The Death of Traditional SAP Security

Show notes

In this episode, Frederik Weidemann (Orgaverse) sits down with Waseem to discuss why traditional SAP security approaches are fundamentally broken. From OS command execution that still works in 2026 to cloud architectures that nobody understands, Frederik walks through two decades of SAP vulnerabilities that organizations keep repeating. Discover why patches aren't the answer, how AI is changing offensive security forever, and what organizations actually need to do to mature SAP security.

TAKEAWAYS

  • Why SAP vulnerabilities discovered 20 years ago still compromise systems today
  • How OS command execution remains a critical risk across multiple attack vectors
  • The shared responsibility model that most cloud customers fundamentally misunderstand
  • Why BTP is becoming the new DMZ for SAP landscapes (and why that's dangerous)
  • How AI is automating vulnerability discovery faster than organizations can patch

HOST & GUEST

Host: Waseem Ajrab | NO MONKEY
Guest: Frederik Weidemann | Orgaverse

CHAPTERS

01:20 Frederik Weidemann's 20-year journey in SAP security
03:08 The evolution of SAP security awareness since 2006
05:44 Why security researchers still fear touching SAP
08:31 Recent trends in SAP vulnerabilities and patch patterns
11:41 OS command execution: Why removing one report doesn't solve the problem
14:46 The complexity of securing SAP operating systems
19:55 How BTP is changing the enterprise attack surface
25:04 API management and integration suite security risks
31:34 Zero trust in SAP: Identity management as the foundation
32:23 The challenge of navigating identity provisioning
39:10 AI's impact on offensive security and vulnerability discovery
46:05 Understanding ABAP as an offensive tool, not business logic
51:50 Integrating AI and Joule into security workflows
56:19 The mindset shift organizations need right now

New episodes drop regularly, featuring conversations with cybersecurity experts, SAP practitioners, and industry leaders who've been in the trenches. No vendor pitches. No fluff. Just actionable insights you can apply today.

Because curiosity is free – but recovery isn't.

Show transcript

00:00:00: Now, things that have been sitting in the past and were treated as the crown jewels are now moved on systems towards the cloud.

00:00:09: And then all of a sudden they're out there, getting accessed from the internet directly.

00:00:15: Sometimes it's literally a BTP service, Fiori Launchpad, SAP Cloud Connector, and you are within the intranet, which in another environment would be a big direct no-go.

00:00:38: Welcome to SAP Cyber Security by NoMonkey, where we are tackling SAP security together.

00:00:44: Where we break down the complexities of SAP cybersecurity and make them real, relevant and actionable.

00:00:51: I'm your host Waseem Ajrab from NO MONKEY, and every episode we try to explore the threats, innovations and strategies shaping the future of SAP cyber security.

00:01:01: Whether you're deep in the technical trenches or leading at the C-level, this is where we talk openly about what it really takes to protect the systems that run your business.

00:01:11: All right, let's dive in.

00:01:12: Today we have one of the, I would say, leading security researchers in SAP, a long-time SAP security professional.

00:01:22: Fred, it's great to have you on the show, and I'm looking forward to our topic today. Before we look into that topic, before we summarize what we're going to discuss, and for our listeners out there who might not know you: who is Frederik? Your journey in and out of SAP, or in SAP?

00:01:40: And how you are evolving with that.

00:01:42: Maybe a few areas from that aspect.

00:01:44: Frederik, thank you for joining us.

00:01:47: Yeah, thank you for having me.

00:01:48: So my background is really offensive security.

00:01:51: I started playing capture the flag like twenty years ago and then ended up in IT security consulting. Roughly twenty years of IT security and SAP security background.

00:02:03: I wrote a book back then about SAP security, so I co-authored that one with colleagues.

00:02:10: Back then, when I was working at Virtual Forge, I had been speaking at various conferences.

00:02:16: Fifty-plus: Troopers, RSA, DSAG and so on. I have discovered several zero-day vulnerabilities also within the SAP standard.

00:02:25: Fifty-nine, if you see that red button with the callback attack, Virtual Forge.

00:02:30: Back then, and four years ago I founded my own company.

00:02:34: So I'm a co-founder together with my partner in crime, Jens Midler.

00:02:41: Well, it's a pleasure to meet you, Fred, or a pleasure...

00:02:43: ...to have you.

00:02:44: I had no news for some time now.

00:02:46: So you

00:03:13: have to look at how the market behaved from a historic perspective, and still some people think about SAP security as just being roles and authorizations.

00:03:24: And everyone is smiling about that, but we can see it in all of our engagements.

00:03:28: We had a huge mind shift when Microsoft basically changed how they treated security overall.

00:03:40: And I would say when I started around 2006 with IT security consulting and then put a focus on SAP security, that was still in the early days. I wrote the book in 2009.

00:03:54: Now if you look at the SAP security patches, and that big spike you see around 2010 or 2011?

00:04:04: Maybe some of the older people like me remember that; right there before Christmas, there was a huge amount of security patches being released.

00:04:15: So back then SAP also changed the way they were treating SAP security.

00:04:21: From my own perspective, since then SAP has been putting on more focus.

00:04:30: Security is a super important foundation for them to have the trust.

00:04:36: So looking at that, in the early days you found everything... In 2008 we had the gateway vulnerability as an example, and we still have it up until today.

00:04:46: Yeah, absolutely. For people who've done research: you do a lot of research in your daily work as well, and any researchers who really want to tackle SAP as part of their research within cybersecurity or the different applications...

