Virtual Forge, Inc. How to Assess the Risks in Your SAP® Systems at the Push of a Button Basis and SAP Administration 2015

Post on 16-Jul-2015

TRANSCRIPT

Virtual Forge, Inc.

How to Assess the Risks in Your SAP® Systems at the Push of a Button

Basis and SAP Administration 2015

Virtual Forge: Management Summary

We reduce business risks and protect your entire SAP environment.

We cover all SAP® risk categories from Security to Compliance to Quality, on both the code and system layers.

Our solutions follow a simple approach: Assess – Safeguard – Optimize.

Improving the state of your entire SAP system continuously.

We provide highly efficient, automated solutions built using our deep knowledge and experience.

We ensure that SAP systems of leading global companies adhere to the highest Security, Compliance and Quality standards.

We ensure Security, Compliance and Quality worldwide.

Customer Success Stories

The U.S. Department of Defense: “Virtual Forge CodeProfiler enables us to prove that our code is secure and compliant… It is accurate, comprehensive and consistent and ensures that all ABAP code meets our high standards.”

~Christine Warring, TEWLS Sustainment Manager for the Dept of Defense

The Globe and Mail: “With Virtual Forge CodeProfiler tightly integrated into our SAP change and transport management processes, we were able to scan all our custom ABAP code and identify non-compliant code in no time at all.”

~Joby Joseph, SAP Security Lead at the Globe and Mail

SAP: “Applying the Virtual Forge CodeProfiler and the close collaboration helped us to increase the level of security and improved the quality of our business solutions.”

~Ralph Salomon, Vice President, IT Security & Risk Office, at SAP

Siemens: “One of the key requirements was to scan several billion lines of code each week. Together with Virtual Forge, we have been able to create a truly unique solution.”

~Michael Brauer, Director of Corporate Automation within the Corporate IT department at Siemens

A simple approach: Assess – Safeguard – Optimize.

Assess: Automatically assess risk by continuously monitoring system configuration and code changes.

Safeguard: Implement automatic testing for risk in ABAP code and SAP System Configurations.

Optimize: Continually reduce risk exposure as far as possible during ongoing operations and projects.

[Diagram: SAP Security, Compliance & Quality: 1. Assess, 2. Safeguard, 3. Optimize]

Why manage risk?

Some facts…

1. More than 248,500 companies depend upon SAP to run their business.
2. SAP customers include:
   1. Transport > 1.1 million flight passengers per day
   2. Produce > 77,000 cars every day
   3. Produce > 65% of all TVs
   4. 72% of the world-wide beer production depends on companies that run SAP!!!

Current Situation

Cyber-attacks, fraud, and system downtimes are key business risks

SAP Security, Compliance and Quality challenges

SAP Applications
• Authorizations
• Transport Management
• Patches
• Business Continuity
• Application Performance

SAP Configuration
• Authorizations
• SAP Operating & Database System
• Web Security
• Communication Channels
• Logging / Forensic

SAP Coding
• Assessment
• Development
• Architecture
• Code Quality
• Testing
• Deployment

Key Business Risks

Cyber-attacks: $7.2 million per case
Frauds: 5% annual revenue loss per company
System downtimes: 14 hrs per case

Sources of Risk

System configuration and settings
Custom coding
Extended functionality of the SAP standard

Sources: Cost of Cyber Crime Study (Ponemon Institute, 2013), Global Fraud Study (ACFE, 2014), The Avoidable Cost of Downtime (CA Technologies, 2010)

Analysis of custom ABAP in 217 customer systems shows:


There is more than 1 critical security/compliance issue per 1,000 Lines of Custom ABAP® Code. A typical SAP system has 2,150 security/compliance issues in custom code.

For you this means: An attacker gains full access to all business data by exploiting just one of these vulnerabilities.

For you this means: Companies only use a fraction of the hardware speed their systems could provide. Any failure can lead to data corruption and system downtime.

There is 1 critical performance issue and there are 3 critical robustness issues per 1,000 Lines of Custom ABAP® Code.

Source: CodeProfiler analysis of 453 million lines of custom ABAP® code from 217 SAP systems (status: Oct 2014)

Demonstration of ABAP Vulnerability

Analysis of the configuration of 121 SAP Systems shows:


90% of all SAP systems are vulnerable to attacks, and the number of SAP systems connected to the internet is increasing rapidly

For you this means: An attacker gains full access to all business data by exploiting just one critical vulnerability.

