00:00:00: Good morning and welcome to part two of our Hacking & Defending SAP Applications webinar series, Clean Core, Dark Clouds: attacks on BTP and ABAP custom code.
00:00:12: My name is Leah, and before I hand things over, first I want to point out the questions module within the ON24 platform.
00:00:22: If you have questions, please enter them at any point during this presentation and, if time allows, we will answer whatever questions we can at the end of our discussion.
00:00:31: You can always adjust the size of your media player on your own to make it bigger or smaller depending upon preference.
00:00:38: There is a video component for this webinar so you'll need to ensure the media players are large enough.
00:00:44: And finally, please note that this webinar is being recorded and the link will be sent to you.
00:00:50: With us today is JP Perez-Etchegoyen, Onapsis CTO.
00:00:55: JP will present two high-stakes threat scenarios and how to prevent them, based on real-world incidents.
00:01:02: With that, JP, can we start off?
00:01:06: Awesome.
00:01:06: Thanks, Leah.
00:01:07: Thank you everyone for joining; really excited about hacking and defending SAP applications.
00:01:16: We have a lot of content, not a lot of time, so I'll try to be as concrete as possible.
00:01:24: We'll start navigating through the slides. So in terms of agenda, we'll do a quick intro on the docuseries and on the current landscape, and we'll talk about the challenges of extending today's SAP landscapes.
00:01:40: Then we'll go through live attack demos, real attack scenarios, and we'll navigate what to do.
00:01:49: We'll talk about protections, remediation and defense, and we'll close with Q&A. Hopefully that will give you a good perspective of the potential threats that custom applications face today.
00:02:05: All right. So why are we doing this?
00:02:10: Hacking and defending SAP applications; we're on episode two now.
00:02:15: We started to do these because it's very important to start bridging the theory and the practical defense of SAP systems.
00:02:26: Nowadays it is even more so in the overall IT security community; the SAP security community is not separated or isolated from that.
00:02:44: And it's important for defenders to be really empowered to defend at the speed of AI, right?
00:02:52: So that's why it's important to see in real life what these types of threats look like and what they should be doing in terms of securing their SAP applications.
00:03:03: Of course, these docuseries are powered by the Onapsis Research Labs, which is a team of professionals with extensive experience in understanding threats, risks and vulnerabilities affecting ERP applications.
00:03:21: We have been reporting hundreds, over a thousand already, vulnerabilities to ERP vendors, and yeah, this unparalleled experience is a core aspect of these docuseries.
00:03:39: So the objective is really to empower the defenders to be able to respond to this type of threat on time and with the right speed that is required in today's completely new world, right?
00:03:57: This AI World is shifting the timelines significantly.
00:04:07: Before jumping into content, a word or two on Onapsis Research Labs, this team of professionals that is continuously monitoring, on one side, potential vulnerabilities and potential threats to SAP applications and, on the other side, monitoring what threat actors do, really bringing all of their knowledge to the Onapsis platform and to our customers so they can timely respond to vulnerabilities and threats affecting SAP applications.
00:04:41: If you think about some of the most critical vulnerabilities affecting SAP in the history of SAP applications, most have been reported and discovered by the Onapsis Research Labs, which actually makes me very proud, because this team is actively contributing to making SAP applications more secure, one vulnerability at a time.
00:05:07: So think about the contribution that we have been making over time; that's why I'm very proud, it has been significant, right?
00:05:18: And of course to our customers, giving them the ability to detect and manage these risks even ahead; a key to our customer base.
00:05:30: All right, let's go into today's topic, the challenge of extending today's SAP landscape, and that is why it's titled, right, Clean Core, Dark Clouds. The idea:
00:05:45: There is a strategy pushed by SAP to clean core, which is a good one.
00:05:54: We applaud all of the initiatives that SAP is taking; historically SAP has been embracing secure by default.
00:06:07: The cloud and many other initiatives are a step forward in terms of security.
00:06:15: There's still a lot of risk if customers think that by navigating through and embracing all of the latest technology they're going to get rid of the vulnerabilities and risks; that's not a reality.
00:06:32: The reality is customers still need to customize their applications.
00:06:38: That's why many organizations are on RISE, on the private cloud version, with the ability to customize or extend.
00:06:52: And still, organizations need to be able to match their business processes through the technology they use.
00:06:58: That's true for extensions on BTP and extensions on ABAP.
00:07:03: So there are realities; today the number of options customers have to extend and customize is much broader.
00:07:13: So that's why it's important to understand this is something we need to address, right?
00:07:20: Clean core is good; let's say the objective of getting there is good.
