cansecwest/core06
Steve Lord
Title: An hour of Rap and Comedy about SAP
This guy was really funny. I’d pay to see him in a standup comedy act. For a minute there, I forgot I was at a technical conference.
The slides have been posted to the site:
http://cansecwest.com/slides06/csw06-lord.ppt
The HP failed implementation example he cites is frightening. Here again you have complexity as the enemy. Let's see: get all your business-critical systems and make them dependent on a complicated and highly interdependent system that is too large to properly secure, and if the project goes south, the business impact will be astronomical. That's enough to get your hands sweaty and acid to flow into your GI system.
I would compare it to being first in line for a synthetic nervous system that would replace the one I have in my body today. Let's get a team of people to perform the surgery who for the most part are not communicating well with each other on the game plan, and if something goes wrong, all parties play the blame game while I am dead on the table. Whoa! That comparison sucked, but you get the picture.
The front end of the presentation was all about the war stories of implementing a large complex Enterprise Application.
The middle of the presentation was a game show he hosted and got two people from the audience to answer multiple choice questions. Very entertaining.
The final section of the talk should have been called "Everything you need to know to exploit SAP but were afraid to ask." Lots of detailed examples in the format of a cookbook. I am sure there were some pen-testers in the audience that got a lot from this section.
I was happy to learn of an organization he is driving called:
OWASP-EAS: Enterprise Application Security
The goals are to:
Develop Requirement Guidelines
Develop Audit programs
Essentially, OWASP is great for web-based stuff but inappropriate for Enterprise Applications. OWASP-EAS satisfies this need. I totally agree and can't wait for it. He is planning to launch in June, so I am sure you'll be able to Google it then.
--tk
Comments (1)
Dude -- that SAP deck was a riot. Thanks for the pointer.
Posted by Chris Walsh | April 9, 2006 8:40 PM
Posted on April 9, 2006 20:40