SAP Security

2016 State of Business application security

In the wake of several high-profile incidents involving business applications over the outgoing year, there is an increasing focus on business software security. In this blog post, we have gathered the milestones of this topic for 2016.

The list of critical incidents and significant statistics is endless, but we decided to focus on 5 major facts:

1. The first-ever US-CERT alert on SAP Vulnerability;
2. Potential attacks against critical infrastructure via vulnerabilities in business applications;
3. The number of SAP Vulnerabilities identified per year is high;
4. SAP threat landscape has grown;
5. Oracle MICROS hack compromises data of 330,000 customer sites around the world.

0-day SAP vulnerability published, here’s what you can do

Information about a 0-day SAP vulnerability was published on LinkedIn on October 28, 2016. A researcher disclosed details of a vulnerability in an SAP system that he had identified and described as a 0-day. As it turns out, the vulnerability had already been patched by SAP on September 13 in SAP Note 2344524, so technically it is not a 0-day vulnerability but, so to speak, a 0-day disclosure of the vulnerability's details. However, because implementing a patch takes time, most SAP users may still be susceptible to attacks exploiting this issue.

Perfect SAP Penetration testing. Part 1: Threat Modeling

A penetration test is the practice of attacking an IT infrastructure to evaluate its security and determine whether malicious actions are possible. Although it is a typical task, the nature and methodology of a penetration test depend largely on the scope, the aims, the specifics of the client company, and many other factors.

The ERPScan team once conducted a penetration test at a large manufacturing organization. The task was neither ordinary nor easy, because the number of systems in scope was huge and little time was allotted. That is why it was absolutely necessary to perform Threat Modeling before diving into the process of hacking. Here we describe this case study in detail. This series of articles is intended to explain what SAP Penetration testing is.

The first step of every successful penetration test is Threat Modeling. At this stage, a cybersecurity professional gains an understanding of the business processes of a typical manufacturing company and identifies the most critical assets and the associated risks. The gathered information helps the penetration tester decide what to focus on.