https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=AlexanderOWASP - User contributions [en]2026-05-27T07:59:14ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Projects/OWASP_Enterprise_Application_Security_Project&diff=235844Projects/OWASP Enterprise Application Security Project2017-11-29T08:49:00Z<p>Alexander: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
| project_name = OWASP Enterprise Application Security Project<br />
| project_home_page = OWASP Enterprise Application Security Project<br />
<br />
| project_description =<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guideline for EA security assessment. <br />
<br />
| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0'''] <br />
<br />
| leader_name1 = Alexander Polyakov<br />
| leader_email1 = a.polyakov@erpscan.com<br />
| leader_username1 = Alexander<br />
<br />
| contributor_name2 = Dmitriy Chastuhin <br />
| contributor_email2 = chipik2@gmail.com <br />
| contributor_username2 =<br />
<br />
<br />
| pamphlet_link = <br />
<br />
| presentation_link = <br />
<br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-eas<br />
<br />
| project_road_map = http://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project/Roadmp<br />
<br />
| links_url1 = http://erpscan.com/<br />
| links_name1 = ERPSCAN Enterprise Security Software and Services <br />
<br />
| links_url2 = http://eas-sec.org/<br />
| links_name2 = EAS-SEC<br />
<br />
<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP Enterprise Application Security Project<br />
}}</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Application_Vulnerability_Statistics&diff=235843Enterprise Application Vulnerability Statistics2017-11-29T08:41:16Z<p>Alexander: /* Authors */</p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show a result of statistical research in the business application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what kind of tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still don’t pay much attention to enterprise business application area, as we see during our and our collegues' researches and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. The purpose of those surveys is to increase awareness about business application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
[http://erpscan.com/wp-content/uploads/2014/02/SAP-Security-in-Figures-A-Global-Survey-2013.pdf SAP Security In Figures – A Global Survey 2013]<br />
<br />
<br />
Links:<br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Dmitry Chastukhin<br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=User:Alexander&diff=235842User:Alexander2017-11-29T08:39:39Z<p>Alexander: </p>
<hr />
<div>A Founder of ERPScan. His expertise covers security of enterprise business-critical software like ERP, CRM, SRM, banking and processing software. He is the manager of OWASP-EAS (OWASP subproject), a well-known security expert of the enterprise applications of such vendors as SAP and Oracle, who published a significant number of the vulnerabilities found in the applications of these vendors with acknowledgements from SAP. He is the writer of multiple whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures". Alexander were invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around globe as well as in internal workshops for SAP and fortune 500 companies.</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=235841OWASP Enterprise Application Security Project2017-11-29T08:38:04Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div><br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation, or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
The latest project information can be found here <nowiki>http://eas-sec.org</nowiki> <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
[[Enterprise Application Vulnerability Statistics]] <br />
<br />
2 Help companies to begin the assessment of enterprise applications <br />
<br />
[[Enterprise Application Security Vulnerability Assessment]] <br />
<br />
3 Help companies to securely develop and customize business applications<br />
<br />
[[Enterprise Application Security Development Issues]] <br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project|Enterprise Application Security Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Application_Vulnerability_Statistics&diff=172607Enterprise Application Vulnerability Statistics2014-04-13T23:14:01Z<p>Alexander: </p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show a result of statistical research in the business application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what kind of tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still don’t pay much attention to enterprise business application area, as we see during our and our collegues' researches and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. The purpose of those surveys is to increase awareness about business application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
[http://erpscan.com/wp-content/uploads/2014/02/SAP-Security-in-Figures-A-Global-Survey-2013.pdf SAP Security In Figures – A Global Survey 2013]<br />
<br />
<br />
Links:<br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Nikolay Mescherin, Kirill Nikitenkov, Dmitry Chastukhin, Dmitry Evdokimov<br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Application_Vulnerability_Statistics&diff=172606Enterprise Application Vulnerability Statistics2014-04-13T23:12:23Z<p>Alexander: </p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show a result of statistical research in the business application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what kind of tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still don’t pay much attention to enterprise business application area, as we see during our and our collegues' researches and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: <br />
<br />
• Network architecture security <br />
<br />
• OS security <br />
<br />
• Database security <br />
<br />
• Application security <br />
<br />
• Front-end security <br />
<br />
Each of the described layers may have their own vulnerabilities that can give an attacker full access to business data, even if other layers are fully secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness about business application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
[http://erpscan.com/wp-content/uploads/2014/02/SAP-Security-in-Figures-A-Global-Survey-2013.pdf SAP Security In Figures – A Global Survey 2013]<br />
<br />
<br />
Links:<br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Nikolay Mescherin, Kirill Nikitenkov, Dmitry Chastukhin, Dmitry Evdokimov<br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Application_Security_Development_Issues&diff=172605Enterprise Application Security Development Issues2014-04-13T23:10:17Z<p>Alexander: Created page with " === Development Issues === == Objective == This document will describe different areas of program vulnerabilities that can be found in the source code of Enterprise Busin..."</p>
<hr />
<div><br />
=== Development Issues ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in the source code of Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write custom code such as ABAP for SAP, PeopleCode for PeopleSoft, X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and much, much more. Here, we will try to categorize them into 9 main areas filtered by criticality. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon. <br />
<br />
== 9 most critical types of issues in source code [EASSEC-ASDI-9-2013] ==<br />
<br />
<br>1 Injections (code, SQL, OS)<br />
<br>2 Critical calls (to DB, to OS)<br />
<br>3 Missing or bad access control checks (missing auth checks)<br />
<br>4 Directory / path traversal (write, read, SMBRelay)<br />
<br>5 Modification of displayed content (XSS stored, XSS linked, JS/HTML injections)<br />
<br>6 Backdoors (hardcoded credentials)<br />
<br>7 Covert channels (sockets, HTTP calls, SSRFs)<br />
<br>8 Information disclosure (hardcoded users, passwords, debug information) <br />
<br>9 Obsolete statements (READ TABLE, kernel methods)<br />
<br />
<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
<br />
Alexander Minozhenko<br />
<br />
Pavel Kuzmin</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Application_Security_Vulnerability_Assessment&diff=172604Enterprise Application Security Vulnerability Assessment2014-04-13T23:05:06Z<p>Alexander: </p>
<hr />
<div>=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start self-assessment of their systems to find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give an attacker full access to business data, even if other layers are completely secured. <br />
<br />
All of the data was collected and categorized during our extensive experience of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
In this document, we will describe top 10 violations for every layer of Enterprise Business Applications that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues - 2010 ==<br />
<br />
1 Lack of proper network filtration between EA and corporate network<br><br />
2 Lacking or vulnerable encryption between corporate network and EA network<br><br />
3 Lack of separation between Test, Dev, and Prod systems<<br><br />
4 Lack of encryption inside EA network<br><br />
5 Insecure trust relations between components<br><br />
6 Insecurely configured Internet-facing applications <br><br />
7 Vulnerable or default configuration of routers<br><br />
8 Lack of frontend access filtration<br><br />
9 Lacking or misconfigured IDS/IPS<br><br />
10 Insecure or inappropriate wireless comunications<br />
<br />
== Top 10 OS issues - 2010 ==<br />
<br />
1 Unnecessary enabled services<br><br />
2 Missing 3rd party software patches<br><br />
3 Insecure trust relations<br><br />
4 Universal OS passwords<br><br />
5 Missing OS patches<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Lacking or misconfigured monitoring<br><br />
8 Insecure internal acces control <br><br />
9 Unencrypted remote access <br><br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues - 2010 ==<br />
<br />
1 Default passwords for DB access<br><br />
2 Lack of DB patch management<br><br />
3 Unnecessary enabled DB features <br><br />
4 Lack of password lockout/complexity checks<br><br />
5 Unencrypted sensitive data transport / data<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Extensive user and group privileges<br><br />
8 Lacking or misconfigured audit<br><br />
9 Insecure trust relations<br><br />
10 Open additional interfaces<br />
<br />
== Top 10 Frontend issues - 2010 ==<br />
<br />
1 Vulnerable frontend applications<br><br />
2 Lack of server trust check<br><br />
3 Lack of encryption<br><br />
4 Autocomplete enabled in the browser <br><br />
5 Insecure browser scripting options<br><br />
6 Insecure configuration <br><br />
7 Insecure sortware distribution service<br><br />
8 Lack of AV software<br><br />
9 Password stored in configuration file<br><br />
10 Sensitive information storage<br />
<br />
== Top 9 Application issues - 2014 ==<br />
<br />
1. Lack of patch management<br><br />
2. Default passwords for application access<br><br />
3. Unnecessary enabled functionality<br><br />
4. Open remote management interfaces<br><br />
5. Insecure configuration<br><br />
6. Unencrypted communication<br><br />
7. Access control and SoD<br><br />
8. Insecure trust relations<br><br />
9. Logging and monitoring<br><br />
<br />
== Links ==<br />
<br />
[EASSEC-PVAG-ABAP] THE SAP NETWEAVER ABAP PLATFORM VULNERABILITY ASSESSMENT GUIDE 2014<br />
<br />
http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/<br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Nikolay Mesherin<br />
Kirill Nikitenkov</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Application_Security_Vulnerability_Assessment&diff=172603Enterprise Application Security Vulnerability Assessment2014-04-13T23:04:19Z<p>Alexander: Created page with "=== Implementation guides === == Objective == This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Her..."</p>
<hr />
<div>=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start self-assessment of their systems to find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give an attacker full access to business data, even if other layers are completely secured. <br />
<br />
All of the data was collected and categorized during our extensive experience of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
In this document, we will describe top 10 violations for every layer of Enterprise Business Applications that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues - 2010 ==<br />
<br />
1 Lack of proper network filtration between EA and corporate network<br><br />
2 Lacking or vulnerable encryption between corporate network and EA network<br><br />
3 Lack of separation between Test, Dev, and Prod systems<<br><br />
4 Lack of encryption inside EA network<br><br />
5 Insecure trust relations between components<br><br />
6 Insecurely configured Internet-facing applications <br><br />
7 Vulnerable or default configuration of routers<br><br />
8 Lack of frontend access filtration<br><br />
9 Lacking or misconfigured IDS/IPS<br><br />
10 Insecure or inappropriate wireless comunications<br />
<br />
== Top 10 OS issues - 2010 ==<br />
<br />
1 Unnecessary enabled services<br><br />
2 Missing 3rd party software patches<br><br />
3 Insecure trust relations<br><br />
4 Universal OS passwords<br><br />
5 Missing OS patches<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Lacking or misconfigured monitoring<br><br />
8 Insecure internal acces control <br><br />
