Onapsis' Mariano Nunez talks with Richard Stiennon
Richard Stiennon interviews Mariano Nunez, CEO and Co-founder of Onapsis, as part of IT-Harvest’s 2016 Video Interview Series.
SAP HANA is being pushed by SAP as the absolute in-memory database for its products and more recently as a standalone platform. The vast majority of companies who have already adopted it are leveraging its capabilities to support business-critical applications. Due to its nature, SAP HANA stores an organization’s most important assets, thus requiring large efforts to secure that data.
This publication will help security officers understand the SAP HANA layout, the security risks faced and, most importantly, how to mitigate them. SAP HANA System Security Review explores various usage scenarios, reviewing a secure configuration for each one, as well as technical aspects, default users, privileges and roles. In addition, this publication analyzes different published vulnerabilities, their impact on the business, and what has to be done to fix them.
When thinking of SAP security we tend to always think of SAP servers and pay little attention to the tools used by end-users that connect to most of our SAP Systems, as well as the way those tools are used. Outside the SAP security world it is well accepted that attackers are no longer targeting servers directly, but rather are focusing on client-side attacks which could potentially allow escalation to the servers. During the last year, several malware attacks targeting SAP systems were discovered but received little attention at the time of discovery.
SAP End-User Tools: The Weakest Link to Sensitive Data analyzes multiple weaknesses that could affect end-user applications related to SAP, such as the SAPGUI client and other tools that are commonly used by SAP end-users. Additionally, this publication specifies which sensitive data and credentials could be stolen, and outlines the context in which these weaknesses could be exploited. Each weakness is explored in detail with advice on workarounds and fixes.
Every organization running SAP to support its business-critical processes has typically implemented several systems in complex scenarios. Depending on the size of the company, the number of SAP Systems, Instances and Products used can be quite large.
All of these systems are interconnected, and the connections involve different components, each with specific features and restrictions. As a result, every SAP implementation has a certain number of configurations related to how the systems are connected. If these are not properly set, the systems could be abused in order to connect from one system to another, and could bypass authentication mechanisms or network restrictions, potentially rendering the entire landscape vulnerable.
Pivoting through SAP Systems explains current methods used by attackers to move, or “pivot”, between SAP systems, and how these techniques are used in order to expand an initial compromise to the entire SAP landscape.
IT Harvest 2015 Video Interview Series. San Francisco, CA.
Implementing proper security controls for a BusinessObjects implementation is a complex process. There are a number of moving parts, complicated Access Controls, and many client access points. For those tasked with auditing an implementation it can be difficult to know where to begin.
In this white paper we discuss the BusinessObjects architecture landscape, common security practices, and target areas for an attacker, and make recommendations that, if not already implemented, will increase the security posture of your BusinessObjects deployment.
In all SAP implementations there are many reasons why organizations would need to make changes and updates on a regular basis: from changes to legislation and compliance mandates to business growth, process evolution and security modifications. The Transport Management System (TMS) is the backbone for applying these changes to our SAP Systems.
Each of the systems within a landscape is defined to play a role in the TMS transport strategy: DEV, QA and PRD are some of the roles. If the TMS is not properly secured and managed, incorrect or unauthorized changes could be implemented in the productive systems running our day-to-day critical processes.
This issue explains the main components and capabilities of the TMS. This information will help organizations increase the protection of their SAP platform against cyber-attacks by gaining visibility of the risks and details of how to secure TMS.
By design, the SAP Solution Manager is connected to all SAP systems (e.g. ERP, CRM, BI, etc.), making it a critical component of any SAP implementation: if successfully exploited by an attacker, all the satellite SAP environments, and therefore their business information, could be completely compromised.
Despite its relevance, common IT security practices have traditionally overlooked this component, resulting in many insecure implementations. This issue presents key security concepts in Solution Manager, introduces an in-depth analysis of critical cyber-threats affecting it and outlines a list of mitigation techniques and countermeasures to protect SAP Solution Manager implementations.
By understanding and leveraging this information, SAP and Information Security professionals can increase the overall security level of their company’s SAP platform, better protecting their organization’s business-critical information.
While the comment “SAP platforms are only accessible internally” was true in many organizations more than a decade ago, today, driven by modern business requirements for interconnectivity, SAP systems are very often connected to the Internet. This scenario dramatically increases the universe of possible attackers, as malicious attackers can remotely try to compromise the organization’s SAP platform.
SAP provides different Web technologies, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS), which may be prone to specific security risks.
This issue analyzes possible attack vectors to SAP Web components and the mitigation measures that need to be taken in order to prevent them. This information will enable organizations to better protect their business-critical infrastructure against cyber-attacks performed over Web scenarios.