Layer Seven Security Blog

Stay up to date on the latest trends in SAP security, new threats and information on protecting your critical systems against an attack

Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

Posted on
The third installment of Layer Seven Security’s SAP Audit Guide was released today and can be downloaded at http://layersevensecurity.com/SAP_audit_guides.html. The series has proven to be a popular resource for audit and security professionals with over 10,000 downloads to date. The latest Guide focuses upon expenditure-related controls in areas such as vendor master data, purchasing, invoice processing and …
Read Article Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

SOAP Opera: Securing SAP Web Services

Posted on
The best run businesses may run SAP but very few run it exclusively. Most SAP systems operate in a complex, heterogeneous environment with information and processes spread across multiple systems including legacy applications. For SAP, this has always been a barrier to the rapid deployment of its software. Traditional solutions such IDocs, BAPIs and other …
Read Article SOAP Opera: Securing SAP Web Services

FTC Takes Action against Wyndham Worldwide after Data Breach

Posted on
Until recently, the fallout from the data breach at Wyndham Worldwide, owner of Ramada, Travelodge and a host of other hotel brands, followed an all too familiar path. Immediately after news of the breach reached customers in 2010, the company followed regular protocols by issuing an apology and committing itself to improving security procedures in …
Read Article FTC Takes Action against Wyndham Worldwide after Data Breach

White Hats, Black Hats and Skiddies: The Class System in Information Security

Posted on
There are few terms more widely misunderstood in the world of information security than the word ‘hacking’. Although it’s used in a variety of contexts, it’s most commonly used to refer to all types of cyber crime including everything from fraud and industrial espionage to identity theft and spamming. If you take this view, cyber …
Read Article White Hats, Black Hats and Skiddies: The Class System in Information Security

The Top 5 Security Notes you should apply to Patch your SAP systems

Posted on
April was another bumper month for SAP Security Notes. In all, SAP issued 33 patches, of which 5 were considered critical. Top of the list were Notes 1647225 and 1675432 which address missing authorization checks in components of Business Objects Data Services (EIM-DS) and the SAP Classification System (CA-CL). EIM-DS is SAP’s flagship solution for …
Read Article The Top 5 Security Notes you should apply to Patch your SAP systems

The Four Myths of ERP Security

Posted on
There are several myths in ERP security. One of the most common is that security is largely a matter of controlling access and segregation of duties. Another is that business applications are accessible only within internal networks. Yet another is that such applications are not a target for attack. All three are based on a …
Read Article The Four Myths of ERP Security

A Ten Step Guide to Implementing SAP’s New Security Recommendations

Posted on
On January 16, SAP issued a revamped version of the whitepaper Secure Configuration of SAP Netweaver Application Server using ABAP, which is rapidly becoming the de-facto standard for securing the technical components of SAP. According to SAP, the guidance provided in the whitepaper is intended to help customers protect ABAP systems against unauthorized access within …
Read Article A Ten Step Guide to Implementing SAP’s New Security Recommendations

SAP had reservations with Deloitte’s blueprint for Marin County

Posted on
After recently losing Beneficial Mutual as an audit client, Deloitte suffered another major setback last week. While a U.S District Court Judge dismissed racketeering and other claims against the firm made by Marin County as a result of what the Californian authority considered a botched implementation of SAP for Public Sector, the court declared that …
Read Article SAP had reservations with Deloitte’s blueprint for Marin County

Why you should immediately patch the recent DoS Vulnerability in AIX

Posted on
IBM released an advisory in February for a Denial of Service (DoS) vulnerability in AIX versions 5.3, 6.1, and 7.1. The warning seems to have flown under the radar since so far, many companies running the effected AIX OS platforms for their SAP environments have yet to deploy the patch. The vulnerability relates to a …
Read Article Why you should immediately patch the recent DoS Vulnerability in AIX

MasterCard confirms it will enforce the PCI DSS compliance deadline for Level 2 merchants

Posted on
As you probably recall, MasterCard issued a directive in 2009 that required all Level 2 merchants to comply with the PCI DSS through either a Self-Assessment Questionnaire (SAQ) prepared by a certified Internal Security Assessor or an assessment performed by a Qualified Security Assessor by June 30, 2010. Following an uproar from merchants, this was …
Read Article MasterCard confirms it will enforce the PCI DSS compliance deadline for Level 2 merchants

Netweaver Single Sign-On: Is it Worth the Risk?

Posted on
SAP’s acquisition of SECUDE in 2011 is finally bearing fruit. Recently, SAP announced the launch of Netweaver Single Sign-On 1.0 which can be downloaded from the Service Marketplace. This is the latest addition to SAP’s identity and access management portfolio and is based on SECUDE’s Secure Login and Enterprise SSO solutions. It uses protocols such …
Read Article Netweaver Single Sign-On: Is it Worth the Risk?

SAP patches a session hijacking vulnerability in the Netweaver Portal

Posted on
Imagine a system that provides a single, unified interface to all your SAP applications for not only everyone in your company but customers and suppliers. Imagine also that this system is web-based and uses single-sign-on. Congratulations, you’ve just envisioned the Netweaver Portal, the cornerstone of SAP’s strategy to integrate business information and processes and the …
Read Article SAP patches a session hijacking vulnerability in the Netweaver Portal

A Guide to Rootkits and Trojans in ABAP Programs

Posted on
If you missed Ertunga Arsal’s presentation on SAP Rootkits and Trojans at the 27th Chaos Communication Congress, you can now watch the entire hour-long session below. Ertunga is an accomplished SAP security expert and an entertaining speaker if you appreciate dry, German humour. In this video, Ertunga demonstrates how attackers can use several paths to …
Read Article A Guide to Rootkits and Trojans in ABAP Programs

The Hidden Danger of GRC

Posted on
Does anyone remember the world before GRC? I know it seems like decades ago but the fact is solutions such as SAP GRC are a relatively new phenomenon. Until recently, most of us were working with SU01 and SUIM. While such tools have undoubtedly made life easier for administrators and auditors alike, there’s a hidden …
Read Article The Hidden Danger of GRC

The SAP Security Blog

Posted on
Welcome! This blog is designed to help you stay in touch with the latest trends and developments in SAP security. Feel free to join the discussion by leaving comments and stay updated by subscribing to the RSS feed. To subscribe by email, click the RSS icon in the top right hand corner of the page, …
Read Article The SAP Security Blog