ERP needs no introduction, and neither does ERP security. However, let me start with some of the myths and realities about ERP security.
Some ERP Security Myths are:
- ERP is available only internally, so there are no threats from the internet.
- ERP security is a vendor problem.
- ERP applications are very specific and not known to attackers.
- ERP security is all about Segregation of Duties (SoD).
Actually, the reality is:
- ERP is not really an internal application for major organizations. A simple Google search shows thousands of ERP URLs available publicly. Moreover, attacking from the inside is relatively easy, as an attacker can use social engineering to gain sensitive information and launch web attacks such as XSS and CSRF.
- ERP security is not completely a vendor problem, as many security issues stem from implementation flaws, misconfigurations, human factors, patch management, policies and processes, and so on.
- ERP security is a widely discussed subject at most of the top conferences, such as Black Hat, RSA and DeepSec.
- SoD is only one aspect of ERP security. As per the OWASP top 9 application issues, there are various other flaws related to ERP security that need to be tested.
As a result, a very specific yet comprehensive security assessment of your ERP implementation is required. In the following section, we describe some of the key security areas to cover as part of ERP penetration testing, to provide complete coverage with fewer false positives.
Key Security Assessment Areas:
Comprehensive Penetration Testing and Auditing:
- Vulnerability assessment: perform vulnerability assessment from various perspectives (black box, grey box, white box). Verify that the published ERP Security Notes have actually been implemented.
- Misconfiguration auditing: perform comprehensive auditing of misconfigurations that may lead to security vulnerabilities.
- Verify and audit critical access: perform comprehensive checks on access to critical resources, including web services, tables, RFC procedures and other critical objects in the system.
Source code security review:
Source code auditing of the ERP implementation, covering the following major assessment areas:
- Critical calls (System, DB, OS, Transactions, Tables, Reports)
- Missing and improper authority checks
- Performance tests
- Obsolete statements
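As an added illustration of the "critical calls", "missing and improper authority checks" and "obsolete statements" review areas (example code written for this page, not a tool from the original article): a small Python scanner walks a constructed ABAP-style report form by form and flags critical statements with no preceding AUTHORITY-CHECK, authority checks whose sy-subrc result is never evaluated before the critical call, and statements in a constructed obsolete list. The sample source, the rule set and the transaction codes are all constructed; a real review uses the vendor's own code-inspection tooling and a far larger rule base.

```python
"""Toy static scan of ABAP-style source for critical calls lacking authority checks.

Constructed example: the rules below are a minimal illustration, not a vendor rule set.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "form category issue line")

# Constructed sample report (hypothetical form names, table and transaction codes).
SAMPLE_SOURCE = """
REPORT z_sample.
FORM delete_vendor USING p_vendor.
  DELETE FROM zvendors WHERE id = p_vendor.
ENDFORM.
FORM start_transaction.
  AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'ZPO02'.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized' TYPE 'E'.
  ENDIF.
  CALL TRANSACTION 'ZPO02'.
ENDFORM.
FORM run_os_command.
  CALL 'SYSTEM' ID 'COMMAND' FIELD 'hostname'.
ENDFORM.
FORM no_subrc_check.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM' ID 'TABLE' FIELD 'ZVENDORS'.
  EXEC SQL.
    SELECT COUNT(*) INTO :lv_cnt FROM zvendors
  ENDEXEC.
ENDFORM.
FORM legacy.
  TRANSLATE lv_text TO UPPER CASE.
ENDFORM.
"""

FORM_START = re.compile(r"^\s*FORM\s+(\w+)", re.I)
FORM_END = re.compile(r"^\s*ENDFORM\b", re.I)
AUTH_CHECK = re.compile(r"^\s*AUTHORITY-CHECK\b", re.I)
SUBRC_TEST = re.compile(r"\bsy-subrc\b", re.I)

# Critical calls: OS command, native SQL, DB delete, transaction call.
CRITICAL = [
    ("os_command", re.compile(r"^\s*CALL\s+'SYSTEM'", re.I)),
    ("native_sql", re.compile(r"^\s*EXEC\s+SQL\b", re.I)),
    ("db_delete", re.compile(r"^\s*DELETE\s+FROM\s+\w+", re.I)),
    ("transaction_call", re.compile(r"^\s*CALL\s+TRANSACTION\b", re.I)),
]
# Constructed obsolete-statement list (one entry for illustration).
OBSOLETE = [
    ("translate_case", re.compile(r"^\s*TRANSLATE\b.*\b(UPPER|LOWER)\s+CASE", re.I)),
]


def scan_source(source):
    """Return a list of Finding tuples for every issue in the source text."""
    findings = []
    form = None          # name of the FORM we are currently inside
    auth_seen = False    # an AUTHORITY-CHECK appeared earlier in this form
    subrc_checked = False  # sy-subrc was evaluated after that AUTHORITY-CHECK
    for line_no, raw in enumerate(source.splitlines(), start=1):
        line = raw.rstrip()
        m = FORM_START.match(line)
        if m:
            form, auth_seen, subrc_checked = m.group(1), False, False
            continue
        if FORM_END.match(line):
            form = None
            continue
        if form is None:
            continue  # only statements inside forms are analysed in this toy
        if AUTH_CHECK.match(line):
            auth_seen, subrc_checked = True, False
            continue
        if auth_seen and SUBRC_TEST.search(line):
            subrc_checked = True
        for category, pat in CRITICAL:
            if pat.match(line):
                if not auth_seen:
                    findings.append(Finding(form, category, "missing AUTHORITY-CHECK", line_no))
                elif not subrc_checked:
                    findings.append(Finding(form, category,
                                            "AUTHORITY-CHECK result (sy-subrc) not evaluated", line_no))
        for category, pat in OBSOLETE:
            if pat.match(line):
                findings.append(Finding(form, category, "obsolete statement", line_no))
    return findings


def summarize(findings):
    """Drop line numbers so results are easy to compare and report."""
    return [(f.form, f.category, f.issue) for f in findings]


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.form}: {f.category}: {f.issue}")
```

The form `start_transaction` produces no finding because its authority check is followed by a test of sy-subrc before the call; `no_subrc_check` is flagged even though it contains an AUTHORITY-CHECK, which is the "improper" half of the review item.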
Verification of Segregation of Duties (SoD) Modules:
- Critical privilege analysis (BASIS, HR, Expenditure, Inventory, industry solutions)
- Segregation of Duties analysis
- Role optimization
- Predefined and custom profiles
- CSV import/export of profiles and results
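To show what the SoD analysis, role optimization and CSV import/export items amount to in practice, here is an added Python example (not from the original article). It reads a constructed CSV export of user/role/transaction assignments, maps hypothetical transaction codes to business functions, reports users who hold a conflicting pair of functions and roles that contain a conflict by themselves (candidates for splitting), and writes the result back out as CSV. The conflict matrix, transaction codes and assignments are all constructed.

```python
"""Segregation-of-duties analysis over a constructed role/transaction export."""
import csv
import io
from itertools import combinations

# Constructed conflict matrix: function pairs one person should not hold together.
SOD_CONFLICTS = {
    frozenset({"CREATE_VENDOR", "PAY_VENDOR"}): "vendor fraud",
    frozenset({"CREATE_PURCHASE_ORDER", "APPROVE_PURCHASE_ORDER"}): "self-approval of purchases",
    frozenset({"MAINTAIN_USER", "ASSIGN_ROLE"}): "privilege self-escalation",
}

# Constructed mapping of hypothetical transaction codes to business functions.
TRANSACTION_FUNCTIONS = {
    "ZVEND01": "CREATE_VENDOR",
    "ZPAY01": "PAY_VENDOR",
    "ZPO01": "CREATE_PURCHASE_ORDER",
    "ZPO02": "APPROVE_PURCHASE_ORDER",
    "ZUSR01": "MAINTAIN_USER",
    "ZROLE01": "ASSIGN_ROLE",
}

# Constructed CSV export: one row per user, role, transaction.
ASSIGNMENTS_CSV = """user,role,transaction
alice,Z_AP_CLERK,ZVEND01
alice,Z_AP_PAYMENTS,ZPAY01
bob,Z_PURCHASER,ZPO01
carol,Z_PO_APPROVER,ZPO02
dave,Z_BASIS_ADMIN,ZUSR01
dave,Z_BASIS_ADMIN,ZROLE01
"""


def load_assignments(csv_text):
    """Parse the export into {user: {(role, transaction), ...}}."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.setdefault(row["user"], set()).add((row["role"], row["transaction"]))
    return users


def _conflicts_in(functions):
    """Yield (a, b, risk) for every conflicting pair within one set of functions."""
    for a, b in combinations(sorted(functions), 2):
        risk = SOD_CONFLICTS.get(frozenset({a, b}))
        if risk:
            yield a, b, risk


def find_sod_violations(assignments):
    """Users holding a conflicting pair, as sorted (user, function_a, function_b, risk)."""
    violations = []
    for user, pairs in assignments.items():
        funcs = {TRANSACTION_FUNCTIONS[t] for _, t in pairs if t in TRANSACTION_FUNCTIONS}
        for a, b, risk in _conflicts_in(funcs):
            violations.append((user, a, b, risk))
    return sorted(violations)


def conflicting_roles(assignments):
    """Roles that on their own grant a conflicting pair; split these before re-assigning."""
    role_funcs = {}
    for pairs in assignments.values():
        for role, t in pairs:
            if t in TRANSACTION_FUNCTIONS:
                role_funcs.setdefault(role, set()).add(TRANSACTION_FUNCTIONS[t])
    return sorted(role for role, funcs in role_funcs.items() if any(_conflicts_in(funcs)))


def violations_to_csv(violations):
    """Export findings in the same CSV style the assignments came in."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user", "function_a", "function_b", "risk"])
    writer.writerows(violations)
    return out.getvalue()


if __name__ == "__main__":
    assignments = load_assignments(ASSIGNMENTS_CSV)
    print(violations_to_csv(find_sod_violations(assignments)))
    print("roles with internal conflicts:", conflicting_roles(assignments))
```

Note that bob and carol each hold one half of the purchase-order conflict and are not reported; the check is per user across all of that user's roles, which is what catches alice, whose two roles are individually harmless.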