OWASP Core Business Application Security

CBAS Project Structure

CBAS-SAP
├── Security Aptitude Assessment (SAA)
├── Security Maturity Model (SMM)
└── SAP Internet Research

Introduction

The Core Business Application Security (CBAS) project allows organizations that use enterprise business applications to define an achievable, tailored approach with actionable targets and measurable results, one that scales by strengthening people, leveraging processes, and enhancing the use of tools. The project combines different industry standards and the expertise of various security professionals into a comprehensive framework that aligns enterprise application security measures with the organization’s security strategy. The result is a framework that improves the security governance of enterprise application technology.

Background

Core business applications or enterprise business applications are beneficial to organizations in several ways. Some of these benefits include:

  • Combining different business processes under one solution
  • Improving business performance
  • Higher productivity by eliminating redundant processes
  • Flexibility and mobility
  • Easier collaboration between different organizational teams
  • Centralized data

Despite these benefits, the security threats to such solutions have not decreased, and maintaining, implementing, and deploying security controls and information security standards around them still faces challenges. Some of these challenges include:

  • Little to no understanding of the solutions in place
  • Security professionals not involved in the initial phases of deploying and implementing such solutions
  • Security controls being built after the solution is already operational, causing pushback from business units

NO MONKEY Security Matrix

The NO MONKEY Security Matrix is used as a governance tool throughout the different projects under the CBAS-SAP. It combines the security functions of the NIST Cybersecurity Framework with the IPAC model, defined by NO MONKEY, into a functional graph.

The benefits and usage of the Security Matrix are listed under each project of the CBAS-SAP.


Security Aptitude Assessment

The CBAS - SAP Security Aptitude Assessment (CBAS-SSAA) project allows organizations to determine the skill and knowledge gaps required to secure SAP implementations in an organization.


Security Maturity Model

The CBAS - SAP Security Maturity Model (CBAS-SSMM) project allows organizations to determine their SAP security posture based on controls that define a maturity level the organization can maintain or adopt. This enables organizations to plan and enhance the security mechanisms protecting their SAP resources.


SAP Internet Research

With the contribution of Joris van de Vis, the SAP Internet Research project aims to help organizations and security professionals identify and discover open SAP services facing the internet. This allows them to further test these services for potential threats that might affect their SAP applications.


Contribution

See CONTRIBUTING section for more information.

Leaders

Contributors

Communication channel

Anyone interested in supporting, contributing, or giving feedback is welcome to join us in our Discord channel.

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


NO MONKEY Security Matrix

The NO MONKEY Security Matrix combines the security functions of the NIST Cybersecurity Framework with the IPAC model, created by NO MONKEY and explained below, into a functional graph.

IPAC model

NO MONKEY defines the following four security areas, which focus the security topics on a core business application:

  • Integration: Focuses on different integration scenarios within systems and third-party tools integrating with a core business application environment, including proprietary and non-proprietary communication protocols and interfaces. Topics include secure architecture, security design, and general security operation concepts.

  • Platform: Focuses on vulnerabilities, hardening, and configuration of the core business applications. It includes reviewing security features and weaknesses in software operations, setup, and security management.

  • Access: Focuses on access control, user authorization measures, and the related core business application methodologies.

  • Customization: Focuses on the customization of core business applications, including change management, custom code, business customizing, legacy interfaces, and add-ons.

Applicability

The Security Matrix serves as a starting point to:

  • Visually show which areas within an organization can be improved; this is achieved through the different projects released.
  • Identify responsibility and knowledge gaps aligned to the areas of the Security Matrix, within the Security Aptitude Assessment project.

Below is a list of projects that benefit from the NO MONKEY Security Matrix:


Security Aptitude Assessment and Analysis

The CBAS - SAP Security Aptitude Assessment (CBAS-SSAA) project allows organizations to determine the skill and knowledge gaps required to secure SAP implementations in an organization.

The Security Aptitude Assessment is designed to find these gaps and map them to the NO MONKEY Security Matrix.

What’s In It For Me (WIIFM)

Organizations and security experts can benefit from this project by:

  • Prioritizing their security efforts in areas identified as high risk
  • Aligning and planning SAP security training for their teams to increase their knowledge and skills in protecting the SAP environment

Getting Started

A video on the project page illustrates how to get started with the Security Aptitude Assessment and Analysis.

The HOW-TO file also gives an overview on how to start with your Security Aptitude Assessment and Analysis.



SAP Security Maturity Model

The CBAS - SAP Security Maturity Model (CBAS-SSMM) project allows organizations to determine their SAP security posture based on controls used to define a maturity level that organizations can maintain or adopt. This enables organizations to plan and enhance their security mechanisms when protecting SAP resources.

What’s In It For Me (WIIFM)

The project is intended for different professionals:

  • SAP Security Experts
  • non-SAP Security Experts
  • Consultants
  • Auditors
  • Advisors

The project:

  1. Helps operations, security, and audit teams assess, plan, and verify security controls that affect SAP implementations in their organizations.
  2. Helps organizations determine their maturity in protecting their SAP applications.
  3. Enables and supports organizations in implementing the security controls required to protect their SAP applications.

Maturity Levels

We follow different methodologies and standards to define the different controls for each maturity level.

Our initial release defines maturity level 1 as the security baseline every organization must maintain to secure its SAP applications.

Maturity level 1:

The first maturity level is the initial baseline and is derived from the following standards:

  • SAP Security Baseline Template V2.1
  • German Federal Office for Information Security (BSI) IT-Grundschutz module APP.4.2 SAP ERP System
  • German Federal Office for Information Security (BSI) IT-Grundschutz module APP.4.6 SAP ABAP Programming
  • SAP security white papers, used for critical areas missing from the Security Baseline Template and the BSI modules

Controls

We aim to define controls in a structured, simple, and understandable way:

  • Every control follows the same identification schema and structure
  • Controls are written in Markdown
  • An Excel tool presents maturity levels, the risk areas represented by the NO MONKEY Security Matrix, and implementation status

Control Header:

  • NIST Security Function
  • NIST Category
  • IPAC Model
  • SAP Technology
  • Maturity Level
  • Defender (People, Process, Technology)
  • Control Prerequisite

Appendix A lists the acronyms used in either the control header or the naming convention for controls.

Control Structure:

  • Description of the control
  • Implementing the control
  • Verification of the control
  • References



SAP Internet Research

Make sure you have the appropriate authorization before actively scanning and testing applications; scanning without it may have legal consequences.

The SAP Internet Research project aims to help organizations and security professionals identify and discover open SAP services facing the internet. This allows them to further test these services for potential threats that might affect the SAP applications in their organizations.

Objectives:

  • To allow security professionals to identify and discover the internet-facing SAP applications used by their organization
  • To demonstrate to organizations the risk posed by internet-facing SAP applications
  • To align the research results to a single organization in order to demonstrate SAP technology risk
  • To allow contribution to the SAP Internet Research project

WIIFM (What’s In It For Me)

The different research areas of the project can benefit you as follows:

  • Using different port scanners to discover your organization’s open SAP services that are published to the internet; the services included in the project are:
    • SAPRouter
    • SAP Gateway
    • SAP Internet Graphics Server
    • SAP Message Server Internal Port
    • HANA Database
  • Conducting further analysis on the discovered services
  • Aligning discovery with the Core Business Application Security (CBAS) – Security Aptitude Assessment
  • Monitoring services within your organization’s IP block that might get published due to misconfiguration

OWASP CBAS project:

Three areas within the NO MONKEY Security Matrix can benefit from the SAP Internet Research project:

  1. Identify – NIST Security Functions
  2. Detect – NIST Security Functions
  3. Integration – IPAC Model

Identify | Integration

When applied to a single organization, the results from the SAP Internet Research project can aid organizations to further concentrate their efforts in the IDENTIFY and INTEGRATION quadrant of the NO MONKEY Security Matrix.

Detect | Integration

Another area of benefit is the DETECT and INTEGRATION quadrant: the research allows organizations to automate their monitoring for SAP applications being published to the internet. If publishing an application is not a requirement and it was exposed through misconfiguration, the organization is then able to detect it.
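The two quadrants above map onto one small workflow: enumerate the SAP service ports on your public IP block (Identify | Integration), then compare what answers against the exposures the business has explicitly signed off, so that anything else is flagged as a misconfiguration (Detect | Integration). The script below is an added example written for this page, not tooling from the CBAS or SAP Internet Research projects. It assumes the usual SAP default port conventions ("NN" being the two-digit instance number); these are configurable, so confirm them against your own landscape. The hosts, instance numbers and the approved-exposure set are constructed sample data (TEST-NET-3 addresses), and `fake_probe` stands in for the real TCP connect so the sample runs offline.

```python
"""Discover exposed SAP services on an IP block and diff them against an
approved-exposure baseline.  Added example; not CBAS project code.

Assumptions: default SAP port conventions below (configurable in real
landscapes), constructed sample hosts/ports, and that you are authorised
to scan the addresses you pass to tcp_probe.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, Set, Tuple

# Assumed default listener ports for the services covered by the SAP Internet
# Research project. "NN" = SAP instance number 00..99.
SAP_PORT_TEMPLATES: Dict[str, str] = {
    "SAProuter": "3299",
    "SAP Gateway": "33NN",
    "SAP Message Server internal port": "39NN",   # should never face the internet
    "SAP Internet Graphics Server (HTTP)": "4NN80",
    "SAP HANA SQL (tenant index server)": "3NN15",
}

Target = Tuple[str, int]          # (host, port)
Probe = Callable[[str, int], bool]


def expand_ports(instances: Iterable[int] = range(100)) -> Dict[int, str]:
    """Expand the templates into {port: service label} for the given instances."""
    ports: Dict[int, str] = {}
    for name, template in SAP_PORT_TEMPLATES.items():
        if "NN" not in template:
            ports[int(template)] = name
            continue
        for nn in instances:
            port = int(template.replace("NN", f"{nn:02d}"))
            ports[port] = f"{name}, instance {nn:02d}"
    return ports


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real probe: True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover(hosts: Iterable[str], ports: Dict[int, str],
             probe: Probe = tcp_probe, workers: int = 64) -> Dict[Target, str]:
    """Identify quadrant: return {(host, port): service} for every port that answers."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda t: (t, probe(t[0], t[1])), targets))
    return {t: ports[t[1]] for t, is_open in hits if is_open}


def unexpected_exposure(found: Dict[Target, str], approved: Set[Target]) -> Dict[Target, str]:
    """Detect quadrant: services reachable from the internet that nobody signed off."""
    return {t: svc for t, svc in found.items() if t not in approved}


# --- constructed sample data (TEST-NET-3 documentation addresses) -------------
SAMPLE_OPEN: Set[Target] = {
    ("203.0.113.10", 3299),   # SAProuter, intentionally published
    ("203.0.113.10", 3300),   # Gateway of instance 00, exposed by misconfiguration
    ("203.0.113.11", 30015),  # HANA tenant SQL port of instance 00, exposed
}
APPROVED: Set[Target] = {("203.0.113.10", 3299)}


def fake_probe(host: str, port: int) -> bool:
    """Offline stand-in for tcp_probe that answers from SAMPLE_OPEN."""
    return (host, port) in SAMPLE_OPEN


def run_sample() -> Dict[Target, str]:
    """Scan the sample block for instances 00..02 and return the unapproved hits."""
    ports = expand_ports(instances=range(0, 3))
    found = discover(["203.0.113.10", "203.0.113.11"], ports, probe=fake_probe)
    return unexpected_exposure(found, APPROVED)


if __name__ == "__main__":
    for (host, port), service in sorted(run_sample().items()):
        print(f"UNEXPECTED {host}:{port}  {service}")
```

Running it against the sample data reports the Gateway and HANA SQL ports as unexpected and stays silent about the SAProuter, which is in the approved set. For real use, swap `fake_probe` for `tcp_probe`, feed in the IP block you are authorized to scan, and keep the approved set under change control so that a new hit is a finding rather than noise.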



Areas of Contribution

We have different areas and projects we would love your help with. You don’t need to be a security expert to help out: if you enjoy developing new tools, designing pages, creating documentation, or even translating, we want you!

We have created and adopted different projects that cover people, processes, and technologies when securing SAP applications. Contribution to one or all of these projects is welcome.

CBAS-SAP (Project structure)
├── Security Aptitude Assessment (SAA)
├── Security Maturity Model (SMM)
└── SAP Internet Research

If you want to help and contribute but are not sure how, contact us; we are happy to discuss it.


Contributors

With the help and support from the security community, we are continuously adding projects and tools that support the CBAS project.

The projects and tools support the different areas addressed in the CBAS project. The structure for the CBAS project is as follows:

CBAS-SAP
├── Security Aptitude Assessment (SAA)
├── Security Maturity Model (SMM)
└── SAP Internet Research

Anyone is welcome to contribute their projects and tools to enhance the different areas of the CBAS project; contact us and tell us more.