00:07:28: The reality is that organizations still have a lot of customizations from their history and will continue to introduce customizations and extensions, because they need to extend and customize the core standard delivered by SAP, so customers need to be able to properly secure that.
00:07:56: So a little bit of history here: if you have been running SAP for several years,
00:08:04: you're probably familiar with this. Extending or customizing SAP applications, especially on-prem or even in private clouds, has been something like this.
00:08:18: Of course there are some flavors, but it's really SE38, SE80, Eclipse ADT, CDS, creating workbench requests or transport requests.
00:08:33: Transporting from development to QA, testing, doing the proper testing and then moving into production.
00:08:42: So that's been the history of extending and customizing SAP applications, with the majority of it being custom ABAP code delivered on top of standard SAP code.
00:09:03: Now, today extending SAP can be all of what we saw, which actually is still a lot of that customization: extending through custom code and ABAP on top of the standard, but then we have many other options as well.
00:09:25: We can extend on BTP the functionality that is provided, for example, in our S/4HANA, and we have different options with Fiori elements, CAP backends, right?
00:09:39: On Node.js, Java, Cloud Foundry supporting custom applications that are integrated with the ABAP-based core.
00:09:51: We have many other alternatives to create and maintain custom code, to version the code, those development pipelines.
00:10:05: So all of these new ways of developing have been introduced through SAP capabilities for extensions on BTP, some also extending on ABAP, like abapGit and other capabilities.
00:10:22: But the reality is that now extending applications is much more than just custom code, right?
00:10:29: So you have some examples here of what it looks like, still with classic ABAP, our Z code that everyone is so familiar with, or custom namespaces that you may have in your organization.
00:10:47: But yeah, this is how it's growing and evolving.
00:10:52: And we believe that also with AI it's going to continue to evolve into even more options, more alternatives, more capabilities provided by SAP.
00:11:05: A little bit on who the key players are here.
00:11:14: Who are the personas, let's say, involved in extending or customizing SAP? These are just some of them.
00:11:24: We have the business users for Fiori in-app extensibility, who may not have any knowledge of SAP technology but know how to extend through Fiori in-app extensibility, really with the right knowledge from that business function.
00:11:44: Then we have the classic ABAP developers, developers on ABAP in the cloud.
00:11:51: We have the CAP developers for BTP applications, Fiori as well for UI5 and HTML5 applications.
00:12:00: And then we also have integration developers, right?
00:12:03: For the Cloud Integration Suite, where you have developers creating those integrations between on-prem, cloud, private clouds, SaaS solutions, a little bit all over.
00:12:16: So these are just some examples of who the users are behind extending and customizing SAP.
00:12:25: We're going to be focusing on some of these, not all of them, because time doesn't allow, but the examples that we have will be touching upon some of these personas. Just to wrap up the little introduction:
00:12:43: Securing the business is tougher than ever, right?
00:12:47: So talk about AI.
00:12:50: Talk about the cloud. Really, the environments that we have today in SAP customers are really hybrid environments with a little bit of everything.
00:13:04: BTP, on-prem, private cloud, public cloud, SaaS solutions, all of it integrated, with special needs for customizations and extensions that are being deployed on BTP or custom code in different places.
00:13:22: So really being able to secure that is challenging.
00:13:29: It was challenging in the past, but it's becoming more difficult as the complexity of SAP technology evolves.
00:13:38: So let's go into live attack demos.
00:13:42: We set up two specific demos highlighting two very different scenarios. The first scenario that we're going to see is really purely on ABAP.
00:13:55: We are going to talk about a potentially malicious developer who's introducing potentially malicious code in ABAP custom code and runs it in an S/4HANA system, and we'll see a little bit of how it works in terms of how that is modified and introduced.
00:14:18: How is that triggered?
00:14:20: The other scenario is more on the BTP side, right?
00:14:23: So it's a BTP application extending and integrating with an S/4HANA system on premise, connected through Cloud Connector.
00:14:35: There is here a little bit of all the data exposed.
00:14:40: There's a little JavaScript, Node.js running on Cloud Foundry and exposed through BTP, integrated, as I mentioned, with a specific destination going into the SAP Cloud Connector.
00:14:57: All right!
00:15:01: The first demo is portraying a well-intended developer.
00:15:07: This well-intended developer is someone creating an app on BTP.
00:15:14: This developer has experience creating code on BTP, Node.js, some UI5, different elements of these.
00:15:28: But the developer doesn't have a lot of background in security.
