Why do SAP Security guides always provide so little help?
Let us speak, for the first time, only about defense – about the different SAP Security guides that can help you secure your SAP system. Nothing to worry about, though – this article will still be useful and interesting, even if it contains no information about 0-days and no words like “cyber” or “weapon” in the title.
This blog post is about the new SAP Security guide for securing SAP implementations (or testing their security), which is going to be the first standard of the EAS-SEC standard series. There were 2 things that pushed us into developing this SAP Security guide and gave our project a second birth. We had thought about making some kind of guideline from the very beginning, and we finally made it once we had a clear idea of how it should be done and what customers really needed.
Yet another SAP Security guide?
And the reason we decided to make this…
… is as easy as ABC.
One. Questions like “why?” and “what for?” are the Alpha and Omega of every research project. For us, as sometimes happens, the answer came from another question. After implementing our Security Monitoring Suite for SAP in huge enterprises, making dozens of PoCs and completing numerous penetration tests of SAP systems (as well as other business-critical systems), the question we were asked more often than any other was: “Guys, you are awesome! And you are doing a great job so far, finding so many issues in our installations. It’s absolutely fantastic, but we don’t know where to start solving them. Could you provide us with the top 10/20/50/100/ [put your favorite number here] most critical bugs in each area?”
Two. At the same time, we had to do something completely different from a plain top-10 list of critical bugs, such as the one you get by selecting the missing SAP Security Notes with the highest CVSS scores. Even if you patch all of those notes, lots of issues could still remain. For example, you may have SAP_ALL assigned to every user, or have your logs disabled, so that the next time you forget to apply SAP Security Notes, your system would be easy to compromise because the approach was not comprehensive. So challenge number one is to understand all security areas of the SAP platform and, for every area, to be able to select a number of the most critical issues. The first aim of our research was to cover all SAP security areas while staying simple to implement.
Three. We started to analyze the existing SAP Security guides and standards. Currently, there are few that cover SAP security, and all of them are supported by the ERPScan product. The SAP Security guides we have are the following: Secure Configuration of SAP NetWeaver® Application Server Using ABAP by SAP, ISACA Assurance (ITAF) by ISACA, and DSAG by the German SAP User Group. These standards are great; unfortunately, however, each of them has at least one big disadvantage. Let’s be patient and take a closer look at each of them:
Secure Configuration of SAP NetWeaver® Application Server Using ABAP
It is the first official SAP Security guide for the technical security of NetWeaver ABAP in general. Before it, there were only dozens of specific SAP guides, one for each application. The first version was published in 2010, followed by version 1.2 in 2012. That was almost 2 years ago, so we have to bear in mind that, in our fast-changing world, some critical things may be missing from it by now. This guideline was created for rapid assessment of the most common technical misconfigurations in the platform; it consists of 9 areas and 82 checks in total.
Advantages: it is very brief (only 9 pages) but quite informative; it covers application platform issues and is applicable to every ABAP-based system, whether ERP, Solution Manager or HR.
Disadvantages: 82 checks is still a lot for a first brief look at secure configuration. Most importantly, the standard doesn’t cover access control or logging, and it even misses some things in platform security. Finally, it gives people a false sense of security once they have covered all the checks, although the system wouldn’t actually be completely secure.
ISACA Assurance (ITAF)
It is probably the first guide for SAP Security. The guideline was made by the ISACA consortium. Three versions were published: in 2002, 2006 and finally 2009. That means 5 years have passed since the last release, and many areas are outdated now. In general, the checks cover configuration and access control; the application platform security part is thinner than the access control part and misses critical areas. The guideline consists of 4 parts and about 160 checks in total.
Advantages: detailed coverage of access control checks.
Disadvantages: it is outdated. The technical part is missing. The guideline consists of too many checks and can’t easily be used by a non-SAP specialist. In addition, it can’t be applied to a system without prior understanding of its business processes. Finally, this guideline is officially available only as part of a book, or you have to be at least an ISACA member to get it.
