The Onapsis Research Labs recently attended the Troopers Conference in Heidelberg, Germany, not only one of the best cybersecurity events in Europe, but also a conference that for years has helped raise awareness of securing business-critical applications by hosting a dedicated track for SAP security.
It was a busy and active week at the conference, which included our researchers Nahuel Sanchez and Pablo Artuso delivering our “SAP Security In-Depth Training” early in the week. Onapsis has been attending Troopers for years, but personally it was my first time there, so I would like to share five phrases I heard throughout the conference and my thoughts on them. Here we go...
1. “Offensive security should guide defensive security.”
This idea was mentioned by Rodrigo Branco, Chief Security Researcher at Intel, during his keynote presentation. It was a great opening for the event, in which this experienced Brazilian researcher compared the career path of a researcher with that of an InfoSec professional - one who finds and reports vulnerabilities vs. one who is responsible for fixing and mitigating them.
What is the view of a researcher who has decided to pursue an offensive security career? They usually underestimate how difficult it is to mitigate vulnerabilities: not just to patch an individual reported proof of concept, but to improve the security of a whole system or application. And how is that different for InfoSec professionals on the defensive side? They usually underestimate how important it is to understand and work with offensive experts.
As noted in Branco’s talk, the best way to maintain a strong defensive security strategy is to drive it with an offensive one. This is a big part of what we do at Onapsis. Since our foundation, our research team has reported over 600 bugs in SAP and Oracle products, helping these vendors improve product security and better protect their customers. From an InfoSec perspective, the vendors recognize the importance of getting ahead of bugs by going out and finding them before attackers do. It is a shared effort that in the end benefits everybody.
2. “CVSS can obscure impact.”
I can’t take credit for this one - it was part of Onapsis researchers Nahuel Sanchez and Pablo Artuso’s presentation, “Dark Clouds Ahead: Attacking a Cloud Foundry Implementation,” in which they talked about several bugs they found in SAP HANA XSA. What led to this conclusion was a live demonstration in which several bugs were chained in a single attack: individually, some of them had been rated with relatively low scores (such as CVSS v3 5.3/10, a Medium rating), but chained together they produced consequences comparable to a single bug rated CVSS 10/10. CVSS is useful for understanding the severity of an individual vulnerability, but it cannot be used on its own to assess the risk of a system: that requires a deeper understanding of the system, an assessment that considers all of its vulnerabilities together (and how they can be combined), and an additional layer of context about the business value of that particular system.
3. “The CISO should have the final responsibility for SAP security.”
Troopers also hosted a discussion panel with BIZEC, a non-profit alliance that focuses on security defects in SAP business applications. Several of our team members took part, including myself as moderator, and Frederick Weidemann from Virtual Forge (recently acquired by Onapsis), Martin Gallo and Joerg Schneider-Simon as panelists, discussing the “Past, Present and Future of SAP Security.”
At the beginning of the discussion we talked about the state of SAP security as it was ten years ago. At that time, nobody was completely sure who should take care of SAP cybersecurity: the SAP Security Team, which until then had mostly focused on roles and segregation of duties, or the InfoSec Team, which until then was not fully aware of ERP security as a topic. All three panelists agreed that, ten years later, this is still an issue in some organizations. SAP Security Teams sometimes lack cybersecurity knowledge and, vice versa, InfoSec Teams sometimes lack a specific understanding of SAP. After almost an hour of discussion, I asked the panelists one final question to close the debate: although both teams should be part of the solution, who has the final responsibility for SAP security? The answer was unanimous: the CISO. Since the CISO is the main party responsible for information security, we agreed that there could be no other owner.
4. “A hacker without ethics is a wild beast loosed upon this world.”
Nobody said this, to be honest. And it wasn’t my idea. But there’s a famous quote from Albert Camus that says, “a man without ethics is a wild beast loosed upon this world.” This quote came to my mind during two hours of ethics discussion at Troopers, a perfect topic, in my mind, for a cybersecurity conference. Enno Rey, the main organizer of the conference, delivered a talk titled “Introduction to Practical Ethics for Security Practitioners,” an interesting overview of several practical situations in which he and his team, as professionals (and as a company), needed to make an ethical decision. At what point can a forensic project be confused with spying on an employee? Would you develop a proof-of-concept exploit that a customer claims will be used only internally? These and other scenarios were explained and then discussed further in a panel with Rey, accompanied by Bigezy, Dror-John Roecher and Rodrigo Branco.
One of the panelists said something that I loved. Any time you need to make an ethical decision, the 10-80-10 rule applies: ethical guidance is needed for the situations in which roughly 10% of people would clearly behave unethically, 10% would clearly behave ethically, and the remaining 80% would be unsure what to do. When the line is not clear, you need an ethics committee, Rey proposed. Cybersecurity is all about ethics and I love that this was highlighted during the conference.
5. “If it works, hack it.”
This is part of our Onapsis Manifesto. If it works, hack it. We are always trying to find new ways to do things that help our community, our customers and our employees. Innovation is key. This is a big part of what we do, and it is always good to see two days of talks on so many different topics…that share the same spirit.
Troopers 19 was a great conference - and international as well! As Enno Rey mentioned during the conference opening, there were speakers from 25 countries and attendees from 40! Cybersecurity is a global effort that we’re glad to be a part of.
Thanks to everybody that came to our training and talks and to the Troopers staff for inviting us. We hope to see you at next year’s conference!