
With my roots as an SAP technical consultant (ABAP/BASIS), I admit that I was always annoyed by having to implement and abide by SAP security roles and segregation of duties (SOD) policies. I, like most of my peers, always felt that these mechanisms were a hindrance to effectively doing our jobs. Well, over the years, with the growth of criminal and state-sponsored hacking, my views have changed 180 degrees.

 

In the past, the attack surfaces of SAP applications were generally ignored by the larger hacking community, somewhat analogous to Apple OS and its applications being less likely to be compromised than MS Windows applications a few years ago. This has changed for Apple, and it has changed for SAP too.

If I were the owner of an SAP environment and ultimately accountable for it, I would ask myself what the worst outcome of my system being compromised by a hacker or state agency would be. I would think the answer lies somewhere between career ending and apocalyptic.

As a cautionary tale, remember the infamous OPM hack a few years ago. You and millions of others may have received a letter from OPM stating that your personal information may have been inadvertently disclosed. It has generally been confirmed that the access point of this breach was an SAP system owned by a government contractor, USIS. The hackers were able to breach USIS's SAP system and pivot from it into OPM data stores. Well, suffice it to say, USIS is no longer in business.

 

DOD SAP customers generally have a strong cyber security framework and, more specifically, have adopted SAP-specific security practices. They are taking the necessary proactive steps to harden their SAP environments as recommended by SAP and other organizations such as NIST.

 

Federal Civilian SAP customers, in my experience, are somewhat behind their DOD counterparts in terms of cyber and SAP-specific security. This is unfortunate, since these systems are often accessible through public networks, making them even more vulnerable than DOD systems.

 

There are a few 'boutique' security firms that specialize in SAP security, such as Onapsis. You might want to check out some of the white papers and documentation on their websites. I found it eye-opening as to how vulnerable the majority of SAP systems may be.

 

While security is not 'sexy', in that it does not make any business process flashier or more efficient, it is the ultimate means of covering your *** ('CYA'). While most hardcore security folk proclaim that no system is totally secure, this is no excuse for not doing your due diligence. If your SAP system gets hacked, you are going to get 'help' from your larger organization in determining how your system was breached. Their forensic analysis will comment on how well your system was protected. Therefore, you had better be sure that you can prove that you are following best practices and doing everything reasonable to detect and prevent security breaches. Right now, in my experience, this tends to be the exception rather than the norm.

Often, after a project is completed, there is a need to give display access to the system and its configuration on the Production server for data analysis.

To achieve this, we can take the existing SAP_ALL profile and adjust it so that the user accesses the system in display mode only.

 

Many SCN posts tell you to export the role to Notepad and then change the "ACTVT" field value to "03".

Well, this is not entirely correct. You may get a decent working role, but since you are not dealing with only one activity code, you cannot ensure that your role will work flawlessly across the departments in your company.

 

Common display activity codes are 03, 04, 08 and 09.

Some modules use 27, 28, 29, 53, 54, A5, etc.

You can check table TACT to list all display-related activities.

 

Having said that, there is no way to know whether a given ACTVT field should have the value 03, 04, both, or all values, except by browsing the fields one by one and maintaining them manually.

This is a very time-consuming process, but in the end you can have a reusable role that works across your projects.

The good news is that I have gone through this, and you can download the role below.

It has been validated using table AGR_1251 and contains only display values across a large number of objects.
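One way to automate the AGR_1251 validation the post describes, as an added example that is not the post's own role or code: it reads a constructed, tab-separated export of the AGR_1251 columns (AGR_NAME, OBJECT, FIELD, LOW, HIGH) and flags every ACTVT entry that grants a non-display activity, including the cases a plain "set ACTVT to 03" edit misses (wildcards and LOW..HIGH ranges that hide 01 or 02). The allowlist is the set of codes the post names; the authoritative list should come from table TACT.

```python
"""Validate that a role's authorization data contains only display activities.

Added example, not code from the original post. It reads a constructed,
tab-separated export shaped like the AGR_1251 columns the post validates
against (AGR_NAME, OBJECT, FIELD, LOW, HIGH) and reports every ACTVT entry
that grants a non-display activity, including the cases a plain "set ACTVT
to 03" edit misses: wildcards and LOW..HIGH ranges that hide 01 or 02.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Display activity codes named in the post. Assumption: good enough for a
# first pass; derive the authoritative list from table TACT.
DISPLAY_ACTVT = {"03", "04", "08", "09", "27", "28", "29", "53", "54", "A5"}


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str
    field: str
    low: str
    high: str


def parse_agr_1251(text: str) -> List[AuthValue]:
    """Parse a tab-separated export whose header names the AGR_1251 columns."""
    lines = [line for line in text.splitlines() if line.strip()]
    idx = {name: i for i, name in enumerate(lines[0].split("\t"))}
    rows = []
    for line in lines[1:]:
        cols = line.split("\t")
        rows.append(AuthValue(
            role=cols[idx["AGR_NAME"]].strip(),
            obj=cols[idx["OBJECT"]].strip(),
            field=cols[idx["FIELD"]].strip(),
            low=cols[idx["LOW"]].strip(),
            high=cols[idx["HIGH"]].strip(),
        ))
    return rows


def expand_actvt(low: str, high: str) -> Optional[Set[str]]:
    """Codes covered by LOW..HIGH; None for a full wildcard, which is never display-only.

    Numeric ranges are expanded (01..03 contains 02). A non-numeric range is
    returned as one opaque token so it is flagged rather than silently accepted:
    TACT codes are not contiguous and the intermediate codes are unknown here.
    """
    if low == "*" or high == "*":
        return None
    if not high:
        return {low}
    if low.isdigit() and high.isdigit() and len(low) == len(high):
        return {f"{v:0{len(low)}d}" for v in range(int(low), int(high) + 1)}
    return {f"{low}..{high}"}


def find_non_display(rows: List[AuthValue]) -> List[Tuple[AuthValue, Set[str]]]:
    """Return (row, offending values) for each ACTVT entry that is not display-only."""
    findings = []
    for row in rows:
        if row.field != "ACTVT":
            continue
        covered = expand_actvt(row.low, row.high)
        if covered is None:
            findings.append((row, {"*"}))
            continue
        bad = {v for v in covered if v not in DISPLAY_ACTVT}
        if bad:
            findings.append((row, bad))
    return findings


# Constructed sample export: one clean entry, one range hiding 01 and 02,
# one wildcard, and a non-ACTVT field that must be ignored.
SAMPLE_EXPORT = """AGR_NAME\tOBJECT\tFIELD\tLOW\tHIGH
Z_DISPLAY_ALL\tS_TABU_DIS\tACTVT\t03\t
Z_DISPLAY_ALL\tV_VBAK_AAT\tACTVT\t01\t03
Z_DISPLAY_ALL\tS_DEVELOP\tACTVT\t*\t
Z_DISPLAY_ALL\tS_DEVELOP\tOBJTYPE\t*\t
Z_DISPLAY_ALL\tF_BKPF_BUK\tACTVT\t03\t
"""

if __name__ == "__main__":
    for row, bad in find_non_display(parse_agr_1251(SAMPLE_EXPORT)):
        span = f"{row.low}..{row.high}" if row.high else row.low
        print(f"{row.role} {row.obj} ACTVT {span}: grants non-display {sorted(bad)}")
```

Run it against a real export of AGR_1251 for the copied role (for example via SE16 download) to get the list of objects that still need manual correction.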

 

System: ECC 6.0 EhP7

Two pans of pizza were harmed during the making process.

 

<Downloadfile removed by moderator!>

Hello Team,

 

Overview:

Last week, I was trying to find out whether a user had forcibly run a program by "bypassing" the authority check function in Test.

After scanning some SAP standard programs with Basis, I came across these transaction codes: SM20/SM21.

 

Although this is the first time I have used these tcodes, they did wonders for me, so I have decided to share them.

 

 

Test Scenario:

I have limited access to run a program (even in DEV) that edits the transport's status, so I need to "bypass" the authority check.

I did succeed, however, in making the edit button displayable; see below, highlighted:

 


Now, one method to trace this is by using SM20.

 

With this, we can track the following in the "Audit classes" (the items to be tracked) simply by ticking them.

 

Enter the client and the user if you know them,

press Enter and then F8.

 


You will see a consolidated security log like the one below; focus on the part highlighted in orange.

It says that the user (me) tried to change the SY-SUBRC field in program LSTR9U03,

 

 

and this is exactly what we did in debug mode.

 

 

Now the other tcode is SM21.

SM21, as per the SAP docs, is the system log that records all system errors, warnings, user locks due to failed logon attempts from known users, etc.

 

Now we enter the date/time and the user we need to spy on.

 


Press Execute.

 


It says that the user is trying to change the SY-SUBRC of program LSTR9U03, the same as in the SM20 output.

There is also more detailed technical info once you double-click a record.

 


 

Going back to the SM21 selection screen, we can see a button called "Use old System log tcode".

This is just the old tcode; it yields much the same output, but of course with the previous layout.


There is no client filter, so both clients 111 and 222 show up.


 

A more technical view will also display once a record is double-clicked.

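The manual SM20/SM21 review above can be turned into a repeatable detection. The following is an added example, not code from the post: it runs over a constructed, semicolon-separated audit log export (Date;Time;Client;User;Terminal;Message) whose message wording is modelled on what the post describes the log showing, not SAP's exact message text, and raises a HIGH finding whenever a user changes SY-SUBRC in the debugger, which is how an AUTHORITY-CHECK result is overridden at runtime.

```python
"""Flag debugger changes to SY-SUBRC in a security audit log export.

Added example, not part of the original post. The input is a constructed,
semicolon-separated export shaped as Date;Time;Client;User;Terminal;Message.
The message wording models what the post describes SM20/SM21 showing
("user tried to change SY-SUBRC in program LSTR9U03"); it is not SAP's
exact message text. The detector groups debugger activity per client, user
and program and rates a change of SY-SUBRC (the AUTHORITY-CHECK return
code) as HIGH, because that is how the authority check is bypassed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed message shapes, modelled on the post, not SAP's message catalogue.
DEBUG_START = re.compile(r"^Debugger started for program (?P<program>\S+)$")
FIELD_CHANGE = re.compile(r"^Field (?P<field>\S+) changed in debugger, program (?P<program>\S+)$")

# Forcing SY-SUBRC to 0 makes a failed AUTHORITY-CHECK look successful.
CRITICAL_FIELDS = {"SY-SUBRC"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one export line into its six columns (message may contain ';')."""
    date, time, client, user, terminal, message = line.rstrip("\n").split(";", 5)
    return {"date": date, "time": time, "client": client, "user": user,
            "terminal": terminal, "message": message}


def analyse(lines: List[str]) -> List[Dict]:
    """Return one finding per (client, user, program) that shows debugger field changes."""
    sessions = defaultdict(lambda: {"started": False, "changes": []})
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if m := DEBUG_START.match(ev["message"]):
            sessions[(ev["client"], ev["user"], m["program"])]["started"] = True
        elif m := FIELD_CHANGE.match(ev["message"]):
            s = sessions[(ev["client"], ev["user"], m["program"])]
            s["changes"].append((ev["date"], ev["time"], m["field"]))
    findings = []
    for (client, user, program), s in sessions.items():
        if not s["changes"]:
            continue  # debugger opened but nothing modified: not reported
        fields = {f for _, _, f in s["changes"]}
        findings.append({
            "client": client, "user": user, "program": program,
            "severity": "HIGH" if fields & CRITICAL_FIELDS else "MEDIUM",
            "fields": sorted(fields),
            "first_change": s["changes"][0][0] + " " + s["changes"][0][1],
            "debugger_start_seen": s["started"],
        })
    return sorted(findings, key=lambda f: (f["severity"] != "HIGH", f["user"]))


# Constructed sample export: one SY-SUBRC override, one harmless variable
# edit, and a debugger session with no changes.
SAMPLE_LOG = """\
20160913;10:01:12;111;DEVUSER;WS0123;Debugger started for program LSTR9U03
20160913;10:02:40;111;DEVUSER;WS0123;Field SY-SUBRC changed in debugger, program LSTR9U03
20160913;10:02:41;111;DEVUSER;WS0123;Transaction SE03 started
20160913;10:05:03;222;AUDITOR;WS0200;Debugger started for program ZREPORT1
20160913;10:06:10;222;AUDITOR;WS0200;Field LV_COUNT changed in debugger, program ZREPORT1
20160913;10:07:00;111;OTHERUSR;WS0150;Debugger started for program ZREPORT2
20160913;10:07:30;111;OTHERUSR;WS0150;Logon failed (wrong password)
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']}: {f['user']} (client {f['client']}) changed {f['fields']} "
              f"in {f['program']} at {f['first_change']}")
```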

 

 

 


We announced today, September 15th, 2016, the release of the SAP HANA Cloud Platform Identity Provisioning, a new service in the SAP HANA Cloud Platform family that will help companies push their technology into the cloud more easily.

Most cloud-driven companies extend their existing IT infrastructure rather than starting from scratch. This is why they need a reliable identity and access management solution, capable of properly handling identities and their authorizations across heterogeneous landscapes.

The new SAP HANA Cloud Platform Identity Provisioning service (Identity Provisioning for short) offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Together with the already existing SAP HANA Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity), this new service offers an end-to-end solution for identity and access management as a service from SAP.


Now let us look into the supported scenarios and features with the first version of the Identity Provisioning service:

Provision on premise users to cloud applications

Customers who currently manage their identities using an on-premise user store, for example Microsoft Active Directory or the Central User Administration (CUA) of the SAP Application Server ABAP, can use the Identity Provisioning service to provision their users into cloud applications such as SAP Hybris Cloud for Customer.

Using policy based authorization management

Once the identities are created in the cloud applications, the users will also need proper authorizations in order to use the business scenarios relevant to their role, department, location, etc. This is where the access policies feature of the Identity Provisioning service comes into play. It helps companies define simple mappings between identity attributes and the authorization artifacts of the respective cloud business applications. A good example is the mapping between Microsoft Active Directory groups and SAP Hybris Cloud for Customer roles. The access policies are considered during the provisioning process, and the authorizations of each individual user are determined and provisioned to the respective cloud applications.


Using a cloud user store

If the company already uses SAP SuccessFactors to manage employees and considers it the central identity data store of the company, the SAP SuccessFactors system can simply be configured as a source system in the Identity Provisioning service. These settings push the SAP SuccessFactors users into the relevant cloud application with the policy-based authorizations configured for them, where such policies exist.

There are two more scenarios supported when a cloud user store is used as a source; they are based on the integration between the Identity Provisioning service and the Identity Authentication service.

Easy consumer and partner provisioning

The first scenario concerns users external to the company, for example consumers and partners, who are easy to handle using the cloud user store of the Identity Authentication service. When the Identity Authentication service is configured as a source system in the Identity Provisioning service, it is possible to provision existing or newly registered cloud users into the cloud applications relevant to them, such as SAP Jam or any system that supports the System for Cross-domain Identity Management (SCIM) open standard.


Writing into the cloud user store

The other supported scenario that relates to the Identity Authentication service is the following: a company wants to integrate an existing on-premise authentication solution with a simple, low-cost strong authentication service (two-factor authentication, risk-based authentication, etc.), or to offer business users Mobile SSO as a service. Companies need this in order to achieve better control over authentication for cloud business processes and to keep corporate security at a very high level while at the same time giving business users more flexibility to do their jobs. This scenario is possible because the integration with the Identity Authentication service also allows provisioning in the other direction, where the on-premise users are created in the cloud user store of the Identity Authentication service. In this way, companies can manage an additional level of authentication security for cloud applications such as SAP Hybris Cloud for Customer and offer their business users simple and secure access to such applications from anywhere and on any device, at a low and attractive service cost.

Flexible data transformations

Almost every system (SAP or non-SAP) comes with its own data model for its identity and authorization store. The mapping between the data models of a source and a target system is the key aspect of any provisioning solution. The new Identity Provisioning service offers flexible transformation management that allows companies to extend the default transformation settings the service provides for every integrated source or target system. Using the transformation configurations, companies can define simple or complex data transformation logic based on their business and security needs; for example, filtering the list of identities to be provisioned to SAP Hybris Cloud for Customer so that only users who have a certain group assigned as an attribute get an identity created in SAP Hybris Cloud for Customer.
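The access-policy mapping and the group-based filter described above, as an added example that is not the Identity Provisioning service's own transformation syntax: it maps constructed Active Directory group DNs to target roles, provisions only members of a required group, and emits a SCIM 2.0 User resource (the open standard named as a target). Group, role and user values are constructed.

```python
"""Policy-based role mapping and group filtering during provisioning.

Added example; it is not the Identity Provisioning service's own
transformation syntax, but a model of the two behaviours the post describes:
an access policy mapping source groups (here Active Directory groups) to
target application roles, and a transformation that provisions only users
holding a required group. The output is a SCIM 2.0 User resource, the open
standard the post names as a target. Group, role and user values are constructed.
"""
from typing import Dict, List, Optional, Set

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ADS_UF_ACCOUNTDISABLE = 0x2  # bit in Active Directory's userAccountControl

# Access policy (constructed): source group DN -> target application roles.
ACCESS_POLICY: Dict[str, List[str]] = {
    "CN=Sales,OU=Groups,DC=example,DC=com": ["Sales Representative"],
    "CN=SalesManagers,OU=Groups,DC=example,DC=com": ["Sales Representative", "Sales Manager"],
    "CN=Finance,OU=Groups,DC=example,DC=com": ["Controller"],
}

# Transformation filter (constructed): only members of one of these groups
# get an identity created in the target application.
REQUIRED_GROUPS: Set[str] = {
    "CN=Sales,OU=Groups,DC=example,DC=com",
    "CN=SalesManagers,OU=Groups,DC=example,DC=com",
}


def resolve_roles(groups: List[str], policy: Dict[str, List[str]]) -> List[str]:
    """Union of the roles granted by each group, in policy order, without duplicates."""
    roles: List[str] = []
    for group in groups:
        for role in policy.get(group, []):
            if role not in roles:
                roles.append(role)
    return roles


def to_scim_user(src: Dict, policy: Dict[str, List[str]], required: Set[str]) -> Optional[Dict]:
    """Transform one directory entry; None means the filter excluded the user."""
    groups = src.get("memberOf", [])
    if not required & set(groups):
        return None
    uac = int(src.get("userAccountControl", 512))
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": src["sAMAccountName"],
        "name": {"givenName": src["givenName"], "familyName": src["sn"]},
        "emails": [{"value": src["mail"], "primary": True}],
        # A disabled directory account is provisioned as inactive, not dropped,
        # so the target keeps a record and does not let it log in.
        "active": (uac & ADS_UF_ACCOUNTDISABLE) == 0,
        "roles": [{"value": r} for r in resolve_roles(groups, policy)],
    }


def provision(entries: List[Dict], policy=ACCESS_POLICY, required=REQUIRED_GROUPS) -> List[Dict]:
    """Apply filter and policy to every source entry; returns the SCIM users to write."""
    return [u for u in (to_scim_user(e, policy, required) for e in entries) if u is not None]


# Constructed directory entries: a plain sales user, a disabled sales manager
# who is also in Finance, and a Finance-only user that the filter excludes.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Adams", "mail": "alice@example.com",
     "userAccountControl": 512, "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bob", "givenName": "Bob", "sn": "Brown", "mail": "bob@example.com",
     "userAccountControl": 514,
     "memberOf": ["CN=SalesManagers,OU=Groups,DC=example,DC=com",
                  "CN=Finance,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "carol", "givenName": "Carol", "sn": "Clark", "mail": "carol@example.com",
     "userAccountControl": 512, "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(provision(SAMPLE_DIRECTORY), indent=2))
```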

Comprehensive job scheduler

The frequency of provisioning processes that have to be performed on a regular basis can be configured using the comprehensive job scheduler of the service. Job management operations include scheduling jobs, starting and stopping jobs, monitoring jobs, etc. The status of the jobs can be monitored using the Job Execution Log.


Where to find more data

More details about the currently integrated source and target systems, and information on how to configure the different scenarios, can be found in the SAP documentation of the Identity Provisioning solution.

Future direction

As part of the roadmap for the service, it is planned to integrate further with more SAP solutions and also with the non-SAP solutions that are important for our customers, for example Microsoft Office 365. The solution will also offer new features related to identity management and provisioning processes.


Using the SAP HANA Cloud Platform Identity Provisioning service, companies can best leverage their existing corporate infrastructure while also benefiting from the agility, flexibility, and simplicity provided by the cloud.

 

Understanding authorization objects superposition


Role 1
  Transaction VA02
  Object V_VBAK_AAT
  Fields ACTVT 03 "view"
         AUART Z491 "document type"

Role 2
  Transaction VA02
  Object V_VBAK_AAT
  Fields ACTVT 02 "modify"
         AUART * "document type"

Below is the access of the user when he has both Role 1 and Role 2:

  Transaction VA02
  Object V_VBAK_AAT
  Fields ACTVT 02 03
         AUART *

In this case the user can modify document type Z491 even though Role 1 only grants activity 03, because Role 2 gives the user permission to modify all document types through AUART *.
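The superposition above, as an added example that is not code from the post: it models the AUTHORITY-CHECK on V_VBAK_AAT, which passes when at least one single authorization (one set of field values, here one per role) satisfies every requested field, with '*' as a full wildcard and a trailing '*' as a prefix pattern. Role 1 and Role 2 are the post's roles; ROLE2_Z500 is a constructed variant that goes beyond the post to show why the merged per-field listing is a summary of the roles and not the rule the runtime check applies.

```python
"""Simulate how authorizations from several roles combine at check time.

Added example, not code from the original post. It models an AUTHORITY-CHECK
on object V_VBAK_AAT: the check passes if at least one authorization (one set
of field values, here one per role) satisfies every requested field, with
'*' as a full wildcard and a trailing '*' as a prefix pattern. ROLE1 and
ROLE2 are the post's roles; ROLE2_Z500 is a constructed variant showing
that the merged per-field view ("ACTVT 02 03 / AUART *") over-approximates
what the runtime check grants.
"""
from typing import Dict, List

Authorization = Dict[str, List[str]]   # field name -> values allowed by this authorization
Request = Dict[str, str]               # field name -> value being requested


def value_matches(pattern: str, value: str) -> bool:
    """SAP-style value match: '*' matches anything, 'Z*' matches the prefix Z."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authorization_matches(auth: Authorization, requested: Request) -> bool:
    """All requested fields must be satisfied by this one authorization."""
    return all(
        any(value_matches(p, v) for p in auth.get(field, []))
        for field, v in requested.items()
    )


def authority_check(user_auths: List[Authorization], requested: Request) -> bool:
    """Pass if any single authorization in the user's buffer satisfies the request."""
    return any(authorization_matches(a, requested) for a in user_auths)


def merged_view(user_auths: List[Authorization]) -> Dict[str, List[str]]:
    """Per-field union of all values, as the post lists it for the combined user."""
    merged: Dict[str, List[str]] = {}
    for auth in user_auths:
        for field, values in auth.items():
            for v in values:
                if v not in merged.setdefault(field, []):
                    merged[field].append(v)
    return merged


def merged_check(user_auths: List[Authorization], requested: Request) -> bool:
    """The naive reading of the merged view: each field checked independently."""
    merged = merged_view(user_auths)
    return all(any(value_matches(p, v) for p in merged.get(f, [])) for f, v in requested.items())


# Role 1 and Role 2 as in the post (object V_VBAK_AAT).
ROLE1: Authorization = {"ACTVT": ["03"], "AUART": ["Z491"]}
ROLE2: Authorization = {"ACTVT": ["02"], "AUART": ["*"]}
# Constructed variant: Role 2 restricted to document type Z500.
ROLE2_Z500: Authorization = {"ACTVT": ["02"], "AUART": ["Z500"]}

MODIFY_Z491: Request = {"ACTVT": "02", "AUART": "Z491"}

if __name__ == "__main__":
    print("Role 1 + Role 2, modify Z491:", authority_check([ROLE1, ROLE2], MODIFY_Z491))
    print("Role 1 + Role 2 (Z500 only), runtime check:",
          authority_check([ROLE1, ROLE2_Z500], MODIFY_Z491))
    print("Role 1 + Role 2 (Z500 only), merged view:",
          merged_check([ROLE1, ROLE2_Z500], MODIFY_Z491))
```

In the post's case both readings agree (Role 2 alone covers ACTVT 02 with AUART *); with ROLE2_Z500 the merged view would suggest the user can modify Z491, while the per-authorization check correctly denies it.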

The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

1) SAP's critical patch update for September fixes 19 vulnerabilities.

2) This update contains a record number of patches for missing authorization check vulnerabilities.

3) DBMS at risk: several critical vulnerabilities in SAP ASE were discovered.

 

SAP Security Notes – September 2016

 

SAP has released the monthly critical patch update for September 2016. This patch update closes 19 vulnerabilities in SAP products, including 14 SAP Security Patch Day Notes and 5 Support Package Notes. 7 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 4 of the Notes are updates to previously released Security Notes.

 

3 of the released SAP Security Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 8.8.

SAP Security Notes September by priority

The most common vulnerability type is Missing authorization check. Approximately 40% of the vulnerabilities in this update are missing authorization check issues, twice the overall share of about 20%.

SAP Security Notes September 2016 by type

Missing authorization check in SAP

A Missing Authorization Check vulnerability allows an attacker to access a service without any authorization procedure and use its functionality, which has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.

According to the recent SAP Security in Figures global threat report, Missing Authorization is among the most common vulnerability types for SAP products. It constitutes approximately 20% of all closed SAP security issues. As of the end of 2015, 725 such issues had been closed across all SAP products (for more details see the table below).

In total | SAP NW ABAP | SAP NW J2EE | SAP HANA | SAP BOBJ | SAP Frontend, Mobile, OTHER
725 | 643 | 54 | 2 | 4 | 1516 (the last three values are run together in the source)

Issues that were patched with the help of ERPScan

This month, 1 critical vulnerability identified by ERPScan's researcher Roman Bezhan was closed.

Below are the details of the SAP vulnerability identified by the ERPScan researcher.

  • An Information disclosure vulnerability in SAP Guided Procedures (CVSS Base Score: 5.3). An update is available in SAP Security Note 2344524. An attacker can use an information disclosure vulnerability to reveal information (in this case, usernames), which helps them learn about a system and plan further attacks.
    The impact of this vulnerability does not seem so dangerous. However, there are at least 2 attack scenarios, and their execution does not require sophisticated skills. First, an attacker can brute-force passwords for known usernames or simply try to guess the right password by entering the most widespread ones. Second, an attacker can lock a number of user accounts by entering wrong passwords several times (usually, according to SAP policy, 3-5 is the maximum number of password attempts). Without a doubt, both options are critical for business.

The most critical issues closed by SAP Security Notes September 2016 identified by other researchers

 

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2358986: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 8.8). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2353243: SAP ASE has an SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2353243: SAP Profile Maintenance has a Directory Traversal vulnerability (CVSS Base Score: 6.5). An attacker can use a directory traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent the risks.

Vulnerabilities in SAP ASE

 

As you can see from the previous part, 2 of the 3 most critical vulnerabilities within this patch update affect SAP Adaptive Server Enterprise (ASE). It is a relational SQL database, and it usually stores all sensitive and valuable corporate data. It would be no exaggeration to say that the SAP ASE database is a treasure trove for hackers.

Both closed vulnerabilities are SQL injections. This means that an authenticated user on an affected SAP ASE server version may be able to create and execute a stored procedure containing SQL commands. This allows the attacker to elevate their privileges, modify database objects, or execute commands they are not authorized to execute.

 

 

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.


On 13 September 2016, SAP Security Patch Day saw the release of 11 security notes. Additionally, there were 3 updates to previously released Patch Day Security Notes.


As of March 01, 2016, SAP Security Note prioritization is based on the CVSS v3 Base score. The revised prioritization scheme is aligned with industry best practice and provides better transparency to our customers. From the March 2016 security patch day on, all patch day security notes carry CVSS v3 Base score and vector information to assist our customers in their risk assessment. For further details, please refer to our blog on CVSS v3.

 

___________________________________________________________________________________________


Security Notes vs Vulnerability Type - September 2016


Security Notes vs Priority Distribution (April 2016 - September 2016)**


 

* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


To learn more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.


Do write to us at secure@sap.com with all your comments and feedback on this blog post.

 


 

SAP Product Security Response Team

With cyber-attacks against organizations growing increasingly frequent and complex, there is more pressure to refine cybersecurity strategies. SAP is in the business of securing the business of its customers, delivering secure, innovative business solutions and services on premise and in the cloud. Communicating about securing businesses is essential for us.

 

Therefore, SAP would like to learn more about how you search for and consume security information and what you expect from SAP, so we can adapt our information channels to your needs and make them available via www.sap.com/security.

 

Please support our effort to safeguard businesses against the evolving IT threat landscape by completing this short survey (approx. 5 min). Learning from your answers, we will be able to optimize our security solutions and better protect organizations from all types of attacks.

  • Please support us and click here!

Thank you very much!

 

 

Hi,


We performed some SAP Enterprise Threat Detection performance tests regarding the SAP HANA database.


The goal of this test was to find out the average EPS (events per second) in relation to the retention time of the data in the hot database (in our case, SAP HANA). We chose a retention time of 0-60 days for our test. Of course, you can keep the data longer in the database.


So the important factors in case of SAP HANA are:

  • Memory (storage and calculation)
  • CPU Cores (processing of the data)


The required memory is influenced by the number of days you keep the data in hot storage.

EPS is the number of events written per second by all connected systems to SAP Enterprise Threat Detection. The number varies, of course, depending on the system usage.


How to read the graph?

Example:

You need 1600 EPS and you want to keep the data for 30 days in hot storage: then you need at least a "512 GB/16 cores" server.





Keep in mind:

  • The graph is based on hot storage; you can of course move data into cold storage (example of cold storage: a simple log server storing important data of the last 10 years). In SAP Enterprise Threat Detection you can run very complex correlations on all data in real time (no batch). Many security solutions in the market support real-time analysis only over a much shorter time frame (or require several appliances to manage the data, or run background jobs to create aggregates); please keep this in mind if you compare it with other solutions. SAP Enterprise Threat Detection is based on the newest database technology, and there is only one hot-data database.
  • This example is based only on a single-node SAP HANA installation (depending on the hardware vendor, there are many different scale-out hardware solutions).
  • SAP HANA Smart Data Streaming (SDS) was installed on a separate server (no storage of data).
  • The graph is based on the average number of events per second (EPS) over a complete day. If you take the EPS during main working hours, you can of course store much more data in the database.
  • The solution can also handle peaks. SAP HANA Smart Data Streaming is able to queue data in a cache for extreme situations.
  • The memory size in the graph already includes the memory for calculations. When you use SAP Enterprise Threat Detection, the solution needs memory to calculate the results for the patterns or end-user interactions. We chose ~50% (best practice) of the database memory for this. So one part of the memory is used for the data and the other for temporary calculations. If you run many complex correlations in the system (in parallel), you need more temporary memory for the calculations.
  • Within SAP Enterprise Threat Detection you can run patterns regularly (standard) or event-based. Choose the event-based option only if you need results immediately (<30 seconds). If you select the standard method and choose 60 seconds as the interval, you have to wait on average 30 seconds for an alert to be raised based on a pattern. In reality most companies are fine with waiting times of around 5-15 minutes, so the standard option fits the needs of 99% of cases. Event-based patterns consume a lot of resources and should be used only in exceptional use cases.


The next question will be: how many events are generated by a user?

This of course depends on the behavior of your users. A salesperson who spends most of the time on the road creates far fewer than an office worker.

 

Best practice
A user generates 0.05-0.2 log entries per second while actively working.

So if you have 5,000 people working 3 hours a day in your SAP systems, you can calculate the number of events as follows:


Peak times (all employees are working at the same time --> CPU intensive): 5,000 people * 0.1 events/second = 500 events/second

Average (relevant for the size of the database): 5,000 people * (3/24) * 0.1 = 62.5 events/second


So if you want to keep the data for only 30 days, a small SAP HANA instance of ~400 events/second (> 62.5 and <= 500) would be sufficient in this example: 128 GB/8 cores

 

If you want exact numbers, the only option is to analyse the real logs of your system and check the number of events in the past.
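The sizing calculation above, as an added example that is not SAP's sizing tool: the rate formulas are the ones in the post (peak = users x rate; average = users x hours/24 x rate), and the size table is constructed from the two points the post gives at 30 days retention (~400 EPS fits 128 GB/8 cores, 1600 EPS needs 512 GB/16 cores). The other tiers and the linear scaling of capacity with retention days are assumptions, so use the official sizing guide for real numbers.

```python
"""Estimate SAP Enterprise Threat Detection event rates and pick a HANA size.

Added example, not SAP's sizing tool. The rate formulas are the ones in the
post. Only the 128 GB/8 cores (~400 EPS) and 512 GB/16 cores (1600 EPS)
points at 30 days retention come from the post; the other tiers and the
linear scaling with retention days are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HanaTier:
    name: str
    memory_gb: int
    cores: int
    eps_at_30_days: float  # sustainable average EPS with 30-day hot retention


# Constructed tier table, ascending; two points are from the post (see above).
TIERS: List[HanaTier] = [
    HanaTier("128 GB/8 cores", 128, 8, 400),
    HanaTier("256 GB/8 cores", 256, 8, 800),      # assumption
    HanaTier("512 GB/16 cores", 512, 16, 1600),
    HanaTier("1 TB/32 cores", 1024, 32, 3200),    # assumption
]

CALC_MEMORY_SHARE = 0.5  # post: ~50% of memory reserved for calculations


def peak_eps(users: int, rate_per_user: float) -> float:
    """All users active at once (CPU intensive)."""
    return users * rate_per_user


def average_eps(users: int, active_hours: float, rate_per_user: float) -> float:
    """Daily average, the figure that drives the database size."""
    return users * (active_hours / 24) * rate_per_user


def eps_capacity(tier: HanaTier, retention_days: int) -> float:
    """Assumption: stored volume, hence capacity, scales linearly with retention."""
    return tier.eps_at_30_days * 30 / retention_days


def data_memory_gb(tier: HanaTier) -> float:
    """Memory left for data after the calculation share is set aside."""
    return tier.memory_gb * (1 - CALC_MEMORY_SHARE)


def pick_tier(avg_eps: float, retention_days: int) -> Optional[HanaTier]:
    """Smallest tier whose capacity at the given retention covers the average EPS."""
    for tier in TIERS:
        if eps_capacity(tier, retention_days) >= avg_eps:
            return tier
    return None  # beyond the single-node table: scale-out or shorter retention


def size_for(users: int, active_hours: float, rate_per_user: float, retention_days: int) -> Dict:
    avg = average_eps(users, active_hours, rate_per_user)
    peak = peak_eps(users, rate_per_user)
    tier = pick_tier(avg, retention_days)
    return {
        "peak_eps": peak,
        "average_eps": avg,
        "tier": tier.name if tier else None,
        "data_memory_gb": data_memory_gb(tier) if tier else None,
    }


if __name__ == "__main__":
    # The post's example: 5,000 users, 3 active hours, 0.1 events/s, 30 days.
    print(size_for(5000, 3, 0.1, 30))
```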



The required retention time varies widely. Some customers only want to keep the data for 10 days. In this case, anomaly detection cannot work efficiently: typically you compare one day of a week, or a complete week, with another week. But anomaly detection is only one component of many. Currently ~90% of the patterns are standard patterns, which require a time range of at most a week. But to use the full power of SAP Enterprise Threat Detection, most customers choose a retention time of at least 30 days.

 

The official sizing guide can be found here: http://help.sap.com/sapetd

 

 

Matthias

The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key findings

  • SAP Cyber Threat Report 2016 was released. 36,000 SAP systems worldwide are potentially affected. [deletion - external links not allowed]
  • Today SAP released 30 SAP Security Notes to close vulnerabilities in SAP products, more than the average number for 2016.
  • Some vulnerabilities closed by these SAP Security Notes pose significant risks. For instance, a Denial of Service vulnerability in SAP Internet Communication Manager can be exploited remotely without authentication. About 560 such servers are exposed to the Internet and thus potentially vulnerable to this attack.

1. SAP Security Notes – August 2016

SAP has released the monthly critical patch update for August 2016. This patch update closes 30 vulnerabilities in SAP products, including 26 SAP Security Patch Day Notes and 4 Support Package Notes. 17 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 14 of the Notes are updates to previously released Security Notes.

14 of the released SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 7.5.

SAP Security Notes August 2016 by priority

The most common vulnerability type is Cross-site scripting.

SAP Security Notes August 2016 by type

Issues that were patched with the help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan's researchers Daria Prosochkina, Mathieu Geli, and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Denial of service vulnerability in SAP Internet Communication Manager (CVSS Base Score: 7.5). An update is available in SAP Security Note 2313835. An attacker can use a denial of service vulnerability to terminate a process of a vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation.
  • A Denial of service vulnerability in SAP BPM (CVSS Base Score: 6.4). An update is available in SAP Security Note 2296909. An attacker can use a denial of service vulnerability to terminate a process of a vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation.
  • A Directory Traversal vulnerability in SAP Business Partner (CVSS Base Score: 4.3). An update is available in SAP Security Note 2312966. An attacker can use a directory traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
  • A Directory Traversal vulnerability in SAP Telnet Command (CVSS Base Score: 3.4). An update is available in SAP Security Note 2280371. An attacker can use a directory traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

The most critical issues closed by SAP Security Notes August 2016 identified by  other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2292714: SAP Memory Snapshot Creation has a Denial of service vulnerability (CVSS Base Score: 7.5). An attacker can use a denial of service vulnerability to terminate a process of a vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, damages business reputation. Install this SAP Security Note to prevent the risks.
  •  2319506: SAP Database Monitors for Oracle has an SQL injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL injection vulnerability with specially crafted SQL queries. It allows reading and modifying sensitive information from a database, executing administration operations on a database, destroying data or making it unavailable. Also, in some cases an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
  • 2294866: SAP JMS Provider Service has a Missing authorization check vulnerability (CVSS Base Score: 6.4). An attacker can use a missing authorization check vulnerability to access a service without any authorization procedure and use service functionality which has restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.

 

2. Threats

 

560 SAP Servers at risk

 

SAP Security Note 2313835 closes a Denial of Service vulnerability in SAP Internet Communication Manager - SAP’s web application server which provides clients and partners with access to a company’s web applications such as CRM, SRM or Portal. The vulnerability allows an attacker to prevent legitimate users from accessing the company’s services and thus stopping operations. Taking into account that SAP is installed in the largest organizations worldwide, a minute of downtime may cost millions of dollars.

 

The vulnerability can be exploited remotely without authentication. Scanning conducted by the ERPScan Threat Intelligence and research team revealed that at least 559 such servers are exposed to the Internet and possibly open to the DoS attack. The graph below shows that most such services are located in the USA, India, and China.

[section deleted - prohibited advertisement]

Both SAP and ASUG are highly committed to helping SAP customers protect their business. Together, we're launching a five-episode Webcast series starting August 31. Each Webinar will highlight a different aspect of enterprise security.


Learn how SAP can help you plan security into your digital transformation projects, supporting enterprise resilience from the start with a risk-based approach to security that does not compromise performance.


Examine the cornerstones of SAP’s cyber security strategy and learn more about:

 

  • The IT threat landscape and SAP’s approach to strategic security
  • Best-practice security measures that help safeguard your SAP software landscape both on-premise and in the cloud
  • Areas to consider when you plan and execute security measures, such as secure configuration and patch management for your business applications, and how to scale security skills
  • How to innovate with confidence using the SAP HANA platform and SAP HANA Cloud Platform
  • Key functionality available in SAP’s security portfolio to prevent, detect, and react to potential internal and external attacks, including tools such as identity and access management, enterprise threat detection, and custom code scanning

 

The Webcasts

Re-imagining Security for Today's World

August 31: 7-8 AM PT | 10-11 AM ET | 4-5 PM CET
Justin Somaini (CSO at SAP) and Martin Whitworth (Senior Analyst at Forrester) will discuss current cyber security challenges, their potential impacts and possible solutions - and then look at how SAP is working to secure customer businesses now and in the future.

 

Understanding SAP’s Security Approach

September 14: 8-9 AM PT | 11-12 AM ET | 5-6 PM CET

Gerold Huebner and Ralph Salomon (SAP) will explain SAP's approach to providing secure products and secure cloud services to customers.

 

Protect Your SAP Landscapes

September 28: 8-9 AM PT | 11-12 AM ET | 5-6 PM CET

In this session, Fritz Bauspiess and Birger Toedtmann, both from SAP, will provide an overview of the SAP security services and consulting offerings, complete with helpful information and links to get you started.

 

Innovate Securely and with Confidence on SAP HANA and SAP HANA Cloud Platform

October 12, 8-9 AM PT | 11-12 AM ET | 5-6 PM CET

SAP's Holger Mack and Michael Friedrich will give you an overview of the various security and compliance features offered in SAP HANA and SAP HANA Cloud Platform, including examples and best practices.

 

Apply the Security Solution Offerings from SAP

October 26, 8-9 AM PT | 11-12 AM ET | 5-6 PM CET

In this last episode, Gerlinde Zibulski (SAP) will explain the continuous evolution of SAP's security product portfolio and talk about new features and enhancements planned for upcoming releases.

 

This is an open webcast series for ASUG members and non-members. For more information, please visit the ASUG Web site.


This post by the SAP Product Security Response Team shares information on Patch Day Security Notes*, which are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches as a priority to protect their SAP landscape.


On 9 August 2016, SAP Security Patch Day saw the release of 13 security notes. Additionally, there are 13 updates to previously released Patch Day Security Notes.


As of March 01, 2016, SAP Security Note prioritization is based on the CVSS v3 Base score. The revised prioritization scheme is aligned with industry best practice and provides better transparency to our customers. From the March 2016 security patch day onward, all patch day security notes carry the CVSS v3 Base score and vector information to assist our customers in their risk assessment. For further details, please refer to our blog on CVSS v3.

 

___________________________________________________________________________________________


[Figure: Security Notes vs Vulnerability Type - August 2016]

[Figure: Security Notes vs Priority Distribution (March 2016 - August 2016)**]

 

* Patch Day Security Notes are all notes that appear under the category of "Patch Day Notes" in SAP Support Portal

** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.


To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.


Do write to us at secure@sap.com with all your comments and feedback on this blog post.

 


 

SAP Product Security Response Team

Security plays a crucial role in Internet of Things (IoT) scenarios to prevent the manipulation of devices. Strong authentication proves that a device is the one it claims to be; encryption and digital signatures ensure the authenticity of the data source and privacy of the transmitted data. SAP HANA Cloud Platform for Internet of Things provides a standards-based approach for secure authentication between devices.

 


Sensitive data stored in your SAP HANA Cloud Platform application, such as financial information or personnel data, requires special protection. You can use dedicated repositories to securely manage the cryptographic keys used for data and communication encryption, as well as digital signatures.


Password Storage

  • Secure storage for passwords and key phrases
  • Exposed to applications via API


Keystore Service

  • Repository for cryptographic keys and certificates
  • Can be used for various crypto operations:
    • Creating and verifying digital signatures
    • Encrypting and decrypting messages
    • Setting up TLS-protected communication
  • Exposed to applications via API
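The two services above share one design: the application refers to a secret or key by alias and calls the store's API, and the raw key bytes never enter application code. The block below is an added example of that design, not SAP HANA Cloud Platform code, written with the Python standard library only. Because the standard library has no asymmetric signature primitive, HMAC-SHA256 stands in for the signing and verification operation; that substitution, the alias names and the sample messages are assumptions of this example.

```python
"""Central key and password store with an alias-based API.

Added example, not SAP HANA Cloud Platform code: it shows the design the two
services above share (applications refer to secrets by alias and never hold
raw key bytes), using only the Python standard library. Because the standard
library has no asymmetric signature primitive, HMAC-SHA256 stands in for the
signing operation; that substitution is an assumption of this example.
"""
import hashlib
import hmac
import secrets


class KeyStore:
    def __init__(self):
        self._keys = {}        # alias -> [current key, older keys...]
        self._passwords = {}   # alias -> secret string
        self.access_log = []   # aliases read, for audit

    # --- password storage ----------------------------------------------
    def store_password(self, alias: str, value: str) -> None:
        self._passwords[alias] = value

    def get_password(self, alias: str) -> str:
        """Hand the secret to the application and record the access."""
        self.access_log.append(alias)
        return self._passwords[alias]

    # --- keystore --------------------------------------------------------
    def generate_key(self, alias: str) -> None:
        self._keys[alias] = [secrets.token_bytes(32)]

    def import_key(self, alias: str, key: bytes) -> None:
        self._keys[alias] = [bytes(key)]

    def rotate(self, alias: str) -> None:
        """New key for signing; older keys are kept so existing tags verify."""
        self._keys[alias].insert(0, secrets.token_bytes(32))

    def sign(self, alias: str, message: bytes) -> bytes:
        current = self._keys[alias][0]
        return hmac.new(current, message, hashlib.sha256).digest()

    def verify(self, alias: str, message: bytes, tag: bytes) -> bool:
        """Constant-time check against the current key, then older ones."""
        for key in self._keys.get(alias, []):
            expected = hmac.new(key, message, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                return True
        return False


if __name__ == "__main__":
    ks = KeyStore()
    ks.generate_key("order-sign")
    tag = ks.sign("order-sign", b"order=42;amount=100")
    print("verifies:", ks.verify("order-sign", b"order=42;amount=100", tag))
    print("tampered:", ks.verify("order-sign", b"order=42;amount=999", tag))
```

The rotation method keeps superseded keys for verification only: new signatures always use the current key, while tags produced before the rotation continue to verify, which is what lets a key be replaced without a flag day.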

 

Learn more: SAP HANA Cloud Platform documentation: Storing Passwords

SAP HANA Cloud Platform offers a rich set of security services to safeguard your cloud-based applications efficiently.

Based on open standards, they provide support for you to

 

  • Leverage single sign-on for secure and user-friendly logon processes
  • Protect your data from unauthorized access
  • Safeguard mobile and IoT scenarios
  • Securely integrate with your corporate user directory
  • Propagate the authenticated user to any SAP Cloud solution
  • Store your confidential data securely

 


 


 
