Business Application Security
Securing SAP Systems from XSS vulnerabilities Part 3: Defense for SAP NetWeaver J2EE - ERPScan

erpscan's insight:
Cross-site scripting, or XSS, is one of the most popular vulnerabilities in all products, and in SAP products in particular, with a total of 628 vulnerabilities (almost 22% of all vulnerabilities ever found in SAP during 12 years). In the previous posts, we described general information on XSS and how to defend SAP NetWeaver ABAP from this vulnerability. Today we will give an overview of SAP NetWeaver J2EE defence.

SAP Passwords part 2: SAP HANA Security Storage. How it works - ERPScan
erpscan's insight:

SAP HANA is a recent key product of SAP. It is a software solution based on in-memory technology, which reduces data processing time significantly.

This product has obviously caused excitement among large enterprises interested in processing their data in real time. We do not doubt that SAP HANA is capable of processing big data. However, the security of the critical data that companies store in SAP HANA deserves attention.

Security sleuths, sniff out the stupid from your Oracle DBs
DBAs and hackers, you can learn to get along
SAP Security Notes May 2015 - ERPScan

erpscan's insight:

SAP has released the monthly critical patch update for May 2015. This patch update closes a lot of vulnerabilities in SAP products, some of which belong to the SAP HANA security area. This month, three critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Vahagn Vardanyan were closed.

SAP vulnerabilities highlighted in many reports such as HP Cyber Risk Report 2015 - ERPScan
erpscan's insight:

Recently, HP published their yearly Cyber Risk Report 2015. Although the report spotlights many typical things, such as the growing number of ATM and IoT security events, we have found some parts that are relevant to business application security, which we are honored to share with our readers, customers and partners.

ERPScan warns SAP Clients about serious vulnerabilities in Microsoft affecting Afaria and other products - ERPScan

erpscan's insight:

April 17, 2015 – As part of its monthly updates, Microsoft released security update MS15-034, which closes a vulnerability in the HTTP.sys driver that enables an attacker to execute arbitrary code on the OS remotely.

SAP NetWeaver ABAP Security Configuration Part 6: Insecure Settings - ERPScan
Fifth critical issue. Insecure settings. Each application has several security settings that do not fit into any of the critical issue groups mentioned in our series of articles. Among such settings there are both standard settings (such as password length or the number of attempts allowed to enter an invalid password) and individual, system-specific settings. In this article we are going to use the SAP Gateway service access settings as an example.

SAP NetWeaver ABAP Security Configuration Part 4: Open remote management interfaces
Today we continue our series of articles describing the 33 steps to security. The subject is of great significance not only to a small group of SAP infosec specialists, but to all those people who work with ERP systems, as recent years have witnessed an increased awareness of business data protection problems. Without going into details, let us get right to the topic.

erpscan's insight:

Let us once again remind you of the fact that presently no ERP system is immune to security threats. There is no exception to this rule. That is why solid information should be regularly provided on how to raise security control to higher levels.

A detailed guide for SAP NetWeaver ABAP configuration. - ERPScan – SAP security made easy
In our previous article we already introduced you to the list of the 9 most important business application security critical issues. We also had a chance to present to you the skeleton of our guideline with its 33 security assessment steps. As you have seen only the skeleton of it, now it is high time to pay attention to a more detailed explanation of each step to be taken.

Secure configuring SAP NetWeaver ABAP. Why do we do these guidelines?
With this article we are starting a new series of guidelines describing some basic assessment procedures one can carry out on various business applications, which would help security professionals to expand their ERP systems' immunity to attacks.

erpscan's insight:

Needless to say, the ERP system is at the core of any large company: it deals with all processes critical for business – purchases, payments, logistics, HR, product management, financial planning, etc. All information stored in ERP systems is sensitive, and any unauthorized access to this information can cause huge damage, up to business interruption.

Latest OpenSSL bug HeartBleed 2.0 and SAP Products.

After Heartbleed, the sensational vulnerability in OpenSSL, another critical vulnerability was found on May 5, 2014 and received the identifier CVE-2014-0224 (OpenSSL CCS Injection). CVE-2014-0224 is informally called Heartbleed 2. It affects major web sites, products, and software solutions that use OpenSSL.

erpscan's insight:

Specialists of ERPScan strongly recommend that companies using SAP products such as Relay Server Outbound, SAP Community Network, Mobilink Server, SQL Anywhere Server, SAP NetWeaver, and SAP HANA check their OpenSSL version and update it if necessary to secure their infrastructure.

“Practical SAP Pentesting” From B-Sides Sao-Paulo 2014 - ERPScan – SAP security made easy
Understanding the architecture of a typical SAP system and focusing on every component that can be attacked, with live demos and hands-on exercises. Areas such as SAP Gateway, Message Server, RFC security, ITS, ABAP code vulnerabilities, JAVA-engine attacks, authorizations, database security, SAPGUI security and many others will be described.

