SAP Application Users: You can finally sleep at night!

Guest post from: Pete Nicoletti, CISO, Virtustream

As an SAP user, you’re well aware of and are enjoying the benefits of the world best ERP system. The information that you create and use contributes to your companies competitive advantage. Using SAP to make business decisions and report on all facets of your business is among the most critical functions in your company.

In addition to your internal users using this critical function, there is a very large community of… let’s call them “non-authorized users” to be PC. They would love to have access to your critical company data. Protecting your SAP systems and crown jewels information in “Internet time” from these unauthorized users (ok… hackers!) is extremely challenging. Think of all the SAP notes, patches, changes to your versions and landscapes, new mobile related threats, OS patching, network changes, acquisitions… all of these changes are occurring hundreds and thousands times a day! Each change to a system contributes to and increases risk.

Since you are smart security professional at RSA, you don’t use one of the risk mitigation strategies we have to delicately talk our executives out of called: “Ignore the Risk.” So, you are aware that your SAP system is undergoing constant change, and there are hackers working 24/7/365 to gain access to your data.

Those two nightmares should be keeping you up at night. So, let’s do a quick sleep study… you’re tossing and turning all night long… the recurring nightmare you have is that some bad actors are selling your information to your competition. What is the prescription to get a good night’s sleep? Onapsis.

Onapsis is the vulnerability scanner for SAP that identifies every security issue that your SAP system has. Before this tool, there was no way to know just how bad your nightmare is. Trust me… It’s bad. You should be having nightmares. As the world’s largest SAP hosting company we strive to reduce those above listed risks to our clients. How do we sleep at night hosting hundreds of the world’s largest SAP environments? Onapsis. It is the prescription for a restful night’s sleep. Know what your risks are, classify them, assign them to owners for remediation… and then validate they have been fixed. Standard security stuff right?

Before Onapsis there was just no way to do it. Come by booth 2109 here at RSA and let’s talk about we can secure your SAP world… and you can sleep better at night!

 

Guest post from:

Pete Nicoletti CISO
CISSP, CISA, CCSK, FCSE, CCSE
Virtustream Inc – www.virtustream.com

 

Share Button

Securing Your SAP Through Research

In the latest Notes Tuesday Onapsis was credited with discovering and reporting almost half (10 out of 23) of the vulnerabilities addressed by SAP (or alternatively three quarters or one third, depending on how you do the math: there were only 13 Notes that were attributed to third party security researchers of which Onapsis discovered 10. And SAP released 23 security notes on Notes Tuesday; but had also released an additional 10 notes since the last patch Tuesday; bringing the total released during that period to 33).

Having received a number of messages of appreciation and additional questions about the work done by Onapsis Labs to find so many of the vulnerabilities remediated by SAP this month, I thought people should know about the effort and work done to discover and responsibly report these risks every month.

So how do we find these issues in the first place? There are a number of possible ways. It could be a result of a number of activities that the Onapsis Research Labs team or Professional Services team perform. It might be we discover the vulnerability during a services engagement for a client; or as the output from a dedicated bug hunting activity (where our labs team will take a deep dive with SAP technology and attempt to find previously unknown issues in SAP modules and applications) or they are born out of ideas that lead to “What if” and other brain storming conversations that take place internally.

Continue reading

Share Button

Analyzing SAP Security Notes February 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches, SAP releases their latest Security Notes information the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments on a monthly basis in the least.

At Onapsis we are very concerned about not only our client’s SAP system security but the state of SAP security in general, so to assist SAP’s customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 33 Security Notes were published by SAP. Of these 33 notes, Onapsis Research Labs reported 10 of the underlying issues that have been addressed by SAP:

  • 1791081 by Sergio Abraham
  • 1768049 by Sergio Abraham
  • 1920323 by Sergio Abraham
  • 1915873 by Sergio Abraham
  • 1914777 by Sergio Abraham
  • 1911174 by Sergio Abraham
  • 1795463 by Sergio Abraham
  • 1789569 by Sergio Abraham
  • 1738965 by Sergio Abraham
  • 1939334 by Juan Pablo Perez Etchegoyen, Jordan Santarsieri and Pablo Muller.

Continue reading

Share Button

Security Geeks Introduction to SAP – RFC Destinations

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager roles at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

This blog is the third in a series that documents the self-education that I have been undertaking as I learn about SAP, assessing the security of a SAP system and then implementing secure practices.

This blog builds on a webcast I was fortunate to take part in. My colleague Sergio Abraham has spent a considerable amount of time research RFC Destinations, the common ways they are configured and how various SAP components install RFC Destinations in order to function. I recommend in addition to this blog you view the webcast recording here and the corresponding question and answer session it generated here.

Continue reading

Share Button

Analyzing SAP Security Notes January 2014 Edition

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organizations security SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.

CVSS distribution for the Security Notes released in January 2014

In January SAP released a total of 34 Security Notes, of those Notes, six were the result of reports made to SAP by the Onapsis Research Labs.
Notes 1918333, 1917381 and 1894049 were reported by Nahuel D. Sánchez, 1922547 and 1910914 by Jordan Santarsieri and note 1931399 by Willis Vandevanter all from Onapsis Research Labs.

Continue reading

Share Button

Analyzing SAP Security Notes December 2013 Edition

CVSS Distribution

CVSS distribution - SAP Security Notes December 2013

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organizations security SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.

To date this is been a service we have carried out quietly on behalf of our customers. However due to wider requests for better understanding regarding the information being published by SAP this will be the first in a monthly series of posts that summarize and explain the analysis we performed in order to promptly update our products with the latest security checks.

