Layer Seven Security Blog

Stay up to date on the latest trends in SAP security, new threats and information on protecting your critical systems against an attack

Introducing the ABAP Test Cockpit: A New Level of ABAP Quality Assurance

The ABAP Test Cockpit (ATC) is SAP’s new framework for Quality Assurance. It performs static and unit tests for custom ABAP programs and introduces Quality-Gates (Q-Gates) for transport requests. ATC was unveiled at last year’s SAP TechEd. The entire session including a live demo can be viewed below. Following a successful pilot, it was released …

A Dangerous Flaw in the SAP User Information System (SUIM)

Customers that have yet to implement Security Note 1844202 released by SAP on June 10 should do so immediately. The Note deals with a vulnerability that could be exploited to bypass monitoring controls designed to detect users with privileged access, including the SAP_ALL profile. This profile can be used to provide users with almost all …

Lloyds 2013 Risk Index: Cyber Risk Rated as the Third Most Significant Risk by Board Executives

The recent wave of sophisticated and targeted data breaches has led global business leaders to recognize cyber risk as one of the most significant threats faced by corporations today. According to the Lloyds 2013 Risk Index released this week, “Cyber security now sits squarely towards the top of the agenda for boards around the world”. …

Exploring the SAP DIAG Protocol

One of the most memorable events at last year’s BruCON in Belgium was Martin Gallo’s exposé of the SAP DIAG protocol. The session can be viewed in its entirety below. DIAG (Dynamic Information and Action Gateway) is a proprietary protocol supporting client-server communication and links the presentation (SAP GUI) and application (NetWeaver) layer in SAP …

Securing Your SAP Systems: How to Counter Every Current and Emerging Threat

One of the highlights of the Sapphire conference earlier this month was the insightful session on SAP security delivered by Gordon Muehl, Senior Vice President of Product Security at SAP. A recording of the session can be viewed below. The session highlighted the threat presented to Internet-enabled SAP systems by external agents and stressed the …

Verizon Data Breach Investigations Report (DBIR) 2013: ‘This isn’t a threat you can afford to ignore’

The breadth and depth of the 2013 Verizon Data Breach Investigations Report (DBIR) is unprecedented. Released this Monday, the report brings together the investigations performed by nineteen law enforcement agencies, research institutions and private security firms that combat data breaches, including the European Cybercrime Centre (EC3), the U.S. Secret Service and the Department of Homeland Security. …

International Corporate Espionage: Annual Cost of Intellectual Property Theft Estimated at $250 Billion for U.S. Economy

According to NSA Director General Keith Alexander, cyber-espionage has led to “the greatest transfer of wealth in history.” This is supported by not only a recent report by Symantec, which places the cost of intellectual property theft in the United States at $250 billion a year, but a prominent report on cyber-espionage released by Mandiant …

Lessons from the Top Ten Data Breaches of 2012: Defense-in-Depth for SAP Systems

According to the Privacy Rights Clearinghouse (PRC), there were 680 reported data breaches in 2012 covering all forms of commercial, governmental, educational, medical and non-profit organizations. The breaches are estimated to have compromised over 27M data records. The most significant breach occurred at VeriSign. Although the extent of the breach has never been disclosed …

The Final Frontier: The Challenges in Developing Secure Custom ABAP Programs

In November, SAP released an unusually high number of Security Notes to patch various forms of injection vulnerabilities in its software. The trend continued in December with the release of several patches for code injection flaws in the Computer Center Management System (BC-CCM), Project System (PS-IS), Transport Organizer (BC-CTS-ORG) and work processes in Application Servers …

Security Researchers Expose a Dangerous Authentication Bypass in Oracle Databases

More than two-thirds of mid to large SAP customers in every industry run their SAP applications with Oracle databases. Oracle’s success is driven by compatibility and performance. Oracle 11.2 is certified for use with Unix, Linux and Windows-based SAP environments and provides features such as self-tuning, sophisticated partitioning and advanced data compression that give Oracle …

Cybersecurity Disclosures: A Three Step Strategy for Compliance with the New SEC Guidance

Against a background of growing investor concern and pressure from legislators, the Securities and Exchange Commission (SEC) is leading the drive for more open and timely disclosure of cybersecurity risks and incidents from public companies. Earlier this year, it challenged Amazon’s decision not to disclose the financial impact of the theft of customer data held …

Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

The third installment of Layer Seven Security’s SAP Audit Guide was released today and can be downloaded at http://layersevensecurity.com/SAP_audit_guides.html. The series has proven to be a popular resource for audit and security professionals with over 10,000 downloads to date. The latest Guide focuses upon expenditure-related controls in areas such as vendor master data, purchasing, invoice processing and …

SOAP Opera: Securing SAP Web Services

The best run businesses may run SAP, but very few run it exclusively. Most SAP systems operate in a complex, heterogeneous environment with information and processes spread across multiple systems, including legacy applications. For SAP, this has always been a barrier to the rapid deployment of its software. Traditional solutions such as IDocs, BAPIs and other …

FTC Takes Action against Wyndham Worldwide after Data Breach

Until recently, the fallout from the data breach at Wyndham Worldwide, owner of Ramada, Travelodge and a host of other hotel brands, followed an all too familiar path. Immediately after news of the breach reached customers in 2010, the company followed regular protocols by issuing an apology and committing itself to improving security procedures in …

White Hats, Black Hats and Skiddies: The Class System in Information Security

There are few terms more widely misunderstood in the world of information security than the word ‘hacking’. Although it’s used in a variety of contexts, it’s most commonly used to refer to all types of cyber crime including everything from fraud and industrial espionage to identity theft and spamming. If you take this view, cyber …

The Top 5 Security Notes you should apply to Patch your SAP systems

April was another bumper month for SAP Security Notes. In all, SAP issued 33 patches, of which 5 were considered critical. Top of the list were Notes 1647225 and 1675432 which address missing authorization checks in components of Business Objects Data Services (EIM-DS) and the SAP Classification System (CA-CL). EIM-DS is SAP’s flagship solution for …

The Four Myths of ERP Security

There are several myths in ERP security. One of the most common is that security is largely a matter of controlling access and segregation of duties. Another is that business applications are accessible only within internal networks. Yet another is that such applications are not a target for attack. All three are based on a …

A Ten Step Guide to Implementing SAP’s New Security Recommendations

On January 16, SAP issued a revamped version of the whitepaper Secure Configuration of SAP NetWeaver Application Server using ABAP, which is rapidly becoming the de facto standard for securing the technical components of SAP. According to SAP, the guidance provided in the whitepaper is intended to help customers protect ABAP systems against unauthorized access within …

SAP had reservations with Deloitte’s blueprint for Marin County

After recently losing Beneficial Mutual as an audit client, Deloitte suffered another major setback last week. While a U.S. District Court Judge dismissed racketeering and other claims against the firm made by Marin County as a result of what the Californian authority considered a botched implementation of SAP for Public Sector, the court declared that …