Layer Seven Security

Organisations are not effectively addressing IT security and compliance risks according to accounting professionals

The results of the 2013 Top Technology Initiatives Survey revealed that securing IT environments against cyber attack and managing IT risks and compliance are rated as two of the three greatest challenges in technology by accounting professionals in North America. The survey was performed jointly by the AICPA and CPA, the largest accounting organisations in the United States and Canada. The survey sampled approximately 2000 members from the public accounting, business and industry, consulting, government and not-for-profit sectors. Members of both the AICPA and CPA placed securing the IT environment as the second highest priority for organisations in the area of information technology. Managing IT risks and compliance was ranked third by AICPA members and fourth by CPA members.

U.S. respondents expressed average confidence levels of just 51 percent in organisational initiatives designed to manage IT security and 47 percent in initiatives designed to manage IT risks and compliance. Confidence levels have fallen drastically in 2013 due to the wave of recent well-publicized data breaches. In 2012, U.S. confidence levels for securing IT environments and managing IT risk and compliance were 62 and 65 percent, respectively. However, according to the Chair of the AICPA’s Information Management and Technology Assurance (IMTA) Division, “The decline in confidence levels may mean professionals are making more knowledgeable assessments of the ability of organizations to achieve technology goals. This more realistic assessment indicates that the goals may be more challenging than originally thought, and that organizations must have the focus, commitment and drive to achieve them.”

Layer Seven Security assists organisations worldwide in identifying and removing vulnerabilities that expose SAP systems to cyber attack and impair their ability to comply with the requirements of IT control frameworks. To learn how we can help your organisation manage SAP risks and stay compliant, contact Layer Seven Security.

Introducing the ABAP Test Cockpit: A New Level of ABAP Quality Assurance

The ABAP Test Cockpit (ATC) is SAP’s new framework for Quality Assurance. It performs static and unit tests for custom ABAP programs and introduces Quality-Gates (Q-Gates) for transport requests.

ATC was unveiled at last year’s SAP TechEd. The entire session including a live demo can be viewed below. Following a successful pilot, it was released for NetWeaver 7.0 SP12 and NetWeaver AS ABAP 7.03 SP05 in September and October 2012, respectively. General guidelines for configuring and running ATC are available at the SAP Community Network for both developers and quality managers.

ATC integrates directly with the ABAP Workbench and is accessible through SE80, SE24, SE38, SE11 and other Workbench tools. The existing iteration of the tool focuses almost exclusively on performance checks for exceptions such as runtime errors. However, SAP has revealed plans to deliver a new Security Scan Solution (SLIN_SEC) as an add-on for the Extended Program Check (SLIN) in ATC. This will enable security vulnerability checks for custom code. The introduction of the Security Scan Solution should improve the general security of ABAP programs and lower the risk of code-level vulnerabilities in ABAP systems including insufficient authority checks and code injections arising from uncontrolled input. You can learn more about the solution at session SIS261 scheduled on October 24 during this year’s SAP TechEd.

The alternative to the SAP Security Scan Solution is Virtual Forge CodeProfiler. CodeProfiler also integrates with ATC and performs a patented static code analysis for any type of ABAP program. CodeProfiler provides comprehensive performance and quality testing and is SAP-certified for integration with SAP NetWeaver.

The Brand-New ABAP Test Cockpit – A New Level of ABAP Quality Assurance

A Dangerous Flaw in the SAP User Information System (SUIM)

Customers who have yet to implement Security Note 1844202, released by SAP on June 10, should do so immediately. The Note deals with a vulnerability that could be exploited to bypass monitoring controls designed to detect users with privileged access, including the SAP_ALL profile. This profile can be used to grant users almost all authorizations in SAP systems. The vulnerability arises from a flaw in the code of the RSUSR002 report, accessible through the SAP User Information System (SUIM) or transaction SA38. RSUSR002 is a standard built-in tool used by security administrators and auditors to analyse user authorizations. A side-effect of Note 694250 was the insertion of the following line into the code of RSUSR002:

DELETE userlist WHERE bname = “”

As a result of the insertion, users assigned the name “” are excluded from the search results generated by RSUSR002. This could lead to a scenario in which users are assigned SAP_ALL or equivalent authorizations without detection through regular monitoring protocols. However, the user “” would remain visible in UST04 and other user tables. The implementation of Note 1844202 will close the vulnerability in RSUSR002. Customers can also prevent the assignment of the username “” using customizing lists. For detailed instructions, refer to Note 1731549.
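To make the effect of the inserted DELETE concrete, the following added example (not code from this post or from SAP) simulates the RSUSR002 filter in Python over a constructed UST04-style user table and shows the reconciliation check a security administrator can run against the user tables, which the flaw does not touch. The excluded user name is a labelled placeholder, since the real value is not reproduced here; the table rows, the function names and the profile values other than SAP_ALL are constructed.

```python
"""Simulation of the RSUSR002 side-effect described above, plus a
reconciliation check against the user tables. Added example, not SAP code.

EXCLUDED_NAME is a placeholder standing in for the user name that the
inserted "DELETE userlist WHERE bname = ..." statement removes; the rows
below are a constructed imitation of UST04 (user-to-profile assignments)."""

from typing import Dict, List, Set

EXCLUDED_NAME = "PLACEHOLDER_BNAME"  # placeholder, not the real excluded value

# Constructed sample of UST04-style rows: user name and assigned profile.
UST04_ROWS: List[Dict[str, str]] = [
    {"bname": "ADMIN01", "profile": "SAP_ALL"},
    {"bname": "AUDIT01", "profile": "S_A.SYSTEM"},
    {"bname": EXCLUDED_NAME, "profile": "SAP_ALL"},
    {"bname": "DEV02", "profile": "S_DEVELOP"},
]


def rsusr002_vulnerable(rows: List[Dict[str, str]], profile: str) -> List[str]:
    """Mimics the report after Note 694250: builds the user list for a
    profile, then silently drops the excluded name (the flawed DELETE)."""
    userlist = [r["bname"] for r in rows if r["profile"] == profile]
    # Equivalent of: DELETE userlist WHERE bname = EXCLUDED_NAME.
    return [u for u in userlist if u != EXCLUDED_NAME]


def rsusr002_fixed(rows: List[Dict[str, str]], profile: str) -> List[str]:
    """Behaviour after Note 1844202: no user name is dropped from the output."""
    return [r["bname"] for r in rows if r["profile"] == profile]


def profile_holders_from_tables(rows: List[Dict[str, str]], profile: str) -> Set[str]:
    """Direct read of the user tables, which are unaffected by the flaw."""
    return {r["bname"] for r in rows if r["profile"] == profile}


def reconcile(report_users: List[str], rows: List[Dict[str, str]], profile: str) -> Set[str]:
    """Compensating control: any holder of the profile in the tables that is
    absent from the report output is a gap that needs investigation."""
    return profile_holders_from_tables(rows, profile) - set(report_users)


if __name__ == "__main__":
    report = rsusr002_vulnerable(UST04_ROWS, "SAP_ALL")
    print("SAP_ALL users per vulnerable report:", report)
    print("SAP_ALL holders missing from report:", reconcile(report, UST04_ROWS, "SAP_ALL"))
```

Until the Note is applied, running the reconciliation against UST04 (or the equivalent user tables) is the practical way to confirm that the report output is complete.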