OWASP Core Business Application Security

OWASP CBAS Project Structure

Introduction

The project's goal is to allow organizations using enterprise business applications to define an achievable, tailored approach with actionable targets and measurable results, one that can scale by strengthening people, leveraging processes, and enhancing the use of tools. The Core Business Application Security (CBAS) project combines different industry standards and the expertise of various security professionals into a comprehensive framework that aligns enterprise application security measures with the organization's security strategy. The result is a framework that improves the security governance of enterprise application technology.

Background

Core business applications or enterprise business applications are beneficial to organizations in several ways. Some of these benefits include:

  • Combining different business processes under one solution
  • Improving business performance
  • Higher productivity by eliminating redundant processes
  • Flexibility and mobility
  • Easier collaboration between different organizational teams
  • Centralized data

Even though these solutions have numerous benefits, security threats have not decreased. Maintaining, implementing, and deploying security controls and/or information security standards around such solutions still faces challenges. Some of these challenges include:

  • Little to no understanding of the solutions in place
  • Security professionals not involved in the initial phases of deploying and implementing such solutions
  • Security controls being built after the solution is operational and functional, causing pushback from business units

NO MONKEY Security Matrix

The NO MONKEY Security Matrix is used as a governance tool throughout the different projects under the CBAS-SAP. It combines elements of the security operational functions defined by NIST and the IPAC model defined by NO MONKEY into a functional graph.

The benefits and usage of the Security Matrix are listed under each project of the CBAS-SAP.

SAP Security Verification Standard

The CBAS - SAP Security Verification Standard (CBAS-SSVS) project allows organizations to determine their SAP security posture based on controls used to define a maturity level that organizations can maintain or adapt to. This enables organizations to plan and enhance their security mechanisms when protecting SAP resources.

HoneySAP: SAP low-interaction honeypot

HoneySAP is a low-interaction, research-focused honeypot specific to SAP services. It is aimed at learning the techniques and motivations behind attacks against SAP systems.

pysap - Python library for crafting SAP’s network protocols packets

SAP Netweaver and SAP HANA are technology platforms for building and integrating SAP business applications. Communication between components uses different network protocols, and some services and tools make use of custom file formats as well. While some of them are standard and well-known protocols, others are proprietary and public information about them is generally not available.

pysap is an open source Python 2 library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols. In addition, support for creating and parsing different proprietary file formats is included. The modules are built on top of Scapy and are based on information acquired while researching the different protocols, file formats and services.

OWASP SAPKiln

SAPKiln is an open-source GUI tool designed to empower security researchers in conducting efficient auditing and penetration testing of SAP systems through SAP Logon/GUI (desktop application). It caters to both experienced SAP professionals and those unfamiliar with the SAP environment, as it streamlines the process of performing security checks with a user-friendly interface.

SAP Attack Surface Discovery

The project aims to help organizations and security professionals identify and discover open SAP services using different network scanning techniques. This allows them to further test these services for any potential threat that might affect SAP applications in their organizations.

News and Updates Channels

Anyone interested in supporting, contributing or giving feedback is welcome to join us in our Discord channel.

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


NO MONKEY Security Matrix

The NO MONKEY Security Matrix combines elements of the security operational functions defined by NIST and the IPAC model, created by NO MONKEY and explained below, into a functional graph.

SAP Operational Areas

NO MONKEY has defined the four security areas below to focus security topics on a core business application. The areas are:

  • Integration: Focuses on different integration scenarios within systems and third-party tools integrating with a core business application environment, including proprietary and non-proprietary communication protocols and interfaces. Topics include secure architecture, security design, and general security operation concepts.

  • Platform: Focuses on vulnerabilities, hardening, and configuration of the core business applications. It includes reviewing security features and weaknesses in software operations, setup, and security management.

  • Access: Focuses on access control, user authorization measures, and methodologies of SAP software.

  • Customization: Focuses on the customization of core business applications, including change management, custom code, business customizing, legacy interfaces, and add-ons.

Applicability

The Security Matrix serves as a starting point to:

  • Visually show what areas within an organization can be improved; this can be achieved throughout the different projects released.
  • Identify responsibility and knowledge gaps that are aligned to the areas of the Security Matrix within the Security Aptitude Assessment project.

Below is a list of projects that benefit from the NO MONKEY Security Matrix:


SAP Security Verification Standard

The CBAS - SAP Security Verification Standard (SSVS) project allows organizations to determine their SAP security posture based on controls used to define a standard security baseline that organizations can maintain and adopt. This enables organizations to plan and enhance their security mechanisms when protecting SAP resources.

