BC-eCATT Test-Report HTML - Digital Security · Testing authentication by JCO SAP table data...


Page 1: BC-eCATT Test-Report HTML - Digital Security · Testing authentication by JCO SAP table data transferred to ERPScan ... SXPG_COMMAND_EXECUTE R ... Please attach here Test Plan.pdf

Certificate: SAP INTEGRATION CERTIFICATION

SAP AG hereby confirms that the interface software for the product ERPSCAN Security Monitoring Suite 2.2 of the company ERPScan has been certified for integration with SAP ECC 6.0 based on ICC Integration Assessment in SAP NetWeaver. This certificate confirms the existence of product features in accordance with SAP certification procedures. It does not guarantee that the product is error-free. The certification test is documented in report no. 23249713 and expires June 21, 2016.

Vendor Hardware: x86_64 platform
Vendor Operating System: Ubuntu Linux
SAP Test System: SAP NetWeaver 731
Used Integration Tools: none

This configuration meets the requirements for connecting ERPSCAN Security Monitoring Suite 2.2 to SAP NetWeaver.

Certified Functions:
- Identified Gateway port and System number
- Testing authentication by JCO
- SAP table data transferred to ERPScan
- SAP profile and system parameters transferred to ERPScan
- SAP system check performed
- Running HTTP checks

Walldorf, June 21, 2013
Mr. Jürgen Bierlein, SAP AG

SAP, R/3, and SAP NetWeaver are registered trademarks of SAP AG Germany. All other names are registered or unregistered trademarks of the individual firms. http://www.sap.com/icc

SAP Integration and Certification Center Page 1

Interface Certification
ICC Integration Assessment Test Report
Version 1.0
SAP Integration and Certification Center

ICC INTEGRATION ASSESSMENT - TEST REPORT FOR INTERFACE CERTIFICATION

© 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. All other product and service names mentioned are the trademarks of their respective companies. Please refer to http://www.sap.com/corporate-en/legal/copyright/index.epx. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

Interface Certification #23249713
SAP Interface incl. Release: ICC Integration Assessment
SAP Product incl. Release used for test: SAP NetWeaver 731
Hardware used for SAP test system: x86_64 platform
Operating System of SAP test system: Windows 2008 R2

Name of Vendor: ERPScan
Vendor Number (SAP internal): 12829449
Vendor Product Name: ERPSCAN Security Monitoring Suite
Release Vendor Product: 2.2
Vendor Product Number (SAP internal): 9253890
Vendor Interface Software Name:
Release Vendor Interface Software:
Hardware used for Vendor Test System: x86_64 platform
Operating System of Vendor Test System: Ubuntu Linux 12.04.2 LTS
Tools used for the technical integration: none
Certification Date: June 21, 2013
Expiration Date: June 21, 2016
Location: Walldorf
Persons present - Vendor: Mr. Alexander Polyakov
Persons present - SAP: Mr. Jürgen Bierlein

Certified Functions:
- Identified Gateway port and System number
- Testing authentication by JCO
- SAP table data transferred to ERPScan
- SAP profile and system parameters transferred to ERPScan
- SAP system check performed
- Running HTTP checks

1. Software Solution Provider (SSP) Information

Company and product information

SSP Name: ERPScan
SAP Assigned SSP Number: Prefilled with SAP data
SSP Product Name: ERPSCAN Security Monitoring Suite
Version / Release of SSP Product: 2.2
SAP Assigned Product Number: Prefilled with SAP data
Interface Software Name: ERPScan connector
Interface Software Version: 2.0
Product web page: http://www.erpscan.com

Which releases of the SAP Business Solutions are supported by your software? Check exactly one release. If your product supports multiple releases, please fill out one document per SAP release. Please name the corresponding version of your software.
- SAP ECC 6.0 EHP: Any. Corresp. version of your software: 2.2
- SAP R/3 Enterprise 4.7. Corresp. version of your software:
- other. Corresp. version of your software:

For which databases is your software available? MySQL is used for internal needs of the software.

What operating system(s) does your software support? Linux x86, Linux x64, Windows x86, Windows x64. The vendor product is written in Java and is therefore platform independent, but there are constraints regarding additional software, e.g. Tomcat. The vendor has a list of supported operating systems.

2. Functional Overview

Supported Functions and Business Processes – General Description

Please give a broad overview of the functionality and the purpose of your product. You should stress the benefits for the customer in this section. You may want to elaborate why your product is complementary to the SAP Business Solution, if applicable.

ERPScan Security Monitoring Suite for SAP is an innovative product for integrated assessment of SAP platform security and standards compliance. The system enables a complex security assessment: it scans SAP servers for software vulnerabilities, misconfigurations and critical authorizations, and assesses compliance with current standards and best practices, including SAP best practices.

The current version of the scanner has the following functions:

Tools for collecting the required data:
- Security configuration;
- Access Control;
- Vulnerabilities.

Tools for analysing the collected data:
- Standards compliance;
- Risk analysis;
- Security metrics.

The key benefit of the system is its ability not only to enhance security but also to decrease TCO, because of the benefits described below.

Business benefits:
- Reduction in expenses on the security assessment
- Reduction in training expenses
- Protection against remote hacker attacks
- Protection against insider attacks

3. Business Processes

Business Processes and Their Implementation

The product is not intended to implement any business process. It is a security scanner for the SAP system itself, providing quick information on misconfiguration, patch management, critical access rights and vulnerabilities. The product can also be used to check whether the system complies with SAP and ISACA recommendations.

With the vendor product the customer has no option to use an exploit to get unprivileged access to an SAP landscape.

4. Product Implementation

Programming Languages, Namespaces

What programming languages or tools do you use to implement your product (multiple selections possible)?
- ABAP Development Workbench
- C/C++
- Java/J2EE/EE 5 (standalone Java app)
- Microsoft .NET
- SQL-Tools. Provide name(s):
- Others. Provide name(s): Adobe Flex, SAP JCo

Do you have SAP Software license?
- SAP Application developer license
- SAP NetWeaver developer license
- SAP Test and Demo license
Provide Installation number: 0020713771

If you use the ABAP Development Workbench, do you develop in the customer namespace or do you use a partner namespace?
- Customer namespace
- Partner namespace. Please provide name: ERPSCAN

Do you use the Add-On Assembly Kit (AAK) for checking and delivering your software to customers? yes / no

Do you use your own tables within the R/3 database (which are not defined by using the R/3 data dictionary)? yes / no
Name tables and location:

Do you modify SAP programs? yes / no

Do you use SAP NetWeaver Developer Studio? yes (SAP NetWeaver 7.0 / SAP NetWeaver CE 7.1) / no

Do you use the Java Development Infrastructure (JDI)? yes (Use namespace) / no

For Java application (J2EE/EE 5)
Note: SAP currently doesn't support JDK 6
Package EAR file to SAP SCA (Software Component Archive) file
JDK version supported:
J2EE/EE 5 specifications adhere to:

6. Integration Technology

6.1 Use of SAP's Integration Technologies

What SAP integration technologies do you use to integrate your product with the SAP Business Solutions?

SAP Enterprise Services: yes
SAP Business Application Programming Interfaces (BAPIs): yes
Remote Function Call (RFC): yes
  If you use RFC, what type of functions do you use? SAP released RFCs / Self-developed RFCs
SAP Intermediate Documents (IDocs) via EDI or Application Link Enabling (ALE): yes
  If you use IDocs, what type of IDocs do you use? SAP released IDocs / Extended or self-developed IDocs
SAP Documented Interface, e.g. SAP BOR API, or the SAP DBA monitoring interface: yes
  Please provide name of interface documentation:
SAP Internet Application Components (IACs) and Internet Transaction Server (ITS) and / or other internet enabling technologies: yes
Business Transaction Events (BTEs, Open FI): yes
SAP Workflow: yes
SAP Automation for alternate front-ends (intelligent terminal): yes
Others (e.g. Batch Data Communication, Direct Input, Data Migration Reports): yes
  Please provide details: HTTP connections
SAP extensions (e.g. User Exits, Customer Exits, Business Add-Ins (BADIs)): yes

6.2 Complete List of Used ES / BAPIs / RFCs / IDocs / other SAP APIs

Please list all items of SAP integration technologies in detail.

Example:
Enterprise Services (User-friendly name / Technical Name): SupplierSimpleByNameAndAddressQueryResponse_In (ECC_SUPPLIERSNAQR)
BAPIs: SalesOrder.Simulate, SalesOrder.GetStatus, ...
RFCs: BANK_KEY_CHECK, ...
IDocs/Message (from SAP): ORDERS01/ORDERS, CREMAS01/CREMAS, ...
IACs: Available to Promise on the Internet (SD-BF-AC)
SAP Standard Reports for data migration: RIIBIP00, ...
CMOD exit/enhancement: CUBX0001 - Configuration: determine superior material, ...
BADIs/BTEs: BOM_UPDATE, ...

Name of ES/BAPI/RFC/IDoc/Message/etc. (using the provided format for each type) -- Status¹

/ERPSCAN/ZRFC_READ_TABLE -- S
/ERPSCAN/ZGET_PROFILE_PAR -- S
SXPG_COMMAND_EXECUTE -- R
RFC_PING (called automatically when using the JCo function ping()) -- N
/ERPSCAN/ZSYSTEM_RESET_RFC_SERVER -- S
(further entries with status R whose names are not legible in this copy)

¹ R: Released, N: not released, S: self developed

7. Performance

SAP requires the vendor to state what the performance capabilities are and to demonstrate that performance and overall quality will meet the operational requirements of the product.

7.1 Performance and Scalability

Please give a description of the architecture and design of the product, including performance and scalability.

The system's architecture is based on cross-platform development, a multi-user model, and a thin client. The client-server architecture, with a thin client based on Adobe Flex, allows managing the scanner without installing any additional software, using any browser that supports Flash, while the multi-platform server engine developed in Java enables operation on any OS.

Scan scheme

To receive data from an SAP server, the scanner uses a special ERPScan account, which is created in every client beforehand with the rights to read the set of tables needed for the analysis. Data is transferred from the server via RFC using standard function modules. After that, the system processes the received data against various criteria and creates reports.

Architecture

The system consists of the following components:
Server:
· DBMS (MySQL);
· Application server (Apache Tomcat);
· Static web server (Nginx).
Client:
· Any browser which supports Flash.

Interaction with the server is implemented via HTTP using any browser that supports Flash. The server can be installed on any OS that supports Java. The recommended operating systems are Windows XP/7 and Linux Ubuntu.

7.2 Quality Assurance

Please give a description of your internal Quality Assurance procedures to assure that the interface design and performance consistently conform to specified requirements.

The quality assurance process at ERPSCAN is based on recognised international standards such as ISO. The implemented system of quality management and control over the project is organised as follows:

Roles shown in the organisation chart: Project manager; Project supervisor; Software engineers; Deployment manager; Quality assurance manager; Quality assurance engineer; Beta-testers. Departments: Development; Quality assurance dept.

Do you have a test plan? yes (Please attach here Test Plan.pdf) / no (Please explain:)

Do you have a test report? yes (Please attach here Test report.pdf) / no (Please explain:)

Do you have a benchmark study? yes (Please attach here benchmark.pdf) / no (Please explain:)

8. Product Integration Test-Drive Preparation

To certify your integration, SAP requires the following documentation to be e-mailed to the assigned SAP consultant a week before the Test-Drive day, or to be present at the Test-Drive day at the latest.

8.1 Available Documentation

Functional Documentation yes

Installation Documentation yes

Maintenance Documentation yes

End User Documentation yes

You should describe how the final test of your product integration can be done during a Test-Drive at SAP. The test cases should show the usage of all above listed integration technologies and APIs. SAP will ask you to initiate maximum tracing capabilities to verify the used calls. You should prepare the necessary test data in the SAP test & demo systems before testing.
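The tracing requirement above exists so that the calls a product actually makes can be reconciled with the list it declared in section 6.2. As an added example (not code from the report, SAP or ERPScan), the following Python script performs that reconciliation for the scanner account: it parses a trace, counts the function modules the account called, and reports anything undeclared, anything declared but never seen, and any call to a module marked "not released". The trace line format and the sample lines are constructed for this example and do not reproduce a real SAP RFC or gateway trace layout; a real trace would need its own parser, and the account name ERPSCAN is an assumed value.

```python
"""Reconcile observed RFC function-module calls with a declared allowlist.

Added example, not part of the certification report. The trace format below
is hypothetical and constructed for the example; adapt parse_trace() to the
real trace you export from the SAP system.
"""
import re
from collections import Counter

# Declared list taken from section 6.2 of the report: name -> status
# (R: released, N: not released, S: self developed).
DECLARED = {
    "/ERPSCAN/ZRFC_READ_TABLE": "S",
    "/ERPSCAN/ZGET_PROFILE_PAR": "S",
    "SXPG_COMMAND_EXECUTE": "R",
    "RFC_PING": "N",
    "/ERPSCAN/ZSYSTEM_RESET_RFC_SERVER": "S",
}

# Constructed sample trace (hypothetical format): date, time, calling user,
# function module. The RFC_READ_TABLE line and the DDIC line are deliberately
# included so the audit has something to flag and something to ignore.
SAMPLE_TRACE = """\
2013-06-21 10:01:02 ERPSCAN RFC_PING
2013-06-21 10:01:03 ERPSCAN /ERPSCAN/ZRFC_READ_TABLE
2013-06-21 10:01:04 ERPSCAN /ERPSCAN/ZGET_PROFILE_PAR
2013-06-21 10:01:05 ERPSCAN SXPG_COMMAND_EXECUTE
2013-06-21 10:01:06 ERPSCAN RFC_READ_TABLE
2013-06-21 10:01:07 DDIC    SXPG_COMMAND_EXECUTE
"""

# date time, then user, then function module; extra spaces are tolerated.
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s*$")


def parse_trace(text, user):
    """Return a Counter of function modules called by `user`.

    Lines that do not match the expected layout are skipped, and calls made
    by other users are ignored so that only the scanner account is audited.
    """
    calls = Counter()
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        _timestamp, caller, function_module = match.groups()
        if caller == user:
            calls[function_module] += 1
    return calls


def audit_calls(calls, declared):
    """Classify observed calls against the declared list.

    undeclared:      called in the trace but absent from the declaration
    unused_declared: declared but never called during the test
    not_released:    called and declared, but with status N
    """
    return {
        "undeclared": sorted(fm for fm in calls if fm not in declared),
        "unused_declared": sorted(fm for fm in declared if fm not in calls),
        "not_released": sorted(fm for fm in calls if declared.get(fm) == "N"),
    }


if __name__ == "__main__":
    observed = parse_trace(SAMPLE_TRACE, "ERPSCAN")
    for name, count in sorted(observed.items()):
        print(f"{count:3d}  {name}")
    for category, names in audit_calls(observed, DECLARED).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Any name in the "undeclared" list is a gap between the product profile and its real behaviour and should be resolved before certification; a non-empty "not_released" list is expected here only because RFC_PING is issued by the JCo ping() call, as the report itself notes.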

8.2 Describe test steps to be executed during Test-Drive

Step -- Test step -- Expected result
1 -- Enumerating open ports and System Numbers on scanned IP -- Identified Gateway port and System number
2 -- Testing authentication by JCO ping() -- Authentication successful. User exists in the system.
3 -- /ERPSCAN/ZRFC_READ_TABLE checks executed -- /ERPSCAN/ZRFC_READ_TABLE function successfully executed at SAP and data transferred to ERPScan.
4 -- /ERPSCAN/ZGET_PROFILE_PAR checks executed -- /ERPSCAN/ZGET_PROFILE_PAR function successfully executed at SAP and system parameters transferred to ERPScan.
5 -- SXPG_CALL_SYSTEM checks executed -- SXPG_CALL_SYSTEM function successfully executed at SAP and data from files transferred to ERPScan.
6 -- Creating the project in the scanner -- Project successfully created
7 -- Running HTTP checks for ICF services -- HTTP GET requests were sent to SAP ICF and responses transferred to ERPScan
8 -- Running HTTP with delays -- HTTP GET requests were sent to SAP ICF with time delays and responses transferred to ERPScan

Test Result 8.2.1:

Test Result 8.2.2:

Test Result 8.2.3:

Test Result 8.2.4:

Test Result 8.2.5:

Test Result 8.2.6:

Test Result 8.2.7:

Test Result 8.2.8:

SAP requires the performance load testing to be included during the Test-Drive. These performance load test cases will determine whether the product can handle a pre-defined number of users or amount of data without running out of resources or having transactions suffer excessive delay.

8.3 Describe performance load test steps to be executed during Test-Drive

8.3.1 -- Running the scan process directed to the SAP system. During the scan the resources on the SAP server are monitored. -- Expected result: The scan process requires minimal system resources.
8.3.2 -- Running the scan process directed to the SAP system. During the scan the network traffic between the SAP server and the ERPScan server is monitored. -- Expected result: No excessive traffic is observed.

Test Result 8.3.1:

Test Result 8.3.2:

9. Additional Comments

Please feel free to add comments here regarding e.g. special techniques you use.

10. Vendor Confirmation

Vendor states that by following the guidelines of the ICC Integration Assessment or ICC Integration Guide, only the integration technologies listed in this document and in the Technical Product Profile are used in the described interface software.

Certification is only valid for the SAP release and vendor product release noted in this document; in the event of SAP component or third-party product release changes SAP offers re-certification of the interface software.

General Remarks:

Product certified yes no conditional