00:05:05: How do security researchers outside the SAP world view it today?

00:05:10: Because I've spoken to so many at different BSides and different security conferences, and this is not touched at all!

00:05:19: Some are afraid to touch it because of its criticality, but they don't want to.

00:05:26: What's your point on that part?

00:05:28: When it comes to security researchers coming into this, let's say testing SAP applications?

00:05:34: Yeah.

00:05:34: That's a good question.

00:05:35: So I would say you should categorize those different groups.

00:05:40: There is a large group, of course, who just say: okay, maybe I'm a pentest company, maybe I just have the skill set to use tools and do good reporting.

00:05:52: Then there are companies out there doing offensive stuff, writing their own tools, finding new vulnerabilities that the others are not able to catch,

00:06:01: as an example.

00:06:03: Out of these there are people who say: no, this looks like an ugly beast.

00:06:10: I hate it. But nowadays, with the shift towards cloud, now you just need web skills; it completely changes.

00:06:18: But if you look at the "old" world, in quotation marks, then there are lots of people who every once in a while get interested and also hooked on the topic.

00:06:31: And you have seen new persons getting into that area.

00:06:35: So it's not only those who did research like ten or fifteen years ago.

00:06:40: There are new persons actively contributing, doing great research nowadays.

00:06:46: Those are also the ones ambitious enough to deal with this, let's say, beast of complexity, with the huge challenge.

00:06:54: Of course, you somehow also need to get access.

00:06:57: I mean did they learning office there?

00:06:59: You don't just start from scratch with a NetWeaver trial system and then in five minutes you understand the topics, like new web applications.

00:07:09: I mean, I could think of my journey going into this SAP world.

00:07:14: It was interesting, to say the least. Sometimes it was not fun, but it's always...

00:07:20: I would say, to put it in a nice word, exciting, because at some point the vulnerabilities that have been found by you and other researchers we had on this podcast...

00:07:33: You still find them.

00:07:35: So something might tell us what's happening there.

00:07:39: But I do want to touch base on an important part around SAP security patches.

00:07:49: Looking at the recent SAP Security Patch Day, there was one this week, on Tuesday.

00:07:56: With these SAP Security Patch Days, or within the year, are you seeing a shift in the type of vulnerabilities researchers and maybe attackers are targeting when it comes to SAP systems?

00:08:09: I mean, to be fair, you have to look at the entire time.

00:08:13: In the older days there were, let's say, a lot of missing authorization checks, but you do still find these.

00:08:19: You still find missing authorization checks.

00:08:22: I remember that one of the vulnerabilities identified at Virtual Forge was later on named as a missing authorization check; this was related to ESC-Thirty and it contained an ABAP command injection, both rated like CVSS

00:08:38: 6.0, as an example.

00:08:41: And we just recently had a similar situation where the colleagues from SmarterSec, as an example, found a vulnerability that was then rated with a CVSS of 2.0 and was also command injection, which is sometimes surprising.

00:08:59: Technically there's a shift.

00:09:01: We have new classes of vulnerabilities, everything related to deserialization.

00:09:08: We had, like two years ago, a lot of good research related to the RFC protocol, where ten years ago or five years ago, when Martin Gajor did the research, he was reverse engineering a lot of the protocols with the tools that you can still download as open source.

00:09:27: But now there's more content to be found, and from that perspective, over time, yes, there's for sure a shift that we can see. And I think one of the big questions that came up is everything around this beautiful report RSBDCOS0.

00:09:46: That is now used by everyone to execute operating system commands?

00:09:50: There will be a lot of people who complain, especially on SAP Basis.

00:09:56: So if you're not familiar: you can use this report to execute basically arbitrary operating system commands.

00:10:02: But if you're on that level, with the permissions that are assigned to a new user,

00:10:06: technically there are other ways you can achieve the same things.

00:10:10: There are, let's just say... otherwise we don't want to go into the full details here of how you can still execute operating system commands, and with all the fun AI stuff it's super easy. Absolutely.

00:10:22: So you touched base on this OS command report, specifically also with the recent SAP security notes.

00:10:32: This is now going to be removed.

00:10:35: One question actually, you said it.

00:10:37: I just want to stress it more.

00:10:38: Does it actually solve the problem when it comes to finding ways to interact with the OS from that perspective, or at least putting some OS commands on your operating system to do certain attack vectors?

00:10:55: Does it solve the problem?

00:10:57: It reduces the attack surface, to be fair, but it does not solve the problem itself, and there are enough other ways, as I mentioned earlier, how you can still execute that.

00:11:08: Nevertheless there is... I mean, everyone was talking about secure by default in the past; somehow injected suggestions, what I would like to see, and then later on, sometimes people, maybe some colleagues from SAP, are listening

00:11:24: To this.

00:11:24: and make the changes internally.

00:11:25: So SPTH as an example, super technical, but this is about file system security, and having the ability whether you can overwrite certain files or not is something that I foresee as similarly relevant as executing operating system commands, because technically everyone who can upload files to the application server... and think about it, in a PCE environment you should not be able to do that.

00:11:50: The application server and the operating system: this is with SAP normally, but... you know, you can overwrite SAP binaries, with all of the implications.

00:12:01: Then all of a sudden we can execute operating system commands.

00:12:04: There are a lot of binaries being executed by certain transactions, or the kernel in the background, so you can easily attach to those and then still execute operating system commands.

00:12:16: And just by having the possibility to upload files, you could exploit that.