9 Unencrypted remote access <br><br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues - 2010 ==<br />
<br />
1 Default passwords for DB access<br><br />
2 Lack of DB patch management<br><br />
3 Unnecessary enabled DB features <br><br />
4 Lack of password lockout/complexity checks<br><br />
5 Unencrypted sensitive data transport / data<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Extensive user and group privileges<br><br />
8 Lacking or misconfigured audit<br><br />
9 Insecure trust relations<br><br />
10 Open additional interfaces<br />
<br />
== Top 10 Frontend issues - 2010 ==<br />
<br />
1 Vulnerable frontend applications<br><br />
2 Lack of server trust check<br><br />
3 Lack of encryption<br><br />
4 Autocomplete enabled in the browser <br><br />
5 Insecure browser scripting options<br><br />
6 Insecure configuration <br><br />
7 Insecure sortware distribution service<br><br />
8 Lack of AV software<br><br />
9 Password stored in configuration file<br><br />
10 Sensitive information storage<br />
<br />
== Top 9 Application issues - 2014 ==<br />
<br />
1. Lack of patch management<br><br />
2. Default passwords for application access<br><br />
3. Unnecessary enabled functionality<br><br />
4. Open remote management interfaces<br><br />
5. Insecure configuration<br><br />
6. Unencrypted communication<br><br />
7. Access control and SoD<br><br />
8. Insecure trust relations<br><br />
9. Logging and monitoring<br><br />
<br />
== Links ==<br />
<br />
[EASSEC-PVAG-ABAP] THE SAP NETWEAVER ABAP PLATFORM VULNERABILITY ASSESSMENT GUIDE 2014<br />
http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/<br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Nikolay Mesherin<br />
Kirill Nikitenkov</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Application_Vulnerability_Statistics&diff=172602Enterprise Application Vulnerability Statistics2014-04-13T23:00:56Z<p>Alexander: Created page with "==== Statistics ==== == Objective == This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Ap..."</p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show a result of statistical research in the business application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what kind of tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still don’t pay much attention to enterprise business application area, as we see during our and our collegues' researches and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: <br />
<br />
• Network architecture security <br />
<br />
• OS security <br />
<br />
• Database security <br />
<br />
• Application security <br />
<br />
• Front-end security <br />
<br />
Each of the described layers may have their own vulnerabilities that can give an attacker full access to business data, even if other layers are fully secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness about business application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Nikolay Mescherin, Kirill Nikitenkov, Dmitry Chastukhin, Dmitry Evdokimov<br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=172601OWASP Enterprise Application Security Project2014-04-13T22:58:59Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation, or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
[[Enterprise Application Vulnerability Statistics]] <br />
<br />
2 Help companies to begin the assessment of enterprise applications <br />
<br />
[[Enterprise Application Security Vulnerability Assessment]] <br />
<br />
3 Help companies to securely develop and customize business applications<br />
<br />
[[Enterprise Application Security Development Issues]] <br />
<br />
4 Develop free tools for enterprise business applications assessment <br />
<br />
[[Enterprise Application Security Software]] <br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Software&diff=158523Enterprise Business Application Security Software2013-09-16T17:15:07Z<p>Alexander: </p>
<hr />
<div>==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here, information on tools and services that can be used for assessment of business applications will be available. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free tools that can help companies to assess the security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
<br>[http://online.erpscan.com test SAPGUI Security Online]<br />
<br>[http://erpscan.com/products/erpscan-pentesting-tool/ SAP Pentesting Tool by ERPScan]<br />
<br>[http://erpscan.com/products/erpscan-webxml-checker/ ERPScan's web.xml checker]<br />
<br>[http://www.metasploit.com/modules/auxiliary/scanner/sap Metasploit modules for SAP Pentesting]<br />
<br />
== Links ==<br />
<br><br />
<br />
== Authors ==<br />
<br></div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Development_Issues&diff=158522Enterprise Business Application Security Development Issues2013-09-16T17:13:59Z<p>Alexander: </p>
<hr />
<div><br />
=== Development Issues ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in the source code of Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write custom code such as ABAP for SAP, PeopleCode for PeopleSoft, X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and much, much more. Here, we will try to categorize them into 9 main areas filtered by criticality. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon. <br />
<br />
== 9 most critical types of issues in source code (EASAD-9-2013) ==<br />
<br />
<br>1 Injections (code, SQL, OS)<br />
<br>2 Critical calls (to DB, to OS)<br />
<br>3 Missing or bad access control checks (missing auth checks)<br />
<br>4 Directory / path traversal (write, read, SMBRelay)<br />
<br>5 Modification of displayed content (XSS stored, XSS linked, JS/HTML injections)<br />
<br>6 Backdoors (hardcoded credentials)<br />
<br>7 Covert channels (sockets, HTTP calls, SSRFs)<br />
<br>8 Information disclosure (hardcoded users, passwords, debug information) <br />
<br>9 Obsolete statements (READ TABLE, kernel methods)<br />
<br />
<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
<br />
Alexander Minozhenko<br />
<br />
Pavel Kuzmin</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Development_Issues&diff=158521Enterprise Business Application Security Development Issues2013-09-16T17:13:28Z<p>Alexander: </p>
<hr />
<div><br />
=== Development Issues ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in the source code of Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write custom code such as ABAP for SAP, PeopleCode for PeopleSoft, X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and much, much more. Here, we will try to categorize them into 9 main areas filtered by criticality. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon. <br />
<br />
== 9 most critical types of issues in source code (EASAD-9-2013) ==<br />
<br />
<br>1 Injections (code, SQL, OS)<br />
<br>2 Critical calls (to DB, to OS)<br />
<br>3 Missing or bad access control checks (missing auth checks)<br />
<br>4 Directory / path traversal (write, read, SMBRelay)<br />
<br>5 Modification of displayed content (XSS stored, XSS linked, JS/HTML injections)<br />
<br>6 Backdoors (hardcoded credentials)<br />
<br>7 Covert channels (sockets, HTTP calls, SSRFs)<br />
<br>8 Information disclosure (hardcoded users, passwords, debug information) <br />
<br>9 Obsolete statements (READ TABLE, kernel methods)<br />
<br />
<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Alexander Minozhenko<br />
Pavel Kuzmin</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Implementation_Assessment&diff=158520Enterprise Business Application Security Implementation Assessment2013-09-16T17:09:10Z<p>Alexander: </p>
<hr />
<div>=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start self-assessment of their systems to find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give an attacker full access to business data, even if other layers are completely secured. <br />
<br />
All of the data was collected and categorized during our extensive experience of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
In this document, we will describe top 10 violations for every layer of Enterprise Business Applications that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues - 2010 ==<br />
<br />
1 Lack of proper network filtration between EA and corporate network<br><br />
2 Lacking or vulnerable encryption between corporate network and EA network<br><br />
3 Lack of separation between Test, Dev, and Prod systems<<br><br />
4 Lack of encryption inside EA network<br><br />
5 Insecure trust relations between components<br><br />
6 Insecurely configured Internet-facing applications <br><br />
7 Vulnerable or default configuration of routers<br><br />
8 Lack of frontend access filtration<br><br />
9 Lacking or misconfigured IDS/IPS<br><br />
10 Insecure or inappropriate wireless comunications<br />
<br />
== Top 10 OS issues - 2010 ==<br />
<br />
1 Unnecessary enabled services<br><br />
2 Missing 3rd party software patches<br><br />
3 Insecure trust relations<br><br />
4 Universal OS passwords<br><br />
5 Missing OS patches<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Lacking or misconfigured monitoring<br><br />
8 Insecure internal acces control <br><br />
9 Unencrypted remote access <br><br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues - 2010 ==<br />
<br />
1 Default passwords for DB access<br><br />
2 Lack of DB patch management<br><br />
3 Unnecessary enabled DB features <br><br />
4 Lack of password lockout/complexity checks<br><br />
5 Unencrypted sensitive data transport / data<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Extensive user and group privileges<br><br />
8 Lacking or misconfigured audit<br><br />
9 Insecure trust relations<br><br />
10 Open additional interfaces<br />
<br />
== Top 10 Frontend issues - 2010 ==<br />
<br />
1 Vulnerable frontend applications<br><br />
2 Lack of server trust check<br><br />
3 Lack of encryption<br><br />
4 Autocomplete enabled in the browser <br><br />
5 Insecure browser scripting options<br><br />
6 Insecure configuration <br><br />
7 Insecure sortware distribution service<br><br />
8 Lack of AV software<br><br />
9 Password stored in configuration file<br><br />
10 Sensitive information storage<br />
<br />
== Top 9 Application issues - 2013 ==<br />
<br />
1. Lack of patch management<br><br />
2. Default passwords for application access<br><br />
3. Unnecessary enabled functionality<br><br />
4. Open remote management interfaces<br><br />
5. Insecure configuration<br><br />
6. Unencrypted communication<br><br />
7. Access control and SoD<br><br />
8. Insecure trust relations<br><br />
9. Logging and monitoring<br><br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky<br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Nikolay Mesherin<br />
Kirill Nikitenkov</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics&diff=158519Enterprise Business Application Vulnerability Statistics2013-09-16T17:01:34Z<p>Alexander: </p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show a result of statistical research in the business application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what kind of tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still don’t pay much attention to enterprise business application area, as we see during our and our collegues' researches and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: <br />
<br />
• Network architecture security <br />
<br />
• OS security <br />
<br />
• Database security <br />
<br />
• Application security <br />
<br />
• Front-end security <br />
<br />
Each of the described layers may have their own vulnerabilities that can give an attacker full access to business data, even if other layers are fully secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness about business application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Nikolay Mescherin, Kirill Nikitenkov, Dmitry Chastukhin, Dmitry Evdokimov<br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics&diff=158518Enterprise Business Application Vulnerability Statistics2013-09-16T16:57:31Z<p>Alexander: </p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show a result of statistical research in the business application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what kind of tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still don’t pay much attention to enterprise business application area, as we see during our and our collegues' researches and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: <br />
• Network architecture security <br />
• OS security <br />
• Database security <br />
• Application security <br />
• Front-end security <br />
<br />
Each of the described layers may have their own vulnerabilities that can give an attacker full access to business data, even if other layers are fully secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness about business application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
<br />
<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Nikolay Mescherin, Kirill Nikitenkov, Dmitry Chastukhin, Dmitry Evdokimov<br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=158517OWASP Enterprise Application Security Project2013-09-16T16:48:11Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation, or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
[[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
2 Help companies to begin the assessment of enterprise applications <br />
<br />
[[Enterprise Business Application Security Implementation Assessment]] <br />
<br />
3 Help companies to securely develop and customize business applications<br />
<br />
[[Enterprise Business Application Security Development Issues]] <br />
<br />
