ERPScan company, one of the key players in ERP security, has released ERPScan Security Scanner for SAP 2.0 – a complex solution to continuously monitor all areas of SAP security, from vulnerability assessment and misconfigurations to ABAP code review and analysis of business-critical privileges.
One of the most significant changes is a new module which can make static analysis of ABAP code security. It makes ERPScan the only solution on the market which makes both security assessment of platform and code review. We have also significantly increased the number of anonymous checks which can be performed in Penetration testing mode to help companies identify issues without using credentials in the system. The new engine can help to perform audit and compliance checks not just through RFC – it allows making complete scan through the web-interface which is a great feature for external penetration tests and can make pen-testers’ lives easier.
“Today, almost all critical operations like procurements, stock resources management, human resources management, financial reports and much more, and all the data related to them, are stored in SAP system. This is why the main target for an insider or an external attacker would be to gain illicit access to SAP with the purpose of malicious manipulation of company resources. In spite of the increasing popularity of ERP systems security in the security community, companies are still vulnerable to cybercriminal and insider attacks. At this moment SAP has released more than 2000 Security notes closing various vulnerabilities, which is quite a lot, especially if you keep in mind that sometimes it is enough to get access to all business critical data through only one issue. An example was presented at BlackHat last summer. On the other side, almost every company develops custom ABAP code which can also have vulnerabilities and backdoors left by developers”, said Alexander Polyakov, CTO of ERPScan.
Using ERPScan, all kinds of customers can decrease their expenses and get different benefits.
- Consulting companies can save time and resources. ERPScan allows them to significantly simplify the task of assessment by automating most of the ordinary checks, so auditors can pay more attention to the analysis of the customized part. Moreover, the unique database of checks gives consulting companies competitive advantages.
- CISOs can effectively monitor security of SAP systems and prevent insider and hacker threats.
- Penetration testers can easily perform black-box and white-box assessments of SAP with the largest knowledge base in the world and 0-day vulnerabilities.
- SAP team can manage business-critical authorizations and control development by applying preventive measures.
“SAP security assessment, according to our experience, usually takes quite a long time. Additionally, the complexity of the system and the large amount of different installation types require the participation of specialists from various fields of security. Even the application server may have either ABAP or Java platform, and they require completely different specialists, not to mention particular applications and modules. ERPScan allows you to significantly simplify the task of assessment by automating most of the ordinary checks, so you can pay more attention to the analysis of the customized part”, said Alexander Polyakov.
More new functions:
- Support of different web application types (bsp/iviews/jsp/webservices/webdynpro’s)
- More than 5000 different checks covering misconfigurations, vulnerabilities, access to web-applications; search for 50 different types of vulnerabilities in ABAP code
- Elaborated black-box vulnerability assessment
- Cataloguing of SAP systems and services
“Earlier, you needed to implement many different solutions to secure SAP from threats, now it is all in one place”, said Ilya Medvedovsky, CEO of ERPScan.