The Enterprise Application System Platform Vulnerability Assessment Guide, developed by the EAS-SEC group, describes the 9 best-known business application security areas relating to implementation and operation. The authors prepared this list of top issues during vulnerability assessments of multiple business applications, and it may be applied to any of them. These issues are significant factors in many emerging threats and related attacks. Preventing them means being prepared for numerous attacks targeting business application security.
This document contains a detailed analysis of the most widespread business application platform, SAP NetWeaver ABAP. During this analysis, 33 key security settings were identified and distributed among the 9 areas mentioned above. This guide shows how to protect against the most widespread vulnerabilities in this area and provides further steps for securing all 9 areas.
The authors aimed to make this list as brief as possible while still covering the most critical threats for each issue. This approach is the main objective of this Guide: despite the best practices published by SAP, ISACA and DSAG, our intention was not to create just another list of issues with no explanation of why a particular issue was (or was not) included in the final list, but to prepare a document that can be used easily, and not only by SAP security experts. The report should also provide comprehensive coverage of all critical areas of SAP security.
In addition to major all-purpose checks, each item contains a subsection called “Further steps”. This subsection gives major guidelines and instructions on what should be done as second and third priorities, and then on how to configure each particular item more securely. The recommended guidelines are not always mandatory and sometimes depend on the specific SAP solution. With this approach, the authors were able, on the one hand, to highlight key security parameters for a quick assessment of any SAP solution (from the ERP to the Solution Manager or Industry Solution) based on the NetWeaver ABAP platform and, on the other hand, to cover all issues and give complete recommendations on them.