Taming the Beast(s): Securing Major Enterprise Applications
Rich Mogull, Securosis, L.L.C.
Old School/New School/Oh SH&$ School
Major Enterprise Application Classes
Enterprise Software
Web Application Servers
Custom Applications
● All major enterprise applications implement mostly custom code
● Custom vulnerabilities exist only on your systems
● Attackers now use refined, repeatable techniques to find custom vulnerabilities
● Common classes of remotely exploitable vulnerabilities
– SQL injection
– Buffer overflows
– Cross-site scripting
– Logic flaws
Custom Code = Custom Vulnerabilities
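The slide lists SQL injection first among the remotely exploitable vulnerability classes that custom code introduces. The following Python is an added example, not code from the deck or from Securosis: the same user lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table holding a few constructed rows, so the difference can be observed offline. The table, rows and function names are all assumptions made for the example.

```python
"""Added example (not from the Securosis deck): the same lookup written with
string concatenation and with a bound parameter, run against an in-memory
SQLite table so the difference is observable offline."""
import sqlite3

# Constructed sample data; the table and rows are illustrative only.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Caller-supplied text becomes part of the SQL grammar itself."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The value travels separately from the statement and can only ever be
    compared as a string; it cannot change the query's structure."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> dict:
    """Run both variants on the same input and return their result sets."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    # A well-formed username behaves identically in both versions.
    print(compare("alice"))
    # A tautology in the input turns the vulnerable query into "match every row";
    # the parameterized query simply finds no user with that literal name.
    print(compare("nobody' OR '1'='1"))
```

The point for an enterprise application is that the fix is not input filtering but the query API: every custom module that builds SQL from strings is a separate instance of this defect, which is why the deck ties custom code to custom vulnerabilities.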
[Diagram: enterprise application layers and data paths. Layers: Application, System, Database, Network/Domain. Application tier: Batch Jobs, OLAP, Heritage. User Credentials: Inherit, Remap, Break. Privileged Access: Developers, Administrators, Direct Query, Static Accounts. Downstream Data: Reports (Excel), EDI, OLAP, Backups, Batch Jobs, Other Apps., Other DBs.]
Traditional Security
• Sniffing
• Vulns
• Remote Access
• Privilege Escalation
• Availability
Vulnerability Classes
Virtualization Apocalypse
Defensive Security Stack
Application Security
Application Security Cycle
Secure Development
Secure Deployment
Harden Tiers
• Minimize open ports
• Network segmentation
Encrypt Connections
• Use network hardware to manage performance
Control Authentication
• Minimize static passwords
• Minimize administration access
Simplification!
[Diagram: Application Server -> VPN Appliance -> (encrypted) -> VPN Appliance -> Database]
Hardening Tiers
Database Security
• SAP is very flexible and complex
  - Most deployments use extensive custom code
  - Understand differences between R/3 and NetWeaver/ECC
• SAP built on WebAS
  - A full application server
  - J2EE and ABAP offer different security options
  - Extensive customization may require same security approach as a Web application server
• SAP focuses security efforts on roles/authorization
  - Many enterprises lose control of entitlements
  - Role transfers and poor role management are biggest sources of security issues
  - Manage through Profile Generator, but beware conflicts/config errors
• Multiple, complex auditing options
SAP
• Many security features across product lines
  - Not all features in all products; large variation
  - Expect to pay extra for them
• Consider Oracle Identity Management or third-party IAM
  - E-Business Suite built-in account management sufficient for isolated deployments
• Take advantage of system roles/responsibilities
• Use digital certificates for systems with static connections
• Use client ID (CID) where possible
• Double-check encryption
  - Some fields default encrypted; confirm DBA limits
• Data Vault can limit access on existing applications
• Use Enterprise Manager for patching
  - Patching features cost extra, so push Oracle on pricing
  - Manual patching unreliable
• Use a DB Activity Monitoring tool to monitor privileged accounts
  - Audit Vault with Fine Grained Auditing can accomplish this, but is not feature-competitive with third-party tools
• Enable audit trails
Oracle
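The Oracle slide recommends monitoring privileged accounts with a DB activity monitoring tool and setting a client ID where possible, and the earlier diagram names direct queries and static accounts as privileged-access paths. The following Python is an added example, not from the deck, Securosis or any Oracle product: a minimal monitor that reads constructed audit records and applies the rules those recommendations imply. The record fields (db_user, host, client_id, sql), the policy sets and the sample records are all constructed for the example; they resemble audit-trail columns but are not Oracle's schema.

```python
"""Added example (not from the Securosis deck or any Oracle product): a
minimal activity monitor over constructed audit records. Field names are
chosen here to resemble a database audit trail; they are not Oracle's."""
import json

# Constructed policy: which accounts are privileged, which static service
# accounts belong to applications, and where each may legitimately come from.
PRIVILEGED_USERS = {"SYS", "SYSTEM", "DBA_JSMITH"}
ADMIN_HOSTS = {"dba-jump01"}
APP_SERVICE_ACCOUNTS = {"ERP_APP": {"erp-app01", "erp-app02"}}
SENSITIVE_TABLES = {"PAYROLL", "CARD_DATA"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_AUDIT = """\
{"ts":"2009-03-02T08:01:10Z","db_user":"ERP_APP","host":"erp-app01","client_id":"jdoe","sql":"SELECT amount FROM PAYROLL WHERE emp_id = :1"}
{"ts":"2009-03-02T08:03:44Z","db_user":"ERP_APP","host":"dev-laptop17","client_id":"","sql":"SELECT * FROM PAYROLL"}
{"ts":"2009-03-02T08:05:02Z","db_user":"DBA_JSMITH","host":"dba-jump01","client_id":"","sql":"ALTER TABLE PAYROLL ADD COLUMN note VARCHAR2(200)"}
{"ts":"2009-03-02T09:00:00Z","db_user":"REPORTS","host":"bi-server01","client_id":"","sql":"SELECT dept, SUM(amount) FROM PAYROLL GROUP BY dept"}
{"ts":"2009-03-02T22:15:31Z","db_user":"SYSTEM","host":"erp-app02","client_id":"","sql":"SELECT pan FROM CARD_DATA"}
"""


def referenced_tables(sql: str) -> set:
    """Crude table extraction: the word after FROM/JOIN/INTO/UPDATE/TABLE.
    Good enough for rule matching on audit text; not a SQL parser."""
    tokens = sql.replace(",", " ").split()
    tables = set()
    for i, tok in enumerate(tokens[:-1]):
        if tok.upper() in {"FROM", "JOIN", "INTO", "UPDATE", "TABLE"}:
            tables.add(tokens[i + 1].strip("();").upper())
    return tables


def evaluate(record: dict) -> list:
    """Return the names of the rules a single audit record violates."""
    hits = []
    user, host, cid = record["db_user"], record["host"], record["client_id"]
    # Rule 1: privileged accounts may only connect from the admin jump hosts.
    if user in PRIVILEGED_USERS and host not in ADMIN_HOSTS:
        hits.append("privileged_account_from_unexpected_host")
    # Rule 2: an application's static account used outside the application's
    # servers is a direct query that bypasses the application's controls.
    if user in APP_SERVICE_ACCOUNTS and host not in APP_SERVICE_ACCOUNTS[user]:
        hits.append("static_account_direct_query")
    # Rule 3: the application always sets a client identifier; its absence on
    # the service account means the end user cannot be attributed.
    if user in APP_SERVICE_ACCOUNTS and not cid:
        hits.append("service_account_without_client_id")
    # Rule 4: privileged accounts have no business reading or altering the
    # sensitive tables directly; every such statement is reviewed.
    if user in PRIVILEGED_USERS and referenced_tables(record["sql"]) & SENSITIVE_TABLES:
        hits.append("privileged_account_touched_sensitive_table")
    return hits


def monitor(audit_text: str) -> list:
    """Parse newline-delimited JSON audit records and return
    (timestamp, db_user, rule_hits) for every record that fires a rule."""
    alerts = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = evaluate(rec)
        if hits:
            alerts.append((rec["ts"], rec["db_user"], hits))
    return alerts


if __name__ == "__main__":
    for ts, user, hits in monitor(SAMPLE_AUDIT):
        print(ts, user, ", ".join(hits))
```

Rule 3 is where the client ID recommendation pays off: with pooled connections every statement arrives as the service account, and only a client identifier set by the application lets the monitor tell a legitimate end-user transaction from someone who has copied the static credentials onto a workstation.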
Securing Web Applications
Managing Virtualization
[Diagram: Production -> Data Masking -> Development]
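The slide shows production data passing through data masking before it reaches development. The following Python is an added example, not from the deck or from Securosis, of how such masking is typically done so that the copy is still usable for testing: a keyed HMAC produces deterministic pseudonyms, so a foreign key masked in one table still matches the same key masked in another, and a masking key that is generated per run and never shipped with the data is what stops anyone from recovering the originals by hashing a list of candidate values. The employee and payroll rows, the field layout and the function names are constructed assumptions for the example.

```python
"""Added example (not from the Securosis deck): deterministic masking of a
production extract before it is copied into development. Keyed HMAC
pseudonyms keep joins between tables consistent, and unlike a plain hash a
keyed function cannot be reversed by hashing a dictionary of candidates."""
import hashlib
import hmac
import secrets

# Constructed sample rows, as they might be exported from a production ERP.
EMPLOYEES = [
    {"emp_id": "E1001", "name": "Alice Ng", "ssn": "123-45-6789",
     "email": "alice.ng@example.com", "dept": "Finance"},
    {"emp_id": "E1002", "name": "Bob Ortiz", "ssn": "987-65-4321",
     "email": "bob.ortiz@example.com", "dept": "Sales"},
]
PAYROLL = [
    {"emp_id": "E1001", "amount": 7200},
    {"emp_id": "E1002", "amount": 6100},
]


def pseudonym(key: bytes, field: str, value: str, length: int = 10) -> str:
    """Deterministic, keyed replacement token. The field name is mixed in so
    the same literal appearing in two columns does not yield the same token."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length].upper()


def mask_ssn(key: bytes, ssn: str) -> str:
    """Format-preserving: keep the NNN-NN-NNNN shape so application-side
    validation in the development environment still passes."""
    digest = hmac.new(key, f"ssn:{ssn}".encode(), hashlib.sha256).digest()
    d = [str(b % 10) for b in digest[:9]]
    return f"{''.join(d[:3])}-{''.join(d[3:5])}-{''.join(d[5:9])}"


def mask_email(key: bytes, email: str) -> str:
    """Replace the local part and move everyone to a non-routable domain,
    so test runs in development can never mail a real person."""
    return f"user{pseudonym(key, 'email', email, 8).lower()}@example.invalid"


def mask_dataset(key: bytes, employees: list, payroll: list) -> tuple:
    """Mask both tables with the same key so emp_id keeps joining."""
    masked_emp = []
    for row in employees:
        masked_emp.append({
            "emp_id": pseudonym(key, "emp_id", row["emp_id"]),
            "name": f"Employee {pseudonym(key, 'name', row['name'], 6)}",
            "ssn": mask_ssn(key, row["ssn"]),
            "email": mask_email(key, row["email"]),
            # Department is not identifying on its own; kept for realistic tests.
            "dept": row["dept"],
        })
    masked_pay = [
        {"emp_id": pseudonym(key, "emp_id", r["emp_id"]), "amount": r["amount"]}
        for r in payroll
    ]
    return masked_emp, masked_pay


def joins_preserved(employees: list, payroll: list, masked_emp: list, masked_pay: list) -> bool:
    """Every payroll row must match exactly as many employee rows after
    masking as it did before (one each, for a well-formed extract)."""
    before = sum(1 for p in payroll for e in employees if p["emp_id"] == e["emp_id"])
    after = sum(1 for p in masked_pay for e in masked_emp if p["emp_id"] == e["emp_id"])
    return before == after == len(payroll)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per masking run; never copied to development
    emp, pay = mask_dataset(key, EMPLOYEES, PAYROLL)
    for row in emp:
        print(row)
    print("joins preserved:", joins_preserved(EMPLOYEES, PAYROLL, emp, pay))
```

Salary amounts are left intact here because the example treats them as test-relevant rather than identifying; a real masking policy decides that per field, and anything that does identify a person (free-text notes, addresses) is handled the same way as the name and e-mail above.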
● Profile/inventory your applications.
● Good identity management is the key to any enterprise software security.
● Tightly manage/secure network connections; sniffing is on the rise.
● All enterprise software needs secure development standards.
● Use new standards moving forward, while shielding then cleaning heritage applications.
Summary