For you this means: Manual configuration results in high operating costs. Only one omission can lead to severe security, compliance, or quality issues.

Understanding best practices and managing configurations in a changing environment is a difficult and ongoing task, and configuration drift is a constant challenge.

Source: SystemProfiler analysis of 427 SAP systems (Status: Dec 2014)

Demonstration of Vulnerable SAP System

Distribution of Online SAP Systems (Internet Census)

* Online systems including SAP systems. Graphic: Thünemann/Schinzel

Old Habits, New World

The Evolution of SAP & ABAP Technology

In the past: isolated systems, fewer users, less data, less custom development, regular but rare releases

Today: open systems, more users, more data, more custom development, frequent release cycles

Future: more open systems, even more users, even more data, even more development, higher frequency releases

Attack Surface of SAP, 1997 – A simpler life

[Diagram: Direct UIs and External Systems connecting to the SAP ABAP® System]

Attack Surface of SAP, since 2011 – complexity continues to grow

[Diagram: Direct UIs, Indirect UIs and External Systems connecting to the SAP ABAP® System]

SAP System Administration – a simple task

Profile Parameters
Logging
OS Security
System Authorizations
Password Policies
Communication Security
Patch Days
Enhancement Packs
Transport Requests
Firewalls
Database Performance
Java Servers
System Audits
Web AS Security
Security Notes
System Configuration Drift

[Chart: Typical SAP landscape: Security & Quality (of configuration) plotted against Time, marked with Security Audit, QA and Project events]

Automated Risk Management

The Benefits of Automated Risk Management

1. Apply best practice rules to reduce business risks

2. Enforce company policies consistently throughout organization

3. Reduce costs and time by eliminating manual tasks

4. Eliminate human error and lack of knowledge as risk factors

5. Manage emergencies without increasing risk

A simple approach: Assess – Safeguard – Optimize.

CodeProfiler for ABAP Code

Assess: Continually test and correct ABAP code during development. Inspect entire code base regularly.

Safeguard: Implement automatic code testing to prevent risky code from reaching your productive systems.

Optimize: Continually improve code as far as possible to close security and quality gaps.

[Diagram: SAP Security, Compliance & Quality: 1. Assess, 2. Safeguard, 3. Optimize]

CodeProfiler

Ensures that ABAP code meets industry best-practice standards for security, quality and performance

Performs automatic testing of any code changes and stops transport of bad code

Reduces the time and cost of development and code reviews

Developers can scan/correct online during development
Online documentation includes remediation instructions for on-the-job learning
Automatic testing of all code changes
Automatic correction for fast remediation

Highly accurate results!

CodeProfiler Benefits

A simple approach: Assess – Safeguard – Optimize.

Assess: Continually audit configuration risk across the SAP landscape.

Safeguard: Implement automatic testing and escalation to reduce potential of risk exposure.

Optimize: Continually reduce risk exposure as far as possible during ongoing operations and projects.

SystemProfiler for SAP Configuration

[Diagram: SAP Security, Compliance & Quality: 1. Assess, 2. Safeguard, 3. Optimize]

SystemProfiler

Ensures that SAP System Configuration meets industry best practices

Allows automatic monitoring and correction of SAP configuration settings across your landscape

Saves time and money by automating manual, error-prone tasks

Allows you to distribute security policies across the landscape quickly and easily

Easy to install and scalable to any size landscape

Highly accurate results!

SystemProfiler Benefits

Virtual Forge CodeProfiler: Free Risk Assessment Offer!

How good is your SAP system? Visit www.virtualforge.com

Quality, Compliance, Security

SAP® Risk Assessment with Virtual Forge CodeProfiler and SystemProfiler

Thank you!

Virtual Forge Inc.

[email protected] | +1 610 924 2751

www.virtualforge.com

Disclaimer

© 2015 Virtual Forge Inc. All rights reserved.

SAP, R/3, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG. All other product and service names mentioned are the trademarks of their respective companies.

Information contained in this publication is subject to change without prior notice. It is provided by Virtual Forge and serves informational purposes only. Virtual Forge is not liable for errors or incomplete information in this publication. Information contained in this publication does not imply any further liability.

Virtual Forge Terms and Conditions apply. See www.virtualforge.com for details.

Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.