SAP Security Notes July 2013

Welcome to our August 2013 SAP Security Newsletter. This is our second Newsletter this year and feedback has been great.

In July 2013, SAP released 34 security related OSS notes. Below the statistics:

  • 8 Notes are not rated with a CVSS code
  • 16 Notes are rated with a CVSS code between 3.5 to 5.0
  • 10 Notes are rated with a CVSS code of 6, none above

SAP Security Notes 07-2013

Below a few highlights from the July 2013 Security Notes. Keep up the good job and make sure your SAP systems are safe!

1823687 BC-SEC-LGN Potential information disclosure relating to user existence

Information such as the existence of users can be discovered using a failed logon attempt. Solution: Configure the ABAP server to reply all logon attempts which fail due to invalid or not validated credentials with an error message not disclosing any details regarding the failure reason. This information may be used by an attacker to further target system access by password logon.

1870605 BC-DB-HDB Privilege escalation in SAP HANA

The vulnerability is caused by a security problem in the program’s source code. An attacker who has specific information can log on to the system with high system privileges without having been assigned legitimate access by the system administrator(s).

1798286 SCM-BAS-EHS Potential modif./disclosure of persisted data in SCM

The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to retrieve additional data from the database, or to modify this data.

Revisiting old SAP Security notes!

Please read our blog about one of our most visited posts to prevent users to make changes to tables, such as master & transaction tables with SE16N! Have you implemented SAP Notes 1420281, 1473881 and 1446530 to mention a few? We have seen that a number of clients still have not implemented all notes, especially the one that allows to change/view data across clients with UASE16N! If you think your HR data is save by having the data on its own client, think again!

Edit SAP tables: Your SAP Security Admin’s nightmare: &sap_edit

SAP Security Notes June 2013

Welcome to our first SAP Security Advisory Post. Depending on feedback, we will outline all SAP Security notes issued by SAP each following month and make these available to you. As you know, each SAP Security with vulnerabilities is generally rated with a Common Vulnerability Scoring System (CVSS V 2.0) code. The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. SAP is adopting CVSS version 2.0.

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user’s environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.

We will issue tips & tricks and additional Vulnerability issues in future Newsletters as well as what your organization can do to be prepared and informed about potential risks to your SAP infrastructure. Below the outline of all SAP Security notes issued in June 2013: Continue reading SAP Security Notes June 2013

Ensuring the Security and Quality of Custom SAP Applications

How safe is your business?

In order to better serve specific business requirements,  SAP standard solutions are often enhanced with custom applications. In many industries, the proportion of proprietary developments in SAP systems averages more than twenty five percent, provided either by  internal IT specialists or third-party companies.

Whether SAP applications are at the heart of your business or it is your business to develop SAP add-on applications, you need to both ensure that business critical processes and sensitive data remain safe, and reduce the risk of security breaches or data loss whilst meeting compliance rules and standards.

Download the brochure: Ensuring the Security  and Quality of Custom SAP Applications

Download the entire whitepaper or contact us for more information:
[email-download download_id=”11″ contact_form_id=”143″]

SAP Security – Why Segregation of Duties is not Enough

Segregation of duties (SoD), as a security principle, is designed primarily to prevent fraud and errors. This objective is achieved by disseminating tasks and associated privileges for a specifc business process among multiple users. A common example of this principle is requiring two signatures to validate a cheque.

For several years, the Auditing and IT Security industries have considered that the deployment of SoD controls was enough to enforcethe security of SAP systems. Therefore, today when many professionals refer to the term “SAP Security”, they are only discussing the processes of creating and managing the SAP roles and profles which are assigned to an organization’s users to restrict their activities over the business information.

While this kind of controls is of absolute importance to the overall security of the SAP landscape, there are many other threats that are overlooked and involve much higher levels of risk: the security vulnerabilities in the technological components that build up SAP platforms (business runtime).

Examples of these components include: SAP Web Application Servers, SAP J2EE Engines, SAP Enterprise Portals, SAP XI/PI, SAP BI, SAP ITS, SAP Web Dispatchers, SAProuters, RFC interfaces and other technical services such as the SAP Gateways and SAP Message Servers.

According to a study conducted by the CERT Coordination Center at Carnegie Mellon University, 99% of intrusions result from two factors: exploitation of known vulnerabilities (for which there are patches or corrective countermeasures) and confguration errors.

While SAP rapidly reacts to newly discovered security weaknesses through patches and provides security guidelines to confgure systems securely, still many organizations face a tough time keeping all of their business-critical platforms protected against these threats.

Download the entire whitepaper or contact us for more information:
[email-download download_id=”10″ contact_form_id=”143″]

Onapsis Success Story: Siemens

The Challenge
As part of its information security strategy, Siemens continuously performs security assessments and penetration tests of its IT assets. As a Senior Information Security Expert at the Computer Emergency Response Team (CERT) at Siemens, Robert Ingruber, was aware that the organization’s numerous SAP systems, which contain the organization’s most sensitive data, were not fully tested and assessed. While the operating systems and databases running the SAP platform were being evaluated with the rest of the IT infrastructure, the SAP application itself was mostly addressed at the top business-logic layer.

