Protecting SAP HANA from vulnerabilities and exploits

Presented at TROOPERS17 (2017), March 22, 2017, 1:30 p.m. (Unknown duration).

SAP considers SAP HANA to be the most important technology among its offerings; S/4HANA, HANA Cloud Platform and other products rely heavily on its power to process big data at a fast pace.

It has already been adopted by more than 7,200 customers worldwide, including governments and aerospace and defense, automotive and healthcare companies, to name a few. Conceived and designed to be the underlying database for every future SAP System, it stores all business-critical information that keeps a company running.

Over the past few years, SAP has included new features in SAP HANA to fulfill its customers' business needs. However, as a result, these features have increased the platform's attack surface.

During this presentation, we'll analyze the evolution of SAP HANA security from its beginning to its latest version, 2.0, which was recently released. Attendees will understand how the platform evolved through architectural changes and through the vulnerabilities addressed by SAP. This presentation will cover the process of vulnerability discovery and the evaluation of fixes, including some of the critical bugs uncovered by our research team.

Finally, we will share our recommendations for how organizations can protect their SAP HANA platform against attackers, and will provide guidelines for effectively auditing and assessing SAP HANA Systems.


Presenters:

  • Nahuel Sanchez
    Nahuel D. Sanchez is a security researcher at Onapsis. Being a member of Onapsis Research Labs, his work focuses on performing extensive research of SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporters of vulnerabilities in SAP products and is a frequent author of the publication "SAP Security In-Depth". He previously worked as a security consultant, evaluating the security of Web applications and participating in Penetration Testing projects. His areas of interest include Web security, reverse engineering, and the security of Business-Critical applications.
  • Pablo Artuso
    Pablo is a security researcher at the Onapsis Research Labs. His work is focused on the analysis and research of SAP and Oracle components. As a result of his research, he has reported and published several vulnerabilities in different SAP solutions such as SAP HANA and SAP NetWeaver. Moreover, Pablo works closely with the Innovation team, contributing to the development of cutting-edge technologies to boost Onapsis products.
