Implementing proper security controls for a BusinessObjects implementation is a complex process. There are a number of moving parts, complicated Access Controls, and many client access points. For those tasked with auditing an implementation it can be difficult to know where to begin.

In this white paper we discuss the BusinessObjects architecture landscape, discuss common security practices, target areas for an attacker, and make recommendations that, if not already implemented, will increase the security posture of your BusinessObjects deployment.

By design the SAP Solution Manager is connected to all SAP systems (i.e. ERP, CRM, BI, etc), making it a critical component of any SAP implementation: if successfully exploited by an attacker, all the satellite SAP environments, and therefore their business information, could be completely compromised.

Despite its relevance, common IT security practices have traditionally overlooked this component, resulting in many insecure implementations. This issue presents key security concepts in Solution Manager, introduces an in-depth analysis of critical cyber-threats affecting it and outlines a list of mitigation techniques and countermeasures to protect SAP Solution Manager implementations.

By understanding and leveraging this information, SAP and Information Security professionals can increase the overall security level of their company’s SAP platform, better protecting their organization’s business-critical information.

SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). In addition, customers can also deploy their own custom Java applications on these platforms.

In December 2010, SAP released an important white-paper describing how to protect against common attacks against these applications. Among the security concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality is subject to several threats to SAP platforms, such as the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber-attacks.

SAP has implemented several unique password hashing procedures in its history. While each new version has increased the security level of their hashing scheme, the requirements for backward compatibility, if not considered in the implementation phase, may provide an opportunity for attacks against users’ stored credentials. Through the exploitation of these weaknesses, malicious attackers would be able to escalate privileges over vulnerable systems and perform business processes while impersonating other users.

This SAP Security In-Depth volume details the evolution of these hashing mechanisms developed by SAP, analyzes the different risk levels of attacks targeting this sensitive information and provides practical mitigation processes to protect the company’s SAP platform.