Thank You!

We have received your message. We will contact within 1-2 business days to schedule the demonstration.

Here are some recently published articles speaking to securing your SAP systems.

Lessons from the Top Ten Data Breaches of 2012: Defense-in-Depth for SAP Systems

Posted on
According to the Privacy Rights Clearinghouse (PRC), there were 680 reported data breaches in 2012 covering all forms of commercial, governmental, educational, medical and non-profit organizations. The breaches are estimated to have compromised over 27M data records.   The most significant breach occurred at VeriSign. Although the extent of the breach has never been disclosed …
Read Article Lessons from the Top Ten Data Breaches of 2012: Defense-in-Depth for SAP Systems

The Final Frontier: The Challenges in Developing Secure Custom ABAP Programs

Posted on
In November, SAP released an unusually high number of Security Notes to patch various forms of injection vulnerabilities in it’s software. The trend continued in December with the release of several patches for code injection flaws in the Computer Center Management System (BC-CCM), Project System (PS-IS),  Transport Organizer (BC-CTS-ORG) and work processes in Application Servers …
Read Article The Final Frontier: The Challenges in Developing Secure Custom ABAP Programs

Security Researchers Expose a Dangerous Authentication Bypass in Oracle Databases

Posted on
More than two-thirds of mid to large SAP customers in every industry run their SAP applications with Oracle databases. Oracle’s success is driven by compatibility and performance. Oracle 11.2 is certified for use with Unix, Linux and Windows-based SAP environments and provides features such as self-tuning, sophisticated partitioning and advanced data compression that give Oracle …
Read Article Security Researchers Expose a Dangerous Authentication Bypass in Oracle Databases

Cybersecurity Disclosures: A Three Step Strategy for Compliance with the New SEC Guidance

Posted on
Against a background of growing investor concern and pressure from legislators, the Securities and Exchange Commission (SEC) is leading the drive for more open and timely disclosure of cybersecurity risks and incidents from public companies. Earlier this year, it challenged Amazon’s decision not to disclose the financial impact of the theft of customer data held …
Read Article Cybersecurity Disclosures: A Three Step Strategy for Compliance with the New SEC Guidance

Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

Posted on
The third installment of Layer Seven Security’s SAP Audit Guide was released today and can be downloaded at http://layersevensecurity.com/SAP_audit_guides.html. The series has proven to be a popular resource for audit and security professionals with over 10,000 downloads to date. The latest Guide focuses upon expenditure-related controls in areas such as vendor master data, purchasing, invoice processing and …
Read Article Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

SOAP Opera: Securing SAP Web Services

Posted on
The best run businesses may run SAP but very few run it exclusively. Most SAP systems operate in a complex, heterogeneous environment with information and processes spread across multiple systems including legacy applications. For SAP, this has always been a barrier to the rapid deployment of its software. Traditional solutions such IDocs, BAPIs and other …
Read Article SOAP Opera: Securing SAP Web Services

FTC Takes Action against Wyndham Worldwide after Data Breach

Posted on
Until recently, the fallout from the data breach at Wyndham Worldwide, owner of Ramada, Travelodge and a host of other hotel brands, followed an all too familiar path. Immediately after news of the breach reached customers in 2010, the company followed regular protocols by issuing an apology and committing itself to improving security procedures in …
Read Article FTC Takes Action against Wyndham Worldwide after Data Breach

White Hats, Black Hats and Skiddies: The Class System in Information Security

Posted on
There are few terms more widely misunderstood in the world of information security than the word ‘hacking’. Although it’s used in a variety of contexts, it’s most commonly used to refer to all types of cyber crime including everything from fraud and industrial espionage to identity theft and spamming. If you take this view, cyber …
Read Article White Hats, Black Hats and Skiddies: The Class System in Information Security

The Top 5 Security Notes you should apply to Patch your SAP systems

Posted on
April was another bumper month for SAP Security Notes. In all, SAP issued 33 patches, of which 5 were considered critical. Top of the list were Notes 1647225 and 1675432 which address missing authorization checks in components of Business Objects Data Services (EIM-DS) and the SAP Classification System (CA-CL). EIM-DS is SAP’s flagship solution for …
Read Article The Top 5 Security Notes you should apply to Patch your SAP systems