00:12:24: In the end, with user permissions, authorizations on kernel level, you can restrict that.

00:12:30: this is available.

00:12:31: I mean, even writing... the product's table SPTH: if you look into it in your system, then you just see five entries.

00:12:40: You have not maintained that as a dedicated project to get it up and running once, to compromise the system.

00:12:52: I do agree with that. I mean, with some of the research we are trying to do and we're doing, we see once these are actually there...

00:12:59: You said attack vectors are reduced in certain elements. When it comes to... there's a huge separation, I would say, between the SAP application and the operating system in terms of security.

00:13:20: So on the OS itself you don't see those hardening controls that are usually supposed to be there if it weren't an SAP system.

00:13:29: Now, is this... a few questions pop up in my mind.

00:13:33: One: why is this treated the way it is, where security is not hardened properly on the operating system?

00:13:40: Does that have to do with how SAP runs?

00:13:43: Maybe, because I'm pretty sure that outside of the SAP world, people who harden operating systems would think of areas from running.

00:13:56: What are your thoughts around this area, coming from the operating system side?

00:13:59: I think that's a tricky one, to be honest, because, to be fair, infrastructure teams, especially in the larger organizations, somehow to a certain degree know how to secure the environment.

00:14:10: The challenge is that this beast of an SAP system provides its own complexity and contains more code than the actual operating system.

00:14:21: So securing both worlds is a challenge.

00:14:25: And there are still, let's say, certain things that, once you are on operating system level, you can nowadays still use.

00:14:33: So a simple example is the gateway vulnerability.

00:14:37: That was never, from my personal perspective, completely patched.

00:14:41: It just reduced from remote exploitation towards local exploitation.

00:14:45: So it means everyone who has access to an operating system, which by the way no one should have access to on operating system level...

00:14:53: But if you have access, you can still use that, even as a guest user.

00:14:57: You would technically be able to, due to the way the default configuration is set up in ninety-nine percent of the environments.

00:15:06: Just personal estimations, could be less of course.

00:15:09: But you could still execute operating system commands as <sid>adm, and then you will find enough information on the internet that this basically translates to making arbitrary modifications, and you can read arbitrary data from the database.

00:15:27: Implying that you can create users,

00:15:30: assign them the master authorization SAPR.

00:15:33: So you're a super administrator within this system, and then you can do whatever you want.

00:15:38: So that is one challenge, I'd say, to a certain degree.

00:15:41: I see, for example, in past episodes you have been talking about security operations centers.

00:15:46: Well... you would see the syslog, the standard logs, being integrated, while the application level is not integrated, and that already gives kind of an indication that many teams are at least looking in a certain way into the SAP environment.

00:16:02: But then the question is how do you integrate it?

00:16:05: And how do you manage it?

00:16:07: We have jump server questions.

00:16:11: I still come across SAP systems that have no firewall in front of them.

00:16:15: Even in large organizations, where we would say perimeter security is out of the nineties, it is still present, with all the implications

00:16:23: it brings, because with one misconfiguration, in the end even an unknown SAP service could endanger the entire SAP application.

00:16:32: So that's certainly a challenge.

00:16:33: And then, in the same way, I think in the past two weeks we have seen an insane amount of new exploitation attempts due to, let's say, everything around Dirty Frag and the possibility of privilege escalation in a way that is super reliable.

00:16:51: And of course it's also another attack vector, because if you become root on an SAP system, subsequently you can easily compromise the system and do whatever you want with this system.

00:17:09: Absolutely, I mean becoming root on the operating system.

00:17:12: Always think about different attack vectors.

00:17:17: And especially when we are talking... I don't want to extend to the cloud right now, which I would like to come to later, because we're talking about older stuff that's still there, and some of it being closed down.

00:17:31: The operating system is underestimated when it comes to attack vectors, or not hardening. With that said, you did mention a secure default, and that idea is being heavily addressed and heavily communicated out there.

00:17:49: Going into secure architecture, going into BTP, at least... to touch base on it.

00:17:55: Right now with BTP, assuming security has automatically improved.

00:18:01: And this is a question I would like to put here: how does BTP, with RISE, with your on-premise environment, so I'm connecting all of these different environments, change that enterprise attack surface from your perspective?

00:18:15: Well, I think we can talk several hours about that; it is a challenge.

00:18:19: But again, let's maybe split the question up into different areas.

00:18:23: Thinking about smaller companies, midsize companies, where there's one SAP Basis guy, two, maybe three guys managing five, ten, sometimes even fifteen different SAP production lines consisting of over forty-five.

00:18:40: You can already imagine what the implication is, with the business having new demands, new functionality, SAP throwing so much new functionality on the market that you can't even survive the demand from your own business in terms of new features and functionality in those areas.

00:18:58: For sure there is a significant increase if you go towards the SAP cloud.

00:19:04: Think about a RISE construct; I don't want to discuss anything related to the fees that it implies.

00:19:12: That's a totally different story, but that is for SAP to decide with the client, what they negotiate.

00:19:18: But if you go to larger companies,

00:19:21: there are some companies who over the past years have matured so much in operational excellence that I can say this is beyond what SAP today is offering in certain areas.

00:19:40: There are of course other clients who are less mature and then it can be a significant boost.

00:19:46: But in the same way, once you go towards the cloud, it's not about just saying: okay, now SAP has taken care of that.

00:19:54: You know how many clients misunderstand the shared security responsibility model, and in the same way, you know how many clients actually negotiate security into their RISE contract, or whatever

00:20:07: the future BTP naming convention will be. And then of course everyone wants to save money.

