Are you aware that each of your SAP production systems statistically contains 9 security vulnerabilities in your own ABAP code that allow attackers to gain SAP_ALL privileges and thus take over complete control? This talk deals with an area usually ignored in SAP security concepts: custom code. It unveils unpleasant statistical results based on a code study of more than 200 large companies across the world that run SAP. It shows the most common and most critical security defects that exist in ABAP applications and provides guidance on how to deal with them.
Xu Jia is researching SAP security topics since 2006. His focus is on static code analysis for ABAP and he is the lead architect for a commercial SCA tool. Working in the CodeProfiler Research Labs at Virtual Forge, he also analyzes (ABAP) security defects in SAP standard software. Xu has received credit for more than 30 security advisories where he reported 0-days to SAP, including multiple new forms of attack that are specific to SAP software. He already presented some of his research at Troopers 2013 and 2014 in Heidelberg.
Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed numerous SAP security audits and received credit for more than 80 SAP security patches related to vulnerabilities he discovered in various SAP products. As CTO at Virtual Forge GmbH he leads Research & Innovation, a team focusing on SAP specific security research and new security solutions. Andreas has trained large companies and defense organizations on SAP security and has spoken at multiple SAP-specific conferences (like TechEd, DSAG, BIZEC and SAPience) as well as at general security conferences such as Troopers, Black Hat, HITB, IT Defense, DeepSec and RSA. He researched the ABAP Top 20 Risks published by the German Federal Office for Information Security (BSI) and is co-author of the first book on ABAP security (SAP Press 2009). He is also member of BIZEC.org, the Business Security Community.