In his Cybersecurity for SAP Customers 2018 session “Going from the Outside In: The Truth About Penetration Testing,” Frederik Weidemann of Virtual Forge explains why you should perform a penetration test of your SAP landscape. Security breaches are a big problem and enterprise technology is not exempt, as recent news reports have shown. Weidemann says that penetration testing can find bugs and vulnerabilities before hackers do, so that you can reduce risks for your company.
He discusses the challenges and opportunities you may encounter while preparing to run an SAP penetration test. He cites these three challenges:
1. Implementing thorough security patching: A key point Weidemann makes is that “SAP security patches stick to the ‘downwards compatible’ policy.” This means that applying security patches in many cases will require manual post-installation activities. “If these activities are not applied, the patch is not active, and the system remains vulnerable,” he says.
2. Establishing, monitoring, and enforcing an SAP security baseline: Before going forward with a penetration test, use the SAP security baseline template security guide to help you detect any simple and well-known issues related to areas such as standard passwords, critical basis authorizations, insecure profile parameters, remote function calls (RFC), RFC gateway, and RFC callback security.
3. Validating the first two challenges and finding the right person to do the penetration test: A general penetration tester may not be proficient in working in an SAP system; you need to use an SAP specialist who knows the SAP language.
Weidemann also cites two opportunities resulting from conducting an SAP penetration test:
1. Raise awareness and boost your career: A successful penetration test can raise security awareness within your organization and help boost your career.
2. Get beyond a baseline security level: To go beyond baseline security, you need to use an experienced penetration tester who knows an SAP environment. This person should know what security architecture to cover and what the best project scope for your organization is.
These are just a few highlights of this session at the upcoming SAPinsider Cybersecurity for SAP Customers 2018 conference, which will be held June 27-29, 2018, in Prague.