Download the entire whitepaper or contact us for more information:
[email-download download_id=”9″ contact_form_id=”143″]

Gulfmark Offshore: EPI-USE Labs success story

Tackling an SAP HCM Upgrade
Recently GulfMark upgraded their largest region to their Global HCM framework. The project was very high impact and extremely complex, affecting Payroll and Crew scheduling and necessitating an entire payroll transformation. The challenge was how to engage a team that was risk averse and complete the project on time.

Other considerations included the impact of the project on the entire HCM business community. Change Control and an aggressive timeframe were handled with no failure on day-to-day business impact.  After examining a number of options, GulfMark found the EPI USE Labs’ solutions would provide the functionality and completeness they needed. For the copying of HCM data they used Object Sync™ for HR from the Data Sync Manager product suite, and for the parallel testing phase they used Variance Monitor™.
The main obstacle was the amount of time and planning it took to refresh non-production instances. Several weeks of planning and many days of execution were needed prior to the project to refresh the systems. (“It used to be a very tedious process” said Sandeep Pulavarty, the SAP Development Manager.)

All development scenarios were created manually, which naturally took many hours to complete for each scenario. This affected the ability to troubleshoot production problems.

Download the entire whitepaper or contact us for more information:
[email-download download_id=”8″ contact_form_id=”143″]

Note 736410: Objects mapped to SAP Application Components

I have been asked many times if I could tell what functional area a transaction, program, table etc. belong to. Each time I did a short onsite or online demo for clients I work as a virtual consultant and created a short documentation. Now, that I have setup a blog, I thought it would be a good idea to document this here so that I can just reference it via a hyperlink.

To look up the application area of an object, use transaction SE11 and enter the object you want to look up. (If you want to do this for a transaction, follow a similar procedure with transaction SE93, for ABAPs use SE38 and so on.

Now, let’s us focus on SE11 and how to find what application area a specific table has been assigned to, in this example table MARC. Click the ‘display’ button and select the ‘Attributes’ Tab:


By double-clicking the package from the attributes screen, you will be taken to the Package Builder screen where the Application Component is visible:


On the package builder screen, you can see to what Application Component the Package belongs to and also what Software Component the package belongs to.


You can follow the very same procedures for Reports, Function Modules, Transactions etc.

Another example for transaction ob08 via SE93:


The package SFIB is mapped technically to application component BC-SRV-BSF-CUR:


You can whip up a query or ABAP to get this information neatly listed in a report:


You can purchase the ABAP Query that lists the application component of objects for US$ 75.00 – 100% with 30 days money back guarantee!

[paiddownloads id=”2″]

Note: 742767: e-Mail Notification for User Expiration

You have setup a procedure where contractors / temporary workers are limited to x number of days to make sure that these users won’t be active for ever. The downside of this procedure is, that someone needs to keep track on these user-ID’s before they expire so that access can be extended ahead of time to make sure users are not impacted.

Best case scenario would be that the access to SAP is in synch with the network ID and communication is setup so that everyone is informed in a timely manner about the upcoming expiration.

However, in many instances this is not the case.

We have setup a InfoSet query and procedure that will send an e-mail with a list of users expiring in x days in PDF format to helpdesk or SAP Security team so that necessary action can be taken to extend or terminate the user-ID. Please note, that this procedure could also be used to generate a list of users that have last logged on 90 days ago.

In order to follow this procedure, you need to have an adequate query or report and setup a printer device as PDF printer with capability to e-mail the output to a specific e-mail address.

Setup a variant that captures the expiration date (or last logon date) for a given time period:

a) User-ID expiring in x days

b) user logged on last time 90 days ago

Once you have setup a (transportable) report variant, you can schedule a background job that runs on a daily basis. Make sure you define the output device as PDF printer and for ease of use, add a title that will show up in the subject line of the e-mail you generate.

Once the report has been scheduled, the support team or helpdesk will get an e-mail with the list of users to be taken care of.

The attached PDF file will contain all the users that will expire (or have not logged on), depending on the purpose of your background job:

If you want to purchase the code (ABAP Query)  that contains additional fields, such as Single Sign-On information and more you can purchase it now for only US$ 75.00 with 100% 30 days Money Back Guarantee!

[paiddownloads id=”1″]

Security Compliance Suite

We would like to introduce to you a new GRC Suite that may be of interest to you:

The Security Compliance Suite is an SAP-centric application used to manage system compliance, provision temporary authorization for system support, and to manage permanent authorization change requests. The solution includes best practices SOD rule set. It can be initially configured in your system for evaluation purposes in less than 90 minutes.

Continue reading Security Compliance Suite