4 Develop free tools for enterprise business applications assessment <br />
<br />
[[Enterprise Business Application Security Software]] <br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Implementation_Assessment&diff=158486Enterprise Business Application Security Implementation Assessment2013-09-15T21:53:37Z<p>Alexander: </p>
<hr />
<div>=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured. <br />
<br />
All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues - 2010 ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br><br />
2 Lack or vulnerable encryption between corp net and EA Network<br><br />
3 Lack of separation between Test, Dev, and Prod system<<br><br />
4 Lack of encryption inside EA Network<br><br />
5 Insecure trusted relations between components<br><br />
6 Insecurely configured Internet facing applications <br><br />
7 Vulnerable / default configuration of routers<br><br />
8 Lack of frontend access filtration<br><br />
9 Lack or misconfigured monitoring IDS/IPS<br><br />
10 Insecure/unappropriate wireless comunications<br />
<br />
== Top 10 OS issues - 2010 ==<br />
<br />
1 Unnecessary enabled services<br><br />
2 Missing 3rd party software patches<br><br />
3 Insecure trust relations<br><br />
4 Universal OS passwords<br><br />
5 Missing OS patches<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Lacking or misconfigured monitoring<br><br />
8 Insecure internal acces control <br><br />
9 Unencrypted remote access <br><br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues - 2010 ==<br />
<br />
1 Default passwords for DB access<br><br />
2 Lack of DB patch management<br><br />
3 Unnecessary enabled DB features <br><br />
4 Lack of password lockout/complexity checks<br><br />
5 Unencrypted sensitive data transport / data<br><br />
6 Lack or misconfigured network acess control<br><br />
7 Extensive user and group privileges<br><br />
8 Lacking or misconfigured audit<br><br />
9 Insecure trust relations<br><br />
10 Open additional interfaces<br />
<br />
== Top 9 Application issues - 2013 ==<br />
<br />
1. Lack of patch management<br><br />
2. Default Passwords for application access<br><br />
3. Unnecessary enabled functionality<br><br />
4. Open remote management interfaces<br><br />
5. Insecure configuration<br><br />
6. Unencrypted communication<br><br />
7. Access control and SOD<br><br />
8. Insecure trust relations<br><br />
9. Logging and Monitoring<br><br />
<br />
<br />
<br />
== Top 10 Frontend issues - 2010 ==<br />
<br />
1 Vulnerable frontend applications<br><br />
2 Lack of server trust check<br><br />
3 Lack of encryption<br><br />
4 Autocomplete enabled in the browser <br><br />
5 Insecure browser scripting options<br><br />
6 Insecure configuration <br><br />
7 Insecure sortware distribution service<br><br />
8 Lack of AV software<br><br />
9 Password stored in configuration file<br><br />
10 Sensitive information storage<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky<br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Nikolay Mesherin<br />
Kirill Nikitenkov</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=158484OWASP Enterprise Application Security Project2013-09-15T21:33:24Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
[[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applications <br />
<br />
[[Enterprise Business Application Security Implementation Assessment]] <br />
<br />
3 Help companies to securely develop and customize business applications<br />
<br />
[[Enterprise Business Application Security Development Issues]] <br />
<br />
4 Develop free tools for Enterprise business applications assessment <br />
<br />
[[Enterprise Business Application Security Software]] <br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Implementation_Assessment&diff=158483Enterprise Business Application Security Implementation Assessment2013-09-15T21:33:13Z<p>Alexander: Created page with "=== Implementation guides === == Objective == This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Her..."</p>
<hr />
<div>=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured. <br />
<br />
All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br><br />
2 Lack or vulnerable encryption between corp net and EA Network<br><br />
3 Lack of separation between Test, Dev, and Prod system<<br><br />
4 Lack of encryption inside EA Network<br><br />
5 Insecure trusted relations between components<br><br />
6 Insecurely configured Internet facing applications <br><br />
7 Vulnerable / default configuration of routers<br><br />
8 Lack of frontend access filtration<br><br />
9 Lack or misconfigured monitoring IDS/IPS<br><br />
10 Insecure/unappropriate wireless comunications<br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary enabled services<br><br />
2 Missing 3rd party software patches<br><br />
3 Insecure trust relations<br><br />
4 Universal OS passwords<br><br />
5 Missing OS patches<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Lacking or misconfigured monitoring<br><br />
8 Insecure internal acces control <br><br />
9 Unencrypted remote access <br><br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br><br />
2 Lack of DB patch management<br><br />
3 Unnecessary enabled DB features <br><br />
4 Lack of password lockout/complexity checks<br><br />
5 Unencrypted sensitive data transport / data<br><br />
6 Lack or misconfigured network acess control<br><br />
7 Extensive user and group privileges<br><br />
8 Lacking or misconfigured audit<br><br />
9 Insecure trust relations<br><br />
10 Open additional interfaces<br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br><br />
2 Default passwords for application access<br><br />
3 SoD conficts<br><br />
4 Unnecessary enabled application features <br><br />
5 Open remote management interfaces<br><br />
6 Lack of password lockout/complexity checks<br><br />
7 Insecure options <br><br />
8 Unecrypted communications<br><br />
9 Insecure trust relations<br><br />
10 Guest access<br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable frontend applications<br><br />
2 Lack of server trust check<br><br />
3 Lack of encryption<br><br />
4 Autocomplete enabled in the browser <br><br />
5 Insecure browser scripting options<br><br />
6 Insecure configuration <br><br />
7 Insecure sortware distribution service<br><br />
8 Lack of AV software<br><br />
9 Password stored in configuration file<br><br />
10 Sensitive information storage<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky<br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Nikolay Mesherin<br />
Kirill Nikitenkov</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Development_Issues&diff=158474Enterprise Business Application Security Development Issues2013-09-15T20:44:12Z<p>Alexander: </p>
<hr />
<div><br />
=== Development Issues ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in source code of Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code such as ABAP for SAP, PeopleCode for PeopleSoft,X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and much much more. Here, we will try to categorize them into 9 main areas filtered by criticality. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon. <br />
<br />
== 9 most critical types of issues in source code (EASAD-9-2013) ==<br />
<br />
<br>1 injections (Code sql os)<br />
<br>2 critical calls (to db to os )<br />
<br>3 missing or bad access control checks (miss auth checks )<br />
<br>4 directory/path traversal (write, read, smbrelay)<br />
<br>5 Modification of displayed content (XSS stored, linked, js/html injections)<br />
<br>6 backdoors (hardcoded credentials)<br />
<br>7 covert channels (sockets, http calls, ssrf's, )<br />
<br>8 information disclose (hardcoded users, passwords, debug information, <br />
<br>9 obsolete statements ( READ TABLE, kernel methods,….)<br />
<br />
<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Alexander Minojenko<br />
Pavel Kuzmin</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Development_Issues&diff=158473Enterprise Business Application Security Development Issues2013-09-15T20:42:38Z<p>Alexander: </p>
<hr />
<div><br />
=== Development Issues ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in source code of Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code such as ABAP for SAP, PeopleCode for PeopleSoft,X++ for Microsoft Dynamics, PL/SQL for Oracle EBS, LotusScript for Lotus and much much more. Here, we will try to categorize them into 9 main areas filtered by criticality. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE, SANS, OWASP and risks with descriptions will be added soon. <br />
<br />
== 9 most critical types of issues in source code (EASAD-9-2013) ==<br />
<br />
1 injections (Code sql os)<br />
2 critical calls (to db to os )<br />
3 missing or bad access control checks (miss auth checks )<br />
4 directory/path traversal (write, read, smbrelay)<br />
5 Modification of displayed content (XSS stored, linked, js/html injections)<br />
6 backdoors (hardcoded credentials)<br />
7 covert channels (sockets, http calls, ssrf's, )<br />
8 information disclose (hardcoded users, passwords, debug information, <br />
9 obsolete statements ( READ TABLE, kernel methods,….)<br />
<br />
<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Alexander Minojenko<br />
Pavel Kuzmin</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Development_Issues&diff=158472Enterprise Business Application Security Development Issues2013-09-15T20:36:07Z<p>Alexander: Created page with " === Development of guides === == Objective == This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications..."</p>
<hr />
<div><br />
=== Development of guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
1 XSS<br><br />
2 Improper Access Control<br><br />
3 Information disclosure<br><br />
4 Command/code injection in proprietary language<br><br />
5 SQL Injection <br><br />
6 Missing Encryption of Sensitive Data<br><br />
7 Buffer overflows <br><br />
8 Path traversal<br><br />
9 CSRF <br><br />
10 Use of a Broken or Risky Cryptographic Algorithm<br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX)<br><br />
2 Exposed Dangerous Method or Function (ActiveX)<br><br />
3 Insecure scripting server access <br><br />
4 File handling Frontend vulnerabilities<br><br />
5 Use of a Broken or Risky Cryptographic Algorithm<br><br />
6 Cleartext Storage of Sensitive Information<br><br />
7 Use of hard-coded password<br><br />
8 Lack of integrity checking for front-end application<br><br />
9 Cleartext Transmission of Sensitive Information<br><br />
10 Vulnerable remote services<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group) <br><br />
Mikhail Markevich <br><br />
Dmitry Evdokimov (ERPScan Research Group) <br><br />
Alexey Sintsov (ERPScan Research Group)</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics&diff=158471Enterprise Business Application Vulnerability Statistics2013-09-15T20:33:19Z<p>Alexander: </p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security <br />
<br />
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
<br />
<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tuyrin, Nikolay Mescherin, Kirill Nikitenkov, Dmitriy Chastuhin, Dmitriy Evdokimov<br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=158470OWASP Enterprise Application Security Project2013-09-15T20:30:59Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
[[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applications <br />
<br />
[[Enterprise Business Application Security Implementation Assessment]] <br />
<br />
3 Help companies to securely develop and customize business applications<br />
<br />
[[Enterprise Business Application Security Development Issues]] <br />
<br />
4 Develop free tools for Enterprise business applications assessment <br />
<br />
[[Enterprise Business Application Security Software]] <br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
=== Statistics ===<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually including tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show the results of statistical research in the Business Application security area made by ERPscan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM, and others are one of the major topics within the field of computer security as these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still do not pay much attention to Enterprise Business Application, judging by our and our collegues' research and assessment data. <br />
Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. <br />
Overall security of an Enterprise Business Application consist of different layers, such as: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
<br />
Every described layer may have its own vulnerabilities that can give attacker full access to business data even if other layers are completely secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Dmitry Chastukhin, Dmitry Evdokimov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Development of guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
1 XSS<br><br />
2 Improper Access Control<br><br />
3 Information disclosure<br><br />
4 Command/code injection in proprietary language<br><br />
5 SQL Injection <br><br />
6 Missing Encryption of Sensitive Data<br><br />
7 Buffer overflows <br><br />
8 Path traversal<br><br />
9 CSRF <br><br />
10 Use of a Broken or Risky Cryptographic Algorithm<br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX)<br><br />
2 Exposed Dangerous Method or Function (ActiveX)<br><br />
3 Insecure scripting server access <br><br />
4 File handling Frontend vulnerabilities<br><br />
5 Use of a Broken or Risky Cryptographic Algorithm<br><br />
