
Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks?

Stephen Lamy, Virtual Forge

Agenda

Mobile Trends and The New Threats

The Forgotten Layer

Benchmarks of Defects in Custom ABAP

What Can Go Wrong?

Security Standards

Virtual Forge

Founded in 2001

CodeProfiler released 2008, SystemProfiler released 2013

Patented Data and Control Flow Analysis for ABAP

Gartner:

• Magic Quadrant for Application Security Testing

• Leading vendor for ABAP Security

• Cool Vendor 2011

Locations: Heidelberg, Weimar and Philadelphia

Experts in the field of SAP® system and application security and quality

Mobile Trends and the New Threats

Going Mobile ... and the Key Threats

Access from anywhere; hostile (public) environment

Attractive target for attackers

Increased attack surface

Extensive access to corporate information

New features added daily

Source: Dimension Research, "The impact of mobile devices on information security"

Attack Vectors against Mobiles (diagram)

Source: Fraunhofer SIT, "How Smartphones and Co. may be Cheating on you"

Facts

McAfee Threats Report, First Quarter 2013: "... the total number of samples in our mobile malware 'zoo' reached 50,926, with 28 percent of that arriving in 2013" (and that is the first quarter only).

Same report: "... IP addresses in the United States are again both the source and the target of most malicious network activity."

Facts (continued)

Attacks on mobile devices have one of two aims: using the device itself to steal sensitive data, or harvesting credentials that give access to backend systems.

Apple: "50% of smartphone users do not set up a passcode"

Phishing: "Companies from the United States are the most targeted, suffering 80 percent of all attacks."

Phishing by country (chart)

The Forgotten Layer

ALL mobile apps eventually call ABAP programs

Where the data comes from (diagram): mobile app -> Mobile Gateway -> Java, HTML or C++ application -> SAP, entered through ABAP RFC function modules and BAdIs

The Attack Surface of SAP (diagrams for 1997, 2002, since 2007, and since 2011 with NetWeaver Gateway)

SAP security must be addressed holistically

Business run-time apps must properly enforce business logic

GRC & SoD controls are only effective if they are enforced within the applications

Layers (diagram): Operating System, Database, Business Runtime, Business Logic

The Forgotten Layer: the Business Runtime

SAP System Security Tests

Testing of >550 SAP systems (including some of the world's largest organizations)

Over 95% of the systems analyzed were exposed to espionage, sabotage and fraud attacks

None of the evaluated SAP systems was fully updated with the latest SAP security patches

Most of the exploitable vulnerabilities had been publicly known to SAP customers for more than 5 years

Source: Onapsis, Black Hat 2012

Increased External SAP Access Points (diagram)

Never Trust the Other Side! (security paradigm)

Unsecured devices have access to sensitive backend systems (e.g. BYOD): 93% have mobile devices connected to their corporate networks

Attacks against mobiles continue to rise dramatically: 52% of large companies say the cost of mobile security incidents last year exceeded $500,000

45% have more than five times as many personal mobile devices as they had two years ago (up from 36% in 2012)

Best practice: stringently enforce device-level security, and test and validate the complete application and data-processing chain

“Our SAP systems are secure…“

Benchmarks of Defects in Custom ABAP

Source of Defects

Little/no technical specifications

Manual/Basic code reviews

Testing focused on functional aspects

External/3rd Party development

Limited/no code change monitoring

Definitions

Average (arithmetic mean): the sum of all values divided by the number of values

Median: the value in the middle when the values are sorted (example: for 1, 2, 3, 100, 101 the median is 3, while the average is 41.4)

LOC = lines of code (without comments and empty lines)

KLOC = 1 thousand LOC

MLOC = 1 million LOC

Benchmark Data (as of July 2013)

Number of systems: 88

Total LOC: 156,443,087

Namespaces: all custom ABAP code (Y*, Z*, 3rd-party namespaces, BAdIs, ...)

Test case domains: Security, Compliance, Performance, Maintainability, Robustness

Custom ABAP Benchmarks

Benchmark statistics (per system):

Metric | Average | Median
Source code lines (LOC, without comments and empty lines) | 1,862,418 | 1,032,539
Comments | 596,059 | 325,931
Inline comments | 122,876 | 63,892
Percentage of comments in analyzed lines | 28% | 28%
Pragmas | 5,119 | 1,621
Module size (LOC) | 53 | 52

Critical Defects at the Average Customer

Benchmarks of critical defects (per system, critical severity only; the per-KLOC column is the average count divided by the average LOC of 1,862,418):

Domain | Average | Median | Per KLOC (average)
Security | 1,475 | 903 | 0.79
Compliance | 270 | 93 | 0.14
Performance | 1,171 | 1,016 | 0.63
Maintainability | 415 | 0 | 0.22
Robustness | 1,586 | 427 | 0.85

Security and compliance together (0.79 + 0.14 = 0.93 per KLOC) means roughly 1 critical security or compliance defect in every ~1,000 lines of ABAP code.

Probability that a given system contains at least one such defect:

ABAP Command Injection 50%

Authorization Issue 100%

Directory Traversal 93%

Security Defects: Top 20 (test cases, ranked)

1. Missing AUTHORITY-CHECK before CALL TRANSACTION
2. Missing AUTHORITY-CHECK in Reports
3. Directory Traversal (Write Access)
4. Hard-coded SAP System ID Checks (sy-sysid)
5. Missing AUTHORITY-CHECK in RFC-Enabled Functions
6. Dangerous ABAP Commands
7. Directory Traversal (Read Access)
8. File Upload (SAP GUI)
9. Hard-coded SAP Client Checks (sy-mandt)
10. File Download (SAP GUI)
11. Generic RFC Destinations
12. Open SQL (OSQL) Injection (Read Access)
13. Broken AUTHORITY-CHECKs
14. Generic Table Query (Write Access)
15. Generic ABAP Module Calls
16. Exposed Kernel Calls
17. Cross-Site Scripting
18. ABAP Command Injection (report)
19. ABAP Command Injection (program)
20. Hard-coded Passwords

What Can Go Wrong?

Free Benchmark Scan of Your ABAP Code

• Summary of findings

• Prioritization of found vulnerabilities

• Specific examples of findings from your own code

• Code metrics

• Benchmark (on request)

Scan scope (diagram): your ABAP code, evaluated for Security & Compliance, Data Loss Prevention, Performance, and Robustness & Maintainability

Register Here for a Free Benchmark Scan

Security Standards

Security Guidelines for SAP

Culture

• Increase awareness of the need for SAP security (for example, through workshops)

• Provide security training (developers, administrators, users, etc.)

Organization

• Make SAP security an integral part of your corporate security strategy

• Develop company and partner security standards and processes that are binding!

Compliance

• Make security a prerequisite for all SAP projects

• Test that all delivered applications comply with the security standards

• Add SAP security to your audit activities

Security Guidelines for SAP – continued

Technology

• Build automated testing into your change control process to enable faster detection and remediation of security and quality defects

Cost Awareness

• The earlier a defect is found, the less it costs to correct

• Cost of correcting a single defect when found in: unit testing (DEV) = $100; user testing (QA) = $1,000; productive system (PROD) = $10,000; after a system failure, attack, ... = $??????

Protecting Against Security Defects

BIZEC APP/11 Standard Security Tests

ID | Vulnerability | Description
APP-01 | ABAP Command Injection | Execution of arbitrary ABAP commands
APP-02 | OS Command Injection | Execution of arbitrary OS commands
APP-03 | Native SQL Injection | Execution of arbitrary SQL commands
APP-04 | Improper Authorization (missing, broken, proprietary, generic) | Missing or incorrect authorization checks
APP-05 | Directory Traversal | Unauthorized write/read access to files on the SAP server
APP-06 | Direct Database Modifications | Unauthorized access to SAP standard tables
APP-07 | Cross-Client Database Access | Cross-client access to business data
APP-08 | Open SQL Injection | Malicious manipulation of Open SQL commands
APP-09 | Generic Module Execution | Unauthorized execution of modules (reports, function modules, etc.)
APP-10 | Cross-Site Scripting | Manipulation of the browser UI, identity theft
APP-11 | Obscure ABAP Code | Hidden / untestable ABAP code
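Added example (not part of the original deck and not Virtual Forge's code): a small Python scanner that applies purely lexical versions of five of the checks named in the Top 20 and BIZEC lists above, of the kind that the "Technology" guideline would run on every ABAP change before import. It splits ABAP source into statements (honouring `*` and `"` comments and quoted literals), tracks the current FORM/FUNCTION/METHOD, and flags a CALL TRANSACTION with no earlier AUTHORITY-CHECK in the same unit (the `WITH AUTHORITY-CHECK` addition, available since ABAP 7.40, is accepted), hard-coded sy-mandt/sy-sysid comparisons, literal passwords, a dynamic WHERE clause in a unit that never calls CL_ABAP_DYN_PRG, and GENERATE SUBROUTINE POOL / INSERT REPORT / direct kernel calls. The ABAP it scans is a constructed sample whose Z names, VBAK read and VA03 call are illustrative only; it shows a vulnerable function module beside its hardened rewrite. The limitations are deliberate: any AUTHORITY-CHECK in the unit satisfies the first rule and no data flow is followed, which is exactly the gap a real data- and control-flow analysis closes.

```python
"""Heuristic checks for a few of the custom-ABAP defect classes listed on this
page (Top 20 and BIZEC APP/11).  Added example: a lexical scanner over ABAP
statements, not Virtual Forge's data- and control-flow analysis and not a
substitute for it.  SAMPLE_ABAP is a constructed sample; its Z names are made up."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    check: str
    unit: str        # FORM / FUNCTION / METHOD name, or <top-level>
    statement: str

UNIT_START = re.compile(r"^(FORM|FUNCTION|METHOD)\s+(\S+)", re.I)
UNIT_END = re.compile(r"^(ENDFORM|ENDFUNCTION|ENDMETHOD)\b", re.I)
HARDCODED_SYSFIELD = re.compile(r"\bSY-(MANDT|SYSID)\s*(=|EQ|<>|NE)\s*'", re.I)
HARDCODED_PASSWORD = re.compile(r"\w*(PASSW|PWD)\w*\s*=\s*'[^']+'", re.I)
DYNAMIC_WHERE = re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I)
DANGEROUS = re.compile(r"^(GENERATE SUBROUTINE POOL\b|INSERT REPORT\b|CALL '[A-Z_]+')", re.I)

def statements(source):
    """Yield ABAP statements with comments stripped and whitespace collapsed.
    '*' in column 1 is a full-line comment; '"' starts an inline comment unless
    it sits inside a '...', `...` or |...| literal; a statement ends at '.'."""
    buf = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        quote = None
        for ch in line:
            if quote:                        # inside a literal: copy verbatim
                buf.append(ch)
                if ch == quote:
                    quote = None
            elif ch in "'`|":
                quote = ch
                buf.append(ch)
            elif ch == '"':                  # rest of the line is a comment
                break
            elif ch == ".":                  # end of statement
                yield " ".join("".join(buf).split())
                buf = []
            else:
                buf.append(ch)
        buf.append(" ")                      # a line break separates tokens

def scan(source):
    """Apply the rules per modularization unit; an AUTHORITY-CHECK or a
    CL_ABAP_DYN_PRG call seen earlier in the same unit counts as mitigation."""
    findings = []
    unit, auth_seen, dyn_prg_seen = "<top-level>", False, False
    for stmt in statements(source):
        m = UNIT_START.match(stmt)
        if m or UNIT_END.match(stmt):
            unit = m.group(2) if m else "<top-level>"
            auth_seen = dyn_prg_seen = False
            continue
        up = stmt.upper()
        auth_seen |= up.startswith("AUTHORITY-CHECK")
        dyn_prg_seen |= "CL_ABAP_DYN_PRG=>" in up
        rules = [
            ("Missing AUTHORITY-CHECK before CALL TRANSACTION",
             up.startswith("CALL TRANSACTION") and not auth_seen
             and "WITH AUTHORITY-CHECK" not in up),    # ABAP 7.40+ addition
            ("Hard-coded sy-mandt/sy-sysid check", HARDCODED_SYSFIELD.search(stmt)),
            ("Hard-coded password", HARDCODED_PASSWORD.search(stmt)),
            ("Dynamic WHERE without CL_ABAP_DYN_PRG check",
             DYNAMIC_WHERE.search(stmt) and not dyn_prg_seen),
            ("Dangerous ABAP command / exposed kernel call", DANGEROUS.match(stmt)),
        ]
        findings += [Finding(name, unit, stmt) for name, hit in rules if hit]
    return findings

# Constructed sample: a vulnerable function module and its hardened rewrite.
SAMPLE_ABAP = """\
FUNCTION z_get_orders_for_app.
  DATA: lv_where TYPE string, lv_passwd TYPE string.
  lv_passwd = 'Summer2013'.                        " hard-coded credential
  IF sy-mandt = '100'.                             " hard-coded client check
    CONCATENATE 'KUNNR = ''' iv_customer '''' INTO lv_where.
    SELECT * FROM vbak INTO TABLE et_orders WHERE (lv_where).  " Open SQL injection
  ENDIF.
  DATA(lv_cmd) = 'ls /usr/sap/trans'.
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.         " exposed kernel call
  CALL TRANSACTION 'VA03' AND SKIP FIRST SCREEN.   " no S_TCODE check
ENDFUNCTION.
FUNCTION z_get_orders_for_app_safe.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'VA03'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.
  DATA(lv_where) = |KUNNR = '{ cl_abap_dyn_prg=>escape_quotes( iv_customer ) }'|.
  SELECT * FROM vbak INTO TABLE et_orders WHERE (lv_where).
  CALL TRANSACTION 'VA03' AND SKIP FIRST SCREEN.
ENDFUNCTION.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"[{f.check}] {f.unit}: {f.statement}")
```

Run as a script it prints the five findings, all in the vulnerable module and none in the hardened one. In a change-control pipeline the same `scan` would be fed the source of every object in a transport request, and a non-empty result would block the import until the findings are fixed or explicitly accepted.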

LEARNING POINTS

Attacks on mobile devices are rising sharply.

The growing number of external (web, mobile, etc.) access points into SAP has increased the diligence companies need to keep their SAP systems safe and stable.

Custom ABAP and 3rd-party code often contain a relatively high number of defects that introduce serious risks to your SAP production systems.

Manual code reviews and basic tools offer little real protection, at a relatively high cost.

RETURN ON INVESTMENT

Building automated testing into your change control process enables faster detection and remediation of security and quality defects.

The earlier a defect is found, the less it costs to correct: roughly $100 when found in unit testing (DEV), $1,000 in user testing (QA), $10,000 in the productive system (PROD), and an open-ended amount after a system failure or attack.

BEST PRACTICES

Enforce stringent security and quality standards for all custom and 3rd party code – add them to contracts!

Implement change control procedures that include automatic testing of all ABAP changes before importing to productive systems.

Thank You!

Stephen Lamy

[email protected]

+1 610 864 0261

@Virtual_Forge