Bypassing SAP HANA XSS Filter

Last week we were doing some tests on the HANA XS engine trying to understand how an attacker could bypass the XSS filter provided by the ICM.

For what purpose?

As discussed in a previous post, a Cross Site Scripting attack can be more effective than a SQL injection because of SAP HANA's inherent design.

SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization's value chain. Organizations use SAP to track and manage, in real time, sales, production, financial accounting and human resources across the enterprise.

Specific examples include:

  • Finance: General Ledger (GL), Accounts Payable (AP), Accounts Receivable (AR) and Asset Accounting.
  • Controlling: Cost Center Accounting, Profit Center Accounting (PCA), Product Costing, Profitability Analysis and Internal Orders (IO).
  • Sales and Distribution: Customer master data, sales, plants, sales organizations and sales conditions.
  • Human Resources: Hiring, salary, employee benefits, etc. It is highly integrated with the finance and controlling (FICO) modules.
  • Project Systems: Budgeting, planning, forecasting.
Industrial Value Chain via http://practicalanalytics.wordpress.com/

Other key systems such as email, web front-end applications and Microsoft applications also support the value chain and are the focus of many traditional perimeter and legacy security technologies. However, though these systems are important, are they as critical to the value chain as SAP?

5 Questions CISOs Should Ask About SAP Security

Over the last few weeks, Adrian Lane, CTO and Analyst at Securosis, a leading cyber-security analyst firm, published two blog posts from his ongoing series "Building an Enterprise Application Security Program." In these posts, Adrian describes how key business applications running on SAP and Oracle have security and compliance gaps that are not covered by traditional security measures.

This is a problem that tends to be overlooked by many organizations. In the second post Adrian outlines the critical need for enterprise application security by analyzing key use cases: compliance, transaction verification, use of sensitive information, potential threats from both inside and outside the organization, and the changes needed in management and policy enforcement.

In the blog Adrian states:

“None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps.”

This statement had me thinking… a majority of the current problem around SAP security stems from a lack of understanding of why it's critical to implement new, more adaptive security solutions. Since joining Onapsis I've engaged with many of my friends in the cyber-security industry and have found that most CISOs and their teams do not have visibility into their SAP infrastructure, nor do they understand how connections are set up between their SAP systems. There is truly a lack of insight into what SAP teams are doing to solve security issues. I have also found that when leaders in security ask their SAP counterparts in IT, they receive "old school" security answers like – "We have it covered as we use SAP GRC for access controls and separation of duties measures."

Welcome to the New Onapsis

I'm pleased to announce that today we've launched a new product, a redesign of our website and, ultimately, a new brand. This is a very exciting day for Onapsis!

Detection Dashboard

After the great success of the Onapsis X1 product, we worked closely with our customers and partners over the last several years to produce this next-generation platform. Combining the unique knowledge and outstanding dedication of our researchers and engineers with the expertise of our product management team, we are confident that we're delivering not only exactly what our customers and partners require, but the most advanced business-critical application security solution on the market.

Our new product, Onapsis Security Platform, is the first SAP-certified solution that combines a preventative, behavioral-based and context-aware detective approach for identifying and mitigating security risks, compliance gaps and cyber-attacks on business-critical applications. These applications include ERP, CRM, HCM, SCM, SRM and BI solutions.

Our new platform delivers continuous monitoring, real-time visibility and protection for SAP applications, covering the SAP NetWeaver ABAP, J2EE, HANA, Mobile and BusinessObjects platforms. It also provides compliance gap analysis, automates the security audit process for SAP applications and raises alarms to close windows of vulnerability: detection and response actions are triggered automatically, including both alerting and real-time mitigation.

One thing we've heard consistently from our customers is the need to integrate our capabilities with their existing network security, security management and SIEM solutions and workflows. And we listened. The new platform is not intended to give CISOs, compliance and SAP teams "yet another platform to manage", but to serve as the vehicle for seamlessly incorporating the security of business-critical applications running on SAP into their existing risk management, audit and incident response initiatives.

We are delighted to see this product launch and look forward to continuing to develop solutions that ensure our customers' success by solving their existing and upcoming challenges.

I welcome you to read more about our new platform and look forward to hearing from all of you with continued feedback that will help guide our technology roadmap:

Best regards,

Mariano


Implementing Layered Security for SAP

Since the Sarbanes-Oxley (SOX) Act passed in 2002, organizations' emphasis on internal controls and risk management has increased significantly. This United States federal law set new standards for the boards and management of all publicly traded US companies, and for public accounting firms. As a result of SOX, top management of these companies must individually certify the accuracy of their reported financial information.

Various software products have been developed to meet these new requirements. One of the best known is the module designed by SAP, SAP GRC Access Control. The driving idea behind this security module is to ensure segregation of duties (SoD) by defining an SoD matrix and allowing risk analysis reports to be generated periodically. It also helps organizations detect whether they have super-user accounts in production systems, a finding usually flagged during any traditional audit because it implies there is no controlled environment for the use of emergency users. The SAP GRC Access Control module ties into the workflows for creating new users or modifying existing ones, so that the workflow consults the SoD matrix and alerts administrators when the access they are about to grant would create an SoD conflict. Finally, the design and configuration of users' roles can be broken into several approval steps, so risk analysis can also be performed at the role level.

