Re: Info about Pen Testing - how to tackle complexity?

From: Gadi Evron (ge@linuxbox.org)
Date: Tue Mar 13 2007 - 19:24:30 EST


On Mon, 12 Mar 2007 Petr.Kazil@eap.nl wrote:
> > I've started, 8 years ago, by reading from start to end the accumulated
> > volumes of "Hacking Exposed". Just by understanding past exploits, you
> > can see the various vectors of intrusion [...]
>
> You inspired me to put another kind of learning problem to the list that
> we're struggling with at the moment. I would appreciate your thoughts on
> this subject. A few weeks ago the following question popped up in our
> IT-Audit team and we'll have to do something about it:
>
> - What are the technical security risks of SAP infrastructures?
>
> We're lucky that we have access to the SAP online documentation with a lot
> of security guides, but still we're faced with the following problems:
>
> - How to get a grip on hundreds of pages of documentation?
> - How to get a grip on all the different components of SAP with all the
> possible network interactions and functionalities (webservers, application
> servers, application firewalls, databases, portals, middleware)?
>
> And maybe more important:
>
> - How to interpret the SAP security guides that seem to imply that
> installing Unix / Oracle more or less "out of the box" doesn't seem to
> endanger the SAP installation? (Broadly stated - the guides concentrate on
> passwords of the most sensitive accounts and don't say much about any
> other hardening.)
>
> On the one hand we're skeptical that such a huge infrastructure can be
> made safe, but we're positively overwhelmed by the size of it all. We
> think that this problem with understanding huge, complex, modern business
> infrastructures may not be limited to our little team. I don't know if the
> classic approach - find a bug and exploit it - can help us with getting a
> grip on the overall security issues. There are relatively few SAP-hacking
> sources on the Internet, but does that mean that SAP is safe or that no
> one tries hacking SAP?
>
> This problem of complexity is not limited to SAP I think. The same kind of
> complexity is found in Oracle Application server, all the modules,
> web-services, portals and Java stuff.
>
> I'm sorry for the long and vague post, but I'm still trying to find the
> best way into this huge new field. And to do it in the leftover time
> between other commitments :-)

Not answering the theoretical problem of facing such a task, some
practical suggestions:
1. Read an intro to SAP and take notes on what you see as issues. Try and
ask others to do it too.

2. Google SAP security and see if you find any guides in 10 pages or less,
don't invest too much time in these. Try and find some mailing list posts.

3. Remember security is... security. Without disregarding the issue as a
whole, which would take years of study, trust your judgement (to a level).

        Gadi.

>
> Greetings, Petr Kazil

--
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.