Re: Info about Pen Testing - how to tackle complexity?

From: Petr.Kazil@eap.nl
Date: Mon Mar 12 2007 - 04:54:12 EST


> I've started, 8 years ago, by reading from start to end the accumulated
> volumes of "Hacking Exposed". Just by understanding past exploits, you
> can see the various vectors of intrusion [...]

You inspired me to put another kind of learning problem to the list that
we're struggling with at the moment. I would appreciate your thoughts on
this subject. A few weeks ago the following question popped up in our
IT-Audit team and we'll have to do something about it:

- What are the technical security risks of SAP infrastructures?

We're lucky that we have access to the SAP online documentation with a lot
of security guides, but still we're faced with the following problems:

- How to get a grip on hundreds of pages of documentation?
- How to get a grip on all the different components of SAP with all the
possible network interactions and functionalities (webservers, application
servers, application firewalls, databases, portals, middleware)?

And maybe more important:

- How to interpret the SAP security guides that seem to imply that
installing Unix / Oracle more or less "out of the box" doesn't seem to
endanger the SAP installation? (Broadly stated - the guides concentrate on
passwords of the most sensitive accounts and don't say much about any
other hardening.)

On the one hand we're skeptical that such a huge infrastructure can be
made safe, but we're positively overwhelmed by the size of it all. We
think that this problem with understanding huge, complex, modern business
infrastructures may not be limited to our little team. I don't know if the
classic approach - find a bug and exploit it - can help us with getting a
grip on the overall security issues. There are relatively few SAP-hacking
sources on the Internet, but does that mean that SAP is safe or that no
one tries hacking SAP?

This problem of complexity is not limited to SAP I think. The same kind of
complexity is found in Oracle Application server, all the modules,
web-services, portals and Java stuff.

I'm sorry for the long and vague post, but I'm still trying to find the
best way into this huge new field. And to do it in the leftover time
between other commitments :-)

Greetings, Petr Kazil
