2010 — the third year of ERPScan public work has come to an end. This year was quite complicated, but very productive. In 2010 multiple vulnerabilities were found, though the amount of vulnerabilities published is less than previously as the vendors have not yet introduced updates allowing their disclosure. Moreover, vulnerabilities have become more critical and diversified, while the scope of applications under research was broadened with banking software and new ERP systems.
Significant research expertise in several areas was accumulated within these three years, and what is important for goal setting and continuous advancement is that there have been worked out the core research area — thus we are going to proceed. The main research area is business-critical systems, applications and technologies, and among them we are making research under ERP systems, corporate DBMS, as well as banking and processing software. This year we have turned our attention to SCADA and technological system security as one of the current research areas, making a review of Stuxnet.
During the last year along with vulnerability research and their publication we were frequently invited to speak at international conferences.
The talks were given at 8 European and Asian information security conferences known worldwide:
- Troopers10 in Heidelberg, Germany — Some Notes on SAP Security
- CONFidence 2010 in Krakow, Poland — You can’t stop us: latest trends on exploit techniques
- Hack In The Box 2010 in Amsterdam, The Netherlands — Attacking SAP Users with Sapsploit and JIT-Spray Attacks and Advanced Shellcode
- Source Barcelona 2010 in Barcelona, Spain — ERP Security. Myths, Problems, Solutions
- Hack In The Box 2010 in Kuala-Lumpur, Malaysia — Attacking SAP users with sapsploit Extended
- DEEPSEC 2010 in Vienna, Austria — Attacking SAP Users with Sapsploit Extended 1.1
- CONFidence 2.0 2010 in Prague, Czech Republic — Stupid Mistakes. Architecture and Business Logic Vulnerabilities
Speaking at these conferences enabled us to share our new results of research work with international community, get to know many experts, and broaden the outlook regarding new methods and technologies.
The report and research work in 2010 was mostly dedicated to SAP security. Since September 2010 we started receiving official monthly acknowledgements (at http://sdn.sap.com) for the vulnerabilities found in security updates, keeping up the leadership in the quantity of the vulnerabilities found. Moreover, we launched free service that helps SAP users assess their awareness level and security level of the SAP GUI client software and new NetWeaver Business Client. The service at http://online.erpscan.com will be updated and completed with the latest vulnerabilities and new analyzed software.
What concerns business application security, in 2010 we started taking part in OWASP and now we are working under the OWASP_EAS project dedicated to enterprise business applications.
Facts of interest
- We support our blog and our plan for the next year is to add several columns, thus significantly extending its content
- All of us registered on Twitter to get instant access to current news and enhance its distribution;
- Our four experts are writing articles and several columns for the Hacker magazine
- Our page About and name are copied by young researchers from various countries
New year 2011 is starting for us on January 18, the day we will speak at the top-ranked information security conference — BlackHat DC 2011 held in Virginia, USA. We will talk about our research work within ERP security and demonstrate the difference in the approach towards the common pentest and the pentest aimed at critical business applications (security analysis) at the same time drawing examples of different vulnerabilities and misconfigurations in the architecture. In addition, we will keep on speaking at various conferences during the whole year. This year most of the projects have been implemented and considering the fact that the main efforts have turned to development of our ERPScan security scanner for SAP systems, this year has proved to be very fruitful.