6 Cleartext Storage of Sensitive Information<br><br />
7 Use of hard-coded password<br><br />
8 Lack of integrity checking for front-end application<br><br />
9 Cleartext Transmission of Sensitive Information<br><br />
10 Vulnerable remote services<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group) <br><br />
Mikhail Markevich <br><br />
Dmitry Evdokimov (ERPScan Research Group) <br><br />
Alexey Sintsov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured. <br />
<br />
All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br><br />
2 Lack or vulnerable encryption between corp net and EA Network<br><br />
3 Lack of separation between Test, Dev, and Prod system<<br><br />
4 Lack of encryption inside EA Network<br><br />
5 Insecure trusted relations between components<br><br />
6 Insecurely configured Internet facing applications <br><br />
7 Vulnerable / default configuration of routers<br><br />
8 Lack of frontend access filtration<br><br />
9 Lack or misconfigured monitoring IDS/IPS<br><br />
10 Insecure/unappropriate wireless comunications<br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary enabled services<br><br />
2 Missing 3rd party software patches<br><br />
3 Insecure trust relations<br><br />
4 Universal OS passwords<br><br />
5 Missing OS patches<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Lacking or misconfigured monitoring<br><br />
8 Insecure internal acces control <br><br />
9 Unencrypted remote access <br><br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br><br />
2 Lack of DB patch management<br><br />
3 Unnecessary enabled DB features <br><br />
4 Lack of password lockout/complexity checks<br><br />
5 Unencrypted sensitive data transport / data<br><br />
6 Lack or misconfigured network acess control<br><br />
7 Extensive user and group privileges<br><br />
8 Lacking or misconfigured audit<br><br />
9 Insecure trust relations<br><br />
10 Open additional interfaces<br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br><br />
2 Default passwords for application access<br><br />
3 SoD conficts<br><br />
4 Unnecessary enabled application features <br><br />
5 Open remote management interfaces<br><br />
6 Lack of password lockout/complexity checks<br><br />
7 Insecure options <br><br />
8 Unecrypted communications<br><br />
9 Insecure trust relations<br><br />
10 Guest access<br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable frontend applications<br><br />
2 Lack of server trust check<br><br />
3 Lack of encryption<br><br />
4 Autocomplete enabled in the browser <br><br />
5 Insecure browser scripting options<br><br />
6 Insecure configuration <br><br />
7 Insecure sortware distribution service<br><br />
8 Lack of AV software<br><br />
9 Password stored in configuration file<br><br />
10 Sensitive information storage<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br />
Mikhail Markevich <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics_2009&diff=141466Enterprise Business Application Vulnerability Statistics 20092012-12-26T16:44:05Z<p>Alexander: </p>
<hr />
<div>== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
In this document, we will show the results of statistical research in the Business Application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical they are and what kind of tendencies we see.<br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in them will cause significant monetary loss. Nonetheless, people still don’t pay much attention to Enterprise Business Application area, as we see during our and our colleagues' research and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server, and other parts. Also, those systems rely on various hardware and software that can have their own vulnerabilities. The overall security of Enterprise Business Application consists of different layers, such as:<br><br />
• Network architecture security;<br><br />
• OS security;<br><br />
• Database security;<br><br />
• Application security;<br><br />
• Front-end security.<br />
<br />
Every described layer may have its own vulnerabilities that can give attackers full access to business data even if other layers are fully secured.<br />
In this document, all popular applications from the described levels and their vulnerabilities will be shown. The purpose of this document to increase awareness of Business Application security.<br />
<br />
== Links ==<br />
<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities]<br />
<br />
Annual report coming soon...<br />
<br />
== Authors==<br />
<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br><br />
Dmitry Chastukhin (ERPScan Research Group)<br><br />
Dmitry Evdokimov (ERPScan Research Group)<br />
<br />
<br />
== Contributors==<br />
<br />
Leodid Kats (dsec.ru)<br><br />
Olga Yurova (dsec.ru)</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics_2009&diff=141465Enterprise Business Application Vulnerability Statistics 20092012-12-26T16:43:18Z<p>Alexander: </p>
<hr />
<div>== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
In this document, we will show the results of statistical research in the Business Application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical they are and what kind of tendencies we see.<br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in them will cause significant monetary loss. Nonetheless, people still don’t pay much attention to Enterprise Business Application area, as we see during our and our colleagues' research and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server, and other parts. Also, those systems rely on various hardware and software that can have their own vulnerabilities. The overall security of Enterprise Business Application consists of different layers, such as:<br><br />
• Network architecture security<br><br />
• Os security<br><br />
• Database security<br><br />
• Application security<br><br />
• Front-end security.<br />
<br />
Every described layer may have its own vulnerabilities that can give attackers full access to business data even if other layers are fully secured.<br />
In this document, all popular applications from the described levels and their vulnerabilities will be shown. The purpose of this document to increase awareness of Business Application security.<br />
<br />
== Links ==<br />
<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities]<br />
<br />
Annual report comming soon...<br />
<br />
== Authors==<br />
<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br><br />
Dmitry Chastukhin (ERPScan Research Group)<br><br />
Dmitriy Evdokimov (ERPScan Research Group)<br />
<br />
<br />
== Contributors==<br />
<br />
Leodid Kats (dsec.ru)<br><br />
Olga Yurova (dsec.ru)</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics_2009&diff=141464Enterprise Business Application Vulnerability Statistics 20092012-12-26T16:43:03Z<p>Alexander: </p>
<hr />
<div>== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
In this document, we will show the results of statistical research in the Business Application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical they are and what kind of tendencies we see.<br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in them will cause significant monetary loss. Nonetheless, people still don’t pay much attention to Enterprise Business Application area, as we see during our and our colleagues' research and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server, and other parts. Also, those systems rely on various hardware and software that can have their own vulnerabilities. The overall security of Enterprise Business Application consists of different layers, such as:<br><br />
• Network architecture security<br><br />
• Os security<br><br />
• Database security<br><br />
• Application security<br><br />
• Front-end security.<br />
<br />
Every described layer may have its own vulnerabilities that can give attackers full access to business data even if other layers are fully secured.<br />
In this document, all popular applications from the described levels and their vulnerabilities will be shown. The purpose of this document to increase awareness of Business Application security.<br />
<br />
== Links ==<br />
<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities]<br />
<br />
Annual report comming soon...<br />
<br />
== Authors==<br />
<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br><br />
Dmitry Chastukhin (ERPScan Research Group)<br><br />
Dmitriy Evdokimov (ERPScan Research Group)<br />
<br />
<br />
== Contributors==<br />
<br />
Leodid Kats (dsec.ru)<br />
Olga Yurova (dsec.ru)</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics_2009&diff=141463Enterprise Business Application Vulnerability Statistics 20092012-12-26T16:42:39Z<p>Alexander: </p>
<hr />
<div>== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually, showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
In this document, we will show the results of statistical research in the Business Application security area made by ERPScan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical they are and what kind of tendencies we see.<br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM are one of the major topics within the field of computer security because these applications store business data, and any vulnerability in them will cause significant monetary loss. Nonetheless, people still don’t pay much attention to Enterprise Business Application area, as we see during our and our colleagues' research and audits. Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server, and other parts. Also, those systems rely on various hardware and software that can have their own vulnerabilities. The overall security of Enterprise Business Application consists of different layers, such as:<br><br />
• Network architecture security<br><br />
• Os security<br><br />
• Database security<br><br />
• Application security<br><br />
• Front-end security.<br />
<br />
Every described layer may have its own vulnerabilities that can give attackers full access to business data even if other layers are fully secured.<br />
In this document, all popular applications from the described levels and their vulnerabilities will be shown. The purpose of this document to increase awareness of Business Application security.<br />
<br />
== Links ==<br />
<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities]<br />
<br />
Annual report comming soon...<br />
<br />
== Authors==<br />
<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br />
Dmitry Chastukhin (ERPScan Research Group)<br />
Dmitriy Evdokimov (ERPScan Research Group)<br />
<br />
<br />
== Contributors==<br />
<br />
Leodid Kats (dsec.ru)<br />
Olga Yurova (dsec.ru)</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project/Roadmp&diff=141462OWASP Enterprise Application Security Project/Roadmp2012-12-26T16:37:40Z<p>Alexander: </p>
<hr />
<div>*'''Primary goals''':<br />
#Aware people about EA security vulnerabilities by releasing annual (later, quarterly) statistics of enterprise application security vulnerabilities,<br />
#Help companies to begin EA assessment by creating a guideline for assessing EA security, <br />
#Create a report of top 10 vulnerabilities or a similar report for EA,<br />
#Publish a free tools for EA assessment.<br />
<br />
*'''Project Roadmap''' (as mentioned above):<br />
#Create a dashboard with high level overview,<br />
#Create a dashboard about security assessment,<br />
#Create links to other guidelines,<br />
#Publish statistical reports annually,<br />
#Create OWASP EAS Top 10 vulnerabilities page, <br />
#Finish our first security assessment tool.</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=141240OWASP Enterprise Application Security Project2012-12-17T17:03:51Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
<br />
<br />
=== Statistics ===<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually including tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show the results of statistical research in the Business Application security area made by ERPscan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM, and others are one of the major topics within the field of computer security as these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still do not pay much attention to Enterprise Business Application, judging by our and our collegues' research and assessment data. <br />
Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. <br />
Overall security of an Enterprise Business Application consist of different layers, such as: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
<br />
Every described layer may have its own vulnerabilities that can give attacker full access to business data even if other layers are completely secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Dmitry Chastukhin, Dmitry Evdokimov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Development of guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
1 XSS<br><br />
2 Improper Access Control<br><br />
3 Information disclosure<br><br />
4 Command/code injection in proprietary language<br><br />
5 SQL Injection <br><br />
6 Missing Encryption of Sensitive Data<br><br />
7 Buffer overflows <br><br />
8 Path traversal<br><br />
9 CSRF <br><br />
10 Use of a Broken or Risky Cryptographic Algorithm<br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX)<br><br />
2 Exposed Dangerous Method or Function (ActiveX)<br><br />
3 Insecure scripting server access <br><br />
4 File handling Frontend vulnerabilities<br><br />
5 Use of a Broken or Risky Cryptographic Algorithm<br><br />
6 Cleartext Storage of Sensitive Information<br><br />
7 Use of hard-coded password<br><br />
