
Penetration Testing mailing list archives

Re: Info about Pen Testing - how to tackle complexity?
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 13 Mar 2007 19:24:30 -0500 (CDT)

On Mon, 12 Mar 2007 Petr.Kazil () eap nl wrote:
I've started, 8 years ago, by reading from start to end the accumulated
volumes of "Hacking Exposed". Just by understanding past exploits, you can
see the various vectors of intrusion [...]

You inspired me to put another kind of learning problem to the list that 
we're struggling with at the moment. I would appreciate your thoughts on 
this subject. A few weeks ago the following question popped up in our 
IT-Audit team and we'll have to do something about it:

- What are the technical security risks of SAP infrastructures?

We're lucky that we have access to the SAP online documentation with a lot 
of security guides, but still we're faced with the following problems:

- How to get a grip on hundreds of pages of documentation?
- How to get a grip on all the different components of SAP with all the 
possible network interactions and functionalities (webservers, application 
servers, application firewalls, databases, portals, middleware)?

And maybe more important:

- How to interpret the SAP security guides that seem to imply that 
installing Unix / Oracle more or less "out of the box" doesn't seem to 
endanger the SAP installation? (Broadly stated - the guides concentrate on 
passwords of the most sensitive accounts and don't say much about any 
other hardening.)

On the one hand we're skeptical that such a huge infrastructure can be 
made safe, but we're positively overwhelmed by the size of it all. We 
think that this problem with understanding huge, complex, modern business 
infrastructures may not be limited to our little team. I don't know if the 
classic approach - find a bug and exploit it - can help us with getting a 
grip on the overall security issues. There are relatively few SAP-hacking 
sources on the Internet, but does that mean that SAP is safe or that no 
one tries hacking SAP?

This problem of complexity is not limited to SAP I think. The same kind of 
complexity is found in Oracle Application server, all the modules, 
web-services, portals and Java stuff.

I'm sorry for the long and vague post, but I'm still trying to find the 
best way into this huge new field. And to do it in the leftover time 
between other commitments :-)

Not answering the theoretical problem of facing such a task, some
practical suggestions:
1. Read an intro to SAP and take notes on what you see as issues. Try and
ask others to do it too.

2. Google SAP security and see if you find any guides in 10 pages or less,
don't invest too much time in these. Try and find some mailing list posts.

3. Remember security is.. security, and not disregarding the issue as a
whole which would take years of study, trust your judgement (to a level).

        Gadi.


Greetings, Petr Kazil

--
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.