00:20:13: And where do you save that money?

00:20:14: You stop with the security things.

00:20:17: Yeah, one gets to another, in the same way.

00:20:20: If we look at the architecture overall, this is also a mindset from an architecture point of view that you have to take into account.

00:20:30: In the former world, everything was kind of on-premise.

00:20:32: You would set up a DMZ and you'd have external connections going through your DMZ maybe towards your SAP system.

00:20:40: Maybe your SAP system in some cases was even in a dedicated DMZ; you would have PI/PO infrastructure, Exchange Infrastructure, or GUN. And nowadays we just had everything move towards cloud.

00:20:56: You have the BTP services, you have BTP sub-accounts.

00:21:01: You have services where business units literally just subscribe and create some sort of shadow IT.

00:21:07: You have challenges getting everything beneath one contract, because sometimes there are multiple contracts.

00:21:13: You don't have a full overview of your entire landscape.

00:21:18: And then persons are relying on this cloud level basically being the new security level itself, while they are still responsible for managing the access and configuring, to a certain degree, the attack surface.

00:21:36: Things that have been sitting in the past and were treated as the crown jewels are now moved onto systems towards the cloud.

00:21:45: Then all of a sudden they're out there, getting accessed from the internet directly.

00:21:51: Sometimes it's literally a BTP service, Fiori Launchpad, SAP Cloud Connector, and you are within the intranet, which in other environments would be a big direct no-go.

00:22:05: Absolutely.

00:22:06: In some way, thinking about the announcements we just recently saw, let's say going towards the autonomous enterprise, Business Data Cloud, putting everything into one huge bucket, then throwing in huge agents...

00:22:21: Great idea. Taking on and tackling the security in that environment, well, I assure you we still have enough work for the next ten to fifteen years.

00:22:33: And let's see what happens.

00:22:35: Well absolutely!

00:22:36: I mean, I like the way you said that BTP is becoming this new, or is it a new, demilitarized zone for SAP landscapes?

00:22:47: And one thing which came across was quite interesting, with all of these services that you can add and remove.

00:22:55: And I think there was a policy recently also released, which is APIs now around DMZ... I do want to touch base a little bit on this.

00:23:02: APIs: your thoughts.

00:23:05: What can go wrong, at least when it comes to the Integration Suite?

00:23:10: So it's becoming this kind of API management.

00:23:13: If you think of Azure or AWS, they had API management, where they're connecting different systems with different connectors.

00:23:22: You are introducing new areas.

00:23:24: Quite nice for a business process.

00:23:26: You know, there are a lot of benefits to it.

00:23:28: I one hundred percent agree with that.

00:23:30: So from your perspective around Integration Suite slash API management:

00:23:36: how does that increase or decrease?

00:23:39: And this is specifically putting it into context around this shared security responsibility model, because with some of our customers, people that we talk to, there is this huge gap.

00:23:52: They do not understand the shared responsibility model.

00:23:55: And specifically when it comes to this area, regardless of other areas involved, how do you see this API management, Integration Suite?

00:24:04: Who needs to take care? From what perspective?

00:24:14: I'm a big fan of having one central solution where you can manage your B2B communication.

00:24:22: You mentioned API management; the question is whether persons are using it,

00:24:26: or to which degree.

00:24:28: Then you have good possibilities to do your own governance.

00:24:32: As an example, I've seen client applications, well, let's say a client environment, where

00:24:38: they have set up a thousand-plus interfaces in Integration Suite.

00:24:44: That is great, but the challenge is just doing the governance,

00:24:48: because with the Integration Suite, of course, you can also create your own scripts,

00:24:53: as an example.

00:24:54: Those run in a sandbox environment.

00:24:56: Let's put Dirty Frag aside for a second.

00:25:00: But whoever is a developer in, let's say, the system has the possibility to manage one and potentially endanger the entire application,

00:25:12: because from an offensive point of view you have lots of possibilities, with all the potential that you get through automation by using internal and publicly available APIs.

00:25:25: Well, we recently had the announcement around the API usage, but nevertheless, just within your official APIs you can read credentials. And all of a sudden, in an Integration Suite, it can be literally as easy

00:25:43: as: you develop the script, and whenever someone sends data... you copy that data somewhere else, then forward it internally.

00:25:50: It requires somebody to actually review this script.

00:25:53: Is there static code analysis? No! There isn't, or only partially, limited.

00:26:00: And if you want to automate that on your side... you have to develop your own stuff.

00:26:05: Then we are again at the discussion whether this is now legal or not,

00:26:10: looking at the new, let's say, policy.

00:26:14: Well, I guess it focused more in a different direction,

00:26:17: but if you do that as a one-time security assessment, then that's one topic again.

00:26:25: I'm not recommending doing that anyway, because it seems to be illegal.

00:26:30: Well, I think somebody has to try it.

00:26:37: The announcement was... it is an opportunity where you can, in a simple way, if you have to do your research...

00:26:45: You can basically export, using vibe coding even nowadays; you can write your own scripts, get everything into text files, and then you can still work in the old-fashioned way or use AI to analyze this stuff, and you will find simple things like HTTP connections.

00:27:02: Exactly.

00:27:03: It is shown in Integration Suite, so SAP's also doing their part to highlight this towards developers.

00:27:11: For example, you have this exclamation mark, danger, built in, that shows: oh, here there's unencrypted communication.

