Analysing Risks for the target organisation
The information security risk assessment practitioner maps the current state of the business processes of a typical target organisation and classifies the mission-critical assets together with their associated cyber and business risks. The gathered information helps a penetration tester decide the level, complexity, scope and time required to perform the penetration test.
Classify the vital assets in the SAP target organisation
A typical manufacturing company's infrastructure comprises numerous business-critical applications and industry-specific modules. Some of the applications common to the majority of manufacturing enterprises are:
• Enterprise Resource Planning (ERP)
• Manufacturing Execution System (MES)
• Asset Lifecycle Management (ALM)
• Manufacturing Integration (xMII)
• Other standard systems: HR, CRM, PLM, SRM, BI/BW, SCM
Some of these systems, such as xMII or ALM, can be connected to Industrial Control Systems (ICS/SCADA) or the plant floor, so a single vulnerability in one of them can raise a business risk for the entire organisation.
Revealing SAP Platforms for the mission-critical infrastructure
SAP systems can be based on different platforms: ABAP, Java, or HANA.
The main SAP platform is SAP NetWeaver, the enabling foundation for SAP and non-SAP applications.
The central component of SAP NetWeaver is the SAP NetWeaver Application Server (AS). SAP NetWeaver AS comprises the application servers AS ABAP and AS Java, whose primary programming languages are ABAP and Java respectively.
The most common vulnerability classes found in the SAP xMII component are reflected cross-site scripting (XSS) and directory traversal.
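As an added illustration of the two vulnerability classes just named (this is example code written for this page, not code from the original article or from any SAP product), the following Python shows a path-containment check that rejects directory traversal, an HTML-escaping step for request parameters that are reflected into a page, and a small detector that applies the same containment check to constructed web-server access-log lines. The base directory `/srv/app/public`, the URL prefix `/app/` and the log lines are assumptions made for the example.

```python
import html
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root of the web component (hypothetical, not an SAP path).
BASE_DIR = "/srv/app/public"
# Assumed URL prefix under which the component serves files (hypothetical).
URL_PREFIX = "/app/"

# Constructed sample access-log lines for the detector; not real product logs.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /app/reports/q1.pdf HTTP/1.1" 200',
    '10.0.0.9 - - "GET /app/../../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 - - "GET /app/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1" 404',
    '10.0.0.7 - - "GET /app/reports/../index.html HTTP/1.1" 200',
]


def resolve_safe_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalised path of `requested` relative to base_dir, or None
    if the request would escape base_dir.

    The check works on the resolved absolute path rather than on string
    matching for '..', so percent-encoded, double-encoded and backslash
    variants of a traversal sequence are all caught by the same comparison.
    """
    decoded = unquote(unquote(requested))      # undo single and double encoding
    if "\x00" in decoded:                      # embedded NUL is never legitimate
        return None
    decoded = decoded.replace("\\", "/")       # treat backslash as a separator
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # commonpath equals base only when candidate lies inside base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return os.path.relpath(candidate, base)


def escape_for_html(value: str) -> str:
    """Encode a value before reflecting it into HTML so it cannot break out
    of the surrounding text or attribute (mitigation for reflected XSS)."""
    return html.escape(value, quote=True)


def flag_traversal_attempts(lines: List[str], url_prefix: str = URL_PREFIX) -> List[str]:
    """Return the access-log lines whose request path would escape BASE_DIR.

    A request that only contains '..' but still resolves inside the document
    root (for example reports/../index.html) is not flagged.
    """
    flagged = []
    for line in lines:
        match = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not match:
            continue
        url = match.group(1)
        if not url.startswith(url_prefix):
            continue
        if resolve_safe_path(BASE_DIR, url[len(url_prefix):]) is None:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for entry in flag_traversal_attempts(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", entry)
    print(escape_for_html("<script>"))
```

The containment check is the mitigation a reviewer should look for wherever a user-supplied name is joined onto a filesystem path; running the identical check over historical access logs turns the same logic into a detection for earlier traversal attempts against the component.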