Security in the SAP System Environment


During the ADM960 course at SAP, we covered numerous topics, including the fundamental concepts of authentication, encryption and network infrastructure, the configuration of single sign-on, certificate-based authentication, and system auditing in AS ABAP and AS Java. Although I had no previous hands-on experience with SAP technologies and administration, I found the overall concepts pretty simple; my experience with security-related issues helped me out. All of the exercises raised my awareness of security topics in SAP NetWeaver Application Server 7.00. I learned some basic transactions for password and role auditing, and I also found the configuration of SAProuter and trusted relationships to be somewhat interesting.

There are several things to remember:

  1. Pay attention to SAP standard users such as “SAP*”. Remember that the configuration may differ depending on the system you are using (ABAP or Java). This standard user always uses “pass” as the password. You have to clone that account and block the original one (remove all of its authorizations).
  2. Monitor services which you are actually using (including system services) and block all others.
  3. You can use the “SE95” transaction to monitor changes.
  4. Use the “RSECNOTE” tool to check for critical security updates.
  5. For ABAP system monitoring, use transaction “SM19” for audit configuration and “SM20” for log monitoring. For Java, go to SAP NetWeaver Administrator – System Management – Monitoring – Logs and Traces.
  6. Use the “SUIM” transaction for user monitoring: authorizations, roles and account change control.
  7. Use the “RZ20” transaction to access the Alert Monitor.

The “SA38” transaction is used to run reports.

For more information, please refer to the original SAP Security Guide.

Image courtesy of jscreationzs / FreeDigitalPhotos.net

Information systems auditing


Information systems audit do’s:

1. The main goal of an audit is not to find weak controls or policy violations, but to help a company mitigate its risks and achieve compliance.
2. Remember that an audit strengthens a discipline within a company.
3. An auditor is responsible for making sure that risks in weak areas do not materialize, so they make appropriate observations and comments.
4. Beware of flattery and concealment.
5. Replace opinions with facts and evidence.
6. Invest in improving communication skills.
7. When you finish interviewing someone, always give them a brief summary of the current situation (e.g. your observations, good and/or bad) if possible.
8. Do not add any photo/video materials or document copies to your final report.
9. Create good report templates in advance.

Information systems audit don’ts:

1. Don’t criticize.
2. Don’t argue.
3. Don’t use professional or specialized jargon.
4. Don’t say that you understand if you actually don’t.
5. Don’t try to guess.
6. Don’t use tests that can potentially cause incidents.
7. Don’t write only negative observations in your final report.

Image courtesy of Michal Marcol / FreeDigitalPhotos.net