Security Think beyond! Patrick Hildenbrand, SAP HANA Platform Extensions June 17, 2014


Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent. 2014 SAP (Schweiz) AG. All rights reserved. 2

Security: What is the problem realm? (slide 3 is a word cloud of the following topics)
Products and standards: SAP GRC Security Management; SAP NetWeaver Identity Management; SAP NetWeaver Single Sign-On; SAP ID Service; HANA; SSL/TLS; SNC; SCIM; Kerberos; LDAP; OpenID Connect; SIEM; Social identities; Digital Signature/e-Signature; Web Services Security; Read Access Logging
Topics and services: Mobile Security; Cloud Security; Data Privacy; Security, Logging, Monitoring; IT Security; Enterprise Threat Detection; Security Optimization Self Service; Vulnerability Analysis and Testing; Secure Programming; Secure Software Development Lifecycle; Security Services; Secure by Default
Business drivers: Lower cost; Budget restrictions; Raise Efficiency
Security goals: Confidentiality; Integrity; Authentication; Authorization; Non-repudiation

Source Code: The Source of the Risk

Business applications do have a history. Today's business applications are often: grown over the years; complex; built on changing requirements; created based on different development paradigms; optimized for performance; extended but not reinvented. And often security was only an afterthought.

Application Security Testing
DAST (find vulnerabilities in the running application): manual application penetration testing; automated application vulnerability scanning.
SAST (find vulnerabilities by analyzing the sources): manual source code review; automated source code analysis, e.g. the SAP NetWeaver Application Server add-on for code vulnerability analysis.
Finding security issues at design time is easier and less expensive!

SAP NetWeaver AS, add-on for code vulnerability analysis: Key trends and customer needs
The more applications using the ABAP programming language are exposed via interconnected systems and mobile and cloud-based applications, the more vulnerable they are to attacks. Proactively preventing security breaches by static source code analysis is a standard precaution for many application development environments and languages. It helps to save costs by discovering issues early in the development cycle and helps to estimate the risk of an application. The tools used to evaluate the code, however, need to be deeply integrated into the developers' toolset, easily consumable and highly usable, to foster acceptance by the development teams.

Does application security pay?
In a 2013 study by Kaspersky Labs, 85% of the companies interviewed reported internal IT security incidents, and software vulnerabilities were the single biggest cause. Source: http://www.firstbiz.com/biztech/software-vulnerabilities-create-internal-data-security-problems-for-39-cos-19237.html
In a 2013 security workforce study from (ISC)², application vulnerabilities were ranked highest in security concern by 69% of the respondents. Source: https://www.isc2cares.org/uploadedfiles/wwwisc2caresorg/content/2013-isc2-global-information-security-workforce-study.pdf
A 2010 white paper from the independent consulting firm Mainstay reports that software security programs not only enhance security, they can generate as much as $37M annually in economic benefits. Source: http://www.thedatachain.com/materials/mainstay_roi_study_2010.pdf

SAP NetWeaver AS, add-on for code vulnerability analysis: Product description
To break an application, only one flaw in any of its components, functions or the infrastructure may be enough. SAP NetWeaver AS, add-on for code vulnerability analysis helps you to identify potential weaknesses in your application early in the development process to avoid this risk.
Scan efficiently: reduced false-positive rate through dataflow analysis; scanning directly from within the ABAP development environment.
Developer guidance: detailed help and explanations for all errors; assistance in finding the right location for the fix; approval workflows for false positives included.
Integration: integrated into the standard ABAP check frameworks, the SAP transport system and the ABAP Test Cockpit (ATC).

SAP NetWeaver AS, add-on for code vulnerability analysis: Checks
Broad range of predefined checks: SQL injection; code injection; OS command injection; directory traversal; backdoors.
Prioritization of checks: by controlling the priority of every single check, you can take your own risk and security requirements into account.
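To make the dataflow argument of the product description concrete, here is a toy taint-tracking SQL-injection check, added as an illustration and not part of this presentation or of the add-on's own engine: a pattern-only scan flags every dynamic WHERE clause, whereas the dataflow version reports only sinks that untrusted input reaches without passing a sanitizer from a configurable set (the customer-defined sanitizations mentioned on the roadmap slide). The statement encoding, the variable names and the sanitizer name escape_quotes are assumptions made for this example.

```python
# Toy taint-tracking analysis, constructed for this page to show why dataflow
# analysis lowers the false-positive rate of a static SQL-injection check
# versus a pattern-only check. Not the add-on's engine; statement format and
# sanitizer names are assumptions. Statement: (op, target, read_vars[, func]).

SOURCE, SINK = "input", "sql"   # untrusted data enters / dynamic WHERE clause

def pattern_check(program):
    """Pattern-only check: flag every dynamic SQL statement."""
    return [i for i, stmt in enumerate(program) if stmt[0] == SINK]

def dataflow_check(program, sanitizers):
    """Flag a sink only if untrusted data reaches it without passing one of
    `sanitizers` (the configurable set of customer-defined sanitizations)."""
    tainted, findings = set(), []
    for i, stmt in enumerate(program):
        op, target, reads = stmt[0], stmt[1], stmt[2]
        reads_taint = any(v in tainted for v in reads)
        if op == SOURCE:
            tainted.add(target)
        elif op == "assign":                     # taint propagates through assignment
            (tainted.add if reads_taint else tainted.discard)(target)
        elif op == "sanitize":                   # taint is removed only by a known sanitizer
            known = stmt[3] in sanitizers
            (tainted.discard if known or not reads_taint else tainted.add)(target)
        elif op == SINK and reads_taint:
            findings.append((i, sorted(v for v in reads if v in tainted)))
    return findings

# Constructed sample: three dynamic WHERE clauses; only the first concatenates
# unsanitized screen input (the ABAP-like comments show the intended statement).
SAMPLE = [
    ("input", "lv_user", []),                              # PARAMETERS p_user
    ("assign", "lv_where1", ["lv_user"]),                  # lv_where1 = |NAME = '{ lv_user }'|
    ("sql", None, ["lv_where1"]),                          # SELECT ... WHERE (lv_where1)
    ("sanitize", "lv_safe", ["lv_user"], "escape_quotes"), # lv_safe = escape_quotes( lv_user )
    ("assign", "lv_where2", ["lv_safe"]),
    ("sql", None, ["lv_where2"]),
    ("assign", "lv_where3", ["gc_const"]),                 # built from a constant only
    ("sql", None, ["lv_where3"]),
]

if __name__ == "__main__":
    print(pattern_check(SAMPLE))                      # [2, 5, 7]
    print(dataflow_check(SAMPLE, {"escape_quotes"}))  # [(2, ['lv_where1'])]
    print(dataflow_check(SAMPLE, set()))              # [(2, ['lv_where1']), (5, ['lv_where2'])]
```

Running the dataflow check with an empty sanitizer set shows the other side of the trade-off: a sanitizer the engine does not know about turns a true negative into a false positive, which is why the set must be configurable.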

Summary

Summary: Code Vulnerability Analyzer
Developed by the team creating the ABAP language; tightly integrated into the standard testing infrastructure; already tested and in use by SAP internally for several years; successfully piloted by customers.
SAP NetWeaver AS, add-on for code vulnerability analysis is available as of: SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14; SAP NetWeaver AS ABAP 7.0 EhP3 Support Package 09; SAP NetWeaver AS ABAP 7.3 EhP1 Support Package 09; SAP NetWeaver AS ABAP 7.4 Support Package 05 and later releases.

SAP NetWeaver AS, add-on for code vulnerability analysis: Product planning at a glance
The slide is a three-column roadmap (Today (Release 7.40 SP05), Planned Innovations, Future Direction); the extracted text lists the following topic boxes:
Integration and flexibility: integration into the development landscape; flexible checks; low false positive ratio.
Checks: broad range of checks; prioritization of checks.
Checks & Reporting: reporting capabilities with SAP Solution Manager 7.1 SP12; support for new ABAP 7.40 language features.
New Checks: detection of Cross Site Scripting in BSP pages; detection of direct access to sensitive database tables.
Usability: context based documentation; direct navigation to dataflow.
Configuration: improved administration.
Flexibility & Performance: customer defined sanitizations; public API to access scan results in ATC; optimizations in the dataflow engine.
Reporting: improved reporting functions based on the Solution Manager integration; ability to define a security baseline.
Landscape: tighter integration of old systems into the check infrastructure.
This is the current state of planning and may be changed by SAP at any time.

Further Information
SAP NetWeaver Application Server, add-on for code vulnerability analysis: http://wiki.scn.sap.com/wiki/display/abap/sap+netweaver+application+server%2c+add-on+for+code+vulnerability+analysis
Roadmap presentation: https://service.sap.com/~sapidb/011000358700000256742014e.pdf
ABAP Test and Analysis Tools: http://wiki.sdn.sap.com/wiki/display/abap/abap+test+and+analysis+tools
ABAP Test Cockpit (ATC): http://wiki.sdn.sap.com/wiki/display/abap/abap+test+cockpit
SAP Community: http://scn.sap.com/community/security and http://scn.sap.com/community/abap/testing-and-troubleshooting

SAP NetWeaver AS, add-on for code vulnerability analysis: Key Takeaways
Software development becomes more efficient than ever through proactive code security checks; well accepted by developers because of the tight integration into the standard development environment; integrated into the standard code quality checks by using existing frameworks; extends your standard checks.

Thank you. Contact information: Patrick Hildenbrand, Product Manager, SAP AG, Walldorf