
SAP HANA Security: New Technology, New Risks


Page 1: SAP HANA Security: New Technology, New Risks
Page 2: SAP HANA Security: New Technology, New Risks

run your business safer

SEC 112

SAP HANA Security: New technologies, new risks

Markus Schumacher © 2015, Virtual Forge, Inc. All rights reserved.

Page 3: SAP HANA Security: New Technology, New Risks

Agenda

Virtual Forge: Who we are

Understanding HANA security

New risks in SAP HANA

5 rules to protect SAP HANA

Security, Compliance and Quality solutions

Page 4: SAP HANA Security: New Technology, New Risks

Virtual Forge: Who we are

Page 5: SAP HANA Security: New Technology, New Risks

About Virtual Forge

Experts in SAP Security, Compliance and Quality

2001: Founded as consulting house

2008: Release of “CodeProfiler”

2013: Release of “SystemProfiler”

Patented Data and Control Flow Analysis for ABAP®

Gartner: Magic Quadrant for Application Security Testing 2013

Named Virtual Forge the “Leading Vendor for ABAP® Security”

Cool Vendor in the SAP Ecosystem 2011

Page 6: SAP HANA Security: New Technology, New Risks

About Virtual Forge: The Key Benefits

Cost reduction

Automated process leads to lower effort and cost for:

-  identifying errors (up to 95%)

-  correcting errors (up to 70%)

-  QA effort (up to 90%)

Improved User Experience

Our products are seamlessly integrated into the SAP environment

-  enables working in a familiar environment

-  Makes work noticeably easier

Expertise & Experience

-  more than 170 customers

-  more than 1,400 customer projects

-  more than 2,000 product installations

Independence

-  active member of the SAP community

-  participating in DSAG and ASUG chapters

-  cooperating with global auditing firms

Industry recognition

-  admitted to the Gartner Magic Quadrant for Application Security Testing (AST) in 2013 and 2014

-  Chosen as one of the top 500 cyber security companies to watch in 2015

Page 7: SAP HANA Security: New Technology, New Risks

Trusted Advisor for Security, Compliance and Quality

Page 8: SAP HANA Security: New Technology, New Risks

The Virtual Forge Portfolio

Security

Compliance

Quality

Code level and system level, across the entire SAP landscape:

-  Professional Services: Virtual Forge Professional Services help to improve development, the operating lifecycle and security in SAP® standards.

-  SystemProfiler: Virtual Forge SystemProfiler detects and corrects errors in SAP system configurations and avoids their recurrence.

-  CodeProfiler: Virtual Forge CodeProfiler pinpoints vulnerabilities in ABAP® program code and corrects errors automatically.

Page 9: SAP HANA Security: New Technology, New Risks

Understanding HANA security

Page 10: SAP HANA Security: New Technology, New Risks

Understanding HANA Security: HANA deployment scenarios

-  HANA as a data mart: similar to the “classic” BW architecture, HANA gathers data from (several) source systems

-  HANA in a classic 3-tier architecture: HANA replaces the regular relational database

-  HANA as a technical infrastructure for native applications: new business application platform (S/4 HANA)

Page 11: SAP HANA Security: New Technology, New Risks

Understanding HANA Security: Why is HANA important to hackers?

Content considerations:

-  Contains business-critical data → espionage target

-  Central to business processes → sabotage target

Technology considerations:

-  Fraud possibilities

-  IT / Security has little experience with HANA

Page 12: SAP HANA Security: New Technology, New Risks

Understanding HANA Security: What SAP says about HANA security

-  HANA provides its own security functions

-  Standard security features such as authentication, user/role management, authorization, encryption…

-  These need to be configured within the HANA toolset

-  Other mechanisms integrate HANA into the general security infrastructure: standard SAP administration tools, network, OS and DB security tools, etc.

-  Different documents deal with HANA security, e.g. the HANA Security Overview, the HANA Security Admin Guide and the SQLScript Reference Guide

Security complexity rises with SAP HANA!

Page 13: SAP HANA Security: New Technology, New Risks

New risks in SAP HANA

Page 14: SAP HANA Security: New Technology, New Risks

Risk #1: Web Applications

-  SAP HANA systems can easily be found on the Internet

-  Unauthorized access possible

-  Services can be misused

-  SAP HANA is still vulnerable to typical web weaknesses

Weaknesses can include XSS, SQL injection and directory traversal.

Page 15: SAP HANA Security: New Technology, New Risks

Risk #2: R-Serve

-  R is used for statistical and advanced data analysis

-  SAP HANA can be connected to R-Serve to utilize R functions

-  For separate hosts, remote functions are enabled

Be aware of risks in privileged functions, prevent OS command execution, etc.

Page 16: SAP HANA Security: New Technology, New Risks

Risk #3: RAM scraping

-  HANA makes RAM scraping attractive for hackers

-  Leaves almost no footprint

-  Circumvents encryption

-  Data on SAP HANA is not encrypted at RAM level

Make sure server-side scripting is protected against any injection attack.

Page 17: SAP HANA Security: New Technology, New Risks

Risk #4: Custom Development

-  SAP HANA applications are accessible through browsers

-  ABAP is still used for HANA in a 3-tier or data mart scenario

-  Increased development complexity

-  Web applications need to be secured at all levels

ABAP programming needs to be validated for weaknesses.

Page 18: SAP HANA Security: New Technology, New Risks

Risk #5: Basis security

-  Reality: SAP HANA runs in parallel to existing systems

-  SAP HANA includes separate security functions

-  Basic security features need to be considered

Increased system landscape complexity with HANA means more security settings to keep in mind.

Page 19: SAP HANA Security: New Technology, New Risks

5 rules to protect SAP HANA

Page 20: SAP HANA Security: New Technology, New Risks

Rule #1: No surprise: User and role management

-  Secure standard users (SYSTEM, <sid>adm, etc.)

-  Restrict authorizations

-  Use Single Sign-On

-  Strong password policies

Extensive privileges compromise the entire system!

Page 21: SAP HANA Security: New Technology, New Risks

Rule #2: Obviously: Data encryption and security

-  Encrypt all sensitive data (encryption is disabled by default on SAP HANA)

-  Encrypt at all levels (data at rest, secure store in the file system)

-  Establish key management procedures

Encryption effectively minimizes data theft!

Page 22: SAP HANA Security: New Technology, New Risks

Rule #3: Remember: Secure application development

-  Avoid HTTP-exposed packages

-  Use standard authentication methods

-  Follow development guidelines

-  Validate custom application security

Your code – your responsibility!

Page 23: SAP HANA Security: New Technology, New Risks

Rule #4: Don’t forget: Harden system settings

-  Ensure OS system security

-  Validate all other (HANA) system security settings

-  Secure communications for all connections

-  Restrict access wherever necessary

Monitor all security settings – configuration drift is a real challenge!

Page 24: SAP HANA Security: New Technology, New Risks

Rule #5: Not to mention: Enable auditing and logging

-  Enable the audit log

-  Restrict audit authorizations

-  Secure access to audits and logs

Auditing enables a forensic analysis in case of an attack!
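Rules #1, #4 and #5 all come down to configuration values that must hold on every node and must keep holding, which is what the "configuration drift" warning in Rule #4 is about. The following is an added example, not code from the Virtual Forge deck or from any SAP tool: a drift check that takes rows shaped like a subset of SAP HANA's M_INIFILE_CONTENTS monitoring view, resolves the layered ini values to the one actually in effect, and compares each against a baseline. Assumptions: the parameter names `minimal_password_length`, `maximum_invalid_connect_attempts`, `global_auditing_state` and `sslenforce` are used as the ini keys SAP documents for password policy, the global audit switch and TLS enforcement; the precedence HOST over SYSTEM over DEFAULT is the simplified layering modelled here; the thresholds are the example's own choices; and the snapshot rows are constructed, not taken from a real system.

```python
"""Configuration-drift check for a few SAP HANA security parameters.

Added example for this deck, not Virtual Forge or SAP code. The parameter
names are assumed to match SAP's documented ini keys, the layer precedence
is a simplified model, and SNAPSHOT is constructed sample data standing in
for a query on the M_INIFILE_CONTENTS view.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

# Assumed layer precedence: a HOST entry beats SYSTEM, which beats DEFAULT.
LAYER_RANK = {"DEFAULT": 0, "SYSTEM": 1, "HOST": 2}


@dataclass(frozen=True)
class Setting:
    file: str
    section: str
    key: str


@dataclass
class Finding:
    setting: Setting
    layer: str      # layer whose value is in effect, or "<missing>"
    value: str
    reason: str


# Baseline: each setting with the predicate its *effective* value must pass.
# Thresholds (12 characters, 5 attempts) are this example's own choices.
BASELINE: List[Tuple[Setting, Callable[[str], bool], str]] = [
    (Setting("indexserver.ini", "password policy", "minimal_password_length"),
     lambda v: v.isdigit() and int(v) >= 12,
     "minimum password length of at least 12"),
    (Setting("indexserver.ini", "password policy", "maximum_invalid_connect_attempts"),
     lambda v: v.isdigit() and int(v) <= 5,
     "lock the user after at most 5 failed logons"),
    (Setting("global.ini", "auditing configuration", "global_auditing_state"),
     lambda v: v.lower() == "true",
     "audit log switched on"),
    (Setting("global.ini", "communication", "sslenforce"),
     lambda v: v.lower() == "true",
     "TLS enforced for client connections"),
]

# Constructed snapshot, columns (FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE).
# Two drifts are planted: one host relaxed the password length below the
# system-wide value, and auditing was never enabled (only the default exists).
SNAPSHOT: List[Tuple[str, str, str, str, str]] = [
    ("indexserver.ini", "DEFAULT", "password policy", "minimal_password_length", "8"),
    ("indexserver.ini", "SYSTEM",  "password policy", "minimal_password_length", "12"),
    ("indexserver.ini", "HOST",    "password policy", "minimal_password_length", "6"),
    ("indexserver.ini", "DEFAULT", "password policy", "maximum_invalid_connect_attempts", "6"),
    ("indexserver.ini", "SYSTEM",  "password policy", "maximum_invalid_connect_attempts", "5"),
    ("global.ini", "DEFAULT", "auditing configuration", "global_auditing_state", "false"),
    ("global.ini", "DEFAULT", "communication", "sslenforce", "false"),
    ("global.ini", "SYSTEM",  "communication", "sslenforce", "true"),
]


def effective_values(rows: Sequence[Tuple[str, str, str, str, str]]) -> Dict[Setting, Tuple[str, str]]:
    """Collapse layered rows to the (layer, value) that actually applies."""
    best: Dict[Setting, Tuple[int, str, str]] = {}
    for file, layer, section, key, value in rows:
        setting = Setting(file, section, key)
        rank = LAYER_RANK.get(layer, -1)       # unknown layers rank lowest
        if setting not in best or rank > best[setting][0]:
            best[setting] = (rank, layer, value)
    return {s: (layer, value) for s, (_, layer, value) in best.items()}


def find_drift(rows: Sequence[Tuple[str, str, str, str, str]]) -> List[Finding]:
    """Return one Finding per baseline setting whose effective value fails."""
    effective = effective_values(rows)
    findings: List[Finding] = []
    for setting, passes, text in BASELINE:
        if setting not in effective:
            findings.append(Finding(setting, "<missing>", "",
                                    f"no value at any layer; cannot confirm: {text}"))
            continue
        layer, value = effective[setting]
        if not passes(value):
            findings.append(Finding(setting, layer, value, f"baseline not met: {text}"))
    return findings


if __name__ == "__main__":
    for f in find_drift(SNAPSHOT):
        print(f"{f.setting.file} [{f.setting.section}] {f.setting.key} "
              f"= {f.value!r} at layer {f.layer}: {f.reason}")
```

The two planted drifts illustrate the two ways such a check goes wrong if written naively. Auditing being off is the product default, so the only row present is the DEFAULT one; a check that only inspects values an administrator explicitly set would never see it. The password-length drift sits in the HOST layer, which is where a single node diverges from the SYSTEM-wide value; a check that compares only the SYSTEM layer would report the policy as compliant.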

Page 25: SAP HANA Security: New Technology, New Risks

Security, Compliance and Quality Solutions

Page 26: SAP HANA Security: New Technology, New Risks

Challenges to HANA Security & Quality

-  HANA can be an attractive target for hackers

-  Many known and new risks apply to HANA: web applications, R-Serve, RAM scraping, custom developments

-  Complexity of SAP system landscapes increases with additional HANA scenarios

-  For an optimal use of HANA, many settings need to be adjusted

Page 27: SAP HANA Security: New Technology, New Risks

Virtual Forge HANA Security Suite

-  Optimizing ABAP code for HANA usage (CodeProfiler): HANA test cases (HANA readiness & optimization); automated correction (“Quick Fix” and bulk)

-  Securing HANA configuration (SystemProfiler): additional platform for SystemProfiler; test cases, e.g. communication security, authorization, others

-  CodeProfiler for HANA: Eclipse and Web IDE integration; first HANA code scanner ever

Page 28: SAP HANA Security: New Technology, New Risks

Optimizing Code for HANA

Page 29: SAP HANA Security: New Technology, New Risks

Hybrid Performance Analysis for HANA

Page 30: SAP HANA Security: New Technology, New Risks

Securing HANA configuration with SystemProfiler

Page 31: SAP HANA Security: New Technology, New Risks

Scanning HANA Scripts During Development (Eclipse)

Page 32: SAP HANA Security: New Technology, New Risks

Scanning HANA Scripts During Development (Web Editor)

Page 33: SAP HANA Security: New Technology, New Risks

Reporting Dashboards

Page 34: SAP HANA Security: New Technology, New Risks

Take action: We evaluate the current state of your SAP environment for free

Take an instant test: visit www.virtualforge.com

Free risk assessment / penetration test of SAP configuration and custom code, covering security, compliance and quality (secure SAP® systems):

✓ Summary of findings

✓ Prioritization and classification of vulnerabilities

✓ Specific examples of findings

✓ Code and system metrics

Page 35: SAP HANA Security: New Technology, New Risks

Dr. Markus Schumacher, www.virtualforge.com, @Virtual_Forge

Thank you! Feel free to write or call for any questions and requests.

Page 36: SAP HANA Security: New Technology, New Risks

Disclaimer

© 2015 Virtual Forge Inc. All rights reserved. SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies. Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability. Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.