00:27:17: But if you have one thousand interfaces, or external developers, some manager yelling that it needs to work, then you have an endpoint that's unencrypted

00:27:26: that can't easily be changed.

00:27:27: Guess what happens?

00:27:28: You'll have unencrypted communications.

00:27:30: And then it's a question of how the authentication is done, and all these kinds of things.

00:27:35: A lot of questions pop up in this scenario.

00:27:40: I like integrations; we do as well.

00:27:44: It does provide a lot of information.

00:27:54: The area that is connected there gives a lot of opportunities for companies to improve certain aspects within, I would say, their processes

00:28:02: that are integrated.

00:28:03: Which brings me to conclude this a little bit.

00:28:06: Maybe one quick remark related, because yes, one factor that I also like about the Integration Suite itself is that it is tremendously easier

00:28:15: to understand than, let's say, the former Exchange Infrastructure.

00:28:19: So only from that perspective it has already.

00:28:22: No, I can agree with that.

00:28:25: It does provide a lot of good functionality, if it's properly protected, as you say, with which I want to wrap up this specific area and use this... I don't think it's a buzzword anymore, but the zero trust aspect of security, or the zero trust methodology.

00:28:43: Let's see. Now, it's always been said that it sounds great on slides.

00:28:47: It looks great when somebody is explaining it from outside an SAP perspective. How and where do organizations struggle when implementing zero trust in SAP environments, considering all of these different environments that we just spoke about?

00:29:02: I think the key question here is how to achieve zero-trustness.

00:29:07: You can connect this now towards Entra, you can have your own identity...

00:29:20: Bring in just those four buzzwords.

00:29:24: I may have lost a lot of the listeners, but there is also an understanding of all the different nuances of those buzzwords, and then someone is deciding: okay, we need to do this and that.

00:29:38: And maybe management saw some beautiful slides advertising a certain scenario and is going for that.

00:29:44: Nowadays I think the challenge is you have to look at identity provisioning from an entire company perspective, not only from the SAP environment.

00:29:55: SAP, of course, historically is focused on providing a great solution around SAP.

00:30:01: But thinking about having an IdP, my personal opinion is we need to think beyond SAP and then have external IdPs.

00:30:12: We can still integrate using all the SAP tools, but that would be one challenge.

00:30:17: That's also a foundation for everything around zero trust, ensuring there is authentication.

00:30:24: If you have many subaccounts in the BTP environment, you also need to think about how you can, in an automated manner, find a good way to set up the governance, that these are your necessary controls,

00:30:39: to ensure that what you postulate in terms of what is required related to authentication is really also enforced.

00:30:48: Sometimes we have central places where you can enforce that, with two-factor authentication, but yet again there are different additional services.

00:30:57: PaaS environments: persons built their own things.

00:31:03: Let's just say it that way, and then all of a sudden it goes bananas,

00:31:08: where, I mean, the integration alone with Microsoft opens up an amazing amount, from my perspective, of attack vectors that you look into.

00:31:19: It does close a lot, but at the same time it provides this aspect of:

00:31:23: okay, now SAP, what?

00:31:25: What was thought about this isolation?

00:31:28: How I'm utilizing, in double quotes, the isolation that was, or was thought to be, there, and it was never there.

00:31:35: But at least the isolation can pretty much be seen: the integration to different types of scale, integrations to different Microsoft, I would say, applications and utilities and tools are then expanding this kind of attack vector.

00:31:51: So related to that, maybe a quick remark, because thinking about Entra ID and thinking about what's going on in the world, thinking about new European requirements, sovereign cloud as an example, I would put out the question: who is able to substitute Entra within a week with your own solution?

00:32:14: Whatever that is, if someone decides to use American services in a hostile way?

00:32:20: I'm not saying someone's doing that, but with the discussions that we had in the past it does not seem impossible anymore.

00:32:28: Let's say it that way, and in a gentle way.

00:32:31: So theoretically, to a certain degree, it might have been that some persons threatened certain activity.

00:32:38: I'm not saying this is going to happen, but I think that's a huge challenge.

00:32:43: Talking about zero trust and thinking what happens if, for whatever reason, Entra is not there.

00:32:50: Yeah!

00:32:52: It does make identity and governance harder everywhere.

00:32:57: Those sovereign cloud requirements are coming out.

00:33:01: But to be fair, I have also seen installations that already work.

00:33:06: And from a historic perspective, where clients said: okay, we rely on Entra, but we can pull the switch and within a week there's no issue

00:33:27: to small-to medium organizations or even larger enterprises we're talking here.

00:33:33: No,

00:33:34: I see this only being handled if politics and government are making a requirement But I have a small view.

00:33:51: I don't see the entire SAP market.

00:33:53: to be fair, The world is super large.

00:33:55: so there may other regions where things are different.

00:33:58: but in my tiny SAP security space with some sort of you into various organizations i can tell this all

00:34:06: right.

00:34:07: make sense from

00:34:08: your opinion on that?

00:34:10: From perspective how it gets difficult?

00:34:14: no

00:34:14: actually any client being able get rid in a short amount of

00:34:19: time?

00:34:20: Not easily, no.

00:34:23: There has the discussions that go on with multiple and like other consulting companies and advisors sitting on a table with business leaders and product owners.

00:34:36: it goes up to six-eight months without outcome.

00:34:40: that can happen.

00:34:41: one hundred percent.

00:34:42: this is... And your business

00:34:43: will survive then?

00:34:44: No

00:34:45: Talking about zero cost.

