SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0


Welcome
BIZEC IT Defense, Berlin
SAP Security: BIZEC APP/11 Version 2.0, BIZEC TEC/11 Version 2.0
February 1, 2013
Andreas Wiegenstein, CTO, Virtual Forge

SAP Security
SAP security is a complex discipline. It must be addressed holistically: SoD controls (user roles and profiles) are necessary, but they are not enough. As covered by BIZEC APP/11, code-level security is a clear example of this: reviewing the security of ABAP custom developments is critical.
Another weak link is the SAP technical layer (NetWeaver/BASIS). It is the base framework in charge of critical tasks such as authentication, authorization, encryption, interfacing, auditing and logging, and it can be susceptible to security vulnerabilities that, if exploited, can lead to espionage, sabotage and fraud attacks against the business information.

BIZEC APP/11 Version 2.0
(Content and research contributed by Virtual Forge, Germany)

What is BIZEC APP/11?
The BIZEC APP/11 standard comprises the most critical and the most common security defects in SAP ABAP applications. Its purpose is to give companies that plan to conduct ABAP code audits guidance on which types of security defects should be covered by an audit at minimum.

Why (yet) another standard?
Existing standards:
- cover risks that don't exist in ABAP (buffer overflows, authentication issues);
- don't cover risks that are specific to ABAP (authorization-related risks, the client concept);
- have a different scope: Web-specific (WASC, OWASP) or generic (SANS CWE).
Conclusion: Other application security standards are not applicable to ERP systems.

Why we revised the APP/11 list
- New threat profile: research yielded new risks like Native SQL Injection; new SAP technologies mitigate certain risks.
- Substantial increase of the analyzed code base: more than 100 million lines of code; more than 50 companies contributed code.
- More contributors: SAP security researchers and SAP experts from the industry.

Results of code analysis
Priority is based on critical findings, not total findings.
New items: SQL Injection (Native), Direct Database Modifications, Hidden ABAP Code
Dropped items: File Upload (Malware), Cross-Site Request Forgery, Unmanaged SQL

BIZEC Protection Goals for ERP Systems (#1)

PG-1 Confidentiality of Business Data
The confidentiality of business data must be protected. This is a key requirement in data protection laws and compliance standards, e.g. PCI DSS. Any read access to (sensitive) business data must be properly authorized.

PG-2 Integrity of Business Data
The integrity of all business data must be guaranteed. This is a key requirement for compliance and financial audits. Any (authorized) change of business data must also be accountable.

PG-3 Privileges to Execute Business Logic
Execution of business logic must be protected by proper authorization controls. ABAP coding must duly enforce the required authorizations and must not bypass the authorization concept of the Business Runtime.
Cascading effect: PG-1 and PG-2 will also be violated.

PG-4 Accountability of the Business Logic
All (authorized) actions performed by the business logic must be accountable. ABAP coding must not bypass the accountability features provided by the Business Runtime.

BIZEC Protection Goals for ERP Systems (#2)

PG-5 Integrity of the Business Logic
The integrity of the business logic must be protected in order to prevent manipulation. ABAP coding must neither accidentally nor intentionally bypass or undermine security features of the Business Runtime.
Cascading effect: PG-1, PG-2, PG-3 and PG-4 will also be violated.

PG-6 Availability of the Business Runtime
The Business Runtime is the base platform for the execution of the Business Logic and Business Data layers. Therefore, the availability of the Business Runtime is a critical requirement for the overall operational health of the system. Successful DoS attacks against the components in this layer will result in unexpected downtimes, preventing the organization's users or systems from using the entire SAP system.

PG-7 Integrity of the Business Runtime
The integrity of the components in this layer must be enforced and controlled, as any unauthorized modification of them implies high-level risks to the confidentiality, integrity and availability of the information used by the Business Data and Business Logic layers.
Cascading effect: All other protection goals will also be violated.

BIZEC APP/11 in detail (#1)

APP-01 ABAP Command Injection (Critical)
Coding that dynamically creates and executes ABAP programs based on user input on a productive system, bypassing SE80 and the concept of a three-tier system landscape.
Violates: PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7
Exemplary SAP Note:

APP-02 OS Command Injection (Critical)
Coding that executes arbitrary (input-based) commands on the operating system, bypassing the allowed commands specified in SM49/SM69 and the S_LOG_COM authorizations.
Violates: PG-6, PG-7
Exemplary SAP Note:

APP-03 Native SQL Injection (Critical)
Coding that executes arbitrary (input-based) native SQL commands on the SAP database, bypassing any Open SQL restriction.
Violates: PG-1, PG-2, PG-4, PG-6, PG-7
Exemplary SAP Note:

BIZEC APP/11 in detail (#2)

APP-04 Improper Authorization (Missing, Broken, Proprietary, Generic) (Common)
Coding that does not (properly) perform authorization checks based on the SAP standard for critical operations. Improper authorization includes semantically incorrect authority checks, generic authority checks, and missing as well as proprietary authorization checks.
Violates: PG-3 (implicitly PG-1, PG-2)
Exemplary SAP Note:

APP-05 Directory Traversal (Common)
Coding that performs server-side file/directory read/write access, where a file name or path is (partially) based on unvalidated user input. Such coding gives attackers read/write access to restricted files, e.g. OS configuration, SAP configuration and temporarily stored business data.
Violates: PG-1, PG-6, PG-7
Exemplary SAP Note:

BIZEC APP/11 in detail (#3)

APP-06 Direct Database Modifications (Common)
Coding that directly modifies (restricted SAP standard) database tables without proper authorizations, bypassing the S_TABU_DIS, S_TABU_NAM and S_TABU_CLI authorizations.
Violates: PG-2
Exemplary SAP Note: not known. Problem specific to custom code.

APP-07 Cross-Client Database Access (Common)
Coding that accesses business data on a different client, bypassing the SAP client separation mechanism.
Violates: PG-5 (implicitly PG-1, PG-2, PG-3, PG-4)
Exemplary SAP Note: not known

BIZEC APP/11 in detail (#4)

APP-08 Open SQL Injection (Common)
Coding that makes use of dynamic Open SQL, where part of such a query is based on input. This defect enables malicious users to alter the SQL query in order to access restricted data without authorization.
Violates: PG-5 (implicitly PG-1, PG-2, PG-3, PG-4)
Exemplary SAP Note:

APP-09 Generic Module Execution (Common)
Coding that allows uncontrolled execution of SAP standard business modules. The SAP standard provides a large number of business modules in the Basis layer as well as in the Business Suite. Execution of these business modules is restricted by SAP standard security features, e.g. SE37, SE38/SA38 and SE80.
Violates: PG-3 (implicitly PG-1, PG-2)
Exemplary SAP Note:

BIZEC APP/11 in detail (#5)

APP-10 Cross-Site Scripting (Common)
(BSP) Coding that does not properly encode data before rendering it as HTML. Cross-Site Scripting (XSS) attacks are targeted at users that run business applications in Web browsers. An XSS vulnerability compromises the security of the attacked user's client system, affecting any active SAP sessions.
Violates: PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7
Exemplary SAP Note:

APP-11 Obscure ABAP Code (Common)
Any coding that uses stealth techniques in order to obscure its true purpose.
Violates: PG-4
Exemplary SAP Note: not known. Problem specific to custom code.
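The APP/11 items above are meant to guide ABAP code audits. As an added example (not part of the BIZEC standard and not a Virtual Forge tool), the following Python script applies heuristic pattern rules for APP-01, APP-02, APP-03, APP-06, APP-07 and APP-08 to a constructed ABAP sample. The ABAP constructs it looks for (GENERATE SUBROUTINE POOL, INSERT REPORT, CALL 'SYSTEM', EXEC SQL, CLIENT SPECIFIED, dynamic WHERE clauses, cl_abap_dyn_prg=>escape_quotes, S_TABU_* AUTHORITY-CHECKs) are real ABAP, but the rules and the sample program are simplifications assumed here for illustration.

```python
"""Heuristic audit scanner for some BIZEC APP/11 defect classes in ABAP source.
Constructed illustration: a triage aid for a code audit, not an ABAP parser;
every hit (and every miss) still needs a human reviewer."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    item: str        # BIZEC APP/11 item id, e.g. "APP-08"
    line: int        # 1-based line of the statement in the source
    statement: str   # offending statement, whitespace-normalised

# Single-statement rules: each pattern is a real ABAP construct the item describes.
SIMPLE_RULES = [
    ("APP-01", re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I)),
    ("APP-02", re.compile(r"\bCALL\s+'SYSTEM'", re.I)),      # OS command, bypasses SM49/SM69
    ("APP-03", re.compile(r"\bEXEC\s+SQL\b", re.I)),          # native SQL block
    ("APP-07", re.compile(r"\bCLIENT\s+SPECIFIED\b", re.I)),  # cross-client table access
]
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
DYN_WHERE = re.compile(r"^SELECT\b.*\bWHERE\s*\(\s*(\w+)\s*\)", re.I)
DB_WRITE = re.compile(r"^(?:UPDATE|MODIFY|DELETE\s+FROM|INSERT\s+INTO)\s+(\w+)", re.I)
AUTH_CHECK = re.compile(r"^AUTHORITY-CHECK\s+OBJECT\s+'S_TABU_(?:DIS|NAM|CLI)'", re.I)

def strip_comments(source: str) -> str:
    """Blank '*' comment lines and '"' inline comments, keeping the line count
    (assumes no '"' inside literals, which in ABAP use ' or `)."""
    return "\n".join("" if ln.startswith("*") else re.sub(r'".*', "", ln)
                     for ln in source.splitlines())

def statements(source: str):
    """Yield (line_no, text) per period-terminated statement (assumes no '.' in literals)."""
    cleaned = strip_comments(source)
    for m in re.finditer(r"[^.]+\.", cleaned):
        raw = m.group()
        first = m.start() + (len(raw) - len(raw.lstrip()))  # offset of first non-blank char
        text = " ".join(raw.split())
        if text != ".":
            yield cleaned.count("\n", 0, first) + 1, text

def scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    tainted: dict[str, bool] = {}  # variable -> assembled from pieces without escape_quotes?
    auth_seen = False              # an S_TABU_* AUTHORITY-CHECK preceded this statement
    for line_no, stmt in statements(source):
        for item, pattern in SIMPLE_RULES:
            if pattern.search(stmt):
                findings.append(Finding(item, line_no, stmt))
        if AUTH_CHECK.match(stmt):
            auth_seen = True
            continue
        m = ASSIGN.match(stmt)
        if m and ("&&" in m.group(2) or m.group(2).startswith("|")):
            # string assembled with && or a |template|: input is glued in unless escaped
            tainted[m.group(1).upper()] = "ESCAPE_QUOTES" not in stmt.upper()
            continue
        m = DYN_WHERE.match(stmt)
        if m and tainted.get(m.group(1).upper(), True):  # unknown origin -> review as well
            findings.append(Finding("APP-08", line_no, stmt))
            continue
        m = DB_WRITE.match(stmt)
        # APP-06: write to a non-customer table (no Z/Y prefix) without a prior S_TABU_* check
        if m and not m.group(1).upper().startswith(("Z", "Y")) and not auth_seen:
            findings.append(Finding("APP-06", line_no, stmt))
    return findings

# Constructed ABAP sample mixing safe and unsafe patterns (not code from any real system).
SAMPLE = """\
REPORT zbizec_demo.
* constructed sample mixing safe and unsafe patterns
PARAMETERS: p_matnr TYPE string, p_cmd TYPE string.
DATA: lv_where TYPE string, lv_safe TYPE string, lt_mara TYPE TABLE OF mara.
lv_where = |MATNR = '{ p_matnr }'|.   " input glued into the clause, unescaped
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
lv_safe = |MATNR = '{ cl_abap_dyn_prg=>escape_quotes( p_matnr ) }'|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_safe).
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
SELECT SINGLE * FROM usr02 CLIENT SPECIFIED INTO @DATA(ls_usr) WHERE mandt = '000'.
UPDATE t000 SET mtext = 'x'.
AUTHORITY-CHECK OBJECT 'S_TABU_NAM' ID 'TABLE' FIELD 'ZCUST' ID 'ACTVT' FIELD '02'.
UPDATE zcust SET name = 'x'.
"""

def scan_sample() -> list[tuple[str, int]]:
    """Item ids and 1-based line numbers reported for SAMPLE, in source order."""
    return [(f.item, f.line) for f in scan(SAMPLE)]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.item} line {f.line}: {f.statement}")
```

The escaped dynamic WHERE on line 8 of the sample is deliberately not reported, while the unescaped one on line 6 is; a real audit tool would need data-flow tracking across routines rather than this per-statement taint table.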

BIZEC TEC/11 Version 2.0
(Content and research contributed by Onapsis, USA)

BIZEC TEC/11 (2012)
The BIZEC TEC/11 project lists the most common and critical security defects and threats affecting the technical layer of SAP platforms. Several of the presented threats can be exploited by attackers who do not even have a valid SAP user in the system. Because the technical layer is the foundation of the business logic, successful exploitation of several of these vulnerabilities would usually result in a complete compromise of the business information and processes (SAP_ALL privileges or equivalent). Several affect both SAP ABAP and Java-based solutions. The first list was presented in May 2010 and has since been updated, after two additional years of real-world SAP security assessments and knowledge exchange with other experts.

The BIZEC TEC/11
- BIZEC TEC-01: Missing SAP Security Notes
- BIZEC TEC-02: Standard SAP Users with Default Passwords
- BIZEC TEC-03: Dangerous SAP Web Applications
- BIZEC TEC-04: Unsecured SAP Gateway
- BIZEC TEC-05: Unsecured SAP/Oracle Authentication
- BIZEC TEC-06: Insecure SAP RFC Interfaces
- BIZEC TEC-07: Unsecured SAP Message Server
- BIZEC TEC-08: Insecure SAP Administration and Monitoring Services
- BIZEC TEC-09: Insecure SAP Network Filtering
- BIZEC TEC-10: Insecure SAProuter Implementation
- BIZEC TEC-11: Unencrypted SAP Communications

BIZEC TEC-01: Missing SAP Security Patches
Risk: The SAP platform is running on technological components whose versions are affected by reported security vulnerabilities, and the respective SAP Security Notes have not been applied.
Business Impact: Attackers would be able to exploit reported security vulnerabilities and perform unauthorized activities over the business information processed by the affected SAP system.


BIZEC TEC-02: Standard Users with Default Passwords
Risk: Users created automatically during the SAP system installation, or by other administrative procedures, are configured with default, publicly known passwords.
Business Impact: Attackers would be able to log in to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed to espionage, sabotage and fraud attacks.

BIZEC TEC-03: Dangerous SAP Web Applications
Risk: The SAP Application Server is providing Web applications with reported security vulnerabilities or sensitive functionality (XSS, SQL Injection, Invoker Servlet detour, Verb Tampering, XXE Tunneling, etc.).
Business Impact: Attackers would be able to exploit vulnerabilities in SAP Web applications, enabling them to perform unauthorized activities over the business information processed by the affected SAP system. Should these SAP Web applications be accessible from untrusted networks, such as the Internet, the probability of attacks is highly increased.

BIZEC TEC-04: Unsecured SAP Gateway
Risk: The SAP Application Server's Gateway is not restricting the starting, registration and/or cancellation of external RFC servers.
Business Impact: Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate RFC interfaces used for transmitting sensitive business information.

BIZEC TEC-05: Unsecured SAP/Oracle Authentication
Risk: The SAP ABAP Application Server authenticates to the Oracle database through the external OS authentication scheme, and the Oracle listener has not been secured.
Business Impact: Attackers would be able to obtain full control of the affected SAP system's database, enabling them to create, view, modify and/or delete any business information processed by the system.

BIZEC TEC-06: Insecure SAP RFC Interfaces
Risk: The SAP environment is using insecure RFC connections from systems of a lower security-classification level to systems with higher security-classification levels (e.g. from Development to Production).
Business Impact: Attackers would be able to perform RFC pivoting attacks, by first compromising an SAP system with a low security classification and subsequently abusing existing insecure RFC interfaces to compromise SAP systems with higher security-classification levels.


BIZEC TEC-07: Unsecured SAP Message Server
Risk: The SAP system's Message Server is not restricting the registration of SAP Application Servers, therefore allowing access to unauthorized systems.
Business Impact: Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, being able to obtain valid user access credentials and sensitive business information. Attacks against the SAP system's user workstations would also be possible.

BIZEC TEC-08: Insecure SAP Administration and Monitoring Services
Risk: The SAP platform is not protected against unauthorized access to sensitive administration or monitoring services, such as the SAP Management Console, the P4 interface, SDM, Solution Manager, the Transport Management System, etc.
Business Impact: Attackers would be able to access sensitive functionality of the SAP system, which could lead to unauthorized activities over the business information processed by the affected SAP system.

BIZEC TEC-09: Insecure SAP Network Filtering
Risk: The SAP platform network is not properly isolated from untrusted networks, both external and internal, and intrusion detection/prevention systems have not been implemented.
Business Impact: Attackers would be able to access administration or monitoring services and perform unauthorized activities over the affected SAP components, possibly leading to a full compromise of the SAP system. Due to the lack of IDS/IPS solutions, these attacks could stay undetected.

BIZEC TEC-10: Insecure SAProuter Implementation
Risk: The SAProuter Route Permission Table is not properly configured to allow connections only from/to authorized systems and to restrict the use of native protocols, and/or the logging features are not properly configured.
Business Impact: Attackers would be able to access SAP (and possibly non-SAP) systems located in the company's network.
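As an added example for TEC-10 (not code from BIZEC or Onapsis), the following Python script parses a saprouttab route permission table, tells wide-open and native-protocol ('P') entries apart from SAP-protocol-only ('S') ones, and evaluates a connection against the table with first-match-wins semantics. It assumes a simplified subset of the format (P/S/D entries, '*' wildcards, '#' comments; no SNC KP/KS/KD entries and no subnet masks), and both tables in it are constructed.

```python
"""Audit a SAProuter route permission table (saprouttab) for TEC-10 weaknesses.
Constructed illustration assuming a simplified subset of the format: P/S/D entries,
'*' wildcards and '#' comments (no SNC KP/KS/KD entries, no subnet masks)."""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    action: str   # P = permit any protocol, S = permit SAP protocol only, D = deny
    source: str   # client host/IP pattern
    dest: str     # target host/IP pattern
    service: str  # target port pattern
    line: int     # 1-based line in the table, for reporting

def parse_saprouttab(text: str) -> list[Rule]:
    """Parse 'ACTION SOURCE DEST SERVICE [PASSWORD]' entries, ignoring '#' comments."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()
        if not entry:
            continue
        if entry[0].upper() not in ("P", "S", "D") or len(entry) < 4:
            raise ValueError(f"line {no}: unsupported or malformed entry: {raw!r}")
        rules.append(Rule(entry[0].upper(), entry[1], entry[2], entry[3], no))
    return rules

def decide(rules: list[Rule], source: str, dest: str, service: str) -> str:
    """First matching entry wins; with no match the connection is refused ('D')."""
    for r in rules:
        if (fnmatchcase(source, r.source) and fnmatchcase(dest, r.dest)
                and fnmatchcase(service, r.service)):
            return r.action
    return "D"

def audit(rules: list[Rule]) -> list[str]:
    """Flag entries that contradict TEC-10: open wildcards and native-protocol permits."""
    issues = []
    for r in rules:
        if r.action == "D":
            continue
        if r.source == "*" and r.dest == "*":
            issues.append(f"line {r.line}: permits any source to any destination")
        elif r.dest == "*":
            issues.append(f"line {r.line}: destination wildcard exposes every host "
                          f"behind the router to {r.source}")
        if r.service == "*":
            issues.append(f"line {r.line}: service wildcard for {r.dest}; "
                          "restrict to the needed SAP ports")
        if r.action == "P":
            issues.append(f"line {r.line}: 'P' allows native (non-SAP) protocols to "
                          f"{r.dest}:{r.service}; prefer 'S' unless native access is required")
    return issues

def audit_text(text: str) -> list[str]:
    return audit(parse_saprouttab(text))

# Constructed tables: a wide-open one and a restrictive one.
WEAK_TABLE = """\
# constructed: anything goes
P * * *
"""
RESTRICTIVE_TABLE = """\
# constructed: SAP protocol only, from the admin subnet, to the production dispatcher/gateway
S 10.10.1.* sapprd01 3200
S 10.10.1.* sapprd01 3300
D * * *                   # explicit catch-all deny
"""

if __name__ == "__main__":
    for name, table in (("weak", WEAK_TABLE), ("restrictive", RESTRICTIVE_TABLE)):
        print(name, audit_text(table) or ["no issues"])
```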


BIZEC TEC-11: Unencrypted SAP Communications
Risk: The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems.
Business Impact: Attackers would be able to access sensitive technical and business information being transferred to/from the SAP environment.

Thank you for your feedback
We are looking forward to meeting you at our next event.
Further information on BIZEC and BIZEC events:

Disclaimer
SAP, ABAP and other named SAP products and services and their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries worldwide. All other names of products and services are trademarks of their respective companies/owners. Information contained in this publication is not binding and serves information purposes only. All information can be changed without notice.


More information

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -

More information

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

Exploiting new default accounts in SAP systems

Exploiting new default accounts in SAP systems Exploiting new default accounts in SAP systems Introduction Who is ERP-SEC Company specialized in securing SAP systems and infrastructures SAP Security Research: Reported and credited for > 60 vulnerabilities

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by

More information

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CIS 700/002 : Special Topics : OWASP ZED (ZAP) CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of

More information

Application Layer Security

Application Layer Security Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side

More information

IT Services IT LOGGING POLICY

IT Services IT LOGGING POLICY IT LOGGING POLICY UoW IT Logging Policy -Restricted- 1 Contents 1. Overview... 3 2. Purpose... 3 3. Scope... 3 4. General Requirements... 3 5. Activities to be logged... 4 6. Formatting, Transmission and

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY Layer Seven Security ADVISORY SAP Security Notes January 01 There were several Security Notes released by SAP in January for directory traversal vulnerabilities affecting a number of application areas.

More information

Layer Seven Security ADVISORY. SAP Security Notes

Layer Seven Security ADVISORY. SAP Security Notes Layer Seven Security ADVISORY SAP Security Notes August 2017 Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by

More information

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015 INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3

More information

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS Contents Introduction...3 1. Research Methodology...4 2. Executive Summary...5 3. Participant Portrait...6 4. Vulnerability Statistics...8 4.1.

More information

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT FEBRUARY 18, 2016 This engagement was performed in accordance with the Statement of Work, and the procedures were limited to those described

More information

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Computer Security 3e. Dieter Gollmann.  Chapter 18: 1 Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter

More information

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically

More information

Secure Application Development. OWASP September 28, The OWASP Foundation

Secure Application Development. OWASP September 28, The OWASP Foundation Secure Application Development September 28, 2011 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or

More information

Your Turn to Hack the OWASP Top 10!

Your Turn to Hack the OWASP Top 10! OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

Web Application Whitepaper

Web Application Whitepaper Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,

More information

Application Security Approach

Application Security Approach Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..

More information

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13 Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access

More information

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY Layer Seven Security ADVISORY SAP Security Notes October 2015 SAP released a batch of emergency fixes for the Download Manager (SDM) application through Notes 2235412 and 2233617 in October. The Notes

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security

More information

Fortify Software Security Content 2017 Update 4 December 15, 2017

Fortify Software Security Content 2017 Update 4 December 15, 2017 Software Security Research Release Announcement Micro Focus Security Fortify Software Security Content 2017 Update 4 December 15, 2017 About Micro Focus Security Fortify SSR The Software Security Research

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (1 st Week) Outline Course Information and Policies Course Syllabus 1. Overview Course Information Instructor: Prof. Dr. Hasan H. BALIK, balik@yildiz.edu.tr,

More information

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services.  #truecybersecurity Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services

More information

Exploiting and Defending: Common Web Application Vulnerabilities

Exploiting and Defending: Common Web Application Vulnerabilities Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,

More information

Chrome Extension Security Architecture

Chrome Extension Security Architecture Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture

More information

EAS- SEC: Framework for Securing Enterprise Business Applica;ons

EAS- SEC: Framework for Securing Enterprise Business Applica;ons Invest in security to secure investments EAS- SEC: Framework for Securing Enterprise Business Applica;ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY Layer Seven Security ADVISORY SAP Security Notes June 2014 SAP released an important notification in June to highlight a critical vulnerability in SAP Afaria, the Sybase platform that enables centralized

More information

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Threats and Remediation. Terry Labach, IST Security Team Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage

More information

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/

More information

6-Points Strategy to Get Your Application in Security Shape

6-Points Strategy to Get Your Application in Security Shape 6-Points Strategy to Get Your Application in Security Shape Sherif Koussa OWASP Ottawa Chapter Leader Static Analysis Technologies Evaluation Criteria Project Leader Application Security Specialist - Software

More information

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large

More information

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions? Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing DON T GUESS. TEST. Trustwave Managed Security Testing reveals your vulnerabilities and alerts you to the consequences of exploitation. If you re concerned about cyberattacks

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY Layer Seven Security ADVISORY SAP Security Notes July 01 In July, SAP released a crucial update for a vulnerability in the Archiving Workbench originally patched in February 011. Note 1561545 contains

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information