What's In It For Me (WIIFM)

The project is intended for use by different professionals:

  • SAP Security Experts
  • Non-SAP Security Experts
  • Consultants
  • Auditors
  • Advisors

It benefits them in the following ways:

  1. The project helps operations, security, and audit teams assess, plan, and verify security controls that affect SAP implementations in their organizations.
  2. It helps organizations determine their maturity in protecting their SAP applications.
  3. It enables and supports organizations in implementing the security controls required to protect their SAP applications.

Standard Definition

In our initial release, we want to create a security baseline every organization must maintain to secure SAP applications.

The initial release is derived from the below standards:

  • SAP Security Baseline Template V2.4
  • German Federal Office for Information Security - BSI 4.2 SAP ERP System
  • German Federal Office for Information Security - BSI 4.6 SAP ABAP Programming
  • SAP security white papers - used for critical areas missing in the security baseline template and BSI standards
  • OWASP Application Security Verification Standard ASVS 2.0
  • NO MONKEY Security Matrix

Controls

We aim to create controls in a structured, simple, and understandable way.

  • Every control follows the same identification schema and structure
  • Markdown is used to present the controls
  • An Excel tool presents maturity levels, risk areas represented by the NO MONKEY Security Matrix, and implementation status

Control Header:

  • NIST Security Function
  • NIST Category
  • IPAC Model
  • SAP Technology
  • Maturity Level
  • Defender (People, Process, Technology)
  • Control Prerequisite

Appendix A lists the acronyms used in either the control header or the naming convention for controls.

Control Structure:

  • Description of the control
  • Implementing the control
  • Verification of the control
  • References

Example:


SAP Attack Surface Discovery

[!WARNING] Make sure you have the appropriate permissions to actively scan and test applications. Without them, you might face legal implications.

The project aims to help organizations and security professionals identify and discover open SAP services using different network scanning techniques. This allows them to further test these services for any potential threat that might affect SAP applications in their organizations.

OWASP CBAS project

Three areas within the NO MONKEY Security Matrix can benefit from the project:

  1. Identify - NIST Security Functions
  2. Detect - NIST Security Functions
  3. Integration - IPAC Model

Identify | Integration

When applied to a single organization, the results from the project can help it concentrate its efforts in the IDENTIFY and INTEGRATION quadrant of the NO MONKEY Security Matrix.

Detect | Integration

Another potential area of benefit is the DETECT and INTEGRATION quadrant: the project allows organizations to automate their monitoring of SAP applications published to the internet. If publishing these applications is not a requirement and has happened because of a misconfiguration, the organization is able to properly detect it.

More information can be found on the OWASP CBAS project page.

SAP Attack Surface Discovery Wiki

More information, benefits and details on each service can be found in the Wiki.

Communication and Contribution

Anyone interested in supporting, contributing or giving feedback is welcome to join us in our Discord channel.

We have also included a section about contribution in our Wiki, which can be found here.


HoneySAP: SAP Low-interaction honeypot

Version 0.1.2.dev0 (XXX 2022)

Overview

HoneySAP is a low-interaction, research-focused honeypot specific to SAP services. It is aimed at learning the techniques and motivations behind attacks against SAP systems.

Features

  • Low-interaction honeypot for SAP services
  • YAML and JSON-based configuration
  • Pluggable datastore backend
  • Modular services system
  • Modular feeds system
  • Console logging

Installation

To install HoneySAP, simply download the sources and run:

$ python -m pip install .

More complete guidance on how to install HoneySAP in different environments is provided in the documentation.

Documentation

Documentation is available at Read the Docs.

License

This tool is distributed under the GPLv2 license. Check the COPYING file for more details.

Authors

The tool was initially designed and developed by Martin Gallo while working at SecureAuth’s Innovation Labs team, with the help of many contributors. The code was then contributed by SecureAuth to the OWASP CBAS Project in October 2022.

Disclaimer

The spirit of this open source initiative is to help security researchers, and the community, speed up research and educational activities related to the implementation of networking protocols and stacks.

The information in this repository is for research and educational purposes and not meant to be used in production environments and/or as part of commercial products.

