  • 1.
    Assessing and Measuring Security in Custom SAP Applications
    Sebastian Schinzel, IT-Security Consultant, Virtual Forge GmbH
  • 2.
    Agenda
    - Common Security Vulnerabilities
    - Threat Modelling
    - Measuring security
    - How can I improve my security performance?
    - Hands-on Threat Modelling
  • 3.
    Common Security Vulnerabilities
    News example: http://www.zdnet.com.au/news/security/soa/XSS-flaw-makes-PM-say-I-want-to-suck-your-blood-/0,130061744,339282682,00.htm
  • 4.
    Common Security Vulnerabilities
    Cross Site Scripting (XSS): “most serious web application vulnerability” according to the OWASP Top 10
    Learn about XSS at http://virtualforge.de/vmovie.php or meet me at the Virtual Forge booth
  • 5.
    Common Security Vulnerabilities
    News example: http://www.theage.com.au/news/tv--radio/porn-privacy-glitches-hit-big-bro/2007/04/23/1177180548617.html
  • 6.
    Common Security Vulnerabilities
    Vulnerabilities in the handling of user session IDs
    - Small pool of available session IDs
    - Pool got exhausted with many concurrent users
    - Users were falsely logged in as another, already logged-in user
    - Small pool of session IDs = predictable session IDs
    - Easy to find and exploit for an attacker
    - Attack easy to automate
    - Probability of getting caught is low
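Added example (Python, not from the deck): why a small session ID pool produces both the mix-up on this slide and predictable IDs. It computes the birthday-bound probability that two concurrent sessions are handed the same ID, the expected number of random guesses before one matches a live session, and contrasts a sequential 4-digit ID with one drawn from the OS CSPRNG. The pool sizes and user counts are constructed values.

```python
import math
import secrets

# Constructed values (not from the deck): a 4-digit counter gives a pool of
# 10,000 IDs; a 16-byte random token gives a pool of 2**128.
SMALL_POOL_SIZE = 10_000
SECURE_ID_BYTES = 16


def collision_probability(pool_size: int, concurrent_users: int) -> float:
    """Probability that at least two of `concurrent_users` sessions share an ID
    when IDs are drawn uniformly from `pool_size` values (birthday bound).
    A shared ID is exactly the 'logged in as another user' failure."""
    if concurrent_users > pool_size:
        return 1.0  # pigeonhole: the pool is exhausted
    # P(no collision) = prod_{i<k} (1 - i/n); summed in log space for accuracy
    log_no_collision = sum(math.log1p(-i / pool_size)
                           for i in range(concurrent_users))
    return 1.0 - math.exp(log_no_collision)


def expected_guesses_to_hit_live_session(pool_size: int, live_sessions: int) -> float:
    """Mean number of random IDs tried before one matches a live session:
    the attacker cost the slide describes as 'easy to find and exploit'."""
    return pool_size / live_sessions


def sequential_session_id(counter: int) -> str:
    """Predictable ID of the kind a small pool implies: anyone who sees one
    ID can enumerate its neighbours."""
    return f"{counter % SMALL_POOL_SIZE:04d}"


def secure_session_id() -> str:
    """Unpredictable ID from the OS CSPRNG (pool size 2**128)."""
    return secrets.token_hex(SECURE_ID_BYTES)


if __name__ == "__main__":
    for users in (50, 200, 1_000):
        p = collision_probability(SMALL_POOL_SIZE, users)
        print(f"pool {SMALL_POOL_SIZE}, {users} users: P(collision) = {p:.3f}")
    print("secure pool, 100k users:",
          collision_probability(2 ** (SECURE_ID_BYTES * 8), 100_000))
```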
  • 7.
    Common Security Vulnerabilities
  • 8.
    Common Security Vulnerabilities
    Problem: SAP architectures are very complex.
    You had no security incidents because...
    - ... your application landscape is secure?
    - ... you regularly pray to god?
    - ... the hacker covered the tracks?
    - ... nobody bothered so far to look for vulnerabilities?
    How can you reasonably protect your business data?
  • 9.
    Agenda (next section: Threat Modelling): Common Security Vulnerabilities; Threat Modelling; Measuring security; How can I improve my security performance?; Hands-on Threat Modelling
  • 10.
    Threat Modelling
    Problem: Security experts and business people speak different languages.
    - Security expert: “XSS, XSRF, SQL-Injection, Input Validation, Output Encoding, Encryption, ...”
    - Business people: “Return on Investment, Industrial Espionage, Risk Management, Business Assets, ...”
    Threat Modelling creates a common language for security experts and business people.
  • 11.
    Threat Modelling
    How can you reasonably protect your business data?
    Cost-benefit analysis from the attacker's viewpoint: targets are interesting for an attacker if
        Cost of attack << Benefit of successful attack
    - Cost: probability of getting caught, skill needed for the attack, time needed for the attack
    - Benefit: repudiation, blackmail, industrial espionage
  • 12.
    Threat Modelling
    Determine the threats your applications face:
    - List the assets of your company
    - How are these assets processed by your applications? (→ Processes)
    - Who uses the applications to work with the company’s assets? (→ Actors)
  • 13.
    Threat Modelling
    Asset                                Process                                        Actors
    Employee data (e.g. SSN)             Online Recruiting                              HR Department
    Customer data (e.g. Credit Card Data) Online shop (order form, edit customer data)  Customers, shipping department
  • 14.
    Threat Modelling
    Example:
    - Asset: private data of customers (e.g. CC data)
    - Process: a registered user edits the private data in the web form
    - Threats:
      - A registered user views private data of other customers by tampering with the form’s request
      - A registered user edits private data of other customers
  • 15.
    Threat Modelling
    Add further information to the threats:
    - Business impact
    - Level of exposure
    - Affected users
    - Damage potential
    - Exploitability
  • 16.
    Agenda (next section: Measuring security): Common Security Vulnerabilities; Threat Modelling; Measuring security; How can I improve my security performance?; Hands-on Threat Modelling
  • 17.
    Measuring Security
    People thinking about security:
    - “Yes, others have issues, we read that in the news – but not here.”
    - “We haven’t been attacked so far.”
    - “We use a firewall and IDS.”
    - “This is a feature, not a defect!”
    - “This is the responsibility of the vendor.”
    Questions to ask back:
    - How do you know?
    - What is the impact?
    - Is that enough?
    - How can you tell?
    - How secure is your code?
  • 18.
    Measuring Security
    Another view on metrics ...
    - There is an 80% risk that a child hit by a car driving at 40 mph will be killed
    - There is an 80% chance that a child hit by a car driving at 30 mph would survive
    - People now drive slower as a result
    - Smoking ban reduces the likelihood of heart attacks
    ... That’s how security metrics should be: shaping behaviour and not just being interesting!
  • 19.
    Measuring Security
    Recall: secure code is the real line of defence.
    Metrics should change behaviour.
    Software security metrics should lead to secure software!
    Change the behaviour of customers, vendors, consultants, developers, ...
  • 20.
    Measuring Security
    Different levels of measurement
  • 21.
    Agenda (next section: How can I improve my security performance?): Common Security Vulnerabilities; Threat Modelling; Measuring security; How can I improve my security performance?; Hands-on Threat Modelling
  • 22.
    How Can I Improve My Security Performance
    Rank the entries in the threat model
    - Determine the most critical threats to your business assets
    - Determine threats that are easy to mitigate (easy wins)
    Perform a security assessment (external security experts)
    - Check the applications that are involved with critical threats
    - Find security vulnerabilities in those applications
    - Determine the root causes of the vulnerabilities (faulty input validation, faulty output encoding, faults in application design, misuse of frameworks and libraries)
    - Map the vulnerabilities found to threats in the threat model
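Added example (Python, not from the deck) that carries the threat model built above (assets, processes, actors, threats and the five attributes attached to each threat) through the ranking and mapping steps on this slide: each threat carries the five attributes as scores, assessment findings are mapped back onto the threat IDs they realise, and easy wins are the threats with low mitigation effort. The 1 to 3 scale, the summed risk score, the mitigation-effort field and threat T3 are assumptions; T1 and T2 are the deck's own example.

```python
from dataclasses import dataclass

# Attributes the deck attaches to each threat; assumption: each scored 1 (low)..3 (high).
ATTRIBUTES = ("business_impact", "level_of_exposure", "affected_users",
              "damage_potential", "exploitability")

@dataclass
class Threat:
    id: str
    asset: str
    description: str
    ratings: tuple          # one score per ATTRIBUTES entry, in that order
    mitigation_effort: int  # assumption: 1 = config change .. 3 = redesign

    def risk_score(self) -> int:
        return sum(self.ratings)  # 5..15, higher = more critical

@dataclass
class Vulnerability:
    id: str
    application: str
    root_cause: str         # e.g. faulty input validation, faulty output encoding
    threat_ids: list        # threats in the model that this finding realises

def rank_threats(threats):
    """Most critical threats first: the ranking step of the slide."""
    return sorted(threats, key=Threat.risk_score, reverse=True)

def easy_wins(threats, max_effort=1):
    """Threats that are cheap to mitigate, whatever their criticality."""
    return [t for t in threats if t.mitigation_effort <= max_effort]

def fix_order(vulns, threats):
    """Order assessment findings by the worst threat each one realises, so the
    technical result maps back onto the business-level threat model."""
    score = {t.id: t.risk_score() for t in threats}
    return sorted(vulns, key=lambda v: max(score[i] for i in v.threat_ids), reverse=True)

# Constructed instance of the deck's example (CC data edited in a web form) plus T3.
THREATS = [
    Threat("T1", "Customer CC data", "Registered user views other customers' data "
           "by tampering with the form request", (3, 3, 3, 3, 3), 2),
    Threat("T2", "Customer CC data", "Registered user edits other customers' data",
           (3, 3, 2, 3, 2), 2),
    Threat("T3", "Employee data (SSN)", "Applicant records exposed by a web server "
           "misconfiguration", (2, 1, 1, 2, 2), 1),
]
VULNS = [Vulnerability("V1", "Online shop", "faulty input validation", ["T1", "T2"]),
         Vulnerability("V2", "Online recruiting", "web server misconfiguration", ["T3"])]
```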
  • 23.
    How Can I Improve My Security Performance
    The aftermath:
    Rank the vulnerabilities that were found during the assessment
    - What are the most critical vulnerabilities?
    - Which vulnerabilities are easy to fix (quick wins)?
    Fix it!
    - Fix easy wins immediately
    - Create a plan for how to mitigate the most critical threats as soon as possible
    - Create a road map for Security Assurance
  • 24.
    How Can I Improve My Security Performance
    The aftermath: create a road map for Security Assurance
    - Train software architects in secure software application design
    - Train developers in security development guidelines and best practices
    - Include regular security assessments in your development lifecycle
    - Incorporate managed security services (e.g. regular scans of the web page for trivial security vulnerabilities)
  • 25.
    Agenda (next section: Hands-on Threat Modelling): Common Security Vulnerabilities; Threat Modelling; Measuring security; How can I improve my security performance?; Hands-on Threat Modelling
  • 26.
    Hands-on Threat Modelling
  • 27.
    Conclusion
    - Security incidents happen regularly
    - SAP application landscapes are very complex, thus difficult to build securely
    - Use Threat Modelling to find the risks to your assets
    - Measure security to improve security
    - Create a road map for security assurance
  • 28.
    3 Key Points to Take Home
    - “Complexity is the worst enemy of security” (Schneier)
    - Measure security to improve security
    - Security can only be successful when it is an ongoing process. One-time efforts are not effective.
  • 29.
    QUESTIONS?
    Sebastian Schinzel [email_address]

Editor's Notes

  • #3 How attackers bring home the bacon A method to find, analyse, and document threats to your business assets Measure the security of your applications
  • #6 - Normal users were falsely logged on as different users
  • #8 SAP architectures very complex --> People cannot grasp the architecture; different opinions about how the architecture works among developers --> Many forgotten legacy systems --> A lot of glue code to make legacy systems work with newer components --> A lot of customisations with zero documentation; authors have long moved on; no in-depth knowledge; the system just works --> no need to know the system as long as it runs
  • #10 How attackers bring home the bacon A method to find, analyse, and document threats to your business assets Measure the security of your applications
  • #16 Result?
  • #17 How attackers bring home the bacon A method to find, analyse, and document threats to your business assets Measure the security of your applications
  • #22 How attackers bring home the bacon A method to find, analyse, and document threats to your business assets Measure the security of your applications
  • #24 Easy to fix: mitigation by changing web server configuration
  • #25 Easy to fix: mitigation by changing web server configuration
  • #26 How attackers bring home the bacon A method to find, analyse, and document threats to your business assets Measure the security of your applications
  • #30 Meet me at the virtual forge booth