Taming the Beast(s): Securing Major Enterprise Applications
Rich Mogull, Securosis, L.L.C.
Apr 20, 2022 (24 pages)

Transcript
Page 1: Taming the Beast(s): Securing Major Enterprise Applications

Rich Mogull, Securosis, L.L.C.

Page 2: Old School/New School/Oh SH&$ School

Page 3: Major Enterprise Application Classes

Page 4: Enterprise Software

Page 5: Web Application Servers

Page 6: Custom Applications

Page 7: Custom Code = Custom Vulnerabilities

● All major enterprise applications implement mostly custom code
● Custom vulnerabilities exist only on your systems
● Attackers now use refined, repeatable techniques to find custom vulnerabilities
● Common classes of remotely exploitable vulnerabilities
  – SQL injection
  – Buffer overflows
  – Cross-site scripting
  – Logic flaws

Page 8: User Credentials Break

(Diagram: credential flow across the tiers System, Database, Network/Domain and Application; paths labelled Inherit and Remap; connected items Batch Jobs, OLAP and Heritage)

Page 9: Vulnerability Classes

● Privileged Access: Developers, Administrators, Direct Query, Static Accounts
● Downstream Data: Reports (Excel), EDI, OLAP, Backups, Batch Jobs, Other Apps., Other DBs
● Traditional Security: Sniffing, Vulns, Remote Access, Privilege Escalation, Availability

Page 10: Virtualization Apocalypse

Page 11: Defensive Security Stack

Page 12: Application Security

Page 13: Application Security Cycle

Page 14: Secure Development

Page 15: Secure Deployment

Page 16: Hardening Tiers

Harden Tiers
• Minimize open ports
• Network segmentation

Encrypt Connections
• Use network hardware to manage performance

Control Authentication
• Minimize static passwords
• Minimize administration access

Simplification!

(Diagram: Application Server to VPN Appliance, encrypted link, VPN Appliance to Database)

Page 17: Database Security

Page 18: SAP

• SAP is very flexible and complex
  - Most deployments use extensive custom code
  - Understand differences between R/3 and NetWeaver/ECC
• SAP built on WebAS
  - A full application server
  - J2EE and ABAP offer different security options
  - Extensive customization may require the same security approach as a Web application server
• SAP focuses security efforts on roles/authorization
  - Many enterprises lose control of entitlements
  - Role transfers and poor role management are the biggest sources of security issues
  - Manage through Profile Generator, but beware conflicts/config errors
• Multiple, complex auditing options

Page 19: Oracle

• Many security features across product lines
  - Not all features in all products; large variation
  - Expect to pay extra for them
• Consider Oracle Identity Management or third-party IAM
  - E-Business Suite built-in account management is sufficient for isolated deployments
• Take advantage of system roles/responsibilities
• Use digital certificates for systems with static connections
• Use client ID (CID) where possible
• Double-check encryption
  - Some fields default encrypted; confirm DBA limits
• Data Vault can limit access on existing applications
• Use Enterprise Manager for patching
  - Patching features cost extra, so push Oracle on pricing
  - Manual patching is unreliable
• Use a DB Activity Monitoring tool to monitor privileged accounts
  - Audit Vault with Fine Grained Auditing can accomplish this, but is not feature-competitive with third-party tools
• Enable audit trails
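The last three bullets on this slide (client ID, Fine Grained Auditing on privileged accounts, audit trails) combine into one concrete setup. The following is an added example, not from the deck: an Oracle Fine Grained Auditing policy that records access to pay data whenever the session carries no application client identifier or is DBA-privileged, followed by a review query over the audit trail. The schema HR, table EMPLOYEE_PAY, its columns and the policy name PAY_PRIV_ACCESS are assumptions.

```sql
-- Added example (not from the slides). Assumed objects: schema HR, table EMPLOYEE_PAY
-- with columns SALARY and BONUS, policy PAY_PRIV_ACCESS. Needs EXECUTE on DBMS_FGA.
-- Caveat: FGA does not record SYS or AS SYSDBA sessions; cover those with
-- AUDIT_SYS_OPERATIONS.

-- 1. Audit SELECT/UPDATE/DELETE touching pay columns, but only for sessions that the
--    application tier did not tag with a client identifier (direct DBA/developer
--    queries, static service accounts used interactively) or that hold DBA privilege.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEE_PAY',
    policy_name       => 'PAY_PRIV_ACCESS',
    audit_condition   => q'[SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') IS NULL
                            OR SYS_CONTEXT('USERENV','ISDBA') = 'TRUE']',
    audit_column      => 'SALARY,BONUS',
    enable            => TRUE,
    statement_types   => 'SELECT,UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- keep SQL text and binds
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);            -- fire if any listed column is hit
END;
/

-- 2. The application tier sets the client ID after connecting, so legitimate
--    traffic through the app path is excluded by the condition above:
--    DBMS_SESSION.SET_IDENTIFIER('app=payroll;user=' || end_user_name);

-- 3. Review: which database accounts, OS users and hosts touched pay data outside
--    the application path in the last 24 hours, with the most recent statement.
--    On 12c+ with unified auditing, read UNIFIED_AUDIT_TRAIL (column FGA_POLICY_NAME)
--    instead of DBA_FGA_AUDIT_TRAIL.
SELECT db_user,
       os_user,
       userhost,
       COUNT(*)       AS hits,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen,
       MAX(sql_text) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS last_sql
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PAY_PRIV_ACCESS'
   AND timestamp > SYSDATE - 1
 GROUP BY db_user, os_user, userhost
 ORDER BY hits DESC;
```

Rows attributed to a service account with a NULL client identifier point at the static-account and direct-query paths from the Vulnerability Classes slide, which is exactly what a DB Activity Monitoring tool would alert on.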

Page 20: Securing Web Applications

Page 21: Managing Virtualization

Page 22: Data Masking

(Diagram: Production to Development)

Page 23: Summary

● Profile/inventory your applications.
● Good identity management is the key to any enterprise software security.
● Tightly manage/secure network connections; sniffing is on the rise.
● All enterprise software needs secure development standards.
● Use new standards moving forward, while shielding, then cleaning, heritage applications.

Page 24: Contact

Rich Mogull
Securosis, L.L.C.
[email protected]
http://securosis.com
AIM: securosis
Skype: rmogull