One of the most essential tasks entrusted to the information security team of any modern company is to secure its ERP system. A significant part of corporate assets is stored and processed by ERP systems, and many business processes depend on their reliable operation. As a result, ERP systems are frequent targets of attacks.
SAP is the largest ERP system vendor worldwide. We therefore focus our attention on SAP software security analysis and offer an integrated SAP system security audit as a separate service.
SAP systems are complex software solutions with their own peculiarities and shortcomings. One of these shortcomings is the large number of security problems that require thorough analysis, since public information on the subject is scarce.
The widely known problem of Segregation of Duties (SoD) is not the only one that deserves attention when auditing SAP security. Digital Security experts have been cooperating with SAP in vulnerability research and analysis for a long time, and our experience, as well as research by recognized experts worldwide, shows that there is a great number of vulnerabilities and misconfigurations that can be used to gain administrative access to SAP even when SoD is perfectly configured.
The audit methodology we use makes it possible to assess security at each level (network, OS, DBMS, application, presentation), which in turn allows the most thorough analysis of probable system vulnerabilities and the development of effective recommendations to improve security.
The main assessment procedures are listed below:
- technical assessment performed on the network level (SAP Router, RFC interfaces, encryption, XI);
- technical assessment at the OS level (vulnerabilities, common users, access rights);
- technical assessment at the DBMS level within the SAP system (specific configurations, vulnerabilities, common users, access rights);
- internal assessment of SAP BASIS roles and privileges (standard passwords, password policy, access to critical profiles, transactions, log files, backups);
- technical assessment of SAP NetWeaver and applications (standard passwords, J2EE application vulnerabilities; vulnerabilities and misconfigurations in WAS, ITS, IGS and other services);
- change management procedures;
- security checks of SAP client components such as SAP GUI (configuration, password storage, client software vulnerabilities);
- assessment of information security management procedures within SAP for compliance with ISO/IEC 27001:2005;
- and many others.
Outcome
Once the assessment is completed, you receive a report that contains:
1. Detected vulnerabilities and configuration shortcomings;
2. The consequences of exploitation of the detected vulnerabilities and the corresponding risks;
3. Detailed guidelines to increase the security of the system under test, taking its peculiarities into consideration.
Please contact us at services@dsecrg.com