8 Lack of integrity checking for front-end application<br><br />
9 Cleartext Transmission of Sensitive Information<br><br />
10 Vulnerable remote services<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group) <br><br />
Mikhail Markevich <br><br />
Dmitry Evdokimov (ERPScan Research Group) <br><br />
Alexey Sintsov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured. <br />
<br />
All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br><br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br><br />
2 Lack or vulnerable encryption between corp net and EA Network<br><br />
3 Lack of separation between Test, Dev, and Prod system<<br><br />
4 Lack of encryption inside EA Network<br><br />
5 Insecure trusted relations between components<br><br />
6 Insecurely configured Internet facing applications <br><br />
7 Vulnerable / default configuration of routers<br><br />
8 Lack of frontend access filtration<br><br />
9 Lack or misconfigured monitoring IDS/IPS<br><br />
10 Insecure/unappropriate wireless comunications<br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary enabled services<br><br />
2 Missing 3rd party software patches<br><br />
3 Insecure trust relations<br><br />
4 Universal OS passwords<br><br />
5 Missing OS patches<br><br />
6 Lacking or misconfigured network access control<br><br />
7 Lacking or misconfigured monitoring<br><br />
8 Insecure internal acces control <br><br />
9 Unencrypted remote access <br><br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br><br />
2 Lack of DB patch management<br><br />
3 Unnecessary enabled DB features <br><br />
4 Lack of password lockout/complexity checks<br><br />
5 Unencrypted sensitive data transport / data<br><br />
6 Lack or misconfigured network acess control<br><br />
7 Extensive user and group privileges<br><br />
8 Lacking or misconfigured audit<br><br />
9 Insecure trust relations<br><br />
10 Open additional interfaces<br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br><br />
2 Default passwords for application access<br><br />
3 SoD conficts<br><br />
4 Unnecessary enabled application features <br><br />
5 Open remote management interfaces<br><br />
6 Lack of password lockout/complexity checks<br><br />
7 Insecure options <br><br />
8 Unecrypted communications<br><br />
9 Insecure trust relations<br><br />
10 Guest access<br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable frontend applications<br><br />
2 Lack of server trust check<br><br />
3 Lack of encryption<br><br />
4 Autocomplete enabled in the browser <br><br />
5 Insecure browser scripting options<br><br />
6 Insecure configuration <br><br />
7 Insecure sortware distribution service<br><br />
8 Lack of AV software<br><br />
9 Password stored in configuration file<br><br />
10 Sensitive information storage<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br />
Mikhail Markevich <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=141239OWASP Enterprise Application Security Project2012-12-17T17:02:04Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
<br />
<br />
=== Statistics ===<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually including tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show the results of statistical research in the Business Application security area made by ERPscan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM, and others are one of the major topics within the field of computer security as these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still do not pay much attention to Enterprise Business Application, judging by our and our collegues' research and assessment data. <br />
Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. <br />
Overall security of an Enterprise Business Application consist of different layers, such as: <br />
• Network architecture security <br><br />
• OS security <br><br />
• Database security <br><br />
• Application security <br><br />
• Front-end security <br><br />
<br />
Every described layer may have its own vulnerabilities that can give attacker full access to business data even if other layers are completely secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Dmitry Chastukhin, Dmitry Evdokimov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Development of guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
1 XSS<br />
2 Improper Access Control<br />
3 Information disclosure<br />
4 Command/code injection in proprietary language<br />
5 SQL Injection <br />
6 Missing Encryption of Sensitive Data<br />
7 Buffer overflows <br />
8 Path traversal<br />
9 CSRF <br />
10 Use of a Broken or Risky Cryptographic Algorithm<br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX )<br />
2 Exposed Dangerous Method or Function (ActiveX)<br />
3 Insecure scripting server access <br />
4 File handling Frontend vulnerabilities<br />
5 Use of a Broken or Risky Cryptographic Algorithm<br />
6 Cleartext Storage of Sensitive Information<br />
7 Use of Hard-coded Password<br />
8 Lack of integrity checking for front-end application<br />
9 Cleartext Transmission of Sensitive Information<br />
10 Vulnerable remote services<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group) <br />
Mikhail Markevich <br />
Dmitry Evdokimov (ERPScan Research Group) <br />
Alexey Sintsov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured. <br />
<br />
All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br />
• Network architecture security <br />
• OS security <br />
• Database security <br />
• Application security <br />
• Front-end security <br />
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br />
2 Lack or vulnerable encryption between corp net and EA Network<br />
3 Lack of separation between Test, Dev, and Prod system<<br />
4 Lack of encryption inside EA Network<br />
5 Insecure trusted relations between components<br />
6 Insecurely configured Internet facing applicatins <br />
7 Vulnerable / default configuration of routers<br />
8 Lack of frontend access filtration<br />
9 Lack or misconfigured monitoring IDS/IPS<br />
10 Insecure/unappropriate wireless comunications<br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary enabled services<br />
2 Missing 3rd party software patches<br />
3 Insecure trust relations<br />
4 Universal OS passwords<br />
5 Missing OS patches<br />
6 Lacking or misconfigured network access control<br />
7 Lacking or misconfigured monitoring<br />
8 Insecure internal acces control <br />
9 Unencrypted remote access <br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br />
2 Lack of DB patch management<br />
3 Unnecessary enabled DB features <br />
4 Lack of password lockout/complexity checks<br />
5 Unencrypted sensitive data transport / data<br />
6 Lack or misconfigured network acess control<br />
7 Extensive user and group privileges<br />
8 Lacking or misconfigured audit<br />
9 Insecure trust relations<br />
10 Open additional interfaces<br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br />
2 Default passwords for application access<br />
3 SoD conficts<br />
4 Unnecessary enabled application features <br />
5 Open remote management interfaces<br />
6 Lack of password lockout/complexity checks<br />
7 Insecure options <br />
8 Unecrypted communications<br />
9 Insecure trust relations<br />
10 Guest access<br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable frontend applications<br />
2 Lack of server trust check<br />
3 Lack of encryption<br />
4 Autocomplete enabled in the browser <br />
5 Insecure browser scripting options<br />
6 Insecure configuration <br />
7 Insecure sortware distribution service<br />
8 Lack of AV software<br />
9 Password stored in configuration file<br />
10 Sensitive information storage<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br />
Mikhail Markevich <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=141238OWASP Enterprise Application Security Project2012-12-17T17:01:45Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
<br />
<br />
=== Statistics ===<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually including tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show the results of statistical research in the Business Application security area made by ERPscan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM, and others are one of the major topics within the field of computer security as these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still do not pay much attention to Enterprise Business Application, judging by our and our collegues' research and assessment data. <br />
Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. <br />
Overall security of an Enterprise Business Application consist of different layers, such as: <br />
• Network architecture security </br><br />
• OS security </br><br />
• Database security </br><br />
• Application security </br><br />
• Front-end security </br><br />
<br />
Every described layer may have its own vulnerabilities that can give attacker full access to business data even if other layers are completely secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Dmitry Chastukhin, Dmitry Evdokimov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Development of guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
1 XSS<br />
2 Improper Access Control<br />
3 Information disclosure<br />
4 Command/code injection in proprietary language<br />
5 SQL Injection <br />
6 Missing Encryption of Sensitive Data<br />
7 Buffer overflows <br />
8 Path traversal<br />
9 CSRF <br />
10 Use of a Broken or Risky Cryptographic Algorithm<br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX )<br />
2 Exposed Dangerous Method or Function (ActiveX)<br />
3 Insecure scripting server access <br />
4 File handling Frontend vulnerabilities<br />
5 Use of a Broken or Risky Cryptographic Algorithm<br />
6 Cleartext Storage of Sensitive Information<br />
7 Use of Hard-coded Password<br />
8 Lack of integrity checking for front-end application<br />
9 Cleartext Transmission of Sensitive Information<br />
10 Vulnerable remote services<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group) <br />
Mikhail Markevich <br />
Dmitry Evdokimov (ERPScan Research Group) <br />
Alexey Sintsov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured. <br />
<br />
All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br />
• Network architecture security <br />
• OS security <br />
• Database security <br />
• Application security <br />
• Front-end security <br />
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br />
2 Lack or vulnerable encryption between corp net and EA Network<br />
3 Lack of separation between Test, Dev, and Prod system<<br />
4 Lack of encryption inside EA Network<br />
5 Insecure trusted relations between components<br />
6 Insecurely configured Internet facing applicatins <br />
7 Vulnerable / default configuration of routers<br />
8 Lack of frontend access filtration<br />
9 Lack or misconfigured monitoring IDS/IPS<br />
10 Insecure/unappropriate wireless comunications<br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary enabled services<br />
2 Missing 3rd party software patches<br />
3 Insecure trust relations<br />
4 Universal OS passwords<br />
5 Missing OS patches<br />
6 Lacking or misconfigured network access control<br />
7 Lacking or misconfigured monitoring<br />
8 Insecure internal acces control <br />
9 Unencrypted remote access <br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br />
2 Lack of DB patch management<br />
3 Unnecessary enabled DB features <br />
4 Lack of password lockout/complexity checks<br />
5 Unencrypted sensitive data transport / data<br />
6 Lack or misconfigured network acess control<br />
7 Extensive user and group privileges<br />
8 Lacking or misconfigured audit<br />
9 Insecure trust relations<br />
10 Open additional interfaces<br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br />
2 Default passwords for application access<br />
3 SoD conficts<br />
4 Unnecessary enabled application features <br />
5 Open remote management interfaces<br />
6 Lack of password lockout/complexity checks<br />
7 Insecure options <br />
8 Unecrypted communications<br />
9 Insecure trust relations<br />
10 Guest access<br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable frontend applications<br />
2 Lack of server trust check<br />
3 Lack of encryption<br />
4 Autocomplete enabled in the browser <br />
5 Insecure browser scripting options<br />
6 Insecure configuration <br />
7 Insecure sortware distribution service<br />
8 Lack of AV software<br />
9 Password stored in configuration file<br />
10 Sensitive information storage<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br />
Mikhail Markevich <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=141237OWASP Enterprise Application Security Project2012-12-17T17:00:07Z<p>Alexander: </p>
<hr />
<div>=== Main ===<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications. <br />
<br />
== The purpose of the project ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise application security vulnerabilities by releasing annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
<br />
<br />
=== Statistics ===<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually including tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document will show the results of statistical research in the Business Application security area made by ERPscan Research Group and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical those are and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM, and others are one of the major topics within the field of computer security as these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still do not pay much attention to Enterprise Business Application, judging by our and our collegues' research and assessment data. <br />
Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. <br />
Overall security of an Enterprise Business Application consist of different layers, such as: <br />
• Network architecture security <br />
• OS security <br />
• Database security <br />
• Application security <br />
• Front-end security <br />
<br />
Every described layer may have its own vulnerabilities that can give attacker full access to business data even if other layers are completely secured. In this document, all the popular applications from described levels and their vulnerabilities will be shown. The purpose of this document is to increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmitry Chastukhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tyurin, Dmitry Chastukhin, Dmitry Evdokimov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Development of guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the developers of Enterprise Business software. Here, we will collect top software vulnerabilities in server side and frontend side that can exist in Business Applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used to develop business applications and write costom code. Here, we will try to categorize it first by dividing into Server and Client side. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
1 XSS<br />
2 Improper Access Control<br />
3 Information disclosure<br />
4 Command/code injection in proprietary language<br />
5 SQL Injection <br />
6 Missing Encryption of Sensitive Data<br />
7 Buffer overflows <br />
8 Path traversal<br />
9 CSRF <br />
10 Use of a Broken or Risky Cryptographic Algorithm<br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX )<br />
2 Exposed Dangerous Method or Function (ActiveX)<br />
3 Insecure scripting server access <br />
4 File handling Frontend vulnerabilities<br />
5 Use of a Broken or Risky Cryptographic Algorithm<br />
6 Cleartext Storage of Sensitive Information<br />
7 Use of Hard-coded Password<br />
8 Lack of integrity checking for front-end application<br />
9 Cleartext Transmission of Sensitive Information<br />
10 Vulnerable remote services<br />
<br />
== Links ==<br />
<br />
coming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group) <br />
Mikhail Markevich <br />
Dmitry Evdokimov (ERPScan Research Group) <br />
Alexey Sintsov (ERPScan Research Group) <br />
<br />
<br />
<br />
=== Implementation guides ===<br />
<br />
== Objective ==<br />
<br />
This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.<br />
<br />
== Purpose ==<br />
<br />
The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured. <br />
<br />
All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers, including: <br />
• Network architecture security <br />
• OS security <br />
• Database security <br />
• Application security <br />
• Front-end security <br />
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br />
2 Lack or vulnerable encryption between corp net and EA Network<br />
3 Lack of separation between Test, Dev, and Prod system<<br />
4 Lack of encryption inside EA Network<br />
5 Insecure trusted relations between components<br />
6 Insecurely configured Internet facing applicatins <br />
7 Vulnerable / default configuration of routers<br />
8 Lack of frontend access filtration<br />
9 Lack or misconfigured monitoring IDS/IPS<br />
10 Insecure/unappropriate wireless comunications<br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary enabled services<br />
2 Missing 3rd party software patches<br />
3 Insecure trust relations<br />
4 Universal OS passwords<br />
5 Missing OS patches<br />
6 Lacking or misconfigured network access control<br />
7 Lacking or misconfigured monitoring<br />
8 Insecure internal acces control <br />
9 Unencrypted remote access <br />
10 Lack of password lockout/complexity checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br />
2 Lack of DB patch management<br />
3 Unnecessary enabled DB features <br />
4 Lack of password lockout/complexity checks<br />
5 Unencrypted sensitive data transport / data<br />
6 Lack or misconfigured network acess control<br />
7 Extensive user and group privileges<br />
8 Lacking or misconfigured audit<br />
9 Insecure trust relations<br />
10 Open additional interfaces<br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br />
2 Default passwords for application access<br />
3 SoD conficts<br />
4 Unnecessary enabled application features <br />
5 Open remote management interfaces<br />
6 Lack of password lockout/complexity checks<br />
7 Insecure options <br />
8 Unecrypted communications<br />
9 Insecure trust relations<br />
10 Guest access<br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable frontend applications<br />
2 Lack of server trust check<br />
3 Lack of encryption<br />
4 Autocomplete enabled in the browser <br />
5 Insecure browser scripting options<br />
6 Insecure configuration <br />
7 Insecure sortware distribution service<br />
8 Lack of AV software<br />
9 Password stored in configuration file<br />
10 Sensitive information storage<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (ERPScan Research Group)<br />
Mikhail Markevich <br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=User:Alexander&diff=141187User:Alexander2012-12-15T13:10:56Z<p>Alexander: </p>
<hr />
<div>A father of ERPScan Security Scanner for SAP. Organizer of ZeroNights deep-technical security conference. His expertise covers security of enterprise business-critical software like ERP, CRM, SRM, banking and processing software. He is the manager of OWASP-EAS (OWASP subproject), a well-known security expert of the enterprise applications of such vendors as SAP and Oracle, who published a significant number of the vulnerabilities found in the applications of these vendors with acknowledgements from SAP. He is the writer of multiple whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures". Alexander were invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around globe as well as in internal workshops for SAP and fortune 500 companies.</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=141186OWASP Enterprise Application Security Project2012-12-15T13:02:13Z<p>Alexander: </p>
<hr />
<div>==== Main ====<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications. <br />
<br />
== Project purpose ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop a free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security <br />
<br />
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tuyrin, Dmitriy Chastuhin, Dmitriy Evdokimov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
<br />
==== Development guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of programm vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
<br>1 XSS<br>2 Improper Access Control <br>3 Information disclosure <br>4 Command/code injection in proprietary language<br>5 SQL Injection <br>6 Missing Encryption of Sensitive Data<br>7 Buffer overflows <br>8 Path traversal<br>9 CSRF <br>10 Use of a Broken or Risky Cryptographic Algorithm<br><br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX )<br>2 Exposed Dangerous Method or Function (ActiveX)<br>3 Insecure scripting server access <br>4 File handling Frontend vulnerabilities<br>5 Use of a Broken or Risky Cryptographic Algorithm<br>6 Cleartext Storage of Sensitive Information<br>7 Use of Hard-coded Password<br>8 Lack of integrity checking for front-end application<br>9 Cleartext Transmission of Sensitive Information<br>10 Vulnerable remote services<br><br />
<br />
<br><br />
<br />
== Links ==<br />
<br />
cooming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Mikhail Markevich Dmitriy Evdokimov (DSecRG) Alexey Sintsov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Implementation guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured. <br />
<br />
All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br><br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br>2 Lack or vulnerable encryption between corp net and EA Network<br>3 Lack of separation between Test Dev and Prod system<br>4 Lack of encryption inside EA Network<br>5 Insecure trusted realations between components<br>6 Insecure configured Internet facing applicatins <br>7 Vulnerable / default configured Routers<br>8 lack of frontend access filtration<br>9 Lack or misconfigured monitoring IDS/IPS<br>10 Insecure/unappropriate wireless comunications<br><br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary Enabled services<br>2 Missing 3rd party software patches<br>3 Insecure trust relations<br>4 Universal OS passwords<br>5 Missing OS patches<br>6 Lack or misconfigured network acess control<br>7 Lack or misconfigured monitoring<br>8 Insecure internal acces control <br>9 Unencrypted remote access <br>10 Lack of password lockout/complexiry checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br>2 Lack of DB patch management<br>3 unnecessary Enabled DB features <br>4 lack of password lockout/complexiry checks<br>5 Unencrypted sensitive data transport / data<br>6 Lack or misconfigured network acess control<br>7 Extensive user and group privileges<br>8 lack or misconfigured audit<br>9 Insecure trust relations<br>10 Open additional interfaces<br><br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br>2 Default Passwords for application access<br>3 SOD conficts<br>4 Unnecessary Enabled Application features <br>5 Open Remote mngmt interfaces<br>6 lack of password lockout/complexity checks<br>7 Insecure options <br>8 Unecrypted cominications<br>9 Insecure trust relations<br>10 Guest access<br><br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable Frontend applications<br>2 Lack of server trust check<br>3 Lack of encryption<br>4 Aotocomplete browser <br>5 Insecure Browser scripting options<br>6 Insecure configuration <br>7 Insecure sortware distribution service<br>8 Lack of AV software<br>9 Password storing in configuration file<br>10 Sensitive information storage<br><br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovskiy <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG)<br />
<br />
&nbsp;<br />
<br />
Mikhail Markevich <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Software&diff=141185Enterprise Business Application Security Software2012-12-15T13:01:09Z<p>Alexander: </p>
<hr />
<div>==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here will be given information on a tools and services that can be used for assessment of business applications <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free tools that can help companies to assess security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
<br>[http://online.erpscan.com test SAPGUI Security Online]<br />
<br>[http://erpscan.com/products/erpscan-pentesting-tool/ SAP Pentesting Tool by ERPScan]<br />
<br>[http://erpscan.com/products/erpscan-webxml-checker/ ERPScan's web.xml checker]<br />
<br>[http://www.metasploit.com/modules/auxiliary/scanner/sap Metasploit modules for SAP Pentesting]<br />
<br />
== Links ==<br />
<br />
<br />
<br><br />
<br />
== Authors ==<br />
<br></div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Software&diff=141184Enterprise Business Application Security Software2012-12-15T13:00:03Z<p>Alexander: </p>
<hr />
<div>==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here will be given information on a tools and services that can be used for assessment of business applications <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free tools that can help companies to assess security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
<br>[http://online.erpscan.com test SAPGUI Security Online]<br />
<br>[http://erpscan.com/products/erpscan-pentesting-tool/ test SAP Pentesting Tool by ERPScan]<br />
<br>[http://erpscan.com/products/erpscan-webxml-checker/ test SAP web.xml with ERPScan webxml checker]<br />
<br>[http://www.metasploit.com/modules/auxiliary/scanner/sap Metasploit modules for SAP Pentesting]<br />
<br />
== Links ==<br />
<br />
<br />
<br><br />
<br />
== Authors ==<br />
<br></div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Security_Software&diff=141183Enterprise Business Application Security Software2012-12-15T12:53:29Z<p>Alexander: Created page with "==== Software ==== == Objective == Here will be given information on a tools and services that can be used for assessment of business applications == Purpose == The pu..."</p>
<hr />
<div>==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here will be given information on a tools and services that can be used for assessment of business applications <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free tools that can help companies to assess security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
<br>[http://erpscan.com You can help us to test ERPSCAN Online] <br />
<br />
== Links ==<br />
<br />
[http://erpscan.com] <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Alexey Sintsov <br />
Dmitriy Evdokimov <br />
Dmitriy Chastuhin<br />
<br />
<br></div>Alexanderhttps://wiki.owasp.org/index.php?title=Enterprise_Business_Application_Vulnerability_Statistics&diff=141182Enterprise Business Application Vulnerability Statistics2012-12-15T12:51:01Z<p>Alexander: Created page with "==== Statistics ==== == Objective == This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Busines..."</p>
<hr />
<div>==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security <br />
<br />
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tuyrin, Dmitriy Chastuhin, Dmitriy Evdokimov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=141181OWASP Enterprise Application Security Project2012-12-15T12:48:52Z<p>Alexander: </p>
