Mo’ Budget, Mo’ Problems
Steve Lord, Mandalorian

What is this talk about?
- Large IT Projects
- System Integrators
- SAP

What is SAP?
- Enterprise Resource Planning (SAP R/3)
- CRM, EP, HR, FI/CO, BW, MM, PP

What is SAP/R3, really?
- Business process re-implementation
- Fancy MIS framework with template processes
- Big basket for corporate eggs

Fundamentals of Large Projects
- The bigger the budget, the harder the fall
- Compound delays due to complex dependencies
- Corners cut to meet deadlines
- Functionality vs. Security
- Decision rarely based upon business case
  - When was the last time you signed off $xxx million?
- Don’t believe me?

Irish HSE PPARs and FISP Systems
- PPARs (HR) and FISP (FI/CO)
- Projected Combined Cost - £6.2mil
- PPARs Cost when halted in 2005 - £80mil
- FISP Cost when halted - £20.7mil
- Revenues for Deloitte & Touche - £34.5mil
- Revenues for SAP - Undisclosed (not part of D&T’s fees)

PPARs
- “It’s like a case study in how not to run a project … It’s appalling stuff.” – Enda Kenny, Fine Gael Leader
- PPARs could’ve paid for:
  - A 600 bed Hospital
  - 20 St. Patrick’s Day beers for Every Man, Woman and Child in Ireland

HP’s Internal Failure
- iGSO
  - Launched in 2002
  - Consolidate 350 Digital, Compaq, HP, Tandem systems
  - Expected finish date 2007

HP: The Adaptive Enterprise that couldn’t adapt
- Total cost of Implementation failure
  - US$400 mil (revenue)
  - US$275 mil (operating profit)
  - 3 Executives’ heads
- Did I mention this was the total for Q3 2002?

How is SAP Implemented Internally?
- Usually Poorly
- Inadequate Skills/Experience
- Poor/No Business Requirements Capture
- Technology Driven Implementation
- Poor Documentation
- Usually very expensive ($20mil+)

How is SAP implemented by External Integrators?
- Poorly
- Front-loading Skills
- Business Requirements Capture?
- Partner-driven Implementation
- Poor/No Documentation
- Subject to contract wrangling
- Can be extremely expensive ($50mil+)

Where does it all go wrong?
- Lack of:
  - Communication
  - Contingency
  - Requirements Capture/Analysis
  - Simplicity
  - Security

Where does Security come in?
- At the end of a long queue
- By the time it reaches us, it is:
  - Non or semi-functional
  - Delayed
  - Costing the business
- Security’s role is to SUSO (Shut Up, Sign Off)

Show me the SUSO
- You need to sign this off
- If you don’t
  - You’re blocking the business
  - You’re costing us money
  - You’re getting in the way of the project
- If you do
  - It’s your backside on the dotted line

End of Talk
- Oh you want more?

This is the price, right?
Come on down!

This is the price, right?
- Quiz Show
- Prizes
- Need Victims/Volunteers

How it works
- Question is asked
- Potential answers are shown
- You have to guess which one of the answers was an actual response

This is the price, right? Question 1
Why can’t we use SSH?
- A) It (PuTTY) isn’t vendor supported
- B) SFTP Doesn’t support ASCII
- C) We don’t have a PKI
- D) Key Management is too difficult
- E) The TCO for OpenSSH is too high

Why can’t we switch off RSH?
- A) It requires a server rebuild
- B) It requires extensive testing that would cost millions
- C) CowboyNeal
- D) We use telnet, you insensitive clod!
- E) We don’t know what it would break

Why did the SI buy the tin prior to completing the design stage?
- A) Because the vendor rebate would be lower next year
- B) Because the client will have to write off the hardware expenditure anyway
- C) Because it’s easier to justify spending on one round of big tin than two rounds of smaller tin
- D) If the client has already paid a fortune up front they’re less likely to pull the plug later

Why were all the consultants on the job South African?
- A) Because of S.A’s extensive investment in enterprise technology training
- B) Because all the experienced guys are from Joburg
- C) Because they’re cheaper than native employees and have a lesser understanding of local employment law

Why are these not risks?
- A) Because it’s not live yet
- B) Because you need an account to access the systems
- C) Because you’d need to have an RSH client and a copy of finger to access the systems
- D) Because you’d need to have an FTP client to gain access to an unshadowed /etc/passwd
- E) Because there are plenty of other ways in
- F) Because you’re holding the project up so just sign off or there’ll be trouble

Well done!
- The good news is
  - People got prizes
- The bad news is
  - We’re all losers in the end

Breaking SAP
Send in the clowns

SAP Structure
- Infrastructure Issues
- Front-End Application
- Business Logic
- Business Processes
- Database Skullduggery

Infrastructure Issues
Let me paint you a picture

What does an SAP deployment look like?

Points of interest
- There is no standard deployment
- There should be Firewalls involved
  - If there are, Any-Any rules may be used
- Sometimes the File Server(s) are shared between dev, test and live too
- Sometimes the App Server(s) are shared between dev, test and live too

How (not) to conduct an SAP Pentest
- Nmap
- Amap
- Nikto
- Nessus
- Metasploit

How to conduct an SAP Pentest
- Nmap (-sS and -sU only, no -sV or -A, and watch timings)
- Manual confirmation of services with standard client tools
  - RSH, Finger, Net View, Showmount, FTP
- No active exploitation
- Password guessing possible, but not automated

SAP Systems are
- Unpatched
- Unhardened
- Unmaintained (caveat: security)
- Unmanaged (caveat: security)

Once you’ve got local access
- Useful tools
  - R3Trans
  - TP
- SQL Trusts
  - OSQL -E
  - SQLPLUS "/ as sysdba"
  - MySQL -u root, mysqld_safe

R3Trans
- Uses SAP’s abstracted SQL model (T-SQL)
- Uses ‘control files’ to perform actions upon databases
- R3Trans -d -v: Test database connection

R3Trans Control File
    EXPORT
    FILE='/tmp/.export/'
    CLIENT=000
    SELECT * FROM USR02
- Start with: R3Trans /tmp/control
- Don’t forget to check trans.log

Where to look
- /usr/sap/trans
- /usr/sap/<SID>
- /home/<SID>adm
- There is no reason for these directories to be world writeable!
- Most should be 700, 770 or 775
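The permission rule on the slide above, turned into an audit script. This is an added example and not code from the talk: it stats the three directories the talk singles out (the system ID P01 is a constructed placeholder), reports any that are world writable, and notes any mode outside the 700/770/775 set the slide calls normal. The temporary directory tree built by demo() is constructed so the script runs offline.

```python
"""Audit SAP filesystem directories for world-writable permissions.

Added example, not code from the talk. It encodes the rule on the slide:
/usr/sap/trans, /usr/sap/<SID> and /home/<SID>adm must not be world writable,
and most should be 700, 770 or 775. The system ID P01 and the temporary
directory tree built by demo() are constructed for illustration.
"""
import os
import stat
import tempfile

ACCEPTABLE_MODES = {0o700, 0o770, 0o775}   # the modes the slide calls normal


def sap_directories(sid):
    """The directories the talk singles out, for one SAP system ID (SID)."""
    return ["/usr/sap/trans", f"/usr/sap/{sid}", f"/home/{sid.lower()}adm"]


def check_mode(mode):
    """Classify st_mode bits; returns a list of findings (empty = acceptable).

    World-writable is reported separately because it is the finding that
    matters even when a site has a legitimate reason for an unusual mode.
    """
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if perm not in ACCEPTABLE_MODES:
        findings.append(f"unexpected mode {perm:o}")
    return findings


def audit_paths(paths):
    """Stat each path and map it to its findings; missing paths are reported too."""
    results = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            results[path] = ["missing"]
            continue
        if not stat.S_ISDIR(st.st_mode):
            results[path] = ["not a directory"]
            continue
        results[path] = check_mode(st.st_mode)
    return results


def demo():
    """Build a constructed tree in a temp dir and audit it, keyed by basename."""
    with tempfile.TemporaryDirectory() as root:
        trans = os.path.join(root, "trans")   # stands in for /usr/sap/trans
        sid_dir = os.path.join(root, "P01")   # stands in for /usr/sap/P01
        os.mkdir(trans)
        os.chmod(trans, 0o777)                # the bad case from the slide
        os.mkdir(sid_dir)
        os.chmod(sid_dir, 0o770)
        results = audit_paths([trans, sid_dir, os.path.join(root, "absent")])
        return {os.path.basename(p): f for p, f in results.items()}


if __name__ == "__main__":
    # On a real host: audit_paths(sap_directories("P01")) as a user that can stat them.
    for name, findings in demo().items():
        print(name, findings or "ok")
```

On a live system replace demo() with audit_paths(sap_directories(sid)); the world-writable finding is the one to chase first, since it is what lets an unprivileged local account plant transports or control files for R3Trans and tp to pick up.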
From the trenches
“We use RSH to copy files around the environment. RSH has a feature called .rhosts which enables us to restrict access to specific users or hosts”

Front-End Issues
Busting down the door citing section 404

What front-end?
- SAP has many
  - SAPGUI
  - WebGUI/NetWeaver/ITS/EP
  - SAPRFC
- For the sake of time we will focus on SAPGUI
- These issues do apply elsewhere though

SAPGUI
- See the box up next to the green tick?
- Use /? to start debugging
- Type in a transaction code (T-Code) to start a transaction

SAP Transactions of Note
- SU01 – User Authorization
- SU02 – User Profile Administration
- RZ04 – Maintain SAP Instances
- SECR – Audit Information System
- SE11 – Data Dictionary
- SE38 – ABAP Editor
- SE61 – R/3 Documentation
- SM21 – System Log
- SM31 – Table Maintenance
- SM51 – List of SAP Servers (Targets)
- SU24 – Disable Authorization Checks
- SM49 – Execute Operating System Commands
- SU12 – Delete All Users
- PE51 – HR Form Editor (HR)
- P013 – Maintain Positions (HR)
- P001 – Maintain Jobs (HR)

SAP Transactions of Note
- AL08 – Users Logged On
- AL11 – Display SAP Directories
- OS01 – LAN Check with Ping
- OS03 – Local OS Parameter changes
- OS04 – Local System Configuration
- OS05 – Remote System Configuration
- OSS1 – SAP’s Online Service System
- PFCG – Profile Generator
- RZ01 – Job Scheduling Monitor
- RZ20 – CCMS Monitoring
- RZ21 – Customize CCMS Monitor
- SA38 – ABAP/4 Reporting
- SCC0 – Client Copy
- SE01 – Transport and Correction System
- SE13 – Maintain Technical Settings (Tables)
- SUIM – Repository Information System

You can’t access those!
- I can access them (or equivalents) if restrictions are based on:
  - Easy Access Menu Items
  - Transactions only
  - Custom tables (e.g. a ZUSERS table of allowed users)
- Restrictions need to be implemented at the Authorization level

So what else is there?

Reports
- RPCIFU01 – Display File
- RPCIFU03 – Download Unix File
- RPCIFU04 – Upload Unix File
- RPR_ABAP_SOURCE_SCAN – Search ABAP for a string ;)
- RSBDCOS0 – Execute OS Command
- RSPARAM – Check System Parameters
- RSORAREL – Get the Oracle System Release

Tables
- Accessible through:
  - SE16 (Maintain Tables)
  - SE17 (Display Tables)
  - SA38 (Execute ABAP)
  - SE38 (ABAP Editor)
  - Customizations (ZZ_TABLE_ADMIN etc.)
- Will Be Covered Later

Job Scheduler
- Can’t get OS access? Use SM36 or SM36WIZ instead
  - Specify Immediate Start
  - External Program as Step

Custom Transaction fun
- Input Validation
  - Selection Criteria Expansion
  - Path specification (../../, // etc)
  - Shell Escapes (; /bin/ls, |"/bin/ls"| etc)
  - SQL Injection
  - Export/Import file fun and games
- Bypass Authorization Checks
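The input-validation items on the slide above, handled the way a custom transaction should handle them before it touches a file or an OS command. This is an added example in Python, not code from the talk or from SAP: the base directory, the rejected character set and the sample inputs are constructed, and the inputs are the three classes the slide names (traversal, double-slash paths, shell escapes).

```python
"""Validate the file-path and OS-command inputs a custom transaction takes.

Added example, not code from the talk. It rejects the input classes the slide
lists: traversal ("../../"), absolute and double-slash paths ("//") and shell
escapes ("; /bin/ls", '|"/bin/ls"|'). BASE_DIR, the rejected character set and
the sample inputs are constructed for illustration.
"""
import os

BASE_DIR = "/usr/sap/trans/data"   # constructed: the only tree the report may touch
SHELL_METACHARS = set(';&|`$<>(){}\n\\"\'\x00')   # any of these can break out of a command line


def check_input(user_value, base=BASE_DIR):
    """Return (accepted, reason, resolved_path); resolved_path is None when rejected."""
    if not user_value:
        return (False, "empty", None)
    if any(ch in SHELL_METACHARS for ch in user_value):
        return (False, "shell metacharacter", None)
    if user_value.startswith("/"):                 # covers "//" as well
        return (False, "absolute path", None)
    candidate = os.path.normpath(os.path.join(base, user_value))
    # normpath collapses "../"; anything that escaped base shows up here
    if os.path.commonpath([base, candidate]) != base:
        return (False, "path traversal", None)
    return (True, "ok", candidate)


SAMPLE_INPUTS = [   # constructed, mirroring the slide's examples
    "report.txt",
    "../../etc/passwd",
    "//etc/passwd",
    "; /bin/ls",
    '|"/bin/ls"|',
]


def triage(values=SAMPLE_INPUTS):
    """Map each input to the reason it was accepted or rejected."""
    return {v: check_input(v)[1] for v in values}


if __name__ == "__main__":
    for value, reason in triage().items():
        print(f"{value!r}: {reason}")
```

The check is an allowlist on the resolved path rather than a search for "../", so a value like "sub/../report.txt" that stays inside the base directory is accepted while anything that ends up outside it is not; the metacharacter test runs first because a value destined for a command line needs it regardless of where the path points.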
From the trenches
“As discussed in the meeting on <redacted> with <redacted>, we’ve agreed that there is no further action required. I appreciate that you are on holiday at the moment, but we will take your expected non-response in advance as agreement upon the matter.”

Database Skullduggery
Here be Dragons

Database Stuff
- The Database contains all the data.
- The Database is accessed by SAP users through the SAP system.
- The SAP database is not subject to the same controls as SAP itself.
- WARNING: DO NOT MODIFY THE DATABASE WITHOUT PERMISSION SIGNED IN BLOOD (not yours)

Getting In
- Patch Weaknesses
- Brute Force
- Roundhouse Kicks
- Default Accounts

Speaking of Default Accounts
- Default Accounts (with Oracle Hashes)
  - DDIC/199220706 (4F9FFB093F909574)
  - SAP/SAPR3 (BEAA1036A464F9F0)
  - SAP/6071992 (B1344DC1B5F3D903)
  - SAPR3/SAP (58872B4319A76363)
  - EARLYWATCH/SUPPORT (8AA1C62E08C76445)

Note about Schemas
- <610 has SAPR3 as Schema Owner
- >610 uses SAP as Schema Owner

Database Queries of Note
    SELECT MANDT,BNAME,BCODE,USTYP,CLASS FROM <SAPDB>..USR02
    SELECT * FROM UST04
    SELECT * FROM TSTCT WHERE SPRSL = 'E'
    SELECT * FROM DBCON
    exec master.dbo.xp_cmdshell 'cmd.exe /c net view'

Common Values in the DB
- ACTVT – Activity Code
- USTYP – User Type
- MANDT – Client Number
- BUKRS – Company Code
- BEGRU – Authorization

USTYP values
- USTYP specifies the type of user (used in USR02)
  - A – Dialog (interactive user)
  - C – Communications (CPIC)
  - D – System (BDC)
  - S – Service
  - L – Reference
- People often don’t change passwords on CPIC users as they’re not sure what breaks
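A defender's use of the USR02 columns and USTYP values above: an audit over a user-master extract that lists the default accounts from the earlier slide that are still present and the CPIC (USTYP C) users whose passwords have not been changed within policy. This is an added example, not code from the talk or from SAP. It runs against a constructed in-memory SQLite copy of USR02 with the columns the slides name (MANDT, BNAME, USTYP) plus PWDCHGDATE, which is assumed here to hold the last password change as YYYYMMDD; the rows, the 180-day threshold, the audit date and the SAP* entry in the default-user list (the standard super user, not named on the slide) are the author's additions.

```python
"""Audit a USR02 extract for default accounts and stale CPIC passwords.

Added example, not code from the talk. It runs over a constructed in-memory
SQLite copy of USR02 using the columns the slides name (MANDT, BNAME, USTYP)
plus PWDCHGDATE, assumed here to hold the last password change as YYYYMMDD.
Rows, the 180-day policy and the audit date are constructed. Every query is
parameterised, which is also the fix for the SQL-injection item on the
custom-transaction slide.
"""
import sqlite3
from datetime import date, timedelta

USTYP_NAMES = {            # from the slide
    "A": "Dialog",
    "C": "Communications (CPIC)",
    "D": "System (BDC)",
    "S": "Service",
    "L": "Reference",
}
DEFAULT_USERS = {"DDIC", "EARLYWATCH", "SAP*"}   # DDIC/EARLYWATCH per slide; SAP* is the standard super user
MAX_CPIC_PASSWORD_AGE_DAYS = 180                 # constructed policy threshold

SAMPLE_ROWS = [            # constructed: (MANDT, BNAME, USTYP, PWDCHGDATE)
    ("000", "DDIC", "A", "20030115"),
    ("100", "EARLYWATCH", "A", "20040301"),
    ("100", "RFC_BW", "C", "20021201"),
    ("100", "RFC_CRM", "C", "20060201"),
    ("100", "JSMITH", "A", "20060310"),
]


def load_usr02(rows=SAMPLE_ROWS):
    """Create the in-memory table and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USR02 (MANDT TEXT, BNAME TEXT, USTYP TEXT, PWDCHGDATE TEXT)")
    conn.executemany("INSERT INTO USR02 VALUES (?, ?, ?, ?)", rows)
    return conn


def find_default_users(conn):
    """Default accounts still present, as 'client/user' strings."""
    names = sorted(DEFAULT_USERS)
    marks = ",".join("?" * len(names))             # only placeholders are interpolated
    cur = conn.execute(f"SELECT MANDT, BNAME FROM USR02 WHERE BNAME IN ({marks})", names)
    return [f"{mandt}/{bname}" for mandt, bname in cur]


def find_stale_cpic_users(conn, today, max_age_days=MAX_CPIC_PASSWORD_AGE_DAYS):
    """CPIC (USTYP C) users whose password is older than the policy allows."""
    cutoff = (today - timedelta(days=max_age_days)).strftime("%Y%m%d")
    cur = conn.execute(
        "SELECT MANDT, BNAME, PWDCHGDATE FROM USR02 WHERE USTYP = ? AND PWDCHGDATE < ?",
        ("C", cutoff),
    )
    return [f"{m}/{b} (password last changed {d})" for m, b, d in cur]


def user_type_counts(conn):
    """How many users of each USTYP, named per the slide's table."""
    cur = conn.execute("SELECT USTYP, COUNT(*) FROM USR02 GROUP BY USTYP")
    return {USTYP_NAMES.get(t, f"unknown ({t})"): n for t, n in cur}


def audit(today=date(2006, 4, 1)):
    """Run all three checks over the constructed extract."""
    conn = load_usr02()
    return {
        "default_users": find_default_users(conn),
        "stale_cpic": find_stale_cpic_users(conn, today),
        "user_types": user_type_counts(conn),
    }


if __name__ == "__main__":
    for section, rows in audit().items():
        print(section, rows)
```

Against a real extract the same three queries apply unchanged; the point of the CPIC check is that these users are the ones nobody dares to touch, so a password-age report is what turns "not sure what breaks" into a change ticket with a named owner.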
Tables to look at
- BKPF – Accounting Header (FI)
- BSEG – Accounting Document Segment (FI)
- CEPC – Profit Master Data
- EKKO – PO Header
- RSEG – Incoming Invoice
- RBKP – Invoice Receipts
- KNA1 – Customer Master Records
- LFA1 – Vendor Master Records
- PNP – Personnel Data (HR Only)
- CSKS – Cost Centre Master (HR)
- T569V – Payroll Control Records (HR)

Subverting Business Logic
It’s not a lie, we just didn’t tell you that

How SAP Controls Access
- Local logon details in USR02
- Profile details in UST04, USR04 etc.
- Authorizations & Profiles

Custom SAP Code and Access Control
- ABAPs and Auths 101
- Authorization checks
    AUTHORITY-CHECK OBJECT <object>
- If the authority check statement isn’t there, it is assumed that you can go ahead!
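A review-side check for the point just made, and an offline counterpart to the RPR_ABAP_SOURCE_SCAN report listed earlier: scan custom ABAP sources and flag any program with no AUTHORITY-CHECK statement. This is an added example, not code from the talk or from SAP. It ignores commented-out statements (a check that was commented out during testing is the same as no check) and also flags a program that issues the check but never tests SY-SUBRC afterwards, because the statement alone does not stop execution. The three Z-program sources are constructed.

```python
"""Static scan of custom ABAP reports for missing or ineffective authority checks.

Added example, not code from the talk. It flags programs with no
AUTHORITY-CHECK, ignores commented-out statements, and flags a check whose
SY-SUBRC result is never tested. The three Z-program sources are constructed.
"""
import re

AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.IGNORECASE)
SUBRC_TEST = re.compile(r"\bSY-SUBRC\b", re.IGNORECASE)

SAMPLE_PROGRAMS = {   # constructed
    "ZPAYROLL_DUMP": """\
REPORT zpayroll_dump.
* AUTHORITY-CHECK OBJECT 'P_ORGIN'.      commented out during testing
SELECT * FROM t569v INTO TABLE lt_ctrl.
WRITE: / 'done'.
""",
    "ZPO_LIST": """\
REPORT zpo_list.
AUTHORITY-CHECK OBJECT 'M_BEST_EKO' ID 'ACTVT' FIELD '03'.
SELECT * FROM ekko INTO TABLE lt_po.   " return code never looked at
""",
    "ZVENDOR_OK": """\
REPORT zvendor_ok.
AUTHORITY-CHECK OBJECT 'F_LFA1_APP' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorised' TYPE 'E'.
ENDIF.
SELECT * FROM lfa1 INTO TABLE lt_vendors.
""",
}


def strip_comments(source):
    """Remove ABAP comments: '*' in column 1 comments the whole line, '"' the rest of a line."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        kept.append(line.split('"', 1)[0])
    return "\n".join(kept)


def scan_program(source):
    """Findings for one program; an empty list means the check is present and tested."""
    code = strip_comments(source)
    if not AUTH_CHECK.search(code):
        return ["no AUTHORITY-CHECK"]
    if not SUBRC_TEST.search(code):
        return ["AUTHORITY-CHECK result (SY-SUBRC) never tested"]
    return []


def scan_programs(sources=SAMPLE_PROGRAMS):
    """Map each program that has findings to them; clean programs are omitted."""
    report = {}
    for name, source in sources.items():
        findings = scan_program(source)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_programs().items():
        print(name, findings)
```

The scan is deliberately textual: it answers "is there a check at all, and is its result used", which is the question the slide raises, not whether the right object and field values were chosen. That second question still needs a reviewer who knows the business process the report serves.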
SAP Authorization Concept

Common Authorization Snafus
- ‘Pyramid Structure’ Approach
- Overly Restrictive Approach
- Use Standard SAP Profiles Approach
- Transactions/Menu only Approach
- Objects only Approach

So what happens when things go wrong?

When things go wrong
- Too much access
- Too little access
- Disgruntled Employees and no audit trail
- Enron style fun

Business Process Hacking
Where you too can be like Neo

Business Process Hacking
- When your business processes are correctly aligned all is good.
- When they aren’t…
- … And it’s even worse when it’s legislation

BPH Vs. Social Engineering
From the Canadian charter of rights and freedoms:
20. (1) Any member of the public in Canada has the right to communicate with, and to receive available services from, any head or central office of an institution of the Parliament or government of Canada in English or French, and has the same right with respect to any other office of any such institution where
(a) there is a significant demand for communications with and services from that office in such language; or
(b) due to the nature of the office, it is reasonable that communications with and services from that office be available in both English and French.
Is this charter open to abuse?

BPH Example
- User provisioning policy not correctly implemented
- Weakness: New users created but old ones not disabled
- Result: Accounts can be used after owners leave

BPH Example #2
- Evening meal expense claim requires signature of most senior person present
- Then signed off by person at higher grade
- No requirement to list people present

How does this tie into SAP?
- SAP process integration
- If the process fits…
- If it doesn’t?

A word from our sponsors
Well, Steve has to get revenue somehow

OWASP-EAS
Stays crisp in milk

OWASP-EAS
- What?
- Why?
- How?
- When?

What?
- OWASP-Enterprise Application Security Project
- Enterprise Grade Schnizzle
- Requirements Guidelines
- Audit Programmes
- Business-level and tech guidance docs

Why?
- OWASP is great for Web-based stuff
- It’s great for toy applications
- It’s not great for large business systems
  - Not applicable
  - Not relevant
  - Not ‘Enterprise Grade’

How?
- Initial Launch
  - Parent OWASP-EAS Mailing List
  - Develop industry links
- Initial projects
  - OWASP-EAS RFP Guide
  - Security Document Templates
  - SAP Assessment Guide
  - White Papers

When?
- Real Soon Now*
- Formal launch in June ‘06
- ‘Soft’ Launch End April
  - Mailing List
  - Sub-Projects Initiation
*may contain nuts

Conclusions
- SAP is teh r0x0r
- The people who implement it aren’t necessarily so
- OWASP-EAS will help them… to a point