Penetration Testing: Re: SAP Security

[mht () clark net]

SAP Weaknesses can be found if exposed to the Internet, can be exploited 
through the HTML, SOAP, XML, Java front ends.  Some of the SAP modules also 
do not have inherent security schemes.. In fact, many SAP implementations 
do not implement security since it  becomes an undaunting task when various 
SAP modules are customized.  There have been very few reported SAP security 
vulnerabilities since major organizations do not want to hear that their 1 
-2 billion investment has some major security vulnerabilities.  Each 
component of SAP are just as vulnerable since implementing SAP requires 
layering of typically off the shelf hardware and software.
/mark

At 01:28 PM 6/13/2001 +0200, Johann van Duyn wrote:
> Hi there...
>
> I'm planning to run a lightweight internal penetration test against some of
> our servers, and have run into a snag: security information on WinNT, Unix,
> Oracle, etc. is quite easy to find, but I am struggling to find anything
> good on SAP R/3. Most of the stuff is very vague, or refers to securing
> network transmissions against eavesdropping.
>
> Anyone have any real information on SAP security, especially weaknesses?
> :-)
>
> Thanks!
>
> Johann
>
>
>
> Confidentiality Notice: The information in this document and
> attachments is confidential and may also be legally privileged.
> It is intended only for the use of the named recipient. Internet
> communications are not   secure and therefore British American
> Tobacco does not accept legal responsibility for the contents of
> this message. If you are not the intended recipient,please notify us
> immediately and then delete this document. Do not disclose the
> contents of this document to any other person, nor take any copies.
> Violation of this notice may be unlawful.