<hr />
<div>==== Main ====<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications. <br />
<br />
== Project purpose ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop a free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security <br />
<br />
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin <br />
<br />
[https://www.owasp.org/images/6/6b/SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf SAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
Links:<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tuyrin, Dmitriy Chastuhin, Dmitriy Evdokimov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
<br />
==== Development guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of programm vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
<br>1 XSS<br>2 Improper Access Control <br>3 Information disclosure <br>4 Command/code injection in proprietary language<br>5 SQL Injection <br>6 Missing Encryption of Sensitive Data<br>7 Buffer overflows <br>8 Path traversal<br>9 CSRF <br>10 Use of a Broken or Risky Cryptographic Algorithm<br><br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX )<br>2 Exposed Dangerous Method or Function (ActiveX)<br>3 Insecure scripting server access <br>4 File handling Frontend vulnerabilities<br>5 Use of a Broken or Risky Cryptographic Algorithm<br>6 Cleartext Storage of Sensitive Information<br>7 Use of Hard-coded Password<br>8 Lack of integrity checking for front-end application<br>9 Cleartext Transmission of Sensitive Information<br>10 Vulnerable remote services<br><br />
<br />
<br><br />
<br />
== Links ==<br />
<br />
cooming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Mikhail Markevich Dmitriy Evdokimov (DSecRG) Alexey Sintsov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Implementation guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured. <br />
<br />
All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br><br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br>2 Lack or vulnerable encryption between corp net and EA Network<br>3 Lack of separation between Test Dev and Prod system<br>4 Lack of encryption inside EA Network<br>5 Insecure trusted realations between components<br>6 Insecure configured Internet facing applicatins <br>7 Vulnerable / default configured Routers<br>8 lack of frontend access filtration<br>9 Lack or misconfigured monitoring IDS/IPS<br>10 Insecure/unappropriate wireless comunications<br><br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary Enabled services<br>2 Missing 3rd party software patches<br>3 Insecure trust relations<br>4 Universal OS passwords<br>5 Missing OS patches<br>6 Lack or misconfigured network acess control<br>7 Lack or misconfigured monitoring<br>8 Insecure internal acces control <br>9 Unencrypted remote access <br>10 Lack of password lockout/complexiry checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br>2 Lack of DB patch management<br>3 unnecessary Enabled DB features <br>4 lack of password lockout/complexiry checks<br>5 Unencrypted sensitive data transport / data<br>6 Lack or misconfigured network acess control<br>7 Extensive user and group privileges<br>8 lack or misconfigured audit<br>9 Insecure trust relations<br>10 Open additional interfaces<br><br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br>2 Default Passwords for application access<br>3 SOD conficts<br>4 Unnecessary Enabled Application features <br>5 Open Remote mngmt interfaces<br>6 lack of password lockout/complexity checks<br>7 Insecure options <br>8 Unecrypted cominications<br>9 Insecure trust relations<br>10 Guest access<br><br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable Frontend applications<br>2 Lack of server trust check<br>3 Lack of encryption<br>4 Aotocomplete browser <br>5 Insecure Browser scripting options<br>6 Insecure configuration <br>7 Insecure sortware distribution service<br>8 Lack of AV software<br>9 Password storing in configuration file<br>10 Sensitive information storage<br><br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovskiy <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG)<br />
<br />
&nbsp;<br />
<br />
Mikhail Markevich <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here will be given information on a tools and services that can be used for assessment of business applications <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free tools that can help companies to assess security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
<br>[http://erpscan.com You can help us to test ERPSCAN Online] <br />
<br />
== Links ==<br />
<br />
[http://erpscan.com] <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Alexey Sintsov <br />
Dmitriy Evdokimov <br />
Dmitriy Chastuhin<br />
<br />
<br><br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=File:SAP_Security_in_figures_-_a_global_survey_2007-2011._OWASP-EAS.pdf&diff=141180File:SAP Security in figures - a global survey 2007-2011. OWASP-EAS.pdf2012-12-15T12:46:17Z<p>Alexander: The purpose of this report. is to show a high level view of SAP Security in figures so that the problem area is not just theoretically comprehensible but based on actual numbers and metrics – from the information about the number of found issues and the</p>
<hr />
<div>The purpose of this report. is to show a high level view of SAP Security in figures so that the problem area is not just theoretically comprehensible but based on actual numbers and metrics – from the information about the number of found issues and their popularity to the number of vulnerable systems, all acquired as a result of a global scan.</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=141176OWASP Enterprise Application Security Project2012-12-15T11:44:46Z<p>Alexander: </p>
<hr />
<div>==== Main ====<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications. <br />
<br />
== Project purpose ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop a free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security <br />
<br />
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
Surveys:<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin <br />
<br />
[http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdfSAP Security In Figures – A Global Survey 2007-2011]<br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov, Alexey Tuyrin, Dmitriy Chastuhin, Dmitriy Evdokimov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
<br />
==== Development guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of programm vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
<br>1 XSS<br>2 Improper Access Control <br>3 Information disclosure <br>4 Command/code injection in proprietary language<br>5 SQL Injection <br>6 Missing Encryption of Sensitive Data<br>7 Buffer overflows <br>8 Path traversal<br>9 CSRF <br>10 Use of a Broken or Risky Cryptographic Algorithm<br><br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX )<br>2 Exposed Dangerous Method or Function (ActiveX)<br>3 Insecure scripting server access <br>4 File handling Frontend vulnerabilities<br>5 Use of a Broken or Risky Cryptographic Algorithm<br>6 Cleartext Storage of Sensitive Information<br>7 Use of Hard-coded Password<br>8 Lack of integrity checking for front-end application<br>9 Cleartext Transmission of Sensitive Information<br>10 Vulnerable remote services<br><br />
<br />
<br><br />
<br />
== Links ==<br />
<br />
cooming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Mikhail Markevich Dmitriy Evdokimov (DSecRG) Alexey Sintsov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Implementation guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured. <br />
<br />
All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br><br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br>2 Lack or vulnerable encryption between corp net and EA Network<br>3 Lack of separation between Test Dev and Prod system<br>4 Lack of encryption inside EA Network<br>5 Insecure trusted realations between components<br>6 Insecure configured Internet facing applicatins <br>7 Vulnerable / default configured Routers<br>8 lack of frontend access filtration<br>9 Lack or misconfigured monitoring IDS/IPS<br>10 Insecure/unappropriate wireless comunications<br><br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary Enabled services<br>2 Missing 3rd party software patches<br>3 Insecure trust relations<br>4 Universal OS passwords<br>5 Missing OS patches<br>6 Lack or misconfigured network acess control<br>7 Lack or misconfigured monitoring<br>8 Insecure internal acces control <br>9 Unencrypted remote access <br>10 Lack of password lockout/complexiry checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br>2 Lack of DB patch management<br>3 unnecessary Enabled DB features <br>4 lack of password lockout/complexiry checks<br>5 Unencrypted sensitive data transport / data<br>6 Lack or misconfigured network acess control<br>7 Extensive user and group privileges<br>8 lack or misconfigured audit<br>9 Insecure trust relations<br>10 Open additional interfaces<br><br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br>2 Default Passwords for application access<br>3 SOD conficts<br>4 Unnecessary Enabled Application features <br>5 Open Remote mngmt interfaces<br>6 lack of password lockout/complexity checks<br>7 Insecure options <br>8 Unecrypted cominications<br>9 Insecure trust relations<br>10 Guest access<br><br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable Frontend applications<br>2 Lack of server trust check<br>3 Lack of encryption<br>4 Aotocomplete browser <br>5 Insecure Browser scripting options<br>6 Insecure configuration <br>7 Insecure sortware distribution service<br>8 Lack of AV software<br>9 Password storing in configuration file<br>10 Sensitive information storage<br><br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovskiy <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG)<br />
<br />
&nbsp;<br />
<br />
Mikhail Markevich <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here will be given information on a tools and services that can be used for assessment of business applications <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free tools that can help companies to assess security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
<br>[http://erpscan.com You can help us to test ERPSCAN Online] <br />
<br />
== Links ==<br />
<br />
[http://erpscan.com] <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov<br />
Alexey Sintsov <br />
Dmitriy Evdokimov <br />
Dmitriy Chastuhin<br />
<br />
<br><br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project/Roadmp&diff=139103OWASP Enterprise Application Security Project/Roadmp2012-11-09T09:18:47Z<p>Alexander: </p>
<hr />
<div>*'''Primary goals''':<br />
#Aware people about EA security vulnerabilities by releasing annual (later, quarterly) statistics of enterprise application security vulnerabilities,<br />
#Help companies to begin EA assessment by creating a guideline for assessing EA security, <br />
#Create a report of top 10 vulnerabilities or a similar report for EA,<br />
#Publish a free tools for EA assessment,<br />
<br />
*'''Project Roadmap''' (as mentioned above):<br />
#Create a dashboard with high level overview,<br />
#Create a dashboard about security assessment,<br />
#Create links to other guidelines,<br />
#Publish statistical reports annually,<br />
#Create OWASP EAS Top 10 vulnerabilities page, <br />
#Finish our first security assessment tool.</div>Alexanderhttps://wiki.owasp.org/index.php?title=User:Alexander&diff=139102User:Alexander2012-11-09T09:02:20Z<p>Alexander: </p>
<hr />
<div>Alexander Polyakov aka @sh2kerr, CTO at ERPSCAN, head of DSecRG and architect of ERPSCAN Security scanner for SAP. His expertise covers security of enterprise business-critical software like ERP, CRM, SRM, RDBMS, banking and processing software. He is the manager of OWASP-EAS (OWASP subproject), a well-known security expert of the enterprise applications of such vendors as SAP and Oracle, who published a significant number of vulnerabilities found in the applications of these vendors. He is the author of multiple whitepapers devoted to information security research, and the author of the book "Oracle Security Through the Eyes of the Auditor: Attack and Defense" (in Russian). He is also one of the contributors to Oracle with Metasploit project. Alexander spoke at the international conferences like BlackHat, RSA, Defcon, HITB, InfoSecurity. Co-organizer of the ZeroNights conference and the PCI DSS Russia conference, held in Moscow, Russia.</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=91272OWASP Enterprise Application Security Project2010-10-12T12:57:35Z<p>Alexander: </p>
<hr />
<div>==== Main ====<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications. <br />
<br />
== Project purpose ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics 2009]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop a free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security <br />
<br />
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin <br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
Annual report comming soon... <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Dmitriy Chastuhin (DSecRG) Dmitriy Evdokimov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
Leodid Kats (dsec.ru) Olga Yurova (dsec.ru) <br />
<br />
==== Development guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of programm vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Dev1.png|484x290px]] <br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities (EASAD) ==<br />
<br />
