Intro
Dear followers, this article continues to cover information security aspects of using SAP NetWeaver platforms to expose your SAPUI5 applications. It covers the most common vulnerabilities described in the OWASP Top Ten (2017) list.
A6:2017 – Security Misconfiguration
SAP environments are maintained by the SAP BASIS team, which continuously implements SAP security notes and patches to keep the environments hardened.
A7:2017 – Cross-Site Scripting (XSS)
Cross-site scripting is protected by the CSRF token (SAP's built-in standard mechanism for validating HTTP requests). Read more…
A8:2017 – Insecure Deserialization
- The only safe architectural pattern is not to accept serialized objects from untrusted sources, or to use serialization media that permit only primitive data types.
- The back-end API exchanges only primitive data types as defined by the OData standard (EDM types).
- API calls are accepted only from trusted sources, as managed by the F5 appliance.
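As an added illustration of the primitives-only pattern above (example code, not SAP Gateway's own implementation; the entity schema and property names are hypothetical), a whitelist validator that accepts only the declared EDM primitive types and rejects nested objects, arrays and unknown properties before the body is handed to any business logic:

```javascript
// Added example: validate an incoming OData entity body against a declared
// set of EDM primitive types. Anything that is not a primitive (nested object,
// array) or not declared in the schema is refused, which is the property that
// makes "primitive data only" a safe deserialization pattern.

// Hypothetical entity schema: property name -> EDM primitive type.
// All properties are assumed non-nullable and required.
const ORDER_SCHEMA = {
  OrderId: "Edm.Int32",
  Customer: "Edm.String",
  Amount: "Edm.Decimal",
  Shipped: "Edm.Boolean",
};

// Per-type checks on the JSON wire representation. OData serializes
// Edm.Decimal as a string to avoid floating-point loss, so that is what we accept.
const EDM_CHECKS = {
  "Edm.String": (v) => typeof v === "string",
  "Edm.Boolean": (v) => typeof v === "boolean",
  "Edm.Int32": (v) => Number.isInteger(v) && v >= -2147483648 && v <= 2147483647,
  "Edm.Decimal": (v) => typeof v === "string" && /^-?\d+(\.\d+)?$/.test(v),
};

// Returns { ok, errors } instead of throwing on the first problem so that a
// caller can log every violation for monitoring.
function validateEntity(payload, schema) {
  const errors = [];
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, errors: ["body must be a single JSON object"] };
  }
  for (const key of Object.keys(payload)) {
    const type = schema[key];
    const value = payload[key];
    if (type === undefined) {
      errors.push(`unknown property: ${key}`);
    } else if (value !== null && typeof value === "object") {
      // Nested structures are exactly what object deserialization needs,
      // so they are rejected outright regardless of the declared type.
      errors.push(`nested value not allowed for ${key}`);
    } else if (!EDM_CHECKS[type](value)) {
      errors.push(`${key} is not a valid ${type}`);
    }
  }
  for (const key of Object.keys(schema)) {
    if (!(key in payload)) errors.push(`missing property: ${key}`);
  }
  return { ok: errors.length === 0, errors };
}
```

Extending the schema to further EDM types only means adding a checker to `EDM_CHECKS`; the structural rejection of nested values stays the same.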
A9:2017 – Using Components with Known Vulnerabilities
The front-end application uses several components:
- SAP-delivered UI libraries (SAPUI5)
- GIS-delivered map JavaScript libraries
The SAPUI5 framework version is upgraded periodically so that the latest security features are active; these upgrades are controlled internally by the BASIS team.
A10:2017 – Insufficient Logging & Monitoring
SAP NetWeaver Gateway provides monitoring capabilities at multiple layers:
- Incoming HTTP traffic logging at the ICM level
- API call logging on SAP NetWeaver Gateway
- SAP System logs on SAP NetWeaver Gateway
- SAP System logs on SAP ECC