Main Page

From Bizec.org - The Business Security Community

BIZEC - Mission

The Business Application Security Initiative (BIZEC.org) is a non-profit organization with a focus on security defects in business applications. These applications are responsible for processing and managing the most critical business information and processes. Their protection is a key subject for private, governmental and defense organizations around the globe.

To this day, many security professionals believe that ERP security is synonymous with "Segregation of Duties". While functional security is highly important, there are many other threats that introduce higher levels of risk and are not usually assessed properly. The work of BIZEC is centered on risk rather than on technical details. This enables organizations to understand the true impact of application security vulnerabilities and prioritize their mitigation accordingly.

The main goals of BIZEC are:

  • Raise awareness, by demonstrating that ERP security must be analyzed holistically.
  • Analyze current and future threats affecting ERP systems.
  • Serve as a unique central point of knowledge and reference in this subject.
  • Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
  • Organize events with the community to share and exchange knowledge.

BIZEC does not endorse or recommend commercial products or services, with the objective of remaining a vendor-independent community and providing the best available information free of commercial bounds and restrictions.

BIZEC SAP Project

Since SAP is the dominating ERP vendor, BIZEC’s first project focuses on issues affecting the security of SAP business applications. BIZEC describes several SAP Security Features built into the SAP Standard that are designed to achieve the SAP protection goals. It's important to understand which features are in place and which protection goals are important in your business context.

As SAP solutions comprise several technological and business layers, we have structured content accordingly to provide organized and useful information. Currently, the SAP project is composed of the following subprojects:

  • BIZEC APP11: Top security defects affecting custom ABAP applications.
  • BIZEC TEC11: Top security defects affecting the technological components of SAP implementations.

Current activities

Mark your calendars: The 4th BIZEC workshop will take place at the Troopers conference on March 17, 2015.

The 4th BIZEC workshop will be focused on SAP Attacks, Defenses & Forensics.

Participants will be challenged to spot weaknesses in the defense setup of our demo systems. This challenge will take place in the spirit of a "Capture The Flag" (CTF) competition. As we are aware that not all participants have deep technical understanding, the CTF activities will be guided. Once the participants are able to penetrate the defenses, we will discuss countermeasures and analyze to what degree the attacks are detectable by SAP standard logging and monitoring. The technological basis will be AS ABAP as well as HANA.

Participants need to bring their own laptop (SAP GUI installation required).


Here is our current agenda, packed with first-class expert know-how:

SAP® Security 2015 – Attack, Defense & Forensics

09:00 Welcome & Introduction to BIZEC and its mission
09:10 CTF challenge number 1 (AS ABAP)
Ralf Kempf, akquinet
10:00 CTF challenge number 2 (HANA)
Juan Perez-Etchegoyen, Onapsis
10:50 Coffee Break & Time To Meet The Experts
11:00 CTF challenge number 3 (AS ABAP)
Joris van de Vis, ERP SEC
11:50 CTF challenge number 4 (AS ABAP - Backdoors)
Andreas Wiegenstein, Virtual Forge
12:30 Lunch Break & Time to Meet The Experts
13:30 Open Discussion with all presenting BIZEC partners (akquinet, axl&trax, CSI-Tools, ERP SEC, Onapsis, Virtual Forge) on the CTF outcome as well as “How to Fix” strategies / Demos
15:15 Coffee Break & Time To Meet The Experts
15:30 "Who can really do what in SAP ECC?" - Detecting role anomalies and wrong audit reports
Johan Hermans, CSI Tools
16:15 "Willing to make a change in SAP ECC?" - Exploring audit trails and logs in SAP
Wouter Janssen, axl & trax
17:00 Final discussion round with all presenting BIZEC partners & feedback
17:30 BIZEC workshop ends. Transfer to Networking Dinner.
18:00 Networking Dinner (open end)

Read the blog post about our 2014 event and download all the great talks: "The BIZEC SAP Security Workshop 2014 - In Retrospective".

BIZEC Contribution

Since we are strongly convinced that the discipline of business application security is still in its infancy, there is still much research to be done. Thus we encourage individuals and companies to support this project.

For details on how to join BIZEC, please visit the "How to become a Member" section of the Members page.

Join BIZEC. Contribute.

Retrieved from "www.bizec.org/index.php?title=Main_Page&oldid=317"