00:34:47: Yeah I mean, it's not an easy conversation to have but also at the same time necessary to some extent.

00:34:54: But i do agree that regardless of... ...of the actual process there needs to start somewhere now depending on how that organization goes.

00:35:04: But I think this is a huge topic that i would like to put on the side, go into some offensive discussions and you mentioned around AI... And we're utilizing now what we are hearing doing looking at how AI makes a lot of stuff for us A lot faster, a lot easier.

00:35:28: So from an offensive security... From an offensive part when it comes to LLMs and AI And definitely is changing offensive security quite fast.

00:35:38: How much easier does currently AI make exploiting SAP environments?

00:35:44: If you think about on-premise whether or BTP Whatever It Is for someone with the right background how easy How much easier does AI make that?

00:35:54: So,

00:35:54: I think AI has the super-duper huge advantage of providing scalability.

00:35:59: Scalability in a way that was not imagined before.

00:36:04: You had to know a lot of different things in order to find the right areas for vulnerability.

00:36:11: Then do homework and research.

00:36:13: Nowadays, certain activities, things like... I can ask an LLM: hey, generate me a JCo application that calls a certain RFC function module, just as an entry point.

00:36:28: And of course I need to provide the context, I need to set it in the right way.

00:36:33: Uh... I need to do a little bit of research, because to be fair, if I look at the LLMs outside of Joule, they understand ABAP, they can write ABAP, they create ABAP, but this does not necessarily mean all the hierarchies.

00:36:50: Internally, they think something is a function module which is a class or method, and mix up all of those things at that time.

00:36:57: But if you want to do exploration, reconnaissance... you can super easily automate things!

00:37:04: You get information also from research in certain areas as well.

00:37:09: Asking for some information like where do I find XYZ.

00:37:13: It still ends up in certain cases that you can throw out seventy-five percent of the information.

00:37:18: But nevertheless, twenty-five percent are interesting.

00:37:22: Part, and you made or said a prerequisite is that the person has deep knowledge, so that tremendously helps them automating certain activities.

00:37:35: And it's also very easy to find new vulnerabilities inside an SAP system, to be honest.

00:37:43: Because you can now automate things that require a certain level of motivation by certain persons, and I think dirty freight in everything around it.

00:37:54: Making it so efficient and reliable is also partly just possible due...

00:38:00: No, I can see this!

00:38:02: And we see how it's even evolving, with that being said, and writing code at least.

00:38:12: Regardless of Joule, I would want to come back to Joule a little bit, because there are a lot of discussions there can or are... I mean, I would assume if an offensive practitioner is utilizing AI to audit code faster,

00:38:25: I would assume that attackers are utilising the same thing, right!

00:38:29: And then the question, it's by itself, this question can already be answered.

00:38:34: Are organizations able to actually mitigate or patch vulnerabilities?

00:38:40: Specifically, now I'm talking about third-party vulnerabilities and custom code, faster than this attacker or this offensive auditor that can provide you with a quick solution or a quick exploit to a certain ABAP code. Can vulnerabilities be patched in that fast a manner?

00:38:58: So I think in general the LLMs tremendously help, with the possibilities that they provide.

00:39:05: Yes, you can speed up that process for sure.

00:39:09: Should that be priority number one,

00:39:10: to be fair?

00:39:12: There are a lot of people pushing towards: hey, you need to look into the custom code. And I've been doing that in the past as part of my evangelizing as well.

00:39:21: But if you haven't done your homework, yeah,

00:39:23: in the infrastructure, on the configuration, in the patch management, where you can then get from zero to hero super easy, and you miss CVSS 10.0 configuration items,

00:39:37: then I don't know whether it's really necessary to already look on the

00:39:42: other side.

00:39:43: If you are at that level, when you have mastered the other areas or set up a central governance, central solution.

00:39:51: There are various third-party solutions out there, maybe you're using Solution Manager or maybe you use a cloud LLM and build your own stuff in certain areas, because they also have limitations.

00:40:02: Then on a different level it's perfectly fair to look at the ABAP code, but we can see that a lot of organizations still struggle with moving towards S/4HANA, not everyone has migrated.

00:40:16: They have the programs ahead of them, and you and I both know how much

00:40:21: security is an important topic?

00:40:24: So one of the easy ways of getting rid of all other vulnerabilities is this: do not migrate shitty code that's like twenty years old.

00:40:33: Rather think about using the new possibilities. And there are a lot of smart developers also out there combining MCP, using that opportunity to also get rid of these old, classically developed ABAP reports and migrating them towards RAP, putting them into the new context.

00:40:55: Which totally makes sense!

00:40:57: And if not supported, then way more efficient?

00:41:02: The clear answer is yes.

00:41:04: It can be sped up significantly.

00:41:06: Well, a few points around ABAP, as you are mentioning it, and um, you are the right person when it comes to ABAP.

00:41:14: People often think, and well, I would say not in terms of consultants, more the security community of SAP, more towards application owners or service owners, or sometimes to some extent SAP Basis,

00:41:28: people often think of ABAP as a business logic and not an offensive weapon.

00:41:34: How can standard ABAP functionality be abused?

00:41:38: Some introduction to that before I continue with our offensive AI security.

00:41:46: First of all, ABAP is a programming language, and if you have the possibility to write your own ABAP code, you'll have full control over the SAP system, because the majority of code inside the SAP systems runs in ABAP.

00:42:00: So that implies, it means you can execute operating system commands, reading and writing.

