netweaver Mobile Client 7.11 and onwards. For more information, visit the Mobile homepage. Summary This guide explains how to enable Single
More informationInformation platform services Installation Guide Information platform services 4.0 Support Package 4
Information platform services Installation Guide Information platform services 4.0 Support Package 4 Copyright 2012 SAP AG. All rights reserved.sap, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
More informationBC400. ABAP Workbench Foundations COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day(s)
BC400 ABAP Workbench Foundations. COURSE OUTLINE Course Version: 15 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2014 SAP SE. All rights reserved. No part of this publication may be reproduced
More informationBusiness Add-Ins (BAdIs) for SD Jam Integration Document Version:
Document Version: 1.0 2014-08-22 Typographic Conventions Type Style Example Description Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names,
More informationHow to Find Suitable Enhancements in SAP Standard Applications
How to Find Suitable Enhancements in SAP Standard Applications Applies to: User Exits, Customer Exits, Business Add-Ins. For more information, visit the ABAP homepage. Summary ABAP developers will often
More informationKeep the Door Open for Users and Closed to Hackers
Keep the Door Open for Users and Closed to Hackers A Shift in Criminal Your Web site serves as the front door to your enterprise for many customers, but it has also become a back door for fraudsters. According
More informationADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)
ADM950 Secure SAP System Management.. COURSE OUTLINE Course Version: 10 Course Duration: 2 Day(s) SAP Copyrights and Trademarks 2013 SAP AG. All rights reserved. No part of this publication may be reproduced
More informationEnterprise Search Extension for SAP Master Data Governance
Enterprise Search Extension for SAP Master Data Governance Applies to: ERP 6 EhP 5. For more information, visit the Master Data Management homepage. Summary This article explains the extensibility concept
More informationComplementary Demo Guide
Complementary Demo Guide SAP Business ByDesign SAP Business ByDesign Global October 23, 2017 1 Table of Content 1 About this Document... 3 1.1 Purpose... 3 1.2 Demo Business Context... 3 1.3 Prerequisites...
More informationSAP Single Sign-On 2.0 Overview Presentation
SAP Single Sign-On 2.0 Overview Presentation June 2014 Public Legal disclaimer This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue
More informationADM900 SAP System Security Fundamentals
ADM900 SAP System Security Fundamentals. COURSE OUTLINE Course Version: 15 Course Duration: 2 Day(s) SAP Copyrights and Trademarks 2015 SAP SE. All rights reserved. No part of this publication may be reproduced
More informationSAP Discovery System V5 Users and Passwords
SAP Discovery System V5 s and s SAP DISCOVERY SYSTEM V5 TABLE OF CONTENT SAP DISCOVERY SYSTEM USERS AND PASSWORDS... 3 PURPOSE... 3 USERS AND PASSWORDS... 3 1. OPERATING SYSTEM USERS AND PASSWORDS... 3
More informationSAP EXAM - C_TADM51_731. SAP Certified Technology Associate - System Administration (Oracle DB) with SAP NetWeaver 7.31.
SAP EXAM - C_TADM51_731 SAP Certified Technology Associate - System Administration (Oracle DB) with SAP NetWeaver 7.31 Buy Full Product http://www.examskey.com/c_tadm51_731.html Examskey SAP C_TADM51_731
More informationAbout ERPScan. ERPScan and Oracle. ERPScan researchers were acknowledged 20+ times during quarterly Oracle patch updates since 2008
1 2 About ERPScan 3 ERPScan and Oracle ERPScan researchers were acknowledged 20+ times during quarterly Oracle patch updates since 2008 Totally 100+ Vulnerabilities closed in Oracle Applications o Oracle
More informationVisual Composer for SAP NetWeaver Composition Environment - Connectors
Visual Composer for SAP NetWeaver Composition Environment - Connectors Applies to: Visual Composer for SAP enhancement package 1 for SAP NetWeaver Composition Environment 7.1 For more information, visit
More information