The bombshell exploded right at the beginning of the year: almost all computer chips worldwide are affected by the so-called "Spectre" and "Meltdown" attack scenarios. They take effect at the hardware level and are therefore not limited to any one OS. To make matters worse, the required patches will slow down affected devices. A vulnerability could hardly cause more ripples. From an SAP® customer's viewpoint, the question that comes to mind is whether this affects the security of my SAP systems. Are they even at risk, and if so, how high is the risk? Find all the important answers in this post.
So that developers do not have to worry about the specifics of the underlying operating system when accessing files or executing OS commands, SAP® uses the concept of logical file names and logical OS commands. For this, a logical file name (and file path) is stored for each physical file name (file path) that comes into question. Analogously, the platform-specific physical commands are assigned to a single collective logical command.
Life at Virtual Forge is multifaceted; our tasks are widely spread between IT, Support and Marketing. We would like to give you a better insight: What does the work day of, e.g. an employee in the Support department look like? Which qualities does one need to become a dual student in our IT department or what do our Sales employees associate with our company?
We have asked our colleagues and will now introduce a new employee to you in our blog series “Life @ Virtual Forge” on a regular basis.
Almost every SAP® Basis administrator knows how dangerous XPRA entries can be in transport requests (R3TR XPRA <report name>). In principle, any report that does not require specific parameters can be executed immediately after importing it. If the desired report is not yet available in the target system, it can either be imported with the same request or with a previous transport request. The latter method is better for covering up attacks, as the immediate connection between planting the code and executing it is not as easy to detect.
Job Management in SAP® poses a big attack surface for external manipulation. The possibilities range from abusing the vulnerabilities of certain SAP standard jobs, through changing critical job attributes, to completely defining and including jobs via transport request.
In order to systematically find security vulnerabilities in custom SAP® developments and to correct errors, Krones AG introduced automated code checks despite initial doubts. After a two-year operating period, the machine and plant manufacturer draws a positive conclusion.
The first article of this series talked about the global deactivation of authorization checks for single authorization objects per transport. A similar risk results from the possibility of deactivating authorization checks transaction-specifically. It is even more difficult to detect an attack if this method is used, as the impact can be limited to one transaction.
An increasing number of companies report on the importance of vulnerability scanners in the IT context. We will go one step further and tell you why it is reasonable to particularly use vulnerability scanners for your SAP® systems.
The news about the KRACK attack is causing quite a fuss in the media. This is not surprising, since it affects a Wi-Fi technology thought to be safe until now. Plus, surely everyone uses this encryption. But what does this vulnerability in WPA2 encryption mean to SAP® customers?
The opinions on the SAP® authorization concept diverge widely. Surely, a certain complexity and the related maintenance effort cannot be denied. Yet, the most important requirement, the gapless protection of all read and write accesses within a program, can be realized quite well – at least in theory. In practice, there are several options to circumvent authorization checks.
It's amazing that this vulnerability was published as late as 2012, considering the fact that the SAP gateway is a standard interface for every SAP system. And interfaces in particular should be secured by all means. Eventually it was SAP itself that drew attention to the SAP Gateway exploit. One of the most dangerous weaknesses of every SAP system is thus recognized - but still not secured at many SAP customers.
Two independent studies have shown that awareness regarding SAP security has sharpened over the past 12 months. SAP users in the DACH countries as well as the SAP user group for the United Kingdom and Ireland see the necessity to spring into action and better protect their systems.
If you want to check if the doors of a house are securely locked, it is best to try it yourself. The resident has an advantage over an intruder: he knows all doors and windows which can be used or misused as entry points. The same holds true for SAP systems: a penetration test is far more effective if an external attack (black box pen-testing) is combined with an analysis of possible vulnerabilities from within (white box pen-testing).