00:42:09: You can overwrite any data, again, you can create new users or you can modify things, and you can modify the SAP standard.

00:42:20: It's not required to have a modification key.

00:42:22: If you know what you're doing... you can use ABAP and basically change the behavior of the entire system.

00:42:29: So once you're on that level, then you have unlocked, way too long,

00:42:33: let's say, the kingdom!

00:42:37: There are different ways.

00:42:40: I mentioned execution of ABAP, ABAP command injections.

00:42:44: Execution of operating system commands.

00:42:46: You can also override files.

00:42:48: Directory traversal is a topic, as an example, directory traversal itself.

00:42:53: So the OPEN DATASET statements, as an example, are also an input vector for executing operating system commands,

00:43:00: because there's this sneaky FILTER option not a lot of people are aware of.

00:43:06: I'm not saying that you will find this being exploitable, but in terms of using it as an offensive tool,

00:43:15: very interesting, because there's a sneaky way to execute operating system commands, and maybe also how certain deficits might be optimized for the future on a high level.

00:43:29: Talking about it, no, I don't want to release any exploits or things like that.

00:43:38: But with the FILTER option, and it has been sufficiently documented, you can look at .sap.com, you can execute operating system commands in.

00:43:48: These will be executed as <sid>adm, full stop.

00:43:51: So if... And it's also used by the pentesters.

00:44:00: So if you're now limited with this RSBDCOS0, as an example, and you are able to create your own ABAP and execute that, that is important, then there will be another option.

00:44:13: No, I agree!

00:44:14: Moving from the ABAP.

00:44:16: Now also ABAP has been introduced, or is in BTP?

00:44:22: It's not introduced, it's already here, would you?

00:44:26: Yeah, exactly.

00:44:28: I'd like to hear your thoughts on this, first of all, and first of all these classic vulnerabilities.

00:44:34: I remember also from previous conversations I had with you, whether it is directory traversal, command injection, you name it.

00:44:41: These are still existing till this day.

00:44:44: I mean, um, I don't know if it is the problem of static code scans that are happening, creating this kind of false sense of confidence that an ABAP or a custom code is quite okay.

00:44:58: But regardless, how do you see it changing in the ABAP environment within a subaccount, for instance?

00:45:07: We need to differentiate there, because if we go by side-by-side extension, as an example, limited attack surface, so they do not allow you to execute operating system commands.

00:45:24: You cannot

00:45:25: access the file systems, and it does make sense in a cloud environment.

00:45:30: Nevertheless, you said BTP as part of that,

00:45:34: we also talk about RISE all of a sudden.

00:45:36: We are kind of more like this, formerly, private cloud scenario.

00:45:43: In the end, more or less in an infrastructure-as-a-service scenario, where SAP is taking care of client 000, and all other clients you can still, whatever, do what you want.

00:45:55: You also use those ABAP commands to do dirty stuff.

00:46:01: Whether you are allowed, that's a different story.

00:46:04: But technically, I guess everyone is saying go for greenfield, we have a lot of brownfields, and then all of a sudden there are sometimes something that I would consider more to be a lift-and-shift kind of scenario.

00:46:21: So a lot of dirty stuff gets also migrated towards the cloud.

00:46:26: It will take some years until this... And I'm not saying this now.

00:46:31: On SAP, don't get me wrong, it has been developed at SAP customers for ages, and then no one is putting the money on the table to get rid of that technique.

00:46:44: Yeah, well, we got sidetracked by lovely ABAP.

00:46:48: Maybe go back a little bit.

00:46:50: And I did want to come back to Joule now, as it's becoming more deeply integrated into workflows.

00:46:57: I was reading today or yesterday around integration with NA. New risks?

00:47:03: Would organizations worry?

00:47:06: Or what worries you in terms of these new integrations with Joule, going into these different workflows?

00:47:13: Well,

00:47:14: I wouldn't say that it's not directly Joule-related.

00:47:16: This is more about everyone understanding the limitations of LLMs and how they can help them scale.

00:47:25: But if you take an LLM to stop reading a book, and then you use the LLM to just get a summary, and you rely on that summary,

00:47:35: you unlearn your ability to read a book in a scientific way, then this will have implications.

00:47:42: Now if we go towards Joule becoming the central user interface in the autonomous enterprise, knowing sometimes that the same LLM queries return different results,

00:47:59: I foresee certain challenges, no matter how SAP secures the environment beneath it.

00:48:07: But just from a pure functional perspective there will be challenges ahead of us, and in the same way, unfortunately, we have also seen in the past that there may have been a case where a certain LLM was vulnerable to prompt injection and potentially someone could read things.

00:48:32: Maybe it was just a security researcher, but those vulnerabilities exist, with the LLMs helping you to do more offensive stuff, to automate things, to fast protocols, to fast prompts, even let an LLM talk to other LLMs.

00:48:51: To a certain degree there is a completely new challenge ahead of us in terms of how to secure those environments.

00:49:11: I would even go, an agent does a change or introducing that, I think there's a lot of benefits here, and to some extent security is there and still needs to be... I would say mature from that perspective, but there is a lot of things to do from that perspective.

00:49:27: One hundred percent, and monitoring

00:49:30: as a great monitoring, because, sorry to interrupt you, but I like how you also approach the SOC topic.

00:49:38: So one of the questions is: hey, can we have all Joule queries somewhere centrally logged?

00:49:44: Can we analyze that?

00:49:46: Because if something goes crazy, we need to understand.

00:49:48: Maybe SAP internally can do so.

