5 Questions CISOs Should Ask About SAP Security

Over the last few weeks, Adrian Lane, CTO & Analyst from Securosis, a leading cyber-security analyst firm, published two blog posts from his ongoing series called “Building an Enterprise Application Security Program.” In his current posts, Adrian describes how key business applications running on SAP and Oracle have security and compliance gaps that are not covered by traditional security measures.

Logging IP addresses in the Security Audit Log

Hi! I was reviewing some events coming from the Security Audit Log and noticed an interesting behavior.

For those who never heard about it, the Security Audit Log (a.k.a SAL) allows SAP security administrators to keep track of the activities performed in their systems. In a future post we will discuss how to enable and configure it.

SAP Security Note 2067859 Potential Exposure to Digital Signature Spoofing

This week, SAP AG published a hot news item titled: "SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)", which alerts users about a potential vulnerability in certain cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof (i.e., successfully masquerade as a legitimate user) Digital Signatures produced in vulnerable systems.

SAP HANA post exploitation vectors

This week the Onapsis Research Labs released an advisory for a server-side code injection vulnerability in SAP HANA integrated IDE. For more information about the SAP Note that fixes this issue, please refer to the Onapsis Research Labs advisory. To define a reasonable exploitation scenario, we will assume the following conditions are met by our testing landscape:

Pages

Subscribe to our monthly newsletter, the Defender's Digest!