SAP Vulnerability

Perfect SAP Penetration testing. Part 1: Threat Modeling

A penetration test is the practice of attacking an IT infrastructure to evaluate its security and determine whether malicious actions are possible. Although it is a typical task, the nature and methodology of a penetration test depend largely on the scope, the aims, the specifics of the client company, and many other factors.

The ERPScan team once conducted a penetration test in a large manufacturing organization. The task was neither ordinary nor easy, because the number of systems in scope was huge and little time was allotted. That is why it was absolutely necessary to perform Threat Modelling before diving into the process of hacking. Here we describe this case study in detail. This series of articles is intended to explain what SAP Penetration testing is.

The first step of every successful penetration test is Threat Modelling. At this stage, a cybersecurity professional gains an understanding of the business processes of a typical manufacturing company and identifies the most critical assets and associated risks. The gathered information helps a penetration tester decide what to focus on.

What is SAP Security?

What is SAP security? Funnily enough, we have been dealing with it for the last 10 years but have never tried to answer this question in a separate article before.

Introduction to MDM solutions and SAP Afaria

The bring your own device (BYOD) trend is changing the way IT is managed, delivered, and, most importantly, secured. BYOD encourages a company’s employees to work on the devices they prefer. So, modern organizations and enterprises may either supply their employees with multi-function mobile devices or allow staff to bring their own handhelds of different types. BYOD sometimes includes specific concepts like bring your own computer (BYOC), bring your own laptop (BYOL), bring your own apps (BYOA), and bring your own PC (BYOPC).

SAP Security Notes November 2015 – Review

SAP has released the monthly critical patch update for November 2015. This patch update closes 23 vulnerabilities in SAP products (15 Patch Day Security Notes and 8 Support Package Security Notes), 13 of which are high priority; some of them belong to the SAP HANA security area. The most common vulnerability is Code injection. This month, two critical vulnerabilities found by ERPScan researchers Alexander Polyakov and Mathieu Geli were closed.

SAP Afaria Security: Stored XSS vulnerability – detailed review

Today we will talk about SAP Afaria Security. We will show how SAP Afaria, an MDM solution from a world-famous software vendor, works and how cybercriminals can attack it in different ways using a Stored XSS vulnerability.

In a nutshell, MDM is a set of services that help an administrator of a large company control the mobile devices (smartphones, tablets, phablets and so on) of employees, thus establishing security measures for corporate data stored and processed on those devices. A special application called an MDM client is installed on a device and allows administrators to implement settings.

SAP Security Notes October 2015 – Review

SAP has released the monthly critical patch update for October 2015. This patch update closes 29 vulnerabilities in SAP products, 15 of which are high priority; some of them belong to the SAP HANA security area. The most common vulnerability is Missing Authorization Check (as it was in SAP Security Notes September 2015). This month, one critical vulnerability found by ERPScan researcher Mathieu Geli was closed. This vulnerability also affects SAP HANA security and has the highest CVSS score among all issues closed by the update.