Mobile Trends And The New Threats: Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge


Agenda
1. Mobile Trends and the New Threats
2. The Forgotten Layer
3. Benchmarks of Defects in Custom ABAP
4. What Can Go Wrong?
5. Security Standards

Virtual Forge
Experts in the field of SAP system and application security and quality
Founded in 2001
CodeProfiler released 2008, SystemProfiler released 2013
Patented Data and Control Flow Analysis for ABAP
Gartner Magic Quadrant for Application Security Testing: leading vendor for ABAP security; Cool Vendor 2011
Locations: Heidelberg, Weimar and Philadelphia

Section: Mobile Trends and the New Threats

Going Mobile... and the Key Threats
Access from anywhere
Extensive access to corporate information
New features added daily
Hostile (public) environment
Attractive target for attackers
Increased attack surface
Source: Dimension Research, The impact of mobile devices on information security

Attack Vectors against Mobiles (figure)
Source: Fraunhofer SIT, How Smartphones and Co. may be Cheating on you

Facts
McAfee Threats Report, First Quarter 2013: "the total number of samples in our mobile malware zoo reached 50,926, with 28 percent of that arriving in 2013" (note that this is the Q1 report, so "2013" here means Q1 only!)
"IP addresses in the United States are again both the source and the target of most malicious network activity."

Facts (continued)
Attacks on mobile devices focus on either:
using the mobile to steal sensitive data, or
getting access data to backend systems
Apple: 50% of smartphone users do not set up a passcode
Phishing: companies from the United States are the most targeted, suffering 80 percent of all attacks
Phishing by country (chart)

Section: The Forgotten Layer

Where the data comes from (figure)
Mobile Gateway / C++ Application / Java Application / HTML Application -> ABAP (RFC/BAdI) -> SAP (all)
Mobile apps eventually call ABAP programs

The Attack Surface of SAP (figure sequence)
1997
2002
Since 2007
Since 2011: NetWeaver Gateway

The Forgotten Layer: Business Runtime
SAP security must be addressed holistically
Business run-time: apps must properly enforce business logic
GRC & SoD are only effective if they are enforced within the applications
Layers (figure): Business Logic, Business Runtime, Database, Operating System

SAP System Security Tests
Testing of >550 SAP systems (including some of the largest organizations of the world)
Over 95% of the systems analyzed were exposed to espionage, sabotage and fraud attacks
None of the evaluated SAP systems were fully updated with the latest SAP security patches
Most of these exploitable vulnerabilities have been publicly known to SAP customers for more than 5 years
Source: Onapsis, BlackHat 2012

Increased External SAP Access Points (figure)

Never Trust the Other Side! Security Paradigm
Unsecured devices have access to sensitive backend systems (e.g. BYOD)
93% have mobile devices connected to their corporate networks
The attacks against mobiles continue to rise dramatically
52% of large companies say the cost of mobile security incidents last year exceeded $500,000
45% have more than five times as many personal mobile devices as they had two years ago, a 36% increase from 2012
Best practice: stringently enforce device-level security; test and validate the complete application and data processing

Our SAP systems are secure

Section: Benchmarks of Defects in Custom ABAP

Source of Defects
Little/no technical specifications
Manual/basic code reviews
Testing focused on functional aspects
External/3rd-party development
Limited/no code change monitoring

Definitions
Average (Arithmetic Mean):
Median: the value in the middle when the numbers are sorted. Example: 1, 2, 3, 100, 101; median = 3
LOC = Lines of Code (without comments and empty lines)
KLOC = 1 thousand LOC
MLOC = 1 million LOC

Benchmark Data
As of: July 2013
Number of systems: 88
Total LOC: 156,443,087
Namespaces: all custom ABAP code (Y*, Z*, 3rd-party namespaces, BAdIs, ...)
Test case domains: Security, Compliance, Performance, Maintainability, Robustness

Custom ABAP Benchmarks: Benchmark Statistics
Metric                                                      Average     Median
Source Code Lines (LOC, without comments and empty lines)   1,862,418   1,032,539
Comments                                                    596,059     325,931
Inline Comments                                             122,876     63,892
Percentage of Comments in Analyzed Lines                    28%         28%
Pragmas                                                     5,119       1,621
Average Module Size (LOC)                                   53          52

Critical Defects at the Average Customer: Benchmarks of Critical Defects
Source Code Lines (LOC, without comments and empty lines): average 1,862,418, median 1,032,539
Domain                            Average   Median   Per KLOC (average)
Security (Critical only)          1,475     903      0.79
Compliance (Critical only)        270       93       0.14
Performance (Critical only)       1,171     1,016    0.63
Maintainability (Critical only)   415       0        0.22
Robustness (Critical only)        1,586     427      0.85

Critical Defects at the Average Customer
1 critical security or compliance defect in every ~1,000 lines of ABAP code
Probabilities:
ABAP Command Injection 50%
Authorization Issue 100%
Directory Traversal 93%

Security Defects: Top 20 Test Cases
1. Missing AUTHORITY-CHECK before CALL TRANSACTION
2. Missing AUTHORITY-CHECK in Reports
3. Directory Traversal (Write Access)
4. Hard-coded SAP System ID Checks (sy-sysid)
5. Missing AUTHORITY-CHECK in RFC-Enabled Functions
6. Dangerous ABAP Commands
7. Directory Traversal (Read Access)
8. File Upload (SAP GUI)
9. Hard-coded SAP Client Checks (sy-mandt)
10. File Download (SAP GUI)
11. Generic RFC Destinations
12. OSQL Injection (Read Access)
13. Broken AUTHORITY-CHECKs
14. Generic Table Query (Write Access)
15. Generic ABAP Module Calls
16. Exposed Kernel Calls
17. Cross-Site Scripting
18. ABAP Command Injection (report)
19. ABAP Command Injection (program)
20. Hard-coded Passwords
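As an added example (not from the slides and not Virtual Forge's CodeProfiler), the following Python check looks for two of the test cases above, a CALL TRANSACTION without a preceding S_TCODE AUTHORITY-CHECK and hard-coded sy-sysid/sy-mandt checks, over a constructed ABAP report and its hardened version. It is a lexical approximation of what an ABAP scanner does, not the data and control flow analysis the slides describe; the report names and the S_TCODE check pattern are assumptions.

```python
import re
# Constructed ABAP sample (not from the slides): a report that starts a transaction
# chosen by the user and branches on the system ID.
VULNERABLE_ABAP = """\
REPORT zdemo_call.
PARAMETERS: p_tcode TYPE sy-tcode.
* Hard-coded system check: the program behaves differently in production
IF sy-sysid = 'PRD'.
  CALL TRANSACTION p_tcode.   " started without any authorization check
ENDIF.
"""

# Hardened version (also constructed): S_TCODE is checked for the requested
# transaction first; CALL TRANSACTION ... WITH AUTHORITY-CHECK would also do.
HARDENED_ABAP = """\
REPORT zdemo_call_fixed.
PARAMETERS: p_tcode TYPE sy-tcode.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD p_tcode.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
CALL TRANSACTION p_tcode.
"""

def statements(src):
    """Yield (first_line, statement) pairs; '*' in column 1 and '"' start comments."""
    buf, start = [], None
    for no, line in enumerate(src.splitlines(), 1):
        code = '' if line.startswith('*') else line.split('"', 1)[0]
        if code.strip() and start is None:
            start = no
        buf.append(code)
        if code.rstrip().endswith('.'):            # period ends an ABAP statement
            yield start, re.sub(r'\s+', ' ', ' '.join(buf)).strip()[:-1]
            buf, start = [], None

def find_defects(src):
    """Return [(line, test_case)] for two top-20 test cases (lexical approximation)."""
    findings, tcode_checked = [], False
    for no, stmt in statements(src):
        up = stmt.upper()
        if up.startswith("AUTHORITY-CHECK OBJECT 'S_TCODE'"):
            tcode_checked = True            # any earlier S_TCODE check covers the call
        elif up.startswith('CALL TRANSACTION') and not tcode_checked \
                and 'WITH AUTHORITY-CHECK' not in up:
            findings.append((no, 'Missing AUTHORITY-CHECK before CALL TRANSACTION'))
        if re.search(r"\bSY-(SYSID|MANDT)\s*(=|EQ|<>|NE)\s*'", up):
            findings.append((no, 'Hard-coded SAP System ID / Client check'))
    return findings
```

Running find_defects over the two samples reports the hard-coded sy-sysid check at line 4 and the unchecked CALL TRANSACTION at line 5 of the vulnerable report, and nothing for the hardened one.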

Section: What Can Go Wrong?

What Can Go Wrong? Free Benchmark Scan of Your ABAP Code
Scan scope (your ABAP code): Security & Compliance, Performance, Robustness & Maintainability, Data Loss Prevention
Results: summary of findings, prioritization of found vulnerabilities, specific examples of findings from your own code, code metrics, benchmark (on request)
Register here for a free benchmark scan

Section: Security Standards

Security Guidelines for SAP
Culture: increase awareness of the need for SAP security (for example, through workshops); provide security training (developer, administrator, user, etc.)
Organization: make SAP security an integral part of your corporate security strategy; develop company and partner security standards and processes that are binding!
Compliance: make security a prerequisite for all SAP projects; test that all delivered applications comply with security standards; add SAP security to your audit activities

Security Guidelines for SAP (continued)
Technology: implement automated testing into your change control process to enable faster detection and remediation of security and quality defects
Cost awareness: the earlier that defects are found, the less they cost to correct
Cost of correcting a single defect when found in:
Unit testing (DEV) = $100
User testing (QA) = $1,000
Productive system (PROD) = $10,000
After system failure, attack, ... = $??????

BIZEC APP/11 Standard Security Tests: Protecting Against Security Defects
ID       Vulnerability                                                      Description
APP-01   ABAP Command Injection                                             Execution of arbitrary ABAP commands
APP-02   OS Command Injection                                               Execution of arbitrary OS commands
APP-03   Native SQL Injection                                               Execution of arbitrary SQL commands
APP-04   Improper Authorization (Missing, Broken, Proprietary, Generic)     Missing or incorrect authorization checks
APP-05   Directory Traversal                                                Unauthorized write/read access to files (SAP server)
APP-06   Direct Database Modifications                                      Unauthorized access to SAP standard tables
APP-07   Cross-Client Database Access                                       Cross-client access to business data
APP-08   Open SQL Injection                                                 Malicious manipulation of OSQL commands
APP-09   Generic Module Execution                                           Unauthorized execution of modules (reports, FMs, etc.)
APP-10   Cross-Site Scripting                                               Manipulation of the browser UI, identity theft
APP-11   Obscure ABAP Code                                                  Hidden / untestable ABAP code

LEARNING POINTS
Attacks on mobile devices are rising exponentially.
The combination of increased external (web, mobile, etc.) applications has increased the diligence required by companies to ensure that their SAP systems are safe and stable.
Custom ABAP and 3rd-party code often have a relatively high number of defects that can introduce serious risks to your SAP production systems.
Manual code reviews and basic tools offer no real protection at a relatively high cost.

RETURN ON INVESTMENT
Implementing automated testing into your change control process will enable faster detection and remediation of security and quality defects.
The earlier that defects are found, the less they cost to correct.
Cost of correcting a single defect when found in:
Unit testing (DEV) = $100
User testing (QA) = $1,000
Productive system (PROD) = $10,000
After system failure, attack, ... = $??????

BEST PRACTICES
Enforce stringent security and quality standards for all custom and 3rd-party code; add them to contracts!
Implement change control procedures that include automatic testing of all ABAP changes before importing to productive systems.

Thank You!
Stephen Lamy, @Virtual_Forge
stephen.lamy@virtualforge.com
+1 610 864 0261