Does anyone have information on penetration testing of SAP applications? I am looking for the following:
· Methodology including any reference material
phenoelit has some resources/vulns for SAP.
Thanks in advance,
Elad Shapira, CISSP
SAP Security Testing is at the complex end of Application Testing. It's easy to test individual components (e.g. EP or ITS apps can be tested to some extent by more or less any outfit with Web App experience). We've been 'doing' SAP Security Testing for most modules, WAS, EP and ITS for a while now and it's a very strange beast indeed.
The bad news: There aren't any tools (beyond ABAP Workbench and Access/TOAD).
Generally in an SAP test you're looking for the following:
· Assurance that the underlying infrastructure and databases are secure (so, classic Vulnerability Assessment and database testing).
· Assurance that the SAP instances themselves are sufficiently secured (authorizations, audit-focused points, source code review for Z* and Y* transactions, interfaces, user exits, etc.).
· Assurance that the documentation and procedures are up to scratch (normally a fairly swift policy review; it usually highlights the areas that differ).
Please feel free to send me a message offline if there's any specifics you'd like to discuss.
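The custom-code review item in the reply above (Z* and Y* transactions) is the one part of an SAP test that lends itself to a small script. What follows is an added example, not code from the original thread or its author: a toy static check that walks constructed ABAP source, unit by unit (FORM/ENDFORM, FUNCTION/ENDFUNCTION, METHOD/ENDMETHOD), and flags statements a reviewer would want to look at. The pattern list (OS command via CALL 'SYSTEM', native SQL via EXEC SQL, dynamic table names in SELECT ... FROM (var), and CALL TRANSACTION with no AUTHORITY-CHECK earlier in the same unit) is an assumption about what to grep for, not an SAP-provided rule set, and the sample report is constructed for the demo.

```python
"""Toy static check for risky statements in customer-namespace ABAP.

Added example; not part of the original thread.  The pattern list is an
assumed reviewer checklist, and SAMPLE is a constructed report, not real
customer code.  Comment handling is deliberately simple: '*' in column 1
is a full-line comment and '"' starts a trailing comment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int      # 1-based line number in the source
    kind: str      # which check fired
    text: str      # the offending statement, stripped


UNIT_START = re.compile(r"^\s*(FORM|FUNCTION|METHOD)\b", re.I)
UNIT_END = re.compile(r"^\s*(ENDFORM|ENDFUNCTION|ENDMETHOD)\b", re.I)
AUTH_CHECK = re.compile(r"^\s*AUTHORITY-CHECK\b", re.I)
CALL_TRANSACTION = re.compile(r"^\s*CALL\s+TRANSACTION\b", re.I)

# Assumed checklist: statements that always merit a look in custom code.
RISKY = {
    "os_command": re.compile(r"^\s*CALL\s+'SYSTEM'", re.I),          # kernel call to the OS shell
    "native_sql": re.compile(r"^\s*EXEC\s+SQL\b", re.I),             # bypasses Open SQL / client checks
    "dynamic_select": re.compile(r"\bFROM\s*\(\s*\w+\s*\)", re.I),   # table name chosen at runtime
}


def is_custom_object(name: str) -> bool:
    """Customer namespace: Z*, Y*, or a registered /NAMESPACE/ prefix.
    Reviewers scope the code review to these objects."""
    return name.upper().startswith(("Z", "Y")) or name.startswith("/")


def scan_abap(source: str) -> list[Finding]:
    """Return findings for one include, in line order."""
    findings: list[Finding] = []
    auth_seen = False  # AUTHORITY-CHECK already executed in the current unit
    for no, raw in enumerate(source.splitlines(), 1):
        if raw.lstrip().startswith("*"):      # full-line comment
            continue
        line = raw.split('"', 1)[0]           # drop trailing comment
        if UNIT_START.match(line) or UNIT_END.match(line):
            auth_seen = False                 # new unit: reset authorization state
            continue
        if AUTH_CHECK.match(line):
            auth_seen = True
            continue
        if CALL_TRANSACTION.match(line) and not auth_seen:
            findings.append(Finding(no, "call_transaction_no_authcheck", line.strip()))
        for kind, pat in RISKY.items():
            if pat.search(line):
                findings.append(Finding(no, kind, line.strip()))
    return findings


# Constructed sample report (not real customer code) exercising each check.
SAMPLE = """\
* Constructed sample of a custom report; not real customer code.
REPORT zrisky_demo.
FORM run_command USING cmd TYPE string.
  CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD tab.
ENDFORM.
FORM jump_to_se38.
  CALL TRANSACTION 'SE38'.   " no AUTHORITY-CHECK in this unit
ENDFORM.
FORM jump_checked.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.
  IF sy-subrc = 0.
    CALL TRANSACTION 'SE38'.
  ENDIF.
ENDFORM.
FORM raw_sql.
  EXEC SQL.
    DELETE FROM usr02 WHERE bname = 'SAP*'
  ENDEXEC.
  SELECT * FROM (lv_table) INTO TABLE lt_rows.
ENDFORM.
"""

if __name__ == "__main__":
    for f in scan_abap(SAMPLE):
        print(f"line {f.line:3d}  {f.kind:30s} {f.text}")
```

Run against SAMPLE it reports four findings (the OS command on line 4, the unchecked CALL TRANSACTION on line 7, EXEC SQL on line 16 and the dynamic SELECT on line 19) and stays silent on the CALL TRANSACTION that follows an AUTHORITY-CHECK. In a real engagement the source would come out of the ABAP Workbench or a table dump of REPOSRC, and every hit still needs a human to decide whether the statement is reachable by a low-privilege user.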