All your SAP Passwords belong to us

Invest in security to secure investments

All your SAP Passwords belong to us.

Dmitry Chastuchin, Director, Security Consulting, ERPScan.

About ERPScan
• The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

SAP
• The most popular business application
• More than 250000 customers worldwide
• More than 83% of Forbes 500 run SAP

SAP security
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Fraud
• False transactions
• Modification of master data
Sabotage
• Denial of service
• Modification of financial reports
• Access to technology network (SCADA) by trust relations

Is it remotely exploitable?

5000+ non-web SAP services exposed in the world, including Dispatcher, Message server, SapHostControl, etc.

Is it remotely exploitable?

[Chart: exposed non-web SAP services by type (vertical axis 0 to 9); categories: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]

SAP MMC – overview
• MMC is installed by default on port 513
• Used for remote management of SAP servers
• Commands executed via SOAP interface
• By default, SSL is not implemented
• Administrative password transmitted using basic auth (Base64)
• By sniffing this password, we can get full control over the server

SAP MMC – attacks
• Many attacks can be implemented without authentication
• Attacks can be executed by sending SOAP requests
• Mostly, it is information disclosure and denial of service
• Also, OS command execution

Advanced MMC attacks
[Figure residue, visible request values: true, j2ee/cluster/server0/log/system/userinterface.log, %COUNT%, EOF]

PWN

If an attacker can read a file from the server OS, he can get clear text passwords of SAP users and, as a result, compromise the SAP system

Default passwords

Passwords on client side

User name     Password
SAP*          06071992, PASS
DDIC          19920706
TMSADM        PASSWORD, $1Pawd2&
EARLYWATCH    SUPPORT
SAPCPIC       ADMIN

Passwords on client side

Passwords on client side
• Attack via ActiveX
  ‒ A lot of issues with RCE inside (1519966, 1327004, 1092631, …)
• Attack via client bugs
  ‒ Buffer overflow in saplogon.exe (1504547)

What after that? SapLogon shortcuts! Often, lazy users store the password for their SAP account in shortcuts

Passwords on client side

This is what a typical shortcut looks like… (file: .sap)

  [System]
  Name=DM0
  Description=Test Sap Server
  Client=800
  [User]
  Name=SAP*
  Language=EN
  Password=PW_48B7231FD1FE390C
  [Function]
  Title=myShortcut
  Command=se16
  [Configuration]
  WorkDir=C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI
  [Options]
  Reuse=1

Passwords on client side

…or like that (file: sapshortcut.ini)

  [Label]
  Key1=myShortcut
  [Command]
  Key1=desc="Test Sap Server" -sid="DM0" -clt="800" -u="SAP*" -l="EN" -tit="myShortcut" -cmd="se16" -wd="C:\Documents and Settings\Administrator\My Documents\SAP\SAP GUI" -ok="/nse16" -pwenc="PW_48B7231FD1FE390C"

Passwords on client side

  pwenc="PW_48B7231FD1FE390C"
  PW_48B7231FD1FE390C
  48B7231FD1FE390C

I used this password: 06071992
Looks like XOR encryption

Passwords on client side
• After a few experiments, we found out:
  – Yes, this is XOR
  – Yes, the key is static for all SAPLogon
• The key is: 788113…dc49b0

Passwords on client side
• …and the PY code to decrypt (Python 2)

  key = "788…"   # static SAPLogon key, truncated on the slide
  def sxor(s1, s2):
      return ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(s1, s2))
  enc_pass = "PW_48B7231FD1FE390C"
  # strip the "PW_" prefix, then XOR the hex-decoded ciphertext with the key
  dec_pass = sxor(enc_pass[3:].decode("hex"), key.decode("hex"))
  print "Decoded password is: " + dec_pass

Prevention

• Don't use SAPGUI 6.4 (there are no patches for some vulns)
• Patch SAPGUI with the latest SP
• Don't store passwords in shortcuts (HKCU\Software\SAP\SAPShortcut\Security EnablePassword=0)
• Make sure that you do not activate the storage of passwords in SAP shortcuts
• Authentication security for SAP shortcuts: http://help.sap.com/SAPHELP_NWPI71/helpdata/en/4d/dc9db9bc0e02cfe10000000a42189b/content.htm

Passwords from USR02, USH02, USRPWDHISTORY

USR02 password hash
• Well known password area
• Hash algorithm:
  – CODVN A
  – CODVN B (MD5-based)
  – CODVN D (MD5-based)
  – CODVN E (MD5-based)
  – CODVN F (SHA1-based)
  – CODVN G (Code versions B & F)
  – CODVN H (SHA-1-based)
  – CODVN I (Code versions B, F & H)
• Just use John the Ripper

Prevention

• Use the latest algorithm
• SAP Note 2467: Password rules and preventing incorrect logons
• SAP Note 721119: Logon with (delivered) default user fails
• SAP Note 735356: Special character in passwords; reactivation not possible
• SAP Note 862989: New password rules as of SAP NetWeaver 2004s
• SAP Note 874738: New password hash calculation procedure (code version E)
• SAP Note 991968: Value list for login/password_hash_algorithm
• SAP Note 1023437: Downwardly incompatible passwords since NW2004s
• SAP Note 1237762: Protection against password hash attacks
• SAP Note 1300104: CUA – New password hash procedures - Background information
• SAP Note 1458262: Recommended settings for password hash algorithms
• SAP Note 1484692: Protect read access to password hash value tables
• SAP Note 1488159: SUIM – RSUSR003 – Incorrect results for CODVN = F

Passwords from RFC request

Passwords from RFC request
• If an attacker catches an RFC request with logon data, he will be:
  – Happy because he got the login and password
  – Upset because the password is encrypted
  – Happy because the encryption is just a XOR (lol)
  – Happy because the key is static
    Key: 313ec…a4021
  – Very happy because he got the clear text password


Passwords from RFC request
• …and the PY code to decrypt (Python 2)

  key = "313e…"   # static RFC key, truncated on the slide
  def sxor(s1, s2):
      return ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(s1, s2))
  enc_pass = "0108F357D03F770D"
  # XOR the hex-decoded ciphertext with the hex-decoded key
  dec_pass = sxor(enc_pass.decode("hex"), key.decode("hex"))
  print "Decoded password is: " + dec_pass

Prevention

• Secure RFC connection using SNC
• SAP Security Note 1724516
• RFC and SNC: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/72/e52c4057cb185de10000000a1550b0/content.htm

SAP Visual Admin password

SAP VisualAdmin
• SAP Visual Admin – a remote tool for controlling J2EE Engine
• Uses the P4 protocol – SAP's proprietary
• By default, all data transmitted in cleartext
• P4 can be configured to use SSL to prevent MitM
• Passwords are transmitted by some sort of encryption
• In reality, it is some sort of Base64 transformation with a known key

SAP VisualAdmin data

Insecure password encryption in P4

  char mask = 43690;   // aaaa hex
  char check = 21845;  // 5555 hex
  char[] result = new char[data.length + 1];
  for (int i = 0; i < data.length; ++i) {
      mask = (char)(mask ^ data[i]);
      result[i] = mask;
  }
  result[data.length] = (char)(mask ^ check);
  return result;
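To make the point of the decompiled routine above concrete, here is an added Python port (not code from the slides or from SAP) with its inverse: the masking uses only the two constants from the slide, so it can be undone without any key, and the trailer is a corruption check rather than a protection.

```python
# Constants from the decompiled P4 routine on the slide.
MASK0 = 0xAAAA   # initial running mask ("aaaa hex")
CHECK = 0x5555   # trailer constant ("5555 hex")


def p4_mask(password: str) -> list:
    """Port of the slide's Java: each output char is the running XOR of the
    initial mask and every input char so far; a trailer of (last mask ^ CHECK)
    is appended. Values are 16-bit Java chars."""
    mask = MASK0
    out = []
    for ch in password:
        mask = (mask ^ ord(ch)) & 0xFFFF
        out.append(mask)
    out.append((mask ^ CHECK) & 0xFFFF)
    return out


def p4_unmask(masked: list) -> str:
    """Inverse of p4_mask. Nothing secret is involved: each plaintext char is
    masked[i] ^ masked[i-1] (with MASK0 before the first), so whoever reads the
    cleartext P4 stream recovers the password. The trailer only detects
    corruption; it does not protect anything."""
    if not masked:
        raise ValueError("empty input")
    *body, trailer = masked
    prev, chars = MASK0, []
    for m in body:
        chars.append(chr(m ^ prev))
        prev = m
    if trailer != (prev ^ CHECK):
        raise ValueError("trailer check failed: stream corrupted or not P4-masked")
    return "".join(chars)


def is_p4_masked(values: list) -> bool:
    """Cheap consistency test for a captured value: does the trailer match the chain?"""
    try:
        p4_unmask(values)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = p4_mask("AB")          # constructed input, not captured traffic
    print([hex(v) for v in sample])  # the masked chars as they would go on the wire
    print(p4_unmask(sample))
```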

DEMO: SAP Visual Admin password sniffing

Prevention

• Secure P4 connection using SSL
• SAP Security Note 1724516
• Using P4 protocol over a secure connection: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/2d9ba88aef4bb9e10000000a42189b/content.htm

SAP JAVA Security Storage

SecStore
• The AS Java stores security-relevant information encrypted in a file in the file system
• The AS Java stores the following security-relevant information in files in the file system:
  – Database user SAPDB and its password
  – Database connection information
  – Administrator user and its password
• Secure storage file is located at: \usr\sap\\SYS\global\security\data\SecStore.properties

SecStore

  $internal/version=Ni4zFF4wMSeaseforCCMxegAfx
  admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
  admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
  jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
  admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
  $internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
  $internal/mode=encrypted
  admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E

• The AS Java uses the SAP Java Cryptography Toolkit to encrypt the information in the secure store using the TripleDES algorithm. The encryption is performed during the AS Java installation process
• Let's look deeper

SecStore
• Algorithm is TripleDES. We need a key for decryption
• The main issue is that the key file is located in the same directory as the encrypted data: \usr\sap\\SYS\global\security\data\SecStore.key
• The key consists of two parts:
  – Version information
  – Encrypted key phrase

SecStore
• Version information. It affects the TripleDES key
  – If version >= 7.00.000, then the Triple DES key = key phrase +
• Encrypted key phrase
  – By default, it is the initial password which the administrator sets up during SAP system installation. Often, this phrase equals the DB password or an SAP administrator account password (SAP*, DDIC, J2EE_Admin, etc.)
  – For encrypting the key phrase, a XOR algorithm with a static key is used: 43,-74…,-41,-67
• That's why, if an attacker only got the SecStore.key file, they can also get access into SAP, because they have the initial password

SecStore
• OK. We have the encrypted password (SecStore.properties)
• We have the decryption key (SecStore.key)
• We can get all sensitive information from Security Storage
• As I said, data is encrypted by the TripleDES algorithm
• More precisely, the encryption uses the TripleDES algorithm in CBC mode using a secret key which is derived from a password with the SHA hash algorithm
  – The key is the key phrase from SecStore.key + (if version >= 7.00.000)
  – The salt is the value 0000000000000000

SecStore
• We also wrote a tool which decrypts all the stuff from SAP JAVA AS Security Storage (SecStore_Cr.jar)
• Also, the SAP Secure Store file can have another name (ex. JUpgrade.properties) and store other interesting data, like:
  – Password for SAP OS user (SIDADM)
  – DB password
  – DDIC password
  – etc…

Prevention

• Install SAP Note 1619539
• Restrict read access to files SecStore.properties, JUpgrade.properties, and SecStore.key
• Managing secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/cd/14c93ec2f7df6ae10000000a114084/content.htm

Passwords from log files

Log files
• We know about many places where SAP writes logs
• Administrator can define the verbosity level
• Attacker can find many interesting things in log files: information about the system, information about the users, even session information
• Very interesting path with logs: /sapinst_instdir/

But what about passwords?

Log files
• Passwords in SAP log files look like this:

  dev_umconfigurator.trc

Log files
• Sometimes, we can find a clear text password

  sapinst_dev..log

Log files
• Sometimes, we can find an encrypted password

Log files
• Guess what type of encryption is used? :)
• Right! XOR with a static hardcoded key: 31…65d
• As a result, we have a decryptor (Python 2):

  key = "31XXXXXXXXXXXX5d"   # static key, masked on the slide
  def sxor(s1, s2):
      return ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(s1, s2))
  def prepare(val):
      # the trace stores the ciphertext as decimal byte values separated by "|";
      # rebuild the hex string, zero-padding each byte to two digits
      encoco = val.split("|")
      rez = ""
      for a in encoco:
          rez = rez + "%02x" % int(a)
      return rez
  encr = prepare(raw_input("Enter encrypted password:"))
  dec_pass = sxor(encr.decode("hex"), key.decode("hex"))
  print "Decoded password is: " + dec_pass
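The three decryptors on the shortcut, RFC and trace-file slides are the same static-key XOR with different input encodings. As an added example (not the slides' code), one Python 3 module handles all three forms and shows why a static XOR key offers no protection: one known password reveals the key bytes it covers. The key below is a constructed placeholder, not SAP's key, and the sample values are generated from it.

```python
# CONSTRUCTED placeholder key (16 bytes); the real static keys are truncated on
# the slides and are deliberately not reproduced here.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR; like the slides' sxor(), zip() stops at the shorter input."""
    return bytes(a ^ b for a, b in zip(data, key))


def _decrypt(ct: bytes, key: bytes) -> str:
    # The slides' sxor() silently truncates when the key is shorter than the
    # ciphertext; fail loudly instead.
    if len(ct) > len(key):
        raise ValueError("ciphertext longer than key")
    return xor_bytes(ct, key).decode("ascii")


def decrypt_shortcut(pwenc: str, key: bytes = DEMO_KEY) -> str:
    """SAPLogon shortcut form: 'PW_' prefix followed by hex ciphertext."""
    if not pwenc.startswith("PW_"):
        raise ValueError("not a SAPLogon pwenc value")
    return _decrypt(bytes.fromhex(pwenc[3:]), key)


def decrypt_rfc(hex_ct: str, key: bytes = DEMO_KEY) -> str:
    """RFC logon-data form: bare hex ciphertext."""
    return _decrypt(bytes.fromhex(hex_ct), key)


def decrypt_trace(pipe_values: str, key: bytes = DEMO_KEY) -> str:
    """Trace-file form: decimal byte values separated by '|'. Converting each
    value straight to a byte avoids the one-digit-hex bug that the slide's
    prepare() has for values below 16."""
    ct = bytes(int(v) for v in pipe_values.split("|") if v.strip())
    return _decrypt(ct, key)


def recover_key_prefix(hex_ct: str, known_password: str) -> bytes:
    """Why a static XOR key is no secret: ciphertext XOR one known plaintext
    yields the key bytes it covers, which then unlock every other captured
    value up to that length. This is the experiment behind the shortcut slide."""
    return xor_bytes(bytes.fromhex(hex_ct), known_password.encode("ascii"))


def encrypt_for_demo(password: str, key: bytes = DEMO_KEY) -> str:
    """Build constructed sample ciphertext (XOR is its own inverse)."""
    return xor_bytes(password.encode("ascii"), key).hex().upper()


if __name__ == "__main__":
    sample = encrypt_for_demo("06071992")   # constructed, not from a real system
    print(decrypt_shortcut("PW_" + sample))
    print(recover_key_prefix(sample, "06071992").hex())
```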

Log files
• The same story with the config file:

  usr\sap\\config\usagetypes.properties

Prevention

• Don't use TRACE_LEVEL = 3
• Delete traces when work is finished
• Mask security-sensitive data in HTTP access log
• Incrementing/decrementing the trace level: https://help.sap.com/saphelp_nwpi71/helpdata/en/46/962416a5a613e8e10000000a155369/content.htm

Passwords from SLD config file

SLD
• SLD is the central information repository for your system landscape
• It contains information about:
  – technical systems
  – landscapes
  – business systems
  – products
  – software components in your system landscape

SLD password files
• Configuration file: usr\sap\\DVEBMGS\exe\slddest.cfg
  – User name with DataSupplierLD role
  – User password (wooot!)
  – Host name
  – Port
• Encrypted by DES algorithm in the early version of SLD
• Static default key is: 0A…71F
• But if the user specifies the key, then the key file is stored near the encrypted data file, in slddest.cfg.key

SLD password files
• In the latest versions of SLD, another algorithm is used: TripleDES with hardcoded key

Prevention

• Restrict read access to files slddest.cfg and slddest.cfg.key
• Configuring sldreg and transferring data to SLD: http://help.sap.com/saphelp_nw70/helpdata/en/42/ea5ff4b5d61bd9e10000000a11466f/content.htm

Passwords from ABAP SecStore

Password from RSECTAB
• The secure storage is a component of the SAP Web Application Server ABAP
• It allows the encrypted storage of sensitive data that SAP applications require when logging into other systems
• These SAP applications use the storage to store passwords:
  – RFC destinations
  – Exchange Infrastructure (XI)
  – LDAP system users
  – SAPphone
  – SAPconnect
  – CCMS (Generic Request and Message Generator)
• Table RSECTAB

  select rawtohex(DATA) from SAPSR3.RSECTAB


Password from RSECTAB
• TripleDES 3DES mode: DES-EDE3
• The triple DES algorithm uses the DES-EDE3 method where a 24 byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with the three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24
• Two rounds

Password from RSECTAB
• First round
• Encrypt:
  – char randomPrefix[2];
  – char payload[109];
  – char payloadLength;
  – char magicLocal[4];
  – char magicGlobalSalted[4];
  – char recordIdentifierA7Hash[16];

Password from RSECTAB
• Key for the first round of encryption, based on the default key:

  Key'def[1]  = Keydef[1]  ^ (Hsup[0] & 0xF0)
  Key'def[6]  = Keydef[6]  ^ (Hsup[0] & 0x0F)
  Key'def[7]  = Keydef[7]  ^ (Hsup[3] & 0xF0)
  Key'def[10] = Keydef[10] ^ (Hsup[1] & 0xF0)
  Key'def[13] = Keydef[13] ^ (Hsup[1] & 0x0F)
  Key'def[16] = Keydef[16] ^ (Hsup[4] & 0x0F)
  Key'def[19] = Keydef[19] ^ (Hsup[2] & 0xF0)
  Key'def[20] = Keydef[20] ^ (Hsup[2] & 0x0F)

• Where Hsup is md5(sidA7[3] + insnoA7[10])
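The first-round key tweak above, written out as an added Python example (not the slides' tool or SAP code). It makes the defensive point visible: only eight nibbles of the 24-byte key depend on the system, so the per-system derivation adds almost nothing if the default key is known. The default key here is a constructed placeholder, the installation number is constructed, and the slide's indices are assumed to be 0-based byte offsets.

```python
import hashlib

# CONSTRUCTED placeholder for the 24-byte DES-EDE3 default key; the real
# default key is not on the slides and is not reproduced here.
DEFAULT_KEY = bytes(range(0x10, 0x10 + 24))

# (key byte, Hsup byte, nibble mask), transcribed from the slide's equations.
# Assumption: the slide's indices are 0-based byte offsets.
TWEAKS = (
    (1, 0, 0xF0), (6, 0, 0x0F), (7, 3, 0xF0), (10, 1, 0xF0),
    (13, 1, 0x0F), (16, 4, 0x0F), (19, 2, 0xF0), (20, 2, 0x0F),
)


def hsup(sid: str, insno: str) -> bytes:
    """Hsup = md5(sid[3] + insno[10]): the 3-character system ID followed by
    the 10-character installation number, as written on the slide."""
    if len(sid) != 3 or len(insno) != 10:
        raise ValueError("expected a 3-char SID and a 10-char installation number")
    return hashlib.md5((sid + insno).encode("ascii")).digest()


def first_round_key(default_key: bytes, sid: str, insno: str) -> bytes:
    """Derive the per-system first-round key: eight bytes of the default key
    are each XORed with one nibble of Hsup; the other sixteen stay unchanged."""
    if len(default_key) != 24:
        raise ValueError("DES-EDE3 needs a 24-byte key")
    h = hsup(sid, insno)
    key = bytearray(default_key)
    for ki, hi, mask in TWEAKS:
        key[ki] ^= h[hi] & mask
    return bytes(key)


def changed_positions(default_key: bytes, derived: bytes) -> list:
    """Which key bytes differ from the default: never more than the eight
    positions listed in TWEAKS, and fewer when a masked nibble of Hsup is 0."""
    return [i for i, (a, b) in enumerate(zip(default_key, derived)) if a != b]


if __name__ == "__main__":
    # SID from the shortcut slide; installation number is constructed.
    derived = first_round_key(DEFAULT_KEY, "DM0", "0120003411")
    print(derived.hex(), changed_positions(DEFAULT_KEY, derived))
```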


Password from RSECTAB
• Second round
• Encrypt all data with the default key

Password from RSECTAB
• What about the default key?
• It is encrypted via 3DES-EDE2, too
• But the key for this encryption is hardcoded

Prevention

• Change the default key
• SAP Security Note 1902611
• Choosing your own key: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/f73d41945bdb2be10000000a1550b0/content.htm

Passwords from DBCON table

DBCON table
• SAP has connections with different DBs
• Administrator can manage these connections via the transaction DBCO
• All DB connection information is stored encrypted in the table DBCON (Description of Database Connections)

DBCON table
• Encrypted data looks like: V01/0030ZctvSB67Wv1OuVLazse4ORik
  – BASE64 + DES
  – hardcoded key: 59A…70E
  – decrypted data includes static salt: BE HAPPY

Prevention

• Restrict access to the table DBCON
• Restrict access to the transaction DBCO
• SAP Security Notes 1638280 and 1823566

Passwords from HANA

SAP HANA
• User details (including passwords) stored in hdbuserstore
• Located in the /usr/sap/hdbclient directory
• About hdbuserstore:
  ‒ SSFS_HDB.DAT
  ‒ with user data
  ‒ with keys

SAP HANA
• SSFS_HDB.DAT
• Signature: RSecSSFsData
• Algorithm: 3DES
• Default key is the same as in the ABAP Security Storage

SAP HANA
• SAP HANA – in memory database
• But it drops some data into FS
  – Backup
  – Savepoint

"The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation has completed. After a power failure, the database can be restarted like any disk-based database and returns to its last consistent state." – SAP HANA Security Guide

SAP HANA
• "Data volume encryption ensures that anyone who can access the data volumes on disk using operating system commands cannot see the actual data. If data volumes are encrypted, all pages that reside in the data area on disk are encrypted using the AES-256-CBC algorithm."
• "After data volume encryption has been enabled, an initial page key is automatically generated. Page keys are never readable in plain text, but are encrypted themselves using a dedicated persistence encryption root key."

SAP HANA
"SAP HANA uses SAP NetWeaver SSFS to protect the root encryption keys that are used to protect all encryption keys used in the SAP HANA system from unauthorized access."

• SSFS_HDB.DAT
  – HDB_SERVER/PERSISTENCE/ROOTKEY
  – HDB_SERVER/DPAPI
• The persistence encryption feature does not encrypt the following data:
  – Database redo log files
  – Database backups
  – Database traces

Prevention

• Change the encryption key after installation
• Restrict access to the key file
• Restrict access to the DAT file
• Security guide for HANA (p. 71): http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
• Secure storage in the file system: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a0/82dd0abbde4696b98a8be133b27f3b/content.htm

Etc.
• ICF Password Repository
  – ICFSECPASSWD
• FI module passwords
  – FIEB_PASSWORD
• Oracle Fail Safe
  – Stores passwords inside the ENVIRONMENT variable (Note 1764043 p. 4)
• SAP BusinessObjects LCMuser – hardcoded SVN user
  – \SAP BusinessObjects Enterprise XI.0\LCM_repository\svn_repository\conf
• SAP BusinessObjects axis2 login:password
  – axis2.xml

Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure

• SAP guides
• Regular security assessments
• Monitoring technical security
• ABAP code review
• Segregation of duties

It's all in your hands

Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations.

PS:
• EAS-SEC: Resource which combines
  – Guidelines for assessing enterprise application security
  – Guidelines for assessing custom code
  – Surveys about enterprise application security