Main Page
BIZEC - Mission
The Business Application Security Initiative (BIZEC.org) is a non-profit organization with a focus on security defects in business applications. These applications are responsible for processing and managing the most critical business information and processes. Their protection is a key subject for private, governmental and defense organizations around the globe.
To this day, many security professionals believe that ERP security is synonymous with "Segregation of Duties". While functional security is highly important, there are many other threats which introduce higher levels of risk and are not usually assessed properly. The work of BIZEC is centered on risk rather than on technical details. This enables organizations to understand the true impact of application security vulnerabilities and prioritize their mitigation accordingly.
The main goals of BIZEC are:
- Raise awareness, by demonstrating that ERP security must be analyzed holistically.
- Analyze current and future threats affecting ERP systems.
- Serve as a unique central point of knowledge and reference in this subject.
- Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
- Organize events with the community to share and exchange knowledge.
BIZEC does not endorse or recommend commercial products or services, with the objective of remaining a vendor-independent community and providing the best available information free of commercial bounds and restrictions.
BIZEC SAP Project
Since SAP is the dominant ERP vendor, BIZEC's first project focuses on issues affecting the security of SAP business applications. BIZEC describes several SAP Security Features built into the SAP Standard that are designed to achieve the SAP protection goals. It is important to understand which features are in place and which protection goals are important in your business context.
As SAP solutions comprise several technological and business layers, we have structured content accordingly to provide organized and useful information. Currently, the SAP project is composed of the following subprojects:
- BIZEC APP11: Top security defects affecting custom ABAP applications.
- BIZEC TEC11: Top security defects affecting the technological components of SAP implementations.
Current activities
Mark your calendars: The 4th BIZEC workshop will take place at the Troopers conference on March 17, 2015.
The 4th BIZEC workshop will be focused on SAP Attacks, Defenses & Forensics.
Participants will be challenged to spot weaknesses in the defense setup of our demo systems. This challenge will take place in the spirit of a "Capture The Flag" (CTF) competition. As we are aware that not all participants have deep technical understanding, the CTF activities will be guided. Once the participants are able to penetrate the defenses, we will discuss countermeasures and analyze to what degree the attacks are detectable by SAP standard logging and monitoring. The technological basis will be AS ABAP as well as HANA.
Participants need to bring their own laptop (SAP GUI installation required).
Here is our current agenda, packed with first-class expert know-how:
SAP® Security 2015 – Attack, Defense & Forensics
| Time | Session | Speaker |
|---|---|---|
| 09:00 | Welcome & Introduction to BIZEC and its mission | |
| 09:10 | CTF challenge number 1 (AS ABAP) | Ralf Kempf, akquinet |
| 10:00 | CTF challenge number 2 (HANA) | Juan Perez-Etchegoyen, Onapsis |
| 10:50 | Coffee Break & Time To Meet The Experts | |
| 11:00 | CTF challenge number 3 (AS ABAP) | Joris van de Vis, ERP SEC |
| 11:50 | CTF challenge number 4 (AS ABAP - Backdoors) | Andreas Wiegenstein, Virtual Forge |
| 12:30 | Lunch Break & Time To Meet The Experts | |
| 13:30 | Open Discussion with all presenting BIZEC partners (akquinet, axl&trax, CSI-Tools, ERP SEC, Onapsis, Virtual Forge) on the CTF outcome as well as "How to Fix" strategies / Demos | |
| 15:15 | Coffee Break & Time To Meet The Experts | |
| 15:30 | "Who can really do what in SAP ECC?" - Detecting role anomalies and wrong audit reports | Johan Hermans, CSI Tools |
| 16:15 | "Willing to make a change in SAP ECC?" - Exploring audit trails and logs in SAP | Wouter Janssen, axl & trax |
| 17:00 | Final discussion round with all presenting BIZEC partners & feedback | |
| 17:30 | BIZEC workshop ends. Transfer to Networking Dinner. | |
| 18:00 | Networking Dinner (open end) | |
Read the blog post about our 2014 event, "The BIZEC SAP Security Workshop 2014 - In Retrospective", and download all the talks.
BIZEC Contribution
Since we are strongly convinced that the discipline of business application security is still in its infancy, much research remains to be done. We therefore encourage individuals and companies to support this project.
For details on how to join BIZEC, please visit the "How to become a Member" section of the Members page.
Join BIZEC. Contribute.