SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.
Recently, I published a post on the SAP Security Gap. This post discussed the present disconnect between security professionals and business executives on the vulnerability of their SAP systems. With SAP Cyber-Security continuing to be a topic of concern making mainstream headlines, it is critical that organizations begin to think about this notion in more detail if they wish to truly secure their enterprise applications such as SAP or Oracle.
It feels like déjà vu all over again!
Back in the early 2000s, I was involved in the widely publicized EMC Business Continuity survey, which indicated a very large disparity between IT and business executives regarding the vulnerability of their business-critical data. Fast forward to today and I'm seeing a very similar scenario play out again. But this time, it has to do with the vulnerability of an organization's business-critical SAP systems.
Hi! In this post I want to summarize for you another little-known behavior of the SAP Gateway: its ability to act as a proxy. Basically, when we want to perform an RFC connection, two parameters are specified: the IP of the gateway and the IP of the application server. But wait... isn't the gateway always located on the same host as the application server? Yes, usually... but there are some specific cases where you need to use these parameters with different values.
SAP has its own specific Java virtual machine implementation called SAP JVM, which according to SAP documentation "...is derived from Sun's HotSpot VM and JDK implementation ... the SAP JVM is only targeting server-side applications. Certain features related to client environments are intentionally omitted or are not supported for general use."
Last week a new vulnerability was reported, affecting the GNU C library (glibc). This vulnerability affects a wide range of Linux distributions, among which are some supported by SAP products as stated in SAP Note 171356.
It's important to understand that even though this vulnerability does not directly affect any SAP application, it affects a lower layer, the operating system, so any application running on it could potentially call the vulnerable function.
Last week we were doing some tests on the HANA XS engine trying to understand how an attacker could bypass the XSS filter provided by the ICM.
There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk." He indicates:
Over the last few weeks, Adrian Lane, CTO & Analyst from Securosis, a leading cyber-security analyst firm, published two blog posts from his ongoing series called “Building an Enterprise Application Security Program.” In his current posts, Adrian describes how key business applications running on SAP and Oracle have security and compliance gaps that are not covered by traditional security measures.
I'm pleased to announce that today we've launched a new product, a redesign of our website and, ultimately, a new brand. This is a very exciting day for Onapsis!
After having great success with the Onapsis X1 product, we worked closely with our customers and partners over the last several years to produce this next-generation platform.