The Final Frontier: The Challenges in Developing Secure Custom ABAP Programs
In November, SAP released an unusually high number of Security Notes to patch various forms of injection vulnerabilities in it’s software. The trend continued in December with the release of several patches for code injection flaws in the Computer Center Management System (BC-CCM), Project System (PS-IS), Transport Organizer (BC-CTS-ORG) and work processes in Application Servers […]
SAP Audit Guides for Inventory and Human Resources
Layer Seven Security has released the highly anticipated SAP Audit Guides for Inventory and Human Resources. Download your free copy at http://layersevensecurity.com/SAP_audit_guides.html
SAP Security Notes, August 2012
Missing authorization checks, hardcoded usernames and passwords, and vulnerabilities in credit card data stored in SAP Logistics. Download our latest guide to SAP Security Notes at http://layersevensecurity.com/SAP_security_advisories.html
Cybersecurity Disclosures: A Three Step Strategy for Compliance with the New SEC Guidance
Against a background of growing investor concern and pressure from legislators, the Securities and Exchange Commission (SEC) is leading the drive for more open and timely disclosure of cybersecurity risks and incidents from public companies. Earlier this year, it challenged Amazon’s decision not to disclose the financial impact of the theft of customer data held […]
SOAP Opera: Securing SAP Web Services
The best run businesses may run SAP but very few run it exclusively. Most SAP systems operate in a complex, heterogeneous environment with information and processes spread across multiple systems including legacy applications. For SAP, this has always been a barrier to the rapid deployment of its software. Traditional solutions such IDocs, BAPIs and other […]
The Four Myths of ERP Security
There are several myths in ERP security. One of the most common is that security is largely a matter of controlling access and segregation of duties. Another is that business applications are accessible only within internal networks. Yet another is that such applications are not a target for attack. All three are based on a […]
A Ten Step Guide to Implementing SAP’s New Security Recommendations
On January 16, SAP issued a revamped version of the whitepaper Secure Configuration of SAP Netweaver Application Server using ABAP, which is rapidly becoming the de-facto standard for securing the technical components of SAP. According to SAP, the guidance provided in the whitepaper is intended to help customers protect ABAP systems against unauthorized access within […]
Netweaver Single Sign-On: Is it Worth the Risk?
SAP’s acquisition of SECUDE in 2011 is finally bearing fruit. Recently, SAP announced the launch of Netweaver Single Sign-On 1.0 which can be downloaded from the Service Marketplace. This is the latest addition to SAP’s identity and access management portfolio and is based on SECUDE’s Secure Login and Enterprise SSO solutions. It uses protocols such […]
SAP patches a session hijacking vulnerability in the Netweaver Portal
Imagine a system that provides a single, unified interface to all your SAP applications for not only everyone in your company but customers and suppliers. Imagine also that this system is web-based and uses single-sign-on. Congratulations, you’ve just envisioned the Netweaver Portal, the cornerstone of SAP’s strategy to integrate business information and processes and the […]