OWASP Core Business Application Security

Introduction

The Core Business Application Security (CBAS) project aims to allow organizations that use enterprise business applications to define an achievable, tailored approach with actionable targets and measurable results, one that scales by strengthening people, leveraging processes, and enhancing the use of tools. CBAS combines different industry standards and the expertise of various security professionals into a comprehensive framework that aligns enterprise application security measures with the organization’s security strategy. The result is a framework that improves the security governance of enterprise application technology.

Background

Core business applications, also called enterprise business applications, benefit organizations in several ways. These benefits include:

  • Combining different business processes under one solution
  • Improving business performance
  • Higher productivity by eliminating redundant processes
  • Flexibility and mobility
  • Easier collaboration between different organizational teams
  • Centralized data

Despite these numerous benefits, the security threats to such solutions have not decreased, and maintaining, implementing, and deploying security controls and information security standards around them still faces challenges. These challenges include:

  • Little to no understanding of the solutions in place
  • Security professionals not involved in the initial phases of deploying and implementing such solutions
  • Security controls being built after the solution is already operational, causing pushback from business units

NO MONKEY Security Matrix

The NO MONKEY Security Matrix combines elements of the security operational functions defined by NIST with the IPAC model (created by NO MONKEY and explained below) into a functional graph. The Security Matrix serves as a starting point to:

  • Visually show what areas within an organization can be improved
  • Identify responsibility and knowledge gaps that are aligned to the areas of the Security Matrix

IPAC model

NO MONKEY defined the following four security areas to focus security topics on a core business application. The areas are:

  • Integration: focuses on the different integration scenarios within the systems themselves, as well as on third-party tools integrating with a core business application environment, including proprietary and non-proprietary communication protocols and interfaces. Topics include secure architecture, security design, and general security operation concepts.

  • Platform: covers the vulnerabilities, hardening, and configuration of the core business applications, including the review of security features and weaknesses in the software’s operation, setup, and security management.
  • Access: covers access control and user authorization measures and methodologies for core business applications.
  • Customization: covers the customization of core business applications, including change management, custom code, business customizing, legacy interfaces, and add-ons.

Objectives

While there are many enterprise solutions available, SAP has proven to dominate the ERP market. With that in mind, the initial CBAS project release focuses on SAP solutions (CBAS-SAP).

The CBAS-SAP objectives and goals are defined on the Objectives page.

Getting Started

The video below illustrates how to get started with the Security Aptitude Assessment and Analysis, which forms the first part of the CBAS project.
The HOW-TO page and the Getting Started page also give an overview of how to start your assessment and analysis.

Contribution

See the CONTRIBUTING section for more information.


“The more survey takers there are, the better the results and analysis become to understand the gap areas within your organization.”

To get started, download a copy of the “Security_Aptitude_Analysis”, “SAA_Assessment” and “Survey” documents from the Analysis folder or the Downloads tab.

Assessment requirements:

  • Each assessment must be uniquely identified by an ID number (e.g. 1, 2, 3, …).

  • The “Data” sheet inside the assessment should be exported to the generic file “Survey.xlsx”.

  • Once you have copied or exported the data to the “Survey.xlsx” file, edit the data source path in the “Security_Aptitude_Analysis” file so that it points to your preferred location.

  • When you open the “Security_Aptitude_Analysis” file, it will prompt you to update the data source (whether this prompt appears depends on the Excel version you are running).

  • To update the data source manually, navigate to Data > Edit Links.

  • Then change the source to your preferred path.

  • After changing the data source, whenever you export or copy new data into the “Survey” file, refresh the “Security_Aptitude_Analysis” file to pick up the recent changes: navigate to Data > Refresh All.

CBAS Projects RoadMap

Objectives and goals are defined in the Objectives document. All tasks that enable the success of a project are first raised under the Projects section and then separated into five different areas:

  • Plan
  • Development
  • Design
  • Research and Development

To ensure that the objectives of the CBAS project are achieved, the roadmap defines a set of goals for each objective.

All tasks created to achieve a specific goal are defined in the Projects section. Once a task has been identified as a priority, it is converted to an ISSUE and placed in the “To Do” column of the Projects section.

When converting tasks to issues, label them with their respective labels so that they can be identified properly.

Example:

  • The task below is associated with one of the goals for achieving the first objective, so it is labeled with both the OBJ01 and G01 labels.

On every minor or major release of any aspect of the project, we follow a simple yet effective testing cycle:

  • Test
  • Adjust
  • Implement

Tag Legend

  OBJ  Objective
  G    Goal

Objectives

Version  Date        Author
V1.0     01/06/2020  Waseem Ajrab

The success criteria of each objective are defined by the completion of the goals associated with that objective.

Objectives and goals may be added, adjusted, or modified as further requirements arise.

Objective 1

To provide an assessment methodology that security professionals can use to assess and evaluate SAP security across the different platforms, products, integrations, and security areas within their organization.

Goals

  • Creating an assessment that identifies gaps against the NO MONKEY Security Matrix
  • Tuning and improving the assessment analysis
  • Identifying and mapping technology and process areas to be included in the assessment

Objective 2

To help organizations enable and adopt a personalized SAP security assessment methodology based on a framework that promotes people, processes, and the use of technologies.

Goals

  • Automating the assessment methodology

Objective 3

To raise awareness among security professionals of the threats and risks that SAP solutions can present within an organization.


The documents below provide organizations and individuals with the information needed to conduct the Security Aptitude Analysis (SAA) and perform the analysis required to determine the operational gaps within the NO MONKEY Security Matrix.

Required documents:

The How-To page and the Getting Started page will help you get started with the analysis and assessment.


Areas of Contribution

There are several areas in which we would love your help, and you don’t need to be a security expert to contribute. If you enjoy developing new tools, designing pages, creating documentation, or even translating, we want you!

We follow an agile methodology in creating the project’s roadmap and developing the CBAS project. The Roadmap page gives a clear idea of how we plan to develop our first area of concentration, CBAS-SAP, and the Project map may also help you decide where to contribute.

If you still want to help but are not sure how, contact us and we will be happy to discuss it.