Difference between revisions of "Enterprise Business Application Security Implementation Assessment"

From OWASP
Jump to: navigation, search
(Created page with "=== Implementation guides === == Objective == This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Her...")
 
Line 28: Line 28:
 
[[Image:Dev2.png]]  
 
[[Image:Dev2.png]]  
  
== Top 10 Network/Architecture issues  ==
+
== Top 10 Network/Architecture issues - 2010 ==
  
 
1 Lack of proper network filtration between EA and Corporate network<br>
 
1 Lack of proper network filtration between EA and Corporate network<br>
Line 41: Line 41:
 
10 Insecure/unappropriate wireless comunications
 
10 Insecure/unappropriate wireless comunications
  
== Top 10 OS issues ==
+
== Top 10 OS issues - 2010  ==
  
 
1 Unnecessary enabled services<br>
 
1 Unnecessary enabled services<br>
Line 54: Line 54:
 
10 Lack of password lockout/complexity checks<br>
 
10 Lack of password lockout/complexity checks<br>
  
== Top 10 Database issues ==
+
== Top 10 Database issues - 2010  ==
  
 
1 Default passwords for DB access<br>
 
1 Default passwords for DB access<br>
Line 67: Line 67:
 
10 Open additional interfaces
 
10 Open additional interfaces
  
== Top 10 Application issues ==
+
== Top 9 Application issues - 2013 ==
  
1 Lack of patch management<br>
+
1. Lack of patch management<br>
2 Default passwords for application access<br>
+
2. Default Passwords for application access<br>
3 SoD conficts<br>
+
3. Unnecessary enabled functionality<br>
4 Unnecessary enabled application features <br>
+
4. Open remote management interfaces<br>
5 Open remote management interfaces<br>
+
5. Insecure configuration<br>
6 Lack of password lockout/complexity checks<br>
+
6. Unencrypted communication<br>
7 Insecure options <br>
+
7. Access control and SOD<br>
8 Unecrypted communications<br>
+
8. Insecure trust relations<br>
9 Insecure trust relations<br>
+
9. Logging and Monitoring<br>
10 Guest access
+
  
== Top 10 Frontend issues ==
+
 
 +
 
 +
== Top 10 Frontend issues - 2010  ==
  
 
1 Vulnerable frontend applications<br>
 
1 Vulnerable frontend applications<br>
Line 96: Line 97:
  
 
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky
 
[http://dsecrg.com ERP Security:Myths Problems Solutions] - by Alexander Polyakov and Ilya Medvedovsky
+
 
  
 
== Authors  ==
 
== Authors  ==

Revision as of 16:53, 15 September 2013

Contents

Implementation guides

Objective

This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.

Purpose

The purpose of this document is to increase awareness of the administrators of Business Application security and help them to start a self-assessment of their systems and find the most critical violations.

Intro

Enterprise Business Applications (like ERP, it is any software system that has been designed to support and automate the business process of medium and large business) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Every described layer may have its own vulnerabilities and misconfigurations that can give attacker full access to business data even if other layers are completely secured.

All the data was collected and categorized during our big practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other less known or custom applications.

Main

Overall security of Enterprise Business Application consists of different layers, including:
• Network architecture security
• OS security
• Database security
• Application security
• Front-end security
In this document, we will describe top 10 violations on every layer of Enterprise Business Application that can be easily assessed and mitigated.


Dev2.png

Top 10 Network/Architecture issues - 2010

1 Lack of proper network filtration between EA and Corporate network
2 Lack or vulnerable encryption between corp net and EA Network
3 Lack of separation between Test, Dev, and Prod system<
4 Lack of encryption inside EA Network
5 Insecure trusted relations between components
6 Insecurely configured Internet facing applications
7 Vulnerable / default configuration of routers
8 Lack of frontend access filtration
9 Lack or misconfigured monitoring IDS/IPS
10 Insecure/unappropriate wireless comunications

Top 10 OS issues - 2010

1 Unnecessary enabled services
2 Missing 3rd party software patches
3 Insecure trust relations
4 Universal OS passwords
5 Missing OS patches
6 Lacking or misconfigured network access control
7 Lacking or misconfigured monitoring
8 Insecure internal acces control
9 Unencrypted remote access
10 Lack of password lockout/complexity checks

Top 10 Database issues - 2010

1 Default passwords for DB access
2 Lack of DB patch management
3 Unnecessary enabled DB features
4 Lack of password lockout/complexity checks
5 Unencrypted sensitive data transport / data
6 Lack or misconfigured network acess control
7 Extensive user and group privileges
8 Lacking or misconfigured audit
9 Insecure trust relations
10 Open additional interfaces

Top 9 Application issues - 2013

1. Lack of patch management
2. Default Passwords for application access
3. Unnecessary enabled functionality
4. Open remote management interfaces
5. Insecure configuration
6. Unencrypted communication
7. Access control and SOD
8. Insecure trust relations
9. Logging and Monitoring


Top 10 Frontend issues - 2010

1 Vulnerable frontend applications
2 Lack of server trust check
3 Lack of encryption
4 Autocomplete enabled in the browser
5 Insecure browser scripting options
6 Insecure configuration
7 Insecure sortware distribution service
8 Lack of AV software
9 Password stored in configuration file
10 Sensitive information storage

Links

ERP Security:Myths Problems Solutions - by Alexander Polyakov and Ilya Medvedovsky


Authors

Alexander Polyakov Nikolay Mesherin Kirill Nikitenkov