Figure: SE38 / change management / ABAP code and the resulting business process risks: completeness, correctness, segregation of duties, privileges, traceability, data protection.
(Wrong) Focus on Transactions (only)
It's the ABAP commands, not the transactions, that are dangerous.
Figure: the same risky ABAP statement (here INSERT REPORT) written in SE80 or SE38 is reachable through every object that wraps it: transaction ZTRANS1, function module ZFB1, transaction ZTRANS2, function module ZFB2, report ZREP, Business Server Page ZBSP and Web Dynpro application ZWD. Each of these paths carries the risk, so checking transaction codes alone misses it.
Entering Your SAP System
Figure: entry points into the ABAP system: direct user interfaces; indirect access from external systems, Java applications (Java EE/Portal web applications behind a firewall, WebDynpro Java, PI, web services) via RFC; files; the database.
Resulting Risks
Unauthorized execution of business logic
Loss of accountability
Identity theft
General project challenges
Goals of the project / implementation team:
Project budget and go-live date
Delivered product must work at point in time of hand-over
Satisfy the direct customers (e.g. new site)
Minimize coordination effort wherever possible
(with the customer as well as internally within the team or with suppliers)
Minimize regression tests
Scope reductions (the classic "not part of our job" / contract discussions)
Minor knowledge
Works with copy & paste and uses public information, programs, tools, etc. to attack or damage computer systems
Random targets
Highly skilled
SM49 / SM69: ABAP OS call mapped to OS command
ABAP OS Command      OS Program
LIST ('LIST')        ls ('ls')
PING                 ping
X_PYTHON             x_python
2010 Virtual Forge GmbH. All rights reserved.
Screenshot: scan result for report ASSET, finding "Authority checks without check of return code", status Failed (other reports OK).
Part of this solution is the check of transports during release (if a finding is reported, the release is stopped).
Kernel and operating system calls
Repository and ABAP Command Injection
Native SQL
SY-UNAME / SY-SYSID / SY-MANDT used in IF / CASE / CHECK conditions (user-, system- or client-specific code paths)
Cross-client SQL
Missing generic XSS prevention in Business Server Pages
Direct updates to critical tables
Missing evidence of authority checks
Consistency and rules check for security roles
Roadmap
Your Turn: Questions?
Markus Seibel
GM IT Business Services
Adam Opel AG | IPC 15-03 | 65423 Ruesselsheim
markus.seibel@de.opel.com
Further information