Infrastructure Security is concerned with Network and Communications Security, Platform Security, System Security, and Front-End Security.
Network and Communication Security
You can provide security at the transport layer to secure connections between SAP NetWeaver system components. When transport layer security is used, the data transfer is not only protected against eavesdropping by encryption; the communication partners can be authenticated as well.
This TechEd presentation covers all aspects of increasing infrastructure security in your SAP installation.
This newly updated paper provides a comprehensive list of ports used by SAP software. Knowing these can be extremely useful when you are planning, configuring and securing your network infrastructure according to SAP requirements.
Operating System and Database Security
In many automated processes, different parts of your landscape need to be able to authenticate one another without direct human intervention. Naturally, this has to be done securely so that you can be assured of the integrity of your systems and data, and be able to prove this after the fact if required.
There are many security aspects to be considered when managing the systems and support infrastructure for SAP NetWeaver. This NW2004s Guide describes security aspects of the SAP Solution Manager, the SAP NetWeaver Administrator, CCMS, and much more.
SAP offers security guides for the SAP system when running under each supported operating system and database platform.
More information on Operating System and Database Security
This thorough whitepaper from Microsoft discusses two important security measures for SAP systems on Windows Server: hardening and patch management. Hardening produces a system environment that is less vulnerable to unauthorized access and virus attacks, and patch management assesses when best to apply security updates. Together these measures can help you secure your SAP systems that run on Windows Server.
A comprehensive security plan at your site must include securing application databases. This SAP whitepaper explains how best to secure SAP applications running on Oracle. Specifically, you'll learn about securing the OPS$ mechanism and securing DBA tools for Oracle including RMAN, BRBACKUP, and BRRECOVER.
This article provides a brief overview of the J2EE security model, and introduces some of the features that support secure transport, user authentication, and authorizations in SAP's J2EE engine.
Front-End Security
Input Validation: Many Internet applications accept input from the user that is then built into the page and then displayed. If this input is not filtered, an attacker may be able to execute instructions beyond his or her session, which is known as cross-site scripting. Applications using SAP's Web Dynpro Framework have automatic input and output filters built in.
Output Encoding: You can use the SAP Output Encoding Framework to prevent cross-site scripting attacks. This applies if you, as an application developer, generate your HTML code. By manually encoding user-supplied output before rendering it, any inserted scripts are prevented from being transmitted to users in an executable form.
Since release 6.40 SP13 of the SAP Web Application Server Java, various methods for encoding output are available.
XSS attack scenarios have been analyzed quite precisely by SAP. The main result is that you need to distinguish between essentially four different cases for XSS attacks which are described in the Secure Programming Guide (SAP Help Portal).
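The output-encoding principle described above, as an added example that is not SAP's code and not the Output Encoding Framework itself: each place where untrusted input is interpolated into generated HTML uses an encoder for that context (element content, attribute value, JavaScript string literal). The function names, the three contexts shown and the sample input are our own choices for illustration.

```javascript
// Added example, not SAP code: context-specific output encoding of untrusted
// input before it is placed in generated HTML. Function names are our own.

// For HTML element content: turn the characters that can start markup or
// close an attribute into character references.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// For a quoted attribute value: every non-alphanumeric character becomes a
// hex character reference, so the attribute cannot be closed early.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16)};`);
}

// For a JavaScript string literal inside a <script> block: \xHH / \uHHHH
// escapes, so neither the literal nor the enclosing script tag can be closed.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// Constructed untrusted input: a "user name" carrying a script injection attempt.
const UNTRUSTED_NAME = '"><script>alert(1)</script>';

// Vulnerable rendering: the input is concatenated straight into the page.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p><input name="user" value="${name}">`;
}

// Hardened rendering: each interpolation uses the encoder for its context.
function renderSafe(name) {
  return `<p>Hello ${encodeForHtml(name)}</p>` +
    `<input name="user" value="${encodeForHtmlAttribute(name)}">` +
    `<script>var user = "${encodeForJsString(name)}";</script>`;
}

// Check: how many <script> elements does the markup contain? Only the one
// written by the renderSafe template itself is expected.
function countScriptTags(html) {
  return (html.match(/<script>/g) || []).length;
}
```

The attribute and JavaScript encoders are deliberately stricter than the element-content encoder: in those contexts a single unencoded quote or slash is enough to change what the browser parses, so encoding everything outside `[A-Za-z0-9]` removes the need to reason about which characters are dangerous in each case.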
Secure Session Handling: Secure session handling is achieved by several mechanisms:
- Having the Web server issue cookies which are valid for a restricted time period. This means that even if the cookie is compromised in some way, the amount of damage that can be done is strictly limited.
- SAP logon tickets issued, for example, by the SAP NetWeaver Application Server or the SAP Internet Transaction Server also support secure session handling. An additional mechanism to protect the SAP logon tickets is a digital signature to ensure their content is not altered by an attacker.
Secure Data Replication: Secure data replication involves copying data securely to devices that will then work in offline mode, and ensuring that the data is stored safely on the device.
The Secure Programming Guide provides you with information about developing secure applications. Learn about common security errors and weaknesses to watch out for as well as approved procedures so that your application functions "securely". Also don't forget to have a look at the checklist for secure programming that lists the most important security issues that you should pay attention to when developing your application.