SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0


Welcome BIZEC Roundtable @ IT Defense, Berlin
SAP Security. BIZEC APP/11 Version 2.0, BIZEC TEC/11 Version 2.0
February 1, 2013. Andreas Wiegenstein, CTO, Virtual Forge

2 SAP Security
SAP security is a complex discipline and must be addressed holistically. SoD controls (user roles and profiles) are necessary, but they are not enough.
Code-level security, as covered by BIZEC APP/11, is a clear example of this: reviewing the security of ABAP custom developments is critical.
Another weak link is the SAP technical layer (NetWeaver/BASIS), the base framework in charge of critical tasks such as authentication, authorization, encryption, interfacing, auditing and logging. It can be susceptible to security vulnerabilities that, if exploited, lead to espionage, sabotage and fraud attacks against the business information.

3 BIZEC APP/11 Version 2.0 (content and research contributed by Virtual Forge, Germany)

4 What is BIZEC APP/11?
The BIZEC APP/11 standard comprises the most critical and the most common security defects in SAP ABAP applications. Its purpose is to give companies that plan to conduct ABAP code audits guidance on which types of security defects an audit should cover at a minimum.

5 Why (yet) another standard?
Existing standards cover risks that don't exist in ABAP (buffer overflows, authentication issues) and don't cover risks that are specific to ABAP (authorization-related risks, the client concept). They also have a different scope: Web-specific (WASC, OWASP) or generic (SANS/CWE).
Conclusion: other application security standards are not applicable to ERP systems.

6 Why we revised the APP/11 list
New threat profile: research yielded new risks like Native SQL Injection, and new SAP technologies mitigate certain risks.
Substantial increase of the analyzed code base: more than 100 million lines of code, contributed by more than 50 companies.
More contributors: SAP security researchers and SAP experts from the industry.

7 Results of code analysis
Priority is based on critical findings, not on total findings.
New items: SQL Injection (Native), Direct Database Modifications, Hidden ABAP Code.
Dropped items: File Upload (Malware), Cross-Site Request Forgery, Unmanaged SQL.

8 BIZEC Protection goals for ERP Systems (#1)
PG-1 Confidentiality of Business Data: the confidentiality of business data must be protected. This is a key requirement of data protection laws and compliance standards such as PCI DSS. Any read access to (sensitive) business data must be properly authorized.
PG-2 Integrity of Business Data: the integrity of all business data must be guaranteed. This is a key requirement for compliance and financial audits. Any (authorized) change of business data must also be accountable.
PG-3 Privileges to execute Business Logic: execution of business logic must be protected by proper authorization controls. ABAP coding must duly enforce the required authorizations and must not bypass the authorization concept of the Business Runtime. Cascading effect: PG-1 and PG-2 will also be violated.
PG-4 Accountability of the Business Logic: all (authorized) actions performed by the business logic must be accountable. ABAP coding must not bypass the accountability features provided by the Business Runtime.

9 BIZEC Protection goals for ERP Systems (#2)
PG-5 Integrity of the Business Logic: the integrity of the business logic must be protected in order to prevent manipulation. ABAP coding must neither accidentally nor intentionally bypass or undermine security features of the Business Runtime. Cascading effect: PG-1, PG-2, PG-3 and PG-4 will also be violated.
PG-6 Availability of the Business Runtime: the Business Runtime is the base platform for the execution of the Business Logic and Business Data layers, so its availability is a critical requirement for the overall operational health of the system. Successful DoS attacks on the components in this layer result in unexpected downtime, preventing the organization's users and systems from using the entire SAP system.
PG-7 Integrity of the Business Runtime: the integrity of the components in this layer must be enforced and controlled, as any unauthorized modification of them implies high-level risks to the confidentiality, integrity and availability of the information used by the Business Data and Business Logic layers. Cascading effect: all other protection goals will also be violated.

10 BIZEC APP/11 2012 in detail (#1)
APP-01 ABAP Command Injection (Critical): coding that dynamically creates and executes ABAP programs based on user input on a productive system, bypassing SE80 and the concept of a three-tier system landscape. Violates PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7. Exemplary SAP Note: 1589919.
APP-02 OS Command Injection (Critical): coding that executes arbitrary (input-based) commands on the operating system, bypassing the allowed commands maintained in SM49/SM69 and the S_LOG_COM authorization. Violates PG-6, PG-7. Exemplary SAP Note: 1520462.
APP-03 Native SQL Injection (Critical): coding that executes arbitrary (input-based) native SQL statements on the SAP database, bypassing any Open SQL restriction. Violates PG-1, PG-2, PG-4, PG-6, PG-7. Exemplary SAP Note: 1456569.

11 BIZEC APP/11 2012 in detail (#2)
APP-04 Improper Authorization (Missing, Broken, Proprietary, Generic) (Common): coding that does not (properly) perform authorization checks according to the SAP standard for critical operations. Improper authorization includes semantically incorrect authority checks, generic authority checks, missing checks and proprietary authorization checks. Violates PG-3 (implicitly PG-1, PG-2). Exemplary SAP Note: 1576763.
APP-05 Directory Traversal (Common): coding that performs server-side file/directory read/write access where the file name or path is (partially) based on unvalidated user input. Such coding gives attackers read/write access to restricted files, e.g. OS configuration, SAP configuration and temporarily stored business data. Violates PG-1, PG-6, PG-7. Exemplary SAP Note: 1595074.

12 BIZEC APP/11 2012 in detail (#3)
APP-06 Direct Database Modifications (Common): coding that directly modifies (restricted SAP standard) database tables without proper authorization, bypassing the S_TABU_DIS, S_TABU_NAM and S_TABU_CLI authorizations. Violates PG-2. Exemplary SAP Note: not known; the problem is specific to custom code.
APP-07 Cross-Client Database Access (Common): coding that accesses business data in a different client, bypassing the SAP client separation mechanism. Violates PG-5 (implicitly PG-1, PG-2, PG-3, PG-4). Exemplary SAP Note: not known.

13 BIZEC APP/11 2012 in detail (#4)
APP-08 Open SQL Injection (Common): coding that uses dynamic Open SQL where part of the query is based on input. This defect enables malicious users to alter the SQL query in order to access restricted data without authorization. Violates PG-5 (implicitly PG-1, PG-2, PG-3, PG-4). Exemplary SAP Note: 1447616.
APP-09 Generic Module Execution (Common): coding that allows uncontrolled execution of SAP standard business modules. The SAP standard provides a large number of business modules in the basis as well as in the business suite; their execution is restricted by SAP standard security features, e.g. the access controls of SE37, SE38/SA38 and SE80. Violates PG-3 (implicitly PG-1, PG-2). Exemplary SAP Note: 1683644.

14 BIZEC APP/11 2012 in detail (#5)
APP-10 Cross-Site Scripting (Common): (BSP) coding that does not properly encode data before rendering it as HTML. Cross-Site Scripting (XSS) attacks target users who run business applications in Web browsers. An XSS vulnerability compromises the security of the attacked user's client system, affecting any active SAP session. Violates PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7. Exemplary SAP Note: 1337913.
APP-11 Obscure ABAP Code (Common): any coding that uses stealth techniques in order to obscure its true purpose. Violates PG-4. Exemplary SAP Note: not known; the problem is specific to custom code.
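The eleven items above define what an ABAP code audit has to look for. As an added illustration, not part of the BIZEC material and not code from Virtual Forge or any scanner product, the following Python script applies a handful of sink-based pattern rules for APP-01, APP-02, APP-03, APP-07 and APP-08 to a constructed ABAP sample. The rule regexes, the sample program and the choice of sinks (GENERATE SUBROUTINE POOL / INSERT REPORT, the CALL 'SYSTEM' kernel call, ADBC execute_* methods, CLIENT SPECIFIED, a parenthesised dynamic WHERE) are this example's assumptions about where such a rule set would start; deciding whether input really reaches a sink needs data-flow analysis, which a pattern scanner cannot do.

```python
"""Pattern-based audit of ABAP source for several BIZEC APP/11 defect classes.

Added example, not part of the BIZEC slides or of any vendor tool: a
sink-oriented scanner that flags statements an auditor must review. The
sample ABAP source below is constructed for this example; the rules encode
well-known ABAP sinks and are deliberately not an exhaustive rule set.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str     # BIZEC APP/11 item
    priority: str    # "Critical" or "Common", as classified on the slides
    line: int        # 1-based line in the scanned source
    statement: str   # the offending line, comments stripped
    reason: str


# (item, priority, regex applied to one statement line, why it matters)
RULES = [
    ("APP-01", "Critical", r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b",
     "dynamic ABAP program generation on the server"),
    ("APP-02", "Critical", r"\bCALL\s+'SYSTEM'",
     "kernel call executing OS commands, bypasses SM49/SM69"),
    ("APP-03", "Critical", r"->\s*execute_(query|update|ddl|procedure)\s*\(",
     "ADBC native SQL sink; review how the statement string is built"),
    ("APP-07", "Common", r"\bCLIENT\s+SPECIFIED\b",
     "cross-client database access"),
    ("APP-08", "Common", r"\bWHERE\s*\(\s*\w+\s*\)",
     "dynamic Open SQL WHERE clause taken from a variable"),
]
COMPILED = [(i, p, re.compile(rx, re.IGNORECASE), why) for i, p, rx, why in RULES]


def strip_comment(line: str) -> str:
    """Drop ABAP comments: '*' in column 1 is a full-line comment, a double
    quote outside a single-quoted literal starts an inline comment."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for idx, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:idx]
    return line


def scan(source: str) -> list[Finding]:
    """Apply every rule to every statement line. Statements spanning several
    physical lines are matched per line, which suffices for the sinks above."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        stmt = strip_comment(raw).strip()
        if not stmt:
            continue
        for rule_id, priority, rx, why in COMPILED:
            if rx.search(stmt):
                findings.append(Finding(rule_id, priority, no, stmt, why))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count per priority; slide 7 ranks items by critical findings, not totals."""
    return dict(Counter(f.priority for f in findings))


# Constructed sample: one hit per rule plus comment-line decoys.
SAMPLE_ABAP = """\
REPORT zaudit_sample.
PARAMETERS: p_where TYPE string, p_cmd TYPE string.
DATA: lt_code TYPE TABLE OF string, lv_prog TYPE string, lt_rows TYPE TABLE OF sflight.
* A comment line that mentions INSERT REPORT must not be flagged.
" Dynamic WHERE clause built from unvalidated input: APP-08
SELECT * FROM sflight INTO TABLE lt_rows WHERE (p_where).
SELECT SINGLE bname FROM usr02 CLIENT SPECIFIED INTO @DATA(lv_user) WHERE mandt = '000'.
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
DATA(lo_stmt) = NEW cl_sql_statement( ).
lo_stmt->execute_update( |DELETE FROM ztab WHERE id = '{ p_where }'| ).
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"{f.rule_id} [{f.priority}] line {f.line}: {f.statement}  <- {f.reason}")
    print(summarize(scan(SAMPLE_ABAP)))
```

The summary separates critical from common findings so that a ranking of the kind described on slide 7 can be produced from the former alone; the comment-aware stripping matters because otherwise every documented "do not use INSERT REPORT" remark in a code base would count as a finding.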

15 BIZEC TEC/11 Version 2.0 (content and research contributed by Onapsis, USA)

16 BIZEC TEC/11 (2012)
The BIZEC TEC/11 project lists the most common and critical security defects and threats affecting the technical layer of SAP platforms. Several of the presented threats can be exploited by attackers who do not even have a valid SAP user in the system. Because the technical layer is the foundation of the business logic, successful exploitation of several of these vulnerabilities usually results in a complete compromise of the business information and processes (SAP_ALL privileges or equivalent). Several affect both SAP ABAP and Java-based solutions.
The first list was presented in May 2010; it has since been updated after two additional years of real-world SAP security assessments and knowledge exchange with other experts.

17 BIZEC TEC/11 (2012)
The BIZEC TEC/11:
BIZEC TEC-01: Missing SAP Security Notes
BIZEC TEC-02: Standard SAP Users with Default Passwords
BIZEC TEC-03: Dangerous SAP Web Applications
BIZEC TEC-04: Unsecured SAP Gateway
BIZEC TEC-05: Unsecured SAP/Oracle authentication
BIZEC TEC-06: Insecure SAP RFC interfaces
BIZEC TEC-07: Unsecured SAP Message Server
BIZEC TEC-08: Insecure SAP Administration and Monitoring Services
BIZEC TEC-09: Insecure SAP Network Filtering
BIZEC TEC-10: Insecure SAProuter Implementation
BIZEC TEC-11: Unencrypted SAP Communications

18 BIZEC TEC/11 (2012) BIZEC TEC-01: Missing SAP Security Patches
Risk: The SAP platform runs on technological components whose versions are affected by reported security vulnerabilities, and the respective SAP Security Notes have not been applied.
Business Impact: Attackers would be able to exploit the reported vulnerabilities and perform unauthorized activities on the business information processed by the affected SAP system.

19 BIZEC TEC/11 (2012) BIZEC TEC-01: Missing SAP Security Patches

20 BIZEC TEC/11 (2012) BIZEC TEC-02: Standard Users with Default Passwords
Risk: Users created automatically during the SAP system installation, or by other administrative procedures, are configured with default, publicly known passwords.
Business Impact: Attackers would be able to log in to the affected SAP system using a standard SAP user account. As these accounts are usually highly privileged, the business information would be exposed to espionage, sabotage and fraud attacks.

21 BIZEC TEC/11 (2012) BIZEC TEC-03: Dangerous SAP Web Applications
Risk: The SAP Application Server provides Web applications with reported security vulnerabilities or sensitive functionality (XSS, SQL Injection, Invoker Servlet detour, Verb Tampering, XXE Tunneling, etc.).
Business Impact: Attackers would be able to exploit vulnerabilities in SAP Web applications, enabling them to perform unauthorized activities on the business information processed by the affected SAP system. If these SAP Web applications are reachable from untrusted networks, such as the Internet, the probability of attack increases considerably.

23 BIZEC TEC/11 (2012) BIZEC TEC-04: Unsecured SAP Gateway
Risk: The SAP Application Server's Gateway does not restrict the starting, registration and/or cancellation of external RFC servers.
Business Impact: Attackers would be able to obtain full control of the SAP system. Furthermore, they would be able to intercept and manipulate RFC interfaces used for transmitting sensitive business information.

24 BIZEC TEC/11 (2012) BIZEC TEC-05: Unsecured SAP/Oracle authentication
Risk: The SAP ABAP Application Server authenticates to the Oracle database through the external OS authentication scheme, and the Oracle listener has not been secured.
Business Impact: Attackers would be able to obtain full control of the affected SAP system's database, enabling them to create, view, modify and/or delete any business information processed by the system.

25 BIZEC TEC/11 (2012) BIZEC TEC-06: Insecure SAP RFC interfaces
Risk: The SAP environment uses insecure RFC connections from systems of a lower security-classification level to systems with a higher security-classification level (e.g. from Development to Production).
Business Impact: Attackers would be able to perform RFC pivoting attacks: first compromising an SAP system with a low security classification and then abusing the existing insecure RFC interfaces to compromise SAP systems with higher security-classification levels.

26 BIZEC TEC/11 (2012) BIZEC TEC-06: Insecure SAP RFC interfaces
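RFC pivoting is a graph problem: each RFC destination that carries stored credentials or a trust relationship is an edge an attacker on the source system can traverse for free, and the question is which higher-classified systems become reachable, possibly over several hops through peer systems. As an added example (not from the slides, and not an Onapsis tool), the following Python code models that graph over a constructed landscape; the record fields and the DEV < QAS < PRD ranking are this example's assumptions about what an auditor would extract from SM59 on every system.

```python
"""Find RFC pivoting paths (BIZEC TEC-06): chains of RFC destinations that
let an attacker who controls a lower-classified SAP system reach a
higher-classified one without knowing any credentials on the target.

Added example, not from the BIZEC slides. The destination records are a
constructed stand-in for what an auditor exports from SM59 on each system;
the field names and the DEV < QAS < PRD ranking are assumptions of this
example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

RANK = {"DEV": 0, "QAS": 1, "PRD": 2}   # higher value = higher security classification


@dataclass(frozen=True)
class RfcDest:
    source: str         # system (SID) on which the destination is defined
    target: str         # system it connects to
    stored_logon: bool  # user and password saved in the destination
    trusted: bool       # trusted-system (trusting/trusted RFC) relationship


def usable_by_attacker(d: RfcDest) -> bool:
    """A destination is a free hop when it carries stored credentials or a
    trust relationship: whoever controls `source` can call `target` as-is."""
    return d.stored_logon or d.trusted


def pivot_edges(dests: list[RfcDest], systems: dict[str, str]) -> list[RfcDest]:
    """Single hops that climb from a lower to a higher classification."""
    return [d for d in dests
            if usable_by_attacker(d) and RANK[systems[d.target]] > RANK[systems[d.source]]]


def pivot_paths(dests: list[RfcDest], systems: dict[str, str], start: str) -> list[tuple[str, ...]]:
    """All simple paths from `start` over usable destinations that end on a
    system classified higher than `start`. Intermediate hops may be peers or
    lower systems, which is why a single-hop check misses chains."""
    hops: dict[str, list[str]] = defaultdict(list)
    for d in dests:
        if usable_by_attacker(d):
            hops[d.source].append(d.target)
    base, found = RANK[systems[start]], []

    def walk(path: tuple[str, ...]) -> None:
        for nxt in hops[path[-1]]:
            if nxt in path:          # no cycles
                continue
            new = path + (nxt,)
            if RANK[systems[nxt]] > base:
                found.append(new)
            walk(new)

    walk((start,))
    return found


# Constructed landscape: sandbox S01 and development D01 are both DEV systems.
SYSTEMS = {"S01": "DEV", "D01": "DEV", "Q01": "QAS", "P01": "PRD"}
DESTS = [
    RfcDest("S01", "D01", stored_logon=True, trusted=False),   # peer hop, same class
    RfcDest("D01", "Q01", stored_logon=True, trusted=False),   # climbs DEV -> QAS
    RfcDest("Q01", "P01", stored_logon=False, trusted=True),   # climbs QAS -> PRD
    RfcDest("D01", "P01", stored_logon=False, trusted=False),  # prompts for logon: not usable
    RfcDest("P01", "D01", stored_logon=True, trusted=False),   # downward: acceptable direction
]

if __name__ == "__main__":
    for e in pivot_edges(DESTS, SYSTEMS):
        print(f"climbing hop: {e.source} -> {e.target}")
    for p in pivot_paths(DESTS, SYSTEMS, "S01"):
        print("pivot path from S01:", " -> ".join(p))
```

The sandbox S01 has no destination pointing upward at all, yet it reaches production in three hops; a review that only compares each destination's source and target classification reports nothing for S01.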

27 BIZEC TEC/11 (2012) BIZEC TEC-07: Unsecured SAP Message Server
Risk: The SAP system's Message Server does not restrict the registration of SAP Application Servers, thereby allowing access by unauthorized systems.
Business Impact: Attackers would be able to register malicious SAP Application Servers and perform man-in-the-middle attacks, obtaining valid user credentials and sensitive business information. Attacks against the SAP system's user workstations would also be possible.

28 BIZEC TEC/11 (2012) BIZEC TEC-08: Insecure SAP Administration and Monitoring Services
Risk: The SAP platform is not protected against unauthorized access to sensitive administration or monitoring services, such as the SAP Management Console, the P4 interface, SDM, Solution Manager, the Transport Management System, etc.
Business Impact: Attackers would be able to access sensitive functionality of the SAP system, which could lead to unauthorized activities on the business information processed by the affected SAP system.

29 BIZEC TEC/11 (2012) BIZEC TEC-09: Insecure SAP Network Filtering
Risk: The SAP platform network is not properly isolated from untrusted networks, both external and internal, and intrusion detection/prevention systems have not been implemented.
Business Impact: Attackers would be able to access administration or monitoring services and perform unauthorized activities on the affected SAP components, possibly leading to a full compromise of the SAP system. Without IDS/IPS solutions, these attacks could remain undetected.

30 BIZEC TEC/11 (2012) BIZEC TEC-10: Insecure SAProuter Implementation
Risk: The SAProuter route permission table is not properly configured to allow connections only from/to authorized systems, the use of native protocols is not restricted, and/or logging features are not properly configured.
Business Impact: Attackers would be able to access SAP (and possibly non-SAP) systems located in the company's network.

31 BIZEC TEC/11 (2012) BIZEC TEC-10: Insecure SAProuter Implementation
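TEC-04 and TEC-10 are both access-control-list problems: the Gateway's reginfo/secinfo files decide which external RFC servers may register or be started and from where, and the SAProuter route permission table decides which source may reach which destination and port, with `P` entries additionally allowing native (non-SAP) protocols through the route. The following Python code, added here as an example and not taken from the slides or from any vendor tool, parses constructed copies of both file types and flags the entries an assessor looks for first. The line formats follow the SAP documentation for saprouttab (`P|S|D source dest service [password]`, `K`-prefixed SNC variants) and for `#VERSION=2` gateway ACL files (`P|D KEY=VALUE ...`); treating a missing `HOST=` as unrestricted is a conservative assumption of this example.

```python
"""Audit two SAP access-control files: the SAProuter route permission table
(BIZEC TEC-10) and the Gateway reginfo/secinfo ACLs (BIZEC TEC-04).

Added example, not from the BIZEC slides. Line formats follow the SAP
documentation for saprouttab and for VERSION=2 gateway ACL files; the
sample files below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    file: str
    line: int
    severity: str
    entry: str
    reason: str


def _entries(text: str):
    """Yield (line number, stripped line, whitespace-split fields) for rule lines."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield no, line, line.split()


def audit_saprouttab(text: str) -> list[Issue]:
    """Entries are evaluated top-down, first match wins. 'P' permits any
    protocol through the route, 'S' only the SAP protocol, 'D' denies;
    a leading 'K' marks the SNC variants (KP, KS, KD)."""
    issues, rules = [], list(_entries(text))
    for no, line, f in rules:
        action = f[0].upper()[-1]
        if action == "D":
            continue
        src, dst, serv = (f[1:4] + ["*"] * 3)[:3]   # missing fields treated as wildcards
        if src == "*":
            issues.append(Issue("saprouttab", no, "high", line,
                                "permit entry for any source host"))
        if action == "P" and dst == "*" and serv == "*":
            issues.append(Issue("saprouttab", no, "high", line,
                                "native protocols permitted to any host and port"))
        elif action == "P":
            issues.append(Issue("saprouttab", no, "medium", line,
                                "P entry allows native (non-SAP) protocols; use S unless needed"))
    if not rules or rules[-1][2][0].upper()[-1] != "D":
        issues.append(Issue("saprouttab", len(text.splitlines()), "low", "",
                            "no final catch-all deny entry ('D * * *')"))
    return issues


def audit_gateway_acl(text: str, name: str = "reginfo") -> list[Issue]:
    """VERSION=2 files: permit lines carry TP= (program) and HOST= (where it
    may come from), plus ACCESS=/CANCEL= lists in reginfo. A missing HOST is
    treated here as unrestricted (conservative assumption of this example)."""
    issues: list[Issue] = []
    if "#VERSION=2" not in [ln.strip() for ln in text.splitlines()]:
        issues.append(Issue(name, 0, "low", "", "no #VERSION=2 header; old-format semantics apply"))
    for no, line, f in _entries(text):
        if f[0].upper() != "P":
            continue
        kv = {k.upper(): v for k, v in (tok.split("=", 1) for tok in f[1:] if "=" in tok)}
        tp = kv.get("TP", "*")
        hosts = kv.get("HOST", "*").split(",")
        if tp == "*" and "*" in hosts:
            issues.append(Issue(name, no, "high", line, "any program from any host"))
        elif "*" in hosts:
            issues.append(Issue(name, no, "medium", line, f"program {tp} accepted from any host"))
        elif tp == "*":
            issues.append(Issue(name, no, "medium", line, "any program from the listed hosts"))
    return issues


# Constructed samples: a permissive file and its hardened counterpart for each type.
SAMPLE_SAPROUTTAB = """\
# the first entry lets anything through, the rest never matches
P * * *
S office-vpn.example.internal sapprd01 3200
D * * *
"""
HARDENED_SAPROUTTAB = """\
# SAP protocol only, explicit endpoints, explicit final deny
S office-vpn.example.internal sapprd01 3200
S office-vpn.example.internal sapprd01 3299
D * * *
"""
SAMPLE_REGINFO = """\
#VERSION=2
P TP=* HOST=*
P TP=sapxpg HOST=local
D TP=*
"""
HARDENED_REGINFO = """\
#VERSION=2
P TP=sapxpg HOST=local,internal ACCESS=internal CANCEL=internal
P TP=zrfcsrv HOST=rfcsrv01.example.internal ACCESS=sapprd01 CANCEL=internal
D TP=*
"""

if __name__ == "__main__":
    for issue in audit_saprouttab(SAMPLE_SAPROUTTAB) + audit_gateway_acl(SAMPLE_REGINFO):
        print(f"{issue.file}:{issue.line} [{issue.severity}] {issue.entry}  <- {issue.reason}")
```

Because both files are first-match, the position of a wildcard entry matters as much as its content: in the sample route table the `S` entry and the final deny are dead rules, which is exactly what the first `P * * *` hides from a reviewer who only reads the last lines.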

32 BIZEC TEC/11 (2012) BIZEC TEC-11: Unencrypted SAP Communications
Risk: The confidentiality and integrity of communications in the SAP landscape are not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems.
Business Impact: Attackers would be able to access sensitive technical and business information being transferred to and from the SAP environment.
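Several of the TEC items (TEC-02, TEC-04, TEC-07, TEC-08 and TEC-11) surface as instance profile parameters, so a first pass of a technical-layer assessment is to read the profile and compare it against a baseline. The following Python code is an added example, not part of the BIZEC slides and not an Onapsis product: it parses a constructed AS ABAP instance profile, honouring the "last assignment wins" and `$(NAME)` substitution rules of the profile format, and lists deviations. The parameter names are standard NetWeaver profile parameters; the expected values and the mapping to TEC items are this example's baseline, not a BIZEC requirement.

```python
"""Check an AS ABAP instance profile against a hardening baseline for the
technical-layer items (TEC-02, -04, -07, -08, -11).

Added example, not from the BIZEC slides. The parameter names are standard
NetWeaver profile parameters; the expected values are this example's
baseline rather than a BIZEC requirement, and the profile text is constructed.
"""
from __future__ import annotations

import re


def _equals(expected: str):
    return lambda value: value == expected


def _is_set(value: str | None) -> bool:
    return value not in (None, "")


# parameter -> (TEC item, check on the value string or None when unset, rationale)
BASELINE = {
    "login/no_automatic_user_sapstar": ("TEC-02", _equals("1"), "no fallback SAP* with a default password"),
    "gw/acl_mode": ("TEC-04", _equals("1"), "restrictive gateway defaults when ACL files are absent"),
    "gw/sec_info": ("TEC-04", _is_set, "secinfo restricts starting external programs"),
    "gw/reg_info": ("TEC-04", _is_set, "reginfo restricts registering external RFC servers"),
    "ms/acl_info": ("TEC-07", _is_set, "message server ACL restricts application server logon"),
    "ms/monitor": ("TEC-07", _equals("0"), "message server monitoring from outside disabled"),
    "service/protectedwebmethods": ("TEC-08", _equals("SDEFAULT"), "sensitive sapstartsrv web methods protected"),
    "snc/enable": ("TEC-11", _equals("1"), "SNC available for DIAG and RFC"),
    "snc/accept_insecure_gui": ("TEC-11", _equals("0"), "unencrypted SAP GUI logons rejected"),
    "snc/accept_insecure_rfc": ("TEC-11", _equals("0"), "unencrypted RFC logons rejected"),
}

_REF = re.compile(r"\$\((\w+)\)")


def parse_profile(text: str) -> dict[str, str]:
    """'name = value' lines; '#' starts a comment line; a later assignment of
    the same parameter wins; $(NAME) references are expanded from the profile."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    for name in list(params):   # insertion order: referenced names are expanded first
        params[name] = _REF.sub(lambda m: params.get(m.group(1), m.group(0)), params[name])
    return params


def audit_profile(params: dict[str, str]) -> list[tuple[str, str, str | None, str]]:
    """(TEC item, parameter, current value, rationale) for every baseline
    parameter that is unset or off-baseline, sorted by item then name."""
    return sorted((tec, name, params.get(name), why)
                  for name, (tec, check, why) in BASELINE.items()
                  if not check(params.get(name)))


# Constructed profile excerpt for a production instance.
SAMPLE_PROFILE = """\
# constructed instance profile excerpt (PRD, instance D00)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
DIR_INSTANCE = /usr/sap/$(SAPSYSTEMNAME)/$(INSTANCE_NAME)
login/no_automatic_user_sapstar = 1
gw/sec_info = $(DIR_INSTANCE)/data/secinfo
gw/reg_info = $(DIR_INSTANCE)/data/reginfo
gw/acl_mode = 0
ms/monitor = 1
snc/enable = 0
"""

# Same profile with hardening lines appended; later lines override earlier ones.
HARDENED_PROFILE = SAMPLE_PROFILE + """\
gw/acl_mode = 1
ms/acl_info = $(DIR_INSTANCE)/data/ms_acl_info
ms/monitor = 0
service/protectedwebmethods = SDEFAULT
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
"""

if __name__ == "__main__":
    for tec, name, value, why in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{tec} {name} = {value!r}: {why}")
```

Two details carry the audit value: an unset parameter is reported as a deviation rather than silently taking the kernel default, and the override rule means a hardening line that was appended below an older, weaker assignment really does win, which is also why the sample reports `gw/acl_mode` as `0` and the hardened copy does not.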

33 Thank you for your feedback We are looking forward to meeting you at our next event. Further information on BIZEC and BIZEC events: http://bizec.org.

34 Disclaimer SAP, ABAP and other named SAP products and services and their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries worldwide. All other names of products and services are trademarks of their respective companies / owners. Information contained in this publication is not binding and serves information purposes only. All information can be changed without notice.