00:49:50: There are a lot of questions.

00:49:51: Also from an architecture perspective, needs.

00:49:54: Yeah, I

00:49:55: think with also this part of monitoring a lot of limitations currently exist.

00:49:59: But I do agree that it is something that I like to always tackle rather than... I mean, look at it from an offensive perspective and then directly, okay, how can I see what you are doing in the system coming?

00:50:13: I want, before we start closing out and bringing the entire picture.

00:50:19: We went from old ways, but still there, then into this new infrastructure with BTP, with RISE, how AI is supporting both offensive and defensive, whether it's an attacker perspective or a defensive state, like with AI introducing areas to improve threat detection, but maybe from your years of experience and still going on strong with the SAP areas.

00:50:50: If organizations, considering what we have spoken about, if organizations want to mature SAP security over the next few years, where should they start?

00:51:00: I think again we have a question,

00:51:01: well, we can't have an entire podcast just on that single question.

00:51:06: It depends on the maturity of the organization.

00:51:08: There are organizations who are on an ISO 27001 maturity level between one and two.

00:51:15: And then it's a completely different story what you need to do, while you're really at the top of them.

00:51:21: So I think that is a huge challenge.

00:51:23: One of the fundamental things in general to understand: this starts from a historic perspective.

00:51:29: Let us think about the good old security patching, that security patches have always been downwards compatible.

00:51:37: So that means in many cases you have to do manual adoptions, especially with the critical notes, where you'll have to restart or change a certain parameter, transaction SACF.

00:51:51: You heard about that?

00:51:52: That's a good example, because a lot of persons are not aware they need to enable certain scenarios in an SAP system, and as for S/4HANA, this is now activated by default.

00:52:04: But if, as an example, SAP forgets in a certain remote-enabled function an authorization check, they are going to release an update with the security patch, but the authorization checks are

00:52:17: in many cases not enforced until you enable this scenario, because otherwise it could be that the security patch would break business processes, all of a sudden background postings aren't running anymore, to just name one example.

00:52:34: This is for sure a challenge.

00:52:36: I think governance is a huge topic, having governance in the on-premise environment and the cloud environment or non-privileged environments, there's a lot of stuff you can book in the cloud environment.

00:52:49: There are some things that are being advertised but in different ways.

00:52:53: SAP is not offering APIs for everything.

00:52:59: You would technically need to have my personally perceived level of a good BTP governance level, then in the same way going into logging and being able to understand what's going on in these systems.

00:53:14: Looking at the logs, you quite often see SAP internal IP addresses, 10.0.something, rather than the true source IP, which is a challenge in itself.

00:53:26: And so having a good SOC visibility for sure is a mandatory topic, also with this now already being enforced.

00:53:40: In

00:53:41: which country you are, of course, but on a European level we have that already enforced.

00:53:46: And having visibility on the application level, both in your own on-premise environment and within the cloud, related to the SAP security logs in different flavors, network logs and so on, is super crucial, because no matter what you do, systems can still break.

00:54:07: An attacker can find a way in.

00:54:08: It could be even an internal one.

00:54:11: There have been multiple cases in the past when admins went crazy and on their last day they started changing keys, and then you need to pull the forensic evidence and create that in an absolutely reliable way.

00:54:26: That won't work if you don't have the necessary.

00:54:31: I like the visibility part.

00:54:32: Like, I'd like to know what is happening... I would like to see what happened and so on.

00:54:37: So my final question for you, and to summarize our conversation, which I gladly enjoyed.

00:54:43: If attackers continue... this isn't an if, but attackers are going to evolve faster than SAP security programs. What mindset shift do organizations need right now?

00:54:57: A few sentences or a sentence from that perspective.

00:55:01: I think the general awareness on security and using security as a driver in certain cases, so I know there's, uh, a huge discussion always on the topic of return on security investment, because you spend a certain amount of money and then you reduce an arbitrary risk of getting compromised.

00:55:20: You need to find ways where your security programs are sometimes also improving their ROI, for example, single sign-on, a super simple example.

00:55:30: But in the same way, central logging.

00:55:32: You could use that not only as a way to have the visibility and the SOC, but also the admins tremendously having an advantage if all of a sudden there is, I don't know, a standard third-level support question whether it's an issue on some systems.

00:55:50: You can pull up the logs, easily see:

00:55:52: Hey, that's happening in multiple systems.

00:55:54: Now I can easily fix this before someone else is noticing it.

00:55:58: For me also, as a security architect, it was always about looking to the left and right, getting away from that fear mongering and finding ways.

00:56:07: I personally like to say I am a lazy person, so if I could put my feet on the desk because everything has kind of been automated, I don't want it over-engineered.

00:56:16: I know I'm German, but let's just say your fundamentals are automated, and LLMs tremendously help you doing that.

00:56:25: When you have automated the stuff, then you also understand how applications and your environment are working.

00:56:33: We still see systems where users on SAP systems are manually provisioned in 2026.

00:56:41: What should I say about security architecture?

00:56:49: Of course everyone will be bored

00:56:50: who has already mastered it.

00:56:52: There's still a lot who are doing that in the on-premise environment.

00:56:58: What could possibly go wrong?

00:57:01: With user administration rights, I can tell you... You're

00:57:05: getting the wrong

00:57:05: conditions aside!

00:57:07: I think there are so many more topics to discuss and open up.

00:57:16: We did touch base on areas on a very high level.

00:57:20: We went into depth, not too much, but at least I liked the

00:57:50: conversation.