<br>1 XSS<br>2 Improper Access Control <br>3 Information disclosure <br>4 Command/code injection in proprietary language<br>5 SQL Injection <br>6 Missing Encryption of Sensitive Data<br>7 Buffer overflows <br>8 Path traversal<br>9 CSRF <br>10 Use of a Broken or Risky Cryptographic Algorithm<br><br />
<br />
== Top 10 Frontend vulnerabilities (EASFD) ==<br />
<br />
1 Buffer overflows (ActiveX )<br>2 Exposed Dangerous Method or Function (ActiveX)<br>3 Insecure scripting server access <br>4 File handling Frontend vulnerabilities<br>5 Use of a Broken or Risky Cryptographic Algorithm<br>6 Cleartext Storage of Sensitive Information<br>7 Use of Hard-coded Password<br>8 Lack of integrity checking for front-end application<br>9 Cleartext Transmission of Sensitive Information<br>10 Vulnerable remote services<br><br />
<br />
<br><br />
<br />
== Links ==<br />
<br />
cooming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Mikhail Markevich Dmitriy Evdokimov (DSecRG) Alexey Sintsov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Implementation guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured. <br />
<br />
All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br><br />
<br />
[[Image:Dev2.png]] <br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
1 Lack of proper network filtration between EA and Corporate network<br>2 Lack or vulnerable encryption between corp net and EA Network<br>3 Lack of separation between Test Dev and Prod system<br>4 Lack of encryption inside EA Network<br>5 Insecure trusted realations between components<br>6 Insecure configured Internet facing applicatins <br>7 Vulnerable / default configured Routers<br>8 lack of frontend access filtration<br>9 Lack or misconfigured monitoring IDS/IPS<br>10 Insecure/unappropriate wireless comunications<br><br />
<br />
== Top 10 OS issues ==<br />
<br />
1 Unnecessary Enabled services<br>2 Missing 3rd party software patches<br>3 Insecure trust relations<br>4 Universal OS passwords<br>5 Missing OS patches<br>6 Lack or misconfigured network acess control<br>7 Lack or misconfigured monitoring<br>8 Insecure internal acces control <br>9 Unencrypted remote access <br>10 Lack of password lockout/complexiry checks<br><br />
<br />
== Top 10 Database issues ==<br />
<br />
1 Default passwords for DB access<br>2 Lack of DB patch management<br>3 unnecessary Enabled DB features <br>4 lack of password lockout/complexiry checks<br>5 Unencrypted sensitive data transport / data<br>6 Lack or misconfigured network acess control<br>7 Extensive user and group privileges<br>8 lack or misconfigured audit<br>9 Insecure trust relations<br>10 Open additional interfaces<br><br />
<br />
== Top 10 Application issues ==<br />
<br />
1 Lack of patch management<br>2 Default Passwords for application access<br>3 SOD conficts<br>4 Unnecessary Enabled Application features <br>5 Open Remote mngmt interfaces<br>6 lack of password lockout/complexity checks<br>7 Insecure options <br>8 Unecrypted cominications<br>9 Insecure trust relations<br>10 Guest access<br><br />
<br />
== Top 10 Frontend issues ==<br />
<br />
1 Vulnerable Frontend applications<br>2 Lack of server trust check<br>3 Lack of encryption<br>4 Aotocomplete browser <br>5 Insecure Browser scripting options<br>6 Insecure configuration <br>7 Insecure sortware distribution service<br>8 Lack of AV software<br>9 Password storing in configuration file<br>10 Sensitive information storage<br><br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovskiy <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG)<br />
<br />
&nbsp;<br />
<br />
Mikhail Markevich <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here will be given information on a tools and services that can be used for assessment of business applications <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free and commercial tools that can help companies to assess security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
Currently we are on the beta testing stage of free online service that cen be used to assess security of SAP Frontend. <br />
<br />
<br>[http://erpscan.com You can help us to test ERPSCAN Online] <br />
<br />
== Links ==<br />
<br />
[http://erpscan.com] - by DSECRG <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) <br />
<br />
Alexey Sintsov (DSecRG) <br />
<br />
Dmitriy Evdokimov (DSecRG) Dmitriy Chastuhin (DSecRG) <br />
<br />
<br><br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=OWASP_Enterprise_Application_Security_Project&diff=91271OWASP Enterprise Application Security Project2010-10-12T12:46:31Z<p>Alexander: </p>
<hr />
<div>==== Main ====<br />
<br />
== Objective ==<br />
<br />
The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (ie 'Enterprise') applications. <br />
<br />
== Project purpose ==<br />
<br />
Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guidelines and tools for enterprise application security assessment. <br />
<br />
== Our Subprojects ==<br />
<br />
Here are our primary goals: <br />
<br />
1 Aware people about enterprise applicatio security vulnerabilities by making an Annual statistics of enterprise business application security vulnerabilities. <br />
<br />
Subproject [[Enterprise Business Application Vulnerability Statistics 2009]] <br />
<br />
[[Projects/OWASP Enterprise Application Security Project|Statistics]] <br />
<br />
2 Help companies to begin assessment of enterprise applicatios by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Implementation Assessment Guide]] <br />
<br />
3 Help software companies to improve security of their solutions by creating a <br />
<br />
Subproject [[Enterprise Business Application Security Vulnerability Testing Guide v1]] <br />
<br />
4 Develop a free tools for Enterprise business applicatioons assessment <br />
<br />
Subproject [[Enterprise Business Application Security Software]] <br />
<br />
<br><br />
<br />
== Project Roadmap ==<br />
<br />
Have a look at the [[OWASP Enterprise Application Security Project/Roadmp]] <br />
<br />
==== Statistics ====<br />
<br />
== Objective ==<br />
<br />
This document is the first statistics report which will be repeated annually with showing tendencies and changes in Enterprise Business Application Security area. <br />
<br />
== Purpose ==<br />
<br />
This document we will show a result of statistical research in the Business Application security area made by DSECRG and OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical are those and what tendences we see. <br />
<br />
== Intro ==<br />
<br />
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security as these applications store business data and any vulnerability in these applications will cause a significant monetary loss. Nonetheless people still don’t pay much attention to Enterprise Business Application area as we see during our and our collegues research and audit data. Business applications are very large and complex systems that consists of different components such as Database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security <br />
<br />
Every described layer may have their own vulnerabilities that can give attacker full access to business data even if other layers are fully secured. In this document all the popular applications from described levels and their vulnerabilities vill be shown. The purpose of this document to Increase awareness of Business Application security. <br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com Business applications vulnerability statistics 2009 and future trends] - Presentation by Dmitry Evdokimov and Dmityy Chastuhin <br />
<br />
[http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a SAP SDN page with latest vulnerabilities] <br />
<br />
[http://www.oracle.com/security/critical-patch-update.html Oracle Secalert CPU page with latest vulnerabilities] <br />
<br />
Annual report comming soon... <br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Dmitriy Chastuhin (DSecRG) Dmitriy Evdokimov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
Leodid Kats (dsec.ru) Olga Yurova (dsec.ru) <br />
<br />
==== Development guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of programm vulnerabilities that can be found in Enterprise Business applications and ERP systems. <br />
<br />
== Purpose == <br />
<br />
The purpose of this document to Increase awareness for Developers of Enterprise business application software. Here we will collect top software vulnerabilities in server site and frontend side that can exist in Business applications. <br />
<br />
== Intro ==<br />
<br />
There are many different languages and technologies that can be used for developing business applications and writing a costom code. Here we will try to categorize it firstly by dividing into Server and Client site. Top 10 list of vulnerabilities for both areas will be shown. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Crosslinks to CWE SANS OWASP and risks with descriptions will be added soon. <br />
<br />
[[Image:Vulns1]][[File:Dev1.png]]<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
<br><br />
<br />
== Top 10 Server vulnerabilities ==<br />
<br />
<br>1 XSS<br>2 Improper Access Control <br>3 Information disclosure <br>4 Command/code injection in proprietary language<br>5 SQL Injection <br>6 Missing Encryption of Sensitive Data<br>7 Buffer overflows <br>8 Path traversal<br>9 CSRF <br>10 Use of a Broken or Risky Cryptographic Algorithm<br><br />
<br />
== Top 10 Frontend vulnerabilities ==<br />
<br />
1 Buffer overflows (ActiveX )<br>2 Exposed Dangerous Method or Function (ActiveX)<br>3 Insecure scripting server access <br>4 File handling Frontend vulnerabilities<br>5 Use of a Broken or Risky Cryptographic Algorithm<br>6 Cleartext Storage of Sensitive Information<br>7 Use of Hard-coded Password<br>8 Lack of integrity checking for front-end application<br>9 Cleartext Transmission of Sensitive Information<br>10 Vulnerable remote services<br><br />
<br />
<br><br />
<br />
== Links ==<br />
<br />
cooming soon <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Mikhail Markevich Dmitriy Evdokimov (DSecRG) Alexey Sintsov (DSecRG) <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Implementation guides ====<br />
<br />
== Objective ==<br />
<br />
This document we will describe different areas of Secure implementation of g Enterprise Business Applications and ERP systems. Here we will mainly focus on security architecture and configuration threads because pragramm errors are well described in "Software vulnerabilities" topic <br />
<br />
== Purpose ==<br />
<br />
The purpose of this document to Increase awareness for Administrators of Business Application security and help them to start a beginning self-assessment of their systems and find a most critical violations. <br />
<br />
== Intro ==<br />
<br />
Enterprise Business Applications (Like ERP - is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consists of different components such as database server, Front-end, Web server, Application server and other parts. Also those systems lay on different Hardware and software that can have their own vulnerabilities. Every described layer may have their own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are fully secured. <br />
<br />
All information was collected and catecorized during our big practice of security assessing Popular business applications Like in SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications. <br />
<br />
<br><br />
<br />
== Main ==<br />
<br />
Overall security of Enterprise Business Application consists of different layers such as: • Network architecture security • Os security • Database security • Application security • Front-end security In this document we will Describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated. <br />
<br />
<br><br />
<br />
[[Image:Vulns1]][[File:Dev2.png]]<br />
<br />
== Top 10 Network/Architecture issues ==<br />
<br />
== Top 10 OS issues ==<br />
<br />
== Top 10 Database issues ==<br />
<br />
== Top 10 Application issues ==<br />
<br />
== Top 10 Frontend issues ==<br />
<br />
== Links ==<br />
<br />
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovskiy <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) Mikhail Markevich <br />
<br />
<br><br />
<br />
== Contributors ==<br />
<br />
==== Software ====<br />
<br />
== Objective ==<br />
<br />
Here will be given information on a tools and services that can be used for assessment of business applications <br />
<br />
== Purpose ==<br />
<br />
The purpose of this area is to provide free and commercial tools that can help companies to assess security of their business applications. <br />
<br />
<br><br />
<br />
== Intro ==<br />
<br />
== Main ==<br />
<br />
Currently we are on the beta testing stage of free online service that cen be used to assess security of SAP Frontend. <br />
<br />
<br>[http://erpscan.com You can help us to test ERPSCAN Online] <br />
<br />
== Links ==<br />
<br />
[http://erpscan.com] - by DSECRG <br />
<br />
<br><br />
<br />
== Authors ==<br />
<br />
Alexander Polyakov (DSecRG) <br />
<br />
Alexey Sintsov (DSecRG) <br />
<br />
Dmitriy Evdokimov (DSecRG) Dmitriy Chastuhin (DSecRG) <br />
<br />
<br><br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Enterprise Application Security Project | Project About}} <br />
<br />
<br><br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Enterprise Application Security Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]</div>Alexanderhttps://wiki.owasp.org/index.php?title=File:Dev2.png&diff=91270File:Dev2.png2010-10-12T12:44:16Z<p>Alexander: </p>
<hr />
<div></div>Alexanderhttps://wiki.owasp.org/index.php?title=File:Dev1.png&diff=91269File:Dev1.png2010-10-12T12:43:43Z<p>Alexander: </p>
<hr />
<div></div>Alexander