The Four Myths of ERP Security

Posted on
There are several myths in ERP security. One of the most common is that security is largely a matter of controlling access and segregation of duties. Another is that business applications are accessible only within internal networks. Yet another is that such applications are not a target for attack. All three are based on a …
Read Article The Four Myths of ERP Security

A Ten Step Guide to Implementing SAP’s New Security Recommendations

Posted on
On January 16, SAP issued a revamped version of the whitepaper Secure Configuration of SAP Netweaver Application Server using ABAP, which is rapidly becoming the de-facto standard for securing the technical components of SAP. According to SAP, the guidance provided in the whitepaper is intended to help customers protect ABAP systems against unauthorized access within …
Read Article A Ten Step Guide to Implementing SAP’s New Security Recommendations

SAP had reservations with Deloitte’s blueprint for Marin County

Posted on
After recently losing Beneficial Mutual as an audit client, Deloitte suffered another major setback last week. While a U.S District Court Judge dismissed racketeering and other claims against the firm made by Marin County as a result of what the Californian authority considered a botched implementation of SAP for Public Sector, the court declared that …
Read Article SAP had reservations with Deloitte’s blueprint for Marin County

Why you should immediately patch the recent DoS Vulnerability in AIX

Posted on
IBM released an advisory in February for a Denial of Service (DoS) vulnerability in AIX versions 5.3, 6.1, and 7.1. The warning seems to have flown under the radar since so far, many companies running the effected AIX OS platforms for their SAP environments have yet to deploy the patch. The vulnerability relates to a …
Read Article Why you should immediately patch the recent DoS Vulnerability in AIX

MasterCard confirms it will enforce the PCI DSS compliance deadline for Level 2 merchants

Posted on
As you probably recall, MasterCard issued a directive in 2009 that required all Level 2 merchants to comply with the PCI DSS through either a Self-Assessment Questionnaire (SAQ) prepared by a certified Internal Security Assessor or an assessment performed by a Qualified Security Assessor by June 30, 2010. Following an uproar from merchants, this was …
Read Article MasterCard confirms it will enforce the PCI DSS compliance deadline for Level 2 merchants

Netweaver Single Sign-On: Is it Worth the Risk?

Posted on
SAP’s acquisition of SECUDE in 2011 is finally bearing fruit. Recently, SAP announced the launch of Netweaver Single Sign-On 1.0 which can be downloaded from the Service Marketplace. This is the latest addition to SAP’s identity and access management portfolio and is based on SECUDE’s Secure Login and Enterprise SSO solutions. It uses protocols such …
Read Article Netweaver Single Sign-On: Is it Worth the Risk?

SAP patches a session hijacking vulnerability in the Netweaver Portal

Posted on
Imagine a system that provides a single, unified interface to all your SAP applications for not only everyone in your company but customers and suppliers. Imagine also that this system is web-based and uses single-sign-on. Congratulations, you’ve just envisioned the Netweaver Portal, the cornerstone of SAP’s strategy to integrate business information and processes and the …
Read Article SAP patches a session hijacking vulnerability in the Netweaver Portal

A Guide to Rootkits and Trojans in ABAP Programs

Posted on
If you missed Ertunga Arsal’s presentation on SAP Rootkits and Trojans at the 27th Chaos Communication Congress, you can now watch the entire hour-long session below. Ertunga is an accomplished SAP security expert and an entertaining speaker if you appreciate dry, German humour. In this video, Ertunga demonstrates how attackers can use several paths to …
Read Article A Guide to Rootkits and Trojans in ABAP Programs

The Hidden Danger of GRC

Posted on
Does anyone remember the world before GRC? I know it seems like decades ago but the fact is solutions such as SAP GRC are a relatively new phenomenon. Until recently, most of us were working with SU01 and SUIM. While such tools have undoubtedly made life easier for administrators and auditors alike, there’s a hidden …
Read Article The Hidden Danger of GRC