In December we analyzed a total of 35 SAP Security Notes. Notes 1926485, 1913554 and 1911523 were reported by Sergio Abraham, from Onapsis Research Labs.
Continue reading

Share Button

Complementing GRC – Testing the Forgotten Layer of SAP

For those of us old hands in the security industry we know that when security is done right processes flow smoothly, issues are rare, identified and mitigated before there is any real public perception of the potential for an issue; and businesses continue to achieve their goals of profitability and sustainability. In those circumstances security is often invisible; leading those not connected to the security team to speculate quietly or loudly about the value or worth of the security team to the business.

When security is done poorly the results are obvious and painful. Publicly announced loss of customer information or intellectual property; inefficient processes and costly internal remediation to shore up holes that are identified. Worse still is the effect on the relationship between security and the business; because security isn’t seen for the enablement function it can be the security team may have to force itself into projects – trying to force consistency and security where it didn’t previously exist. Because those (unfortunate) security teams are playing catchup the recommendations delivered for projects often come at the end of the project, causing delays in go-live dates and increased project costs. As a result the security team is seen as the “no-team”, gaining a negative imagine within the organization. So teams with projects try to hide them from security, only disclosing them to security at the last possible minute – causing the cycle of “security team generated delays” to continue.

When I am at conferences a common theme from my peers is to discuss how we can better show the business the positive results that a healthy relationship with security can bring. From more efficient processes, decreased risk and a healthier bottom line; consistently and intelligently applied security has numerous benefits any intelligent business would want to reap.

SAP is a company that understand the importance of security to its customers. It has introduced a regular monthly cycle of releasing patches, notes and other information about new vulnerabilities that effect their software components. Also, SAP proactively publishes security guidance for SAP software; providing customers with the information they need to ensure they are doing all they can to secure their SAP installations.

And for good reason, I am not sure it is possible to calculate the value of the business processed and enabled by SAP systems every day; but given the range of companies that run SAP I am sure it is a more than respectable percentage of the world’s GDP.

Continue reading

Share Button

Security Geeks Introduction to SAP – Vulnerabilities

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager roles at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

This blog is the second in a series that documents the self-education that I have been undertaking as I learn about SAP, assessing the security of a SAP system and then implementing secure practices.

As I mentioned in my first post in this series, the typical reaction of a business when asked about the security of their SAP systems is to refer to the SoD checks they do. That is the testing they do to ensure proper Segregation of Duties is enforced; which is, the system has the logic in place to prevent fraud – so the person who submits an expense report cannot approve it as well, for example.

Given 10 years of dealing with buffer overflows, ClientSide attacks, SQLi and numerous other ways to exploit weaknesses in how systems have been coded and implemented, I was more than a little surprised to learn that the testing of the underlying SAP applications and their configuration was not common practice.

There are numerous presentations and articles online that talk about the day SAP released 500 notes; and those that talk about the current rate at which SAP releases their notes. Suffice it to say that SAP is a large and mature technology that has the typical amount of issues of any large and mature technology.

Continue reading

Share Button

Security Geeks Introduction to SAP

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my past role, I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager role at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

I know that more and more ‘traditional’ security professionals are being asked to evaluate the security posture and risk of a business’s SAP system; which makes sense as SAP typically runs the most critical processes and workflows for an organization, as well as housing the most important data. Given the amount of time and effort it is taking me to learn SAP I thought it would be beneficial to publish a little resource for other professionals making the same jump.

So, SAP? For those like me who need to know what an acronym stands for it is Systems, Applications and Products in data processing, also it is never said as a single word, but spelled out S-A-P. It started in and is still based in Germany and according to Wikipedia has a revenue of over 16 billion Euro in 2012 – so not a small company by any stretch of the imagination.

Continue reading

Share Button

Securing SAP Mobile Platforms: Beyond the Device

Mobile security is definitely a hot topic in our industry. However, it’s quite hard to find people talking about mobile security beyond managing/securing the device itself. Most industry solutions are focused in deploying a secure BYOD strategy and ensuring the devices cannot be exploited with malware.

While this approach is highly important, I have found it difficult to find solutions that actually look at the security of the backend servers that are used by such mobile devices. These servers vary from simple Apache, IIS or Tomcat application servers with Web mobile apps to highly proprietary components.

If your company is using SAP mobile applications in you employees’ tablets or smartphones, then you have SAP servers exposed to the Internet to serve such devices, which already puts them in a more risky situation (Internal threats mentioned on previous blog). With 6000+ customers already using them and being one of the fastest growing product line for SAP AG, it’s highly likely that you are or soon will be empowering your users with SAP-branded apps.

In this scenario, an attacker only needs to perform an external scan to discover such components, and – be sure about it – he is not limited to the functionality that the SAP mobile app is providing your users. He can interface with such SAP servers with a variety of attack tools and try to exploit vulnerabilities in them. The result? He may be able to compromise your entire SAP infrastructure, remotely over the Internet.

This was a growing concern in many of our leading customers, and I’m glad to announce that we responded quickly: Onapsis X1 is now the first-and-only product in the market equipped to detect & assess vulnerabilities affecting SAP Mobile Platforms (Sybase Unwired Platforms), SAP NetWeaver Gateway and SAP Fiori apps.

We are going to be showcasing this new version at booth #231 during the Black Hat Conference this month in Las Vegas as well as hosting a 2 day SAP Security In-Depth training.

Remember that your mobile apps are probably connecting to a backend system in your network. If it’s SAP, we got you covered.

 

Share Button