Today’s post is the last in the series of articles about XSS vulnerabilities in SAP systems. The previous parts describe how to prevent XSS in SAP NetWeaver ABAP and SAP NetWeaver J2EE.

XSS is one of the most popular vulnerabilities and its effect can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data. In SAP products, 628 XSS vulnerabilities were discovered that is almost 22%…

From the developer’s perspective

For AS Java, the encoding is available as tc_sec_csi.jar. There is a static class and an interface which provides the encodings for HTML/XML, JavaScript, CSS and URL. Also it is available to use methods of public class StringUtils (com.sap.security.core.server.csi.util.StringUtils):

• escapeScriptEndTag(String pStr) - Prepare a string to be used for a javascript…

We continue our series of posts giving a review of one of the most frequent vulnerability which affects a lot of SAP modules: cross-site scripting, or XSS. Today's post describes how to protect SAP NetWeaver ABAP from XSS.

From the developer’s perspective

For all generic Web applications where you accept input parameters, you must use encoding methods provided by the ICF handler. The implementation of the encoding is…

Oracle PeopleSoft applications are quite complex and consist of many components, so does their security. While there is almost no research on PS security, successful attacks against such systems happen from time to time. That’s why we decided to start a series of articles about some aspects of PS security.

These applications are designed to address the most complex business requirements. They…

Hello, dear readers! Today I would like to talk about Oracle Security.

On August 11, Mary Ann – Oracle's CSO - published an incredibly shocking post about security researchers which was promptly deleted (either by herself or somebody else). The post was discussed by multiple resources such as…

Chevening.JPG

Please cascade to your teams please Tata Consultancy Services (BSE: 532540, NSE: TCS), the leading IT services, consulting and business solutions organization, is a partner with the Foreign & Commonwealth Office (FCO) of the UK Government and created the Chevening-TCS Scholarship on Cyber Policy for professionals in diverse fields from India. This is the…

This year’s study examines the costs incurred by 36 Indian companies in 12 industry sectors after those companies experienced the loss or theft of protected personal data and then had to notify breach victims and/or regulators as required by laws and business…

Governance, Risk and Compliance is sometimes a managerial step or a mandatory step to adhere with regulations & maintain compliant systems. It widely helps in Risk Management.

Some of the major components of IT GRC are:

1. IT Policy Management
2. IT Risk Management
3. Compliance Management
4. Threat & Vulnerability Management
5. Vendor Risk Management
6. Incident…

The intent of using IT Governance Risk Compliance (IT GRC) tools and capabilities is to report and manage IT Risks. We will study the critical platform capabilities for IT GRC Tools.

Critical Platform Capabilities In IT GRC…

What Is Bad USB?

The phenomenon of using the USB for malicious intent can be termed as Bad USB. USB Thumb Drives are the last considerations of malicious intent. However, if manipulated, they can takeover almost everything.

Some interesting demonstrations have been done at Black Hat conference by 2 highly regarded security researchers.

( …

Free/Opensource Tools -

• IT GRC Asset Management
  
  Some functions can be used for technical controls to policy enforcement
  
  OTRS http://www.otrs.com/en/
  
  Redmine http://www.redmine.org/
  
  Mantis http://www.mantisbt.org/
• IT GRC Risk Management-
  
  GLPI …

Today, while working on github, I landed upon an amazing curated list of information on Application Security, covering from fundamentals to programming. The most amazing part was the love demonstration of hacking a website.

Do check this out: https://github.com/paragonie/awesome-appsec

SAP has released the monthly critical patch update for August 2015. This patch update closes 22 vulnerabilities in SAP products, 15 have high priority, some of them belong to the SAP HANA security area. The most popular vulnerability is Cross Site Scripting (XSS). This month, three critical vulnerabilities found by ERPScan researchers Dmitry…

Hello, dear readers, recently we have finished our series of articles on how to Secure SAP Systems from XXS vulnerabilities. Having a great success with the previous series, I decided to launch another series of articles called “SAP Security for CISOs”. However, you don’t need to be a CISO to benefit from reading these…

No doubt you had heard about Chrysler’s recall of affected cars as it appeared in all the top media. You’ll be even more surprised if you see how many recalls happened because of technical issues in recent months. But there is something that we may miss beyond the headlines, some important potential sabotage vectors may happen or are even happening now to increase these…