SAP Products and OpenSSL Heartbleed

There was a lot of discussion last week about CVE-2014-0160, also known as the Heartbleed vulnerability. For those unfamiliar with it, I recommend heartbleed.com and, for a light-hearted explanation, XKCD. Along with affecting a good chunk of the Internet, it has also taken a toll on a number of products, including those from Cisco, VMware and Oracle, to name just a few. As you can imagine, we have been watching the issue closely and performing tests in our lab to better understand the impact, if any, on SAP and its customers. Here is our current understanding of the status of some of SAP's products:

Vulnerable


Securing Your SAP Through Research

In the latest Notes Tuesday, Onapsis was credited with discovering and reporting almost half (10 out of 23) of the vulnerabilities addressed by SAP (or alternatively three quarters or one third, depending on how you count: only 13 Notes were attributed to third-party security researchers, and Onapsis discovered 10 of those; SAP released 23 Security Notes on Notes Tuesday, but had also released an additional 10 Notes since the previous Patch Tuesday, bringing the total released during that period to 33).

Having received a number of messages of appreciation, along with questions about the work Onapsis Labs did to find so many of the vulnerabilities SAP remediated this month, I thought people should know about the effort that goes into discovering and responsibly reporting these risks every month.

So how do we find these issues in the first place? They can come out of several activities performed by the Onapsis Research Labs team or the Professional Services team. We might discover a vulnerability during a services engagement for a client; it might be the output of a dedicated bug-hunting activity, where our labs team takes a deep dive into SAP technology and attempts to find previously unknown issues in SAP modules and applications; or it might be born out of the "what if" ideas and brainstorming conversations that take place internally.

Analyzing SAP Security Notes February 2014 Edition

SAP is a complex and ever-changing system, whether through changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to mitigate newly disclosed vulnerabilities.

To provide a predictable, scheduled flow of vulnerability mitigation and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because this regular disclosure reveals new issues that could weaken the security of an organization's SAP systems, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are concerned not only with our clients' SAP system security but with the state of SAP security in general, so to assist SAP's customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP clients detailed information about the newly released Notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of those systems within their organization.

This month 33 Security Notes were published by SAP. Of these 33 notes, Onapsis Research Labs reported 10 of the underlying issues that have been addressed by SAP:

  • 1791081 by Sergio Abraham
  • 1768049 by Sergio Abraham
  • 1920323 by Sergio Abraham
  • 1915873 by Sergio Abraham
  • 1914777 by Sergio Abraham
  • 1911174 by Sergio Abraham
  • 1795463 by Sergio Abraham
  • 1789569 by Sergio Abraham
  • 1738965 by Sergio Abraham
  • 1939334 by Juan Pablo Perez Etchegoyen, Jordan Santarsieri and Pablo Muller.


Security Geeks Introduction to SAP – RFC Destinations

By way of background, I have been in the security field, specifically on the proactive testing (penetration testing) side, for over a decade. As part of my role I have presented at public and private conferences, helping to educate organizations about the benefits of pen testing and helping to educate pen testing teams about the latest techniques.

I say all of this to convey that I would grade myself as having above-average knowledge of the security space and significant familiarity with the terms commonly used in the industry. So when I recently took a product manager role at Onapsis and was told I would have to learn about SAP and the security and risk implications of SAP in the enterprise, I smiled and thought "well, I guess I know what I am doing for the first couple of days". As it turns out, SAP is a world unto itself, with a lot of history and complexity.

This blog is the third in a series that documents the self-education that I have been undertaking as I learn about SAP, assessing the security of a SAP system and then implementing secure practices.

This post builds on a webcast I was fortunate to take part in. My colleague Sergio Abraham has spent a considerable amount of time researching RFC Destinations, the common ways they are configured and how various SAP components install RFC Destinations in order to function. In addition to this post, I recommend viewing the webcast recording here and the corresponding question and answer session it generated here.

Analyzing SAP Security Notes January 2014 Edition

SAP is a complex and ever-evolving implementation, whether through changes introduced to your SAP implementation to better serve the business or through newly disclosed vulnerabilities targeting SAP products. To provide a predictable, scheduled flow of security, vulnerability and mitigation information, SAP releases its latest Notes and security information about its products on the second Tuesday of every month. Because this regular disclosure reveals new issues that could weaken an organization's security, SAP security assessments should be carried out on a regular basis. To ensure our customers are testing for all the published vulnerabilities in their SAP implementations, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.

CVSS distribution for the Security Notes released in January 2014

In January SAP released a total of 34 Security Notes; six of them were the result of reports made to SAP by the Onapsis Research Labs.
Notes 1918333, 1917381 and 1894049 were reported by Nahuel D. Sánchez, 1922547 and 1910914 by Jordan Santarsieri, and note 1931399 by Willis Vandevanter, all from Onapsis Research Labs.