DSAG (Deutschsprachige SAP-Anwendergruppe)
It is a set of recommendations from the German-speaking SAP User Group. The checks cover all security areas, from technical configuration and source code to access control and management procedures. Nowadays, it is the biggest guideline on SAP Security. The last version was released in Jan 2013. It consists of 8 areas and 200+ checks.
Advantages: it is perfect as a final step in securing SAP. It is a great SAP Security guide for administrators and covers almost all possible areas.
Disadvantages: unfortunately, it shares the same one as ISACA. It is too big for a novice and does not help “security people” who are not familiar with SAP. Moreover, it can’t be directly applied to every system without prior understanding of the business processes. Many checks are recommendations rather than requirements, and the user has to decide whether each one applies in their particular case.
What goes around comes around
We didn’t want to make just another security guideline. Indeed, we saw that all of the current approaches miss something – on the one hand they are big, and on the other hand they still don’t cover all the checks, while pretending to do so.
Thus, we understood that there is a real need for a new SAP Security guide. Fortunately, now we knew what we should do to make it not just good, but perfect.
The authors’ aim was to make this list as brief as possible while still covering the most critical threats in each area. This is the main objective of the guide: unlike the best practices from SAP, ISACA and DSAG, our intention was not to create another list of issues with no explanation of why a particular issue was (or was not) included, but to prepare a document that can easily be used not only by SAP security experts but by every security specialist who just wants to check whether their SAP system is secure. At the same time, the guideline should provide comprehensive coverage of all critical areas of SAP Security.
Developing the most complete guide possible would be a never-ending story: at the time of writing, we had more than 7000 checks of security configuration settings for the SAP platform.
We need a guideline that consists of a few carefully selected checks and, most importantly, describes further steps, so that everybody knows that by implementing the standard they have done only part of the job: the really critical part, but not everything. In other words, we are talking about the 80/20 rule, and we are going to apply it to SAP Security.
EAS-SEC – a new SAP Security guide
It is the result of more than 7 years of experience in the security assessment of different enterprise business applications from different vendors (including SAP, Oracle, Microsoft and IBM), taking into account various industry-specific systems (e.g. Retalix for Retail, MES/SCADA systems for Oil and Gas, and ABS systems in Banking). Our broadly experienced pentest and research team, known for submitting 450+ advisories on different products and participating in 50+ events on every continent, collected information about critical vulnerabilities and misconfigurations to understand the most critical areas. Our auditors, who in previous jobs were responsible for certifications such as ISO, PCI DSS, PA-DSS, SOX and NIST, analyzed those business applications from a compliance and risk point of view. In the end, we arrived at 9 critical areas that are essential for the security of every enterprise business application, sorted by priority (based on a mix of criticality, probability, popularity, and the data needed to conduct an attack).
After that, we picked the most critical vulnerabilities and misconfigurations of SAP NetWeaver ABAP-based applications from each of those 9 areas and got the 33 most critical checks.
These are the major checks that must be implemented first; they can be applied to any system regardless of its type, settings and custom parameters. It is also important that these checks are equally applicable to production, testing and development systems.
In addition to the major all-purpose checks, each of the 9 critical areas contains a subsection called “Further steps”. This subsection gives the main guidelines and instructions on what should be done second and third, and then on how to securely configure each particular item. These recommendations are not always mandatory and sometimes depend on the specific SAP solution.
With this approach, the authors were able, on the one hand, to highlight key security parameters for a quick assessment of any SAP solution based on the NetWeaver ABAP platform (from ERP to Solution Manager or an Industry Solution) and, on the other hand, to cover all potential problems and give complete recommendations.
In terms of quality, this distinguishes the present guide both from the SAP best practices, which also contain few items but do not cover the overall picture, and from the ISACA and DSAG best practices, which have a lot of items but whose priorities are unclear and too complicated for beginners. Those papers are nevertheless highly valuable and absolutely necessary as next steps, and they are referenced in the “Further steps” subsections.
And finally, you are ready to use the guideline itself, made with the help of the vast experience of the ERPScan research team. Read, learn, stay secure!