• The most popular business application and the core of any large company.
• It handles all processes critical to the business: purchases, payments, logistics, HR, product management, financial planning, etc.
• One of the key benefits SAP brings to an enterprise is the ability to integrate data both within the enterprise and between it and its partners and competitors.
SAP is made up of modules, and they are:
• Technical modules: SAP ABAP, SAP BASIS, XI, SAP HANA, etc.
• Functional modules: Financial Accounting and Controlling (FICO), Material Management (MM), Sales and Distribution (SD), Production Planning (PP), Plant Maintenance (PM), Human Resources (HR), Quality Management (QM), etc., which implement the organization's business processes.
• Modules are linked together and integrated by the NetWeaver platform.
• Since SAP is an integrated system, an error in one module can have a widespread impact.
• Landscape: A group of SAP systems of the same flavor (CRM, SCM, etc.). In a typical landscape you would expect to see three groupings of systems: one for development, one for QA and one for production.
• System: A grouping of one or more application servers (instances). Each SAP system is identified by a three-character alphanumeric SAP System ID (SID), e.g. DEV, QAS, PRD.
• Client: An organizational unit within the SAP system (a group, business unit, etc.), identified by a three-digit number. Every SAP system ships with three built-in clients: 000, 001 and 066. When a user connects to an SAP system, the client to connect to must be specified.
• ABAP: The SAP high-level programming language used to develop business applications.
• Transaction: A way to access a particular function in SAP. A transaction is called by entering its transaction code (TCODE), e.g. SU01, SM49, SCC4, SE37, SE38.
• SAP BASIS (Business Application Systems Integrated Solutions): The middleware layer that includes the RDBMS, GUI and other components used for system administration.
• Function modules: Procedures defined in special ABAP programs (function groups). They can be called locally or remotely.
• Remote Function Call (RFC): The standard SAP interface for communication between SAP systems.
• SAP DIAG (Dynamic Information and Action Gateway): The protocol used between SAP GUI and the SAP server (dispatcher and message server). The traffic is compressed but not encrypted, so credentials and screen data are readable on the wire unless SNC is enabled.
• Authorization object: Used to check whether the user has the authorization to run a particular transaction.
• User profile: The collection of authorizations a user or set of users has been granted in order to perform the transactions related to their jobs.
• Table: In the ABAP Dictionary, the term "database table" (or table for short) is the database-independent definition of a database table.
• Reports/Programs: ABAP programs that receive user input and produce a report in the form of an interactive list.
• Presentation: The layer the user works with (SAP GUI). It reaches the database layer only via the application layer.
• Application: Sits between the presentation and database layers. SAP application programs are executed in the application layer.
• Database: The central database that stores all the data of the SAP ERP system.
Audit checks for authorization & Segregation of Duties (SoD) controls:
• User review for:
  a. Risky profiles like SAP_ALL, SAP_NEW, S_A.SYSTEM, S_A.ADMIN, etc.
  b. Risky authorization values, e.g. users who can administer RFC connections, users who can lock or unlock transactions, etc. (authorization values can be viewed in table USR12, user master authorization values).
  c. Critical transaction codes like SU10 (mass user maintenance), SM19 (security audit configuration), SM49 (execute external OS commands), etc.
  d. Critical tables like USR02, AGR_USERS, BUT0CC, RFCDES, etc.
• Segregation of Duties (SoD) is a control that prevents conflicts of interest, e.g. the right to create a payment order and the right to approve it should belong to different users. Use transaction SUIM to list users with their roles, profiles and transaction codes, and review SoD against their defined roles/profiles.
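The review described above, done offline over table extracts, as an added example that is not part of the original slides. It assumes extracts of AGR_USERS (user to role) and UST04 (user to directly assigned profile), plus the standard AGR_TCODES role-to-transaction table; the sample rows and the SoD rule pairs are constructed for illustration and are not a recommended rule set.

```python
"""Added example (not from the original slides): an offline SoD and
risky-access review over constructed SAP table extracts of the kind SUIM or
SE16 can export. Table names AGR_USERS, UST04 and AGR_TCODES are assumed to
be exported with the columns shown; all rows below are constructed."""
from collections import defaultdict

# Constructed AGR_USERS extract: (UNAME, AGR_NAME)
AGR_USERS = [
    ("JSMITH", "Z_AP_CLERK"),
    ("JSMITH", "Z_AP_PAYMENT_RUN"),
    ("MJONES", "Z_AP_CLERK"),
    ("BASIS01", "Z_BASIS_ADMIN"),
    ("AUDITOR", "Z_READ_ONLY"),
]

# Constructed AGR_TCODES extract: (AGR_NAME, TCODE)
AGR_TCODES = [
    ("Z_AP_CLERK", "FK01"),        # create vendor master
    ("Z_AP_CLERK", "FB60"),        # post vendor invoice
    ("Z_AP_PAYMENT_RUN", "F110"),  # automatic payment run
    ("Z_BASIS_ADMIN", "SU01"),     # user maintenance
    ("Z_BASIS_ADMIN", "PFCG"),     # role maintenance
    ("Z_BASIS_ADMIN", "SM49"),     # execute external OS commands
    ("Z_READ_ONLY", "SE16"),       # table browser
]

# Constructed UST04 extract: (BNAME, PROFILE), profiles assigned directly
UST04 = [("BASIS01", "SAP_ALL"), ("AUDITOR", "S_A.SYSTEM"), ("MJONES", "SAP_NEW")]

# Risky profiles and critical transactions as listed on the slide
RISKY_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.SYSTEM", "S_A.ADMIN"}
CRITICAL_TCODES = {
    "SU10": "mass user maintenance",
    "SM19": "security audit configuration",
    "SM49": "execute external OS commands",
}

# Illustrative SoD rules (assumption): two transactions one person should not hold together
SOD_RULES = [
    ("FK01", "FB60", "create vendor / post vendor invoice"),
    ("FK01", "F110", "create vendor / run payments"),
    ("SU01", "PFCG", "maintain users / maintain roles"),
]


def tcodes_by_user(agr_users, agr_tcodes):
    """Resolve user -> role -> transaction into user -> set of transactions."""
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    user_tcodes = defaultdict(set)
    for user, role in agr_users:
        user_tcodes[user] |= role_tcodes[role]
    return dict(user_tcodes)


def find_sod_conflicts(user_tcodes, rules=SOD_RULES):
    """Return (user, tcode_a, tcode_b, description) for every violated rule."""
    return [
        (user, a, b, desc)
        for user, tcodes in sorted(user_tcodes.items())
        for a, b, desc in rules
        if a in tcodes and b in tcodes
    ]


def find_critical_tcodes(user_tcodes, critical=CRITICAL_TCODES):
    """Return (user, tcode, reason) for users holding a critical transaction."""
    return [
        (user, t, critical[t])
        for user, tcodes in sorted(user_tcodes.items())
        for t in sorted(tcodes & set(critical))
    ]


def find_risky_profiles(ust04, risky=RISKY_PROFILES):
    """Return (user, profile) for direct assignments of a risky profile.
    SAP_ALL grants every transaction, so a user listed here has access the
    role-based checks above cannot see; treat the two result sets together."""
    return [(u, p) for u, p in ust04 if p in risky]


def run_review():
    user_tcodes = tcodes_by_user(AGR_USERS, AGR_TCODES)
    return {
        "sod": find_sod_conflicts(user_tcodes),
        "critical": find_critical_tcodes(user_tcodes),
        "profiles": find_risky_profiles(UST04),
    }


if __name__ == "__main__":
    for section, rows in run_review().items():
        print(section)
        for row in rows:
            print("  ", *row)
```

On the constructed data the review flags JSMITH and MJONES for the vendor-master/invoice conflict, JSMITH additionally for vendor-master/payment-run, BASIS01 for user/role maintenance plus SM49, and three direct risky-profile assignments. In a real review the rule set comes from the business process owners, and users holding SAP_ALL are reported regardless of what their roles contain.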
Audit checks for technical security controls:
• Network security: Review SAProuter ACLs, SNC & SSL encryption, etc.
• Remote Function Calls (RFC): Review the RFCDES table, authorization object S_RFCACL and the RFC authority check profile parameter (auth/rfc_authority_check).
• Web services: Review access to the SAP_BC_WEBSERVICE_ADMIN role and transaction WSADMIN; disable unwanted services and restrict the S_ICF_ADMIN authorization object according to the principle of least privilege.
• Password security: Review the password policy and check for default passwords on the standard users (SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM) using report RSUSR003.
• User management: Check transactions SCUA and SCUM, which are used to define Central User Administration (CUA) models, or check whether all SAP users are authenticated through LDAP or Microsoft Active Directory.
• Change and transport management: Review the BASIS change management policy and procedure together with the change requests raised. Check that access to critical change control transactions/authorizations/user profiles is locked or granted on a least-privilege basis.
• Patch management: Review using the RSECNOTE report and SAP Solution Manager.
• Security Audit Log & monitoring: Review the logging and monitoring parameter settings. Check the monitoring mechanism and whether all logs are integrated with the SIEM.
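The password, RFC authority check and audit-log parameter reviews from the two slides above, turned into a baseline check over a constructed parameter dump; this is an added example, not part of the original slides. The parameter names are real SAP profile parameters (the `name = value` lines you copy out of RZ11 or report RSPARAM); the threshold values are illustrative assumptions and must come from your own policy.

```python
"""Added example (not from the original slides): baseline check of SAP
profile parameters behind the password, RFC and Security Audit Log controls.
Input is a constructed 'name = value' dump, not output from a real system.
Thresholds in BASELINE are assumptions for illustration only."""

# Constructed dump, one "name = value" per line
PARAM_DUMP = """
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 0
login/disable_multi_gui_login = 1
rsau/enable = 0
snc/enable = 0
auth/rfc_authority_check = 0
rdisp/gui_auto_logout = 0
"""

# parameter -> (predicate on the integer value, human-readable expectation)
BASELINE = {
    "login/min_password_lng": (lambda v: v >= 8, ">= 8"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "between 1 and 5"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "between 1 and 90 days"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "1 (no hard-coded SAP* login)"),
    "login/disable_multi_gui_login": (lambda v: v == 1, "1"),
    "rsau/enable": (lambda v: v == 1, "1 (security audit log on)"),
    "snc/enable": (lambda v: v == 1, "1 (SNC available for DIAG/RFC)"),
    "auth/rfc_authority_check": (lambda v: v >= 1, ">= 1 (S_RFC is checked)"),
    "rdisp/gui_auto_logout": (lambda v: 1 <= v <= 3600, "between 1 and 3600 seconds"),
}


def parse_params(text):
    """Parse 'name = value' lines into a dict; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_baseline(params, baseline=BASELINE):
    """Return findings as (parameter, actual, expected).
    A parameter missing from the dump is reported as 'not set': the kernel
    default then applies and has to be verified for that release separately."""
    findings = []
    for name, (ok, expected) in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, "not set", expected))
            continue
        try:
            value = int(raw)
        except ValueError:
            # non-numeric value: report it rather than silently passing
            findings.append((name, raw, expected))
            continue
        if not ok(value):
            findings.append((name, raw, expected))
    return findings


if __name__ == "__main__":
    for name, actual, expected in check_baseline(parse_params(PARAM_DUMP)):
        print(f"{name}: is {actual}, expected {expected}")
```

Two caveats when reading the result: snc/enable = 1 only makes SNC available, and whether unencrypted GUI or RFC clients are still accepted is governed by snc/accept_insecure_gui and snc/accept_insecure_rfc; and rsau/enable alone does not prove that the Security Audit Log is recording anything, so confirm the active filters in SM19 and read the log in SM20 as well.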
Enterprise Application Security Project: top issues, 2014

Top 9 application issues:
1. Lack of patch management
2. Default passwords for application access
3. Unnecessary enabled functionality
4. Open remote management interfaces
5. Insecure configuration
6. Unencrypted communication
7. Access control and SoD
8. Insecure trust relations
9. Logging and monitoring

Top 10 OS issues:
1. Unnecessary enabled services
2. Missing 3rd party software patches
3. Insecure trust relations
4. Universal OS passwords
5. Missing OS patches
6. Lacking or misconfigured network access control
7. Lacking or misconfigured monitoring
8. Insecure internal access control
9. Unencrypted remote access
10. Lack of password lockout/complexity checks

Top 10 database issues:
1. Default passwords for DB access
2. Lack of DB patch management
3. Unnecessary enabled DB features
4. Lack of password lockout/complexity checks
5. Unencrypted sensitive data transport / data
6. Lacking or misconfigured network access control
7. Extensive user and group privileges
8. Lacking or misconfigured audit
9. Insecure trust relations
10. Open additional interfaces
Enterprise Application Security Project: Top 10 network/architecture issues, 2014
1. Lack of proper network filtration between EA and corporate network
2. Lacking or vulnerable encryption between corporate network and EA network
3. Lack of separation between Test, Dev, and Prod systems
4. Lack of encryption inside EA network
5. Insecure trust relations between components
6. Insecurely configured Internet-facing applications
7. Vulnerable or default configuration of routers
8. Lack of frontend access filtration
9. Lacking or misconfigured IDS/IPS
10. Insecure or inappropriate wireless communications