00:15:34: So while he's well intended to serve the requirements that were provided to him or her,
00:15:44: the reality is that unknowingly this developer is introducing specific vulnerabilities that could expose the entire application, and we'll see that these could also expose the backend applications as well, right?
00:16:02: This is what it looks like.
00:16:04: The app itself is a Fiori app, really the look and feel of other SAP applications; it's using SAP libraries, SAP technology to serve its UI as well.
00:16:20: And this is what it looks like, both the application and the attack demo we are going to see.
00:16:26: So there, the application is on BTP in Cloud Foundry.
00:16:32: The attacker is going to log in to the application; he's going to see that there are different vulnerabilities.
00:16:41: He's going to be able to see some of those weaknesses and potentially exploit those weaknesses, ultimately connecting into the backend system.
00:16:51: For ease or simplicity we're connecting directly to a backend system, and now you could tell me, okay, but the original application goes through Cloud Connector.
00:16:59: So that's true.
00:17:02: Potentially it could be possible also to go through Cloud Connector, but it adds some complexity.
00:17:08: For the sake of simplicity we are doing this: A, compromising the BTP application, and then through that compromise navigating into the backend system, which would be on-prem, and this user should be sitting in a network place that allows for both connections.
00:17:30: So let's go with the demo, and I'm going to be explaining what you are seeing on your screen.
00:17:41: So the user is connecting to the BTP app, right?
00:17:48: This user is accessing this specific link,
00:17:52: authenticating into the system as Sean Brennan.
00:17:57: He has a user in this system, navigating through different capabilities.
00:18:02: There's a directory, as you may have in other places, an employee directory pulling data from the backend SAP, showing you different colleagues of this person.
00:18:14: But there's also a profile here, right?
00:18:18: So the user is looking at information of his own profile, for example compensation and also employment data, the bio.
00:18:29: So now the user says:
00:18:32: hey, if I modify this parameter, what happens?
00:18:36: Okay.
00:18:37: So modifying the specific parameter provided by the application,
00:18:41: this user is now able to see compensation from other users, which he absolutely should not.
00:18:48: For example the CEO's compensation, right, in this case looking at his personal data as well,
00:18:56: that wasn't available through the employee directory.
00:18:59: Now there is a possibility to modify the bio if you are able to see the profile.
00:19:08: Now, deploying a specific payload in the bio, the user can now change the behavior of the application because it's cross-site scripting, right?
00:19:23: This information could be exfiltrated through this cross-site script that is permanent and installed.
00:19:30: So anyone looking at the profile... he could change it for all of the different profiles and could compromise the specific sessions of those target users with a stored cross-site scripting.
00:19:48: Now, that's one attack that an attacker can perform.
00:19:52: This other attack here: he realized there is this export payslip.
00:19:59: So you could export the information of your salary, like the deductions and all that information.
00:20:07: So exporting that could yield some potential insights, right?
00:20:16: The user is exporting his own payslip, Sam Brennan.
00:20:21: He's actually looking at his payslip: okay, this is the salary, net pay, but he also realized that in the same functionality he could introduce other characters.
00:20:37: That could yield another vulnerability, and this is a command injection vulnerability.
00:20:43: The command injection could be abused to exfiltrate internal information of those BTP services, and use that to actually abuse one of the BTP services.
00:20:57: This is a client ID and client secret for a specific service, that is the destination service.
00:21:05: Now with that information this attacker could exfiltrate credentials that are stored on that destination service, and he actually has a Python script for doing that.
00:21:22: Voila!
00:21:23: So now the information of a specific destination is provided to this malicious attacker, right?
00:21:33: So now this information could be used to go back to that backend system and connect and access
00:21:44: information that is available to the specific user, which is a technical user used to bridge between BTP and the backend systems.
00:21:56: In this case it really depends on the authorizations that are provided to this user, but we'll see.
00:22:04: Once the user is able to connect...
00:22:08: The user was able to collect, and he's providing those credentials; of course a secure credential, a secure password configured there, very strong,
00:22:20: but retrieved through the use of this service.
00:22:27: Now the attacker is logging into the system.
00:22:31: And now it's all up to the credentials of that user, right?
00:22:35: So now it's accessing transaction BP, but could be other transactions like SE16 to navigate business tables.
00:22:45: In this case we are just looking at users here, but this could potentially be anything on the system, right?
00:22:55: Any table that it is authorized to see.
00:22:59: And then let's continue with this session.
00:23:05: Hopefully we can go back to the slides.
00:23:08: So what happened here?
00:23:11: Sean Brennan, junior security analyst:
00:23:14: this user was able to connect to BTP and access the different functionalities legitimately available to