If you want to use this code or some part of it for your own purposes, we recommend applying a proper security development life cycle and secure coding practices, as well as generating and tracking the respective indicators of compromise according to your needs.


pysap - Python library for crafting SAP’s network protocols packets

Version 0.1.20.dev0 (XXX 2022)

Overview

SAP Netweaver and SAP HANA are technology platforms for building and integrating SAP business applications. Communication between components uses different network protocols, and some services and tools make use of custom file formats as well. While some of them are standard and well-known protocols, others are proprietary and public information about them is generally not available.

pysap is an open source Python 2 library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols. In addition, support for creating and parsing different proprietary file formats is included. The modules are built on top of Scapy and are based on information acquired while researching the different protocols, file formats and services.

Features

  • Dissection and crafting of the following network protocols:
    • SAP Network Interface (NI)
    • SAP Diag
    • SAP Enqueue
    • SAP Router
    • SAP Message Server (MS)
    • SAP Secure Network Connection (SNC)
    • SAP Internet Graphic Server (IGS)
    • SAP Remote Function Call (RFC)
    • SAP HANA SQL Command Network (HDB)
  • Client interfaces for handling the following file formats:
    • SAP SAR archive files
    • SAP Personal Security Environment (PSE) files
    • SAP SSO Credential (Credv2) files
    • SAP Secure Storage in File System (SSFS) files
  • Library implementing SAP's LZH and LZC compression algorithms
  • Automatic compression/decompression of payloads with SAP's algorithms
  • Client, proxy and server classes implemented for some of the protocols
  • Example scripts to illustrate the use of the different modules and protocols

Installation

To install pysap simply run:

$ python -m pip install pysap

pysap is compatible and tested with Python 2.7. A Python 2/3 compatible version is in the works but is not finalized yet.

Documentation

Documentation is available at Read the Docs.

License

This library is distributed under the GPLv2 license. Check the COPYING file for more details.

Authors

The tool was initially designed and developed by Martin Gallo while working at SecureAuth’s Innovation Labs team, with the help of many contributors. The code was then contributed by SecureAuth to the OWASP CBAS Project in October 2022.


News

  • [September 2023] The SAP Internet Research project undergoes a complete update and is now called the SAP Attack Surface Discovery
  • [September 2023] The OWASP CBAS Roadmap is created to provide a clear view and direction of the different improvements and security areas that will be covered
  • [August 2023] The OWASP SAPKiln project, led by Alex Devassy, is added under the umbrella of the OWASP CBAS
  • [August 2023] Alex Devassy joins the OWASP CBAS team
  • [July 2023] Julian Petersohn contributes and takes lead on the SAP Internet Research project
  • [July 2023] Julian Petersohn joins the OWASP CBAS team
  • [October 2022] SecureAuth’s Innovation Labs donates the HoneySAP and Pysap projects to the OWASP CBAS
  • [October 2022] Martin Gallo joins the leadership team
  • [September 2020] Joris Van De Vis (@jvis) donates the SAP Internet Research project to the OWASP CBAS
  • [June 2020] NO MONKEY donates the SAP Security Matrix to the OWASP CBAS
  • [June 2020] OWASP CBAS created by Waseem Ajrab and Marco Hammel to provide a central location to address areas for SAP security

Events

COMING SOON

Roadmap


CBAS Supporters and Contributors

We are grateful for all our supporters and contributors who have spent significant time working on the OWASP Core Business Application Security project.

We are continuously updating and improving the different parts of the project. All contributions are welcome. Get in touch with us to know more!

Supporters (Time and Donation) - Organizations

Organizations that have allowed contributors to work on, and/or donated significant time and material to, the different projects within OWASP Core Business Application Security. Supporters contributing time and material will be evaluated at the sole discretion of the project leaders.

Supporters (Time and Donation) - Individuals

Contributors

A live update of contributors can be found under each area of the OWASP Core Business Application Security project.


CBAS Contribution Guidelines

We are grateful for all our supporters and contributors who are willing to spend time and effort working on the OWASP Core Business Application Security projects.

Participate in Discussions

We’re using Discussions as a place to connect with other members of our community. We hope that you:

  • Ask questions you’re wondering about
  • Share ideas
  • Engage with other community members
  • Welcome others and are open-minded. Remember that this is a community we build together

Join our OWASP CBAS Discord or Slack Channel to stay up-to-date with any updates or news.

Contribution Steps

1. Create Issues

First create issues before opening any pull requests. Issues will be discussed for any missing requirements, content, duplications, or bugs.

Assignment will be done by project leaders.

2. Opening Pull Requests

Once you have opened a Pull Request, a reviewer will make sure all requirements are met before it is submitted for a merge (refer to the Review page to learn more).

Becoming a Reviewer

COMING SOON