“If I want a perfect cyberweapon i’ll target ERP” from RSA conference Europe 2013 by Alexandr Polyakov
erpscan's insight:

I'm shocked, really, that this perfect weapon has not been made yet (or do we just not know about it?). Everybody is talking about attacks on critical infrastructure between countries, but big commercial companies have even more power: they can wage their own corporate wars through industrial espionage. What can they target? Business applications like ERP/CRM systems storing all corporate data. Learn how.

Securing SAP Systems from XSS vulnerabilities Part 2: Defense for SAP NetWeaver ABAP - ERPScan

erpscan's insight:

We continue our series of posts reviewing one of the most frequent vulnerabilities, which affects a lot of SAP modules: cross-site scripting, or XSS. Today's post describes how to protect SAP NetWeaver ABAP from XSS.

SAP Security Notes June 2015 - ERPScan

erpscan's insight:

SAP has released the monthly critical patch update for June 2015. This patch update closes a lot of vulnerabilities in SAP products. The most popular vulnerability is Missing Authorization Check. This month, three critical vulnerabilities found by ERPScan researchers Vahagn Vardanyan, Rustem Gazizov, and Diana Grigorieva were closed.

Securing SAP Systems from XSS vulnerabilities Part 1: Introduction - ERPScan
erpscan's insight:

With this article we are starting a new series of posts reviewing one of the most frequent vulnerabilities, which affects a lot of SAP modules: cross-site scripting, or XSS. XSS is by far one of the most popular vulnerabilities in all products and the most popular vulnerability in SAP products, with a total of 628 vulnerabilities, which is almost 22% of all vulnerabilities ever found in SAP during 12 years. You can find this in our latest research "Analysis of 3000 vulnerabilities in SAP". ERPScan researchers alone have reported about 52 XSS vulnerabilities in SAP products (by mid-2014).

Chinese attack on USIS using SAP vulnerability – Detailed review and comments - ERPScan

erpscan's insight:

On the 11th of May, a security headline broke in the news about an attack on USIS (U.S. Investigations Services), conducted potentially by Chinese state-sponsored hackers via a vulnerability in SAP software. Hackers broke into third-party software in 2013 to open personal records of federal employees and contractors with access to classified intelligence, according to the government's largest private employee investigation provider.

SAP Security Notes April 2015 - ERPScan

erpscan's insight:

SAP has released the monthly critical patch update for April 2015. This patch update closes a lot of vulnerabilities in SAP products. Most of them are potential information disclosure vulnerabilities.

SAP Mobile Platform Security: Introduction - ERPScan

erpscan's insight:

Mobile devices are actively integrated into business processes. Companies have more and more business applications and mobile devices. Employees increasingly bring their own equipment to the workplace (BYOD policy – Bring Your Own Device) and gain access to critical corporate information.

SAP Passwords part 1: ABAP Secure Storage. How it works
erpscan's insight:

This is the first entry in our blog series dedicated to passwords in SAP systems. We will discuss how different passwords are stored in systems, and how they are protected and transmitted. It seems easy at first glance: passwords should be stored in a database. Of course this is true for regular users: their passwords are stored in databases as hashes. But it's not that simple for the service users of SAP systems.

SAP NetWeaver ABAP security configuration part 3: Unnecessary functionality - ERPScan – SAP security made easy
Let us once again remind you of the fact that presently no ERP system is immune to security threats. There is no exception to this rule. That is why solid information should be regularly provided on how to raise security control to higher levels.

erpscan's insight:

What is the most common problem of any more or less complex application? In essence, such applications almost always have numerous unnecessary functions aimed at performing multiple tasks.
Obviously, that makes the whole system vulnerable. The more functionality is available, the higher the number of vulnerabilities becomes. "Complexity Kills Security"

Analysis of 3000 Vulnerabilities in SAP
According to official information from the SAP portal, more than 3000 vulnerabilities have been closed by SAP, as the security research specialists from the ERPScan company, the leading security partner of SAP AG, inform us. Here are 6 highlights from research conducted by the ERPScan team during 7 years of deep analysis of SAP vulnerabilities. Notably, a significant share of the analyzed vulnerabilities was found by the ERPScan research team themselves.

Why SAP Security Guides always provide so little help?
This blog post will be about a new guideline, or standard, for securing - or testing the security of - SAP implementations, which is going to be the first standard of the EAS-SEC standard series.

erpscan's insight:

There were 2 things that pushed us into developing this guideline and gave our project a second burn. We thought about making some kind of guideline from the very beginning, and finally made it when we had a clear idea of how it should be done and what customers really needed.

“Practical SAP Pentesting” from Nullcon Goa 2014 - ERPScan – SAP security made easy
This workshop was focused on basic and advanced areas of the technical aspects of SAP security: understanding the architecture of a typical SAP system and focusing on every component that can be attacked, with live demos and hands-on exercises.
