Penetration Testing mailing list archives

Re: Info about Pen Testing - how to tackle complexity?


From: Petr.Kazil () eap nl
Date: Mon, 12 Mar 2007 10:54:12 +0100

I've started, 8 years ago, by reading from start to end the accumulated
volumes of "Hacking Exposed". Just by understanding past exploits, you can
see the various vectors of intrusion [...]

You inspired me to put another kind of learning problem to the list that 
we're struggling with at the moment. I would appreciate your thoughts on 
this subject. A few weeks ago the following question popped up in our 
IT-Audit team and we'll have to do something about it:

- What are the technical security risks of SAP infrastructures?

We're lucky that we have access to the SAP online documentation with a lot 
of security guides, but still we're faced with the following problems:

- How to get a grip on hundreds of pages of documentation?
- How to get a grip on all the different components of SAP with all the 
possible network interactions and functionalities (webservers, application 
servers, application firewalls, databases, portals, middleware)?

And maybe more important:

- How to interpret the SAP security guides that seem to imply that 
installing Unix / Oracle more or less "out of the box" doesn't seem to 
endanger the SAP installation? (Broadly stated - the guides concentrate on 
passwords of the most sensitive accounts and don't say much about any 
other hardening.)

On the one hand we're skeptical that such a huge infrastructure can be 
made safe, but we're positively overwhelmed by the size of it all. We 
think that this problem with understanding huge, complex, modern business 
infrastructures may not be limited to our little team. I don't know if the 
classic approach - find a bug and exploit it - can help us with getting a 
grip on the overall security issues. There are relatively few SAP-hacking 
sources on the Internet, but does that mean that SAP is safe or that no 
one tries hacking SAP?

This problem of complexity is not limited to SAP I think. The same kind of 
complexity is found in Oracle Application server, all the modules, 
web-services, portals and Java stuff.

I'm sorry for the long and vague post, but I'm still trying to find the 
best way into this huge new field. And to do it in the leftover time 
between other commitments :-)

Greetings, Petr Kazil


