The SAP NetWeaver ABAP Platform Vulnerability Assessment Guide

The Enterprise Resource Planning (ERP) systems such as the SAP allow to add some positive quality changes to information processing within an organization. However, while the ERP applications may solve some principal problems, they also may incur new associated risks. That is why the security is the most important aspect on the enterprise application and ERP system implementation.

“The Enterprise Application System Implementation Assessment Guide” describes 9 most known business application security issues relating to implementation and operation (the Top 9 implementation issues). This top issues list was prepared by the authors during vulnerability assessments of multiple business applications; this list may be applied to any of them. These issues are weighty factors for many emerging threats and related attacks. Prevention of these issues means getting ready to prevent numerous attacks targeted at business application security.

This document contains a detailed analysis of the most widespread business application platform – the SAP NetWeaver ABAP. During this analysis 33 key settings were identified and distributed between 9 issues mentioned above (the Top 9 Implementation issues). This guide shows how to protect against the most widespread vulnerabilities in this area as well as provide further steps on securing all 9 areas

The 33 steps to securely configure SAP NetWeaver ABAP platform, that were distributed among 9 issues mentioned above.

The authors’ efforts were to make this list as brief as possible but also to cover the most critical threats for each issue. This approach is the main objective of this Guide: as despite best practices by the SAP, ISACA and DSAG, our intention was not to create just another list of issues with no explanation on why a particular issue was (not) included in the final list, but to prepare a document that may be easily used not only by SAP security experts. Report should also provide comprehensive coverage of all critical areas of SAP Security.

At the same time, the development of the most complete guide would be a never-ending story as at the time of writing there were more than 7000 checks of security configuration settings for the SAP platform as such, without those of specific role-based access and in-house applications. As a result, each of the 9 issues includes major checks that must be implemented first and can be applied to any system regardless of its settings and custom parameters. It also important that these checks are equally applicable both to production systems and those of testing and development.

In addition to major all-purpose checks, each item contains a subsection called “Further steps”. This subsection gives major guidelines and instructions on what should be done in the second and third place, and then how to further securely configure each particular item. The recommended guidelines are not always mandatory and sometimes depend on a specific SAP solution. On the one hand, with this approach, the authors were able to highlight key security parameters for a quick assessment of any SAP solution (from the ERP to the Solution Manager or Industry Solution) based on the NetWeaver ABAP platform and, on the other hand, to cover all issues and give complete recommendations on them.

Full text of the report could be found here