
SQL Injection with ABAP - HITB Security Conference - Hack In The Box PDF

35 Pages·2011·1.21 MB·English

Preview SQL Injection with ABAP - HITB Security Conference - Hack In The Box

Hack In The Box Conference 2011, Amsterdam
Dr. Markus Schumacher

SQL Injection with ABAP
Ascending from Open SQL Injection to ADBC Injection

© 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Who am I
Andreas Wiegenstein
- CTO and founder of Virtual Forge, responsible for R&D
- SAP Security Researcher, active since 2003
- Speaker at SAP TechEd 2004, 2005, 2006, DSAG 2009, BlackHat 2011
- Co-Author of "Secure ABAP Programming" (SAP Press)

Virtual Forge GmbH
- SAP security product company based in Heidelberg, Germany
- Focus on (ABAP) application security services
  - ABAP Security Scanner
  - ABAP Security Guidelines
  - ABAP Security Trainings
  - SAP Security Consulting

Belief: "Our SAP system is secure."
- Roles & Authorizations
- Segregation of Duties
- Secure Configuration & System / Service Hardening
- Encryption
- Secure Network Infrastructure
- Password Policies
- Patch Management
- Identity Management
- Single Sign-on

Reality-Check

Contents
1. About ABAP
2. SQL Injection revisited
3. Open SQL (OSQL) Overview, Risks & Mitigations
4. Native SQL
5. ABAP Database Connectivity (ADBC)

1. ...and then there was ABAP

Advanced Business Application Programming
- Proprietary language, exact specification not (freely) available
- Platform-independent code
- Client separation built-in *
- Integrated auditing capabilities
- System-to-System calls via SAP Remote Function Call (RFC)
- Client-Server communication via SAP GUI (DIAG protocol)
- Various programming paradigms:
  - Programs & Forms, Reports, Function Modules, Dynpros
  - Classes & Methods, Business Server Pages, Web Dynpro ABAP
- Integrated platform-independent SQL Standard: Open SQL
- Built-in authentication, roles and (explicit) authorization model
- Thousands of well-known standard programs and database tables
- 150+ Million Lines of Code in an ECC6.0 System

A closer look at Client Separation
[Figure: Client Separation, showing Client 007, Client 023 and Client 042 (© 2010 Virtual Forge GmbH)]
- Users log on to "clients"
- Clients represent business (and user) data of independent organizations
- The SAP system implicitly separates client data in the database
- Done via a special column that indicates if a table is client-dependent
- ABAP code is client-independent. Every program is available on all clients

Attack Surface of ABAP

2. SQL Injection revisited

Description:
Co-Author of "Secure ABAP Programming" (SAP Press). Virtual Forge GmbH. ▫ SAP security product company based in Heidelberg, Germany. ▫ Focus on