DEFENSE IN DEPTH - Layer Seven Security

More documents

Recommendations

Info

DEFENSE IN DEPTH AN INTEGRATED STRATEGY FOR SAP SECURITY 8Program SecurityThe third component of an integrated SAP security strategy is thedevelopment of secure custom programs, free of code-levelvulnerabilities.SAP systems are designed to perform thousands of distinctfunctions ranging from adding a vendor to a list of approvedsuppliers, performing a transport to implement a change in aspecific system, and encrypting/decrypting traffic between serversor clients. These functions are performed by programs stored in thedatabase table known as REPOSRC that are called when requestedby work processes in the NetWeaver AS.SAP programs are developed using two distinct programminglanguages: Advanced Business Application Programming (ABAP)and Java. Both are vulnerable to coding errors that could exposeSAP programs to exploits such as code, OS and SQL injection,cross-site scripting, cross-site request forgery, buffer overflow,directory traversal and denial of service. SAP programs are alsosusceptible to missing or broken authority-checks that could leadto the unauthorized execution of programs. Finally, programs cancontain backdoors through hardcoded credentials that bypassregular authentication and authorization controls, as well asmalware known as rootkits that provide attackers with remote,privileged access to system functions and resources. Table 4.1 liststhe 25 Most Dangerous Soſtware Errors identified by the CommonWeaknesses Enumeration (CWE), co-sponsored by the Office ofCybersecurity and Communications at the U.S Department ofHomeland Security. ABAP and Java programs are vulnerable to70% of the vulnerabilities in the list and are highlighted in red.1Improper Neutralization of Special Elements used inan SQL Command ('SQL Injection')14Download of Code Without Integrity Check2Improper Neutralization of Special Elements used inan OS Command ('OS Command Injection')15Incorrect Authorization3Buffer Copy without Checking Size of Input ('ClassicBuffer Overflow')16Inclusion of Functionality from Untrusted ControlSphere4Improper Neutralization of Input During Web PageGeneration ('Cross-site Scripting')17Incorrect Permission Assignment for CriticalResource5Missing Authentication for Critical Function18Use of Potentially Dangerous Function6Missing Authorization19Use of a Broken or Risky Cryptographic Algorithm7Use of Hard-coded Credentials20Incorrect Calculation of Buffer Size8Missing Encryption of Sensitive Data21Improper Restriction of Excessive AuthenticationAttempts9Unrestricted Upload of File with Dangerous Type22URL Redirection to Untrusted Site ('Open Redirect')10Reliance on Untrusted Inputs in a Security Decision23Uncontrolled Format String11Execution with Unnecessary Privileges24Integer Overflow or Wraparound12Cross-Site Request Forgery (CSRF)25Use of a One-Way Hash without a Salt13Improper Limitation of a Pathname to a RestrictedDirectory ('Path Traversal')Table 4.1: CWE Top 25 Most Dangerous Soſtware Errors(Source: CWE/MITRE, 2012)LAYER SEVEN SECURITY © 2013
DEFENSE IN DEPTH AN INTEGRATED STRATEGY FOR SAP SECURITY9SAP performs a rigorous code review for all standard or deliveredprograms prior to release and regularly issues Security Notes topatch vulnerabilities detected aſter release. Custom programs arerarely subject to the same level of scrutiny. Programs developed byin-house or off-shore developers to meet the needs of customersnot met by standard SAP functionality are oſten laden with vulnerabilitiesthat, when exploited, undermine the integrity of entire SAPlandscapes. Such landscapes are only as strong as their weakestpoint. A robust application layer fortified with properly configuredplatforms can still be breached through vulnerabilities at theprogram level.SAP does not assume responsibility or liability for losses arisingfrom the exploitation of vulnerabilities in custom code. Customersare expected to develop and apply appropriate soſtware developmentprocedures to manage such risks. Procedures should includerequirements for soſtware integrity and security and should notfocus exclusively on measures such as functionality and performance.Specific examples include the use of open rather thannative SQL, avoiding arbitrary input for dynamic SQL statements,encoding user input before output, removing hardcoded users,secure construction of SELECT statements, and input validationthrough existence and length checks, canonicalization, type checks,range checks and white or black list filters.Developing secure custom programs is a formidable challenge formany SAP customers. ABAP and Java programmers are generallyunfamiliar with secure programming techniques. Furthermore,manual code reviews can increase resource requirements andtimeframes during development and testing. Standard SAP toolssuch as Code Inspector can be used to perform static checks andtests for development objects. Code Inspector is accessed throughthe ABAP Workbench or directly through transaction SCI. Thedefault check variant includes some checks for security risks.Errors, warnings and messages generated by the Code Inspectorshould be investigated and resolved before the release of transports.Code Inspector does not match the performance of soſtware suchas CodeProfiler designed to detect a wider array of vulnerabilitiesin SAP programs. CodeProfiler is used by SAP to perform qualityassurance for standard programs. It is tuned to detect andauto-correct suspicious statements in ABAP programs andintegrates directly with the SAP Transport Management System toprevent the deployment of malicious code. It scans an average of2.24M lines of ABAP code per project and detects an average of5,065 critical errors, of which over 2,400 are considered criticalsecurity flaws. CodeProfiler is SAP-certified for integration withSAP NetWeaver.LAYER SEVEN SECURITY © 2013
Page 3 and 4: DEFENSE IN DEPTH AN INTEGRATED STRA

DEFENSE IN DEPTH - Layer Seven Security

Create successful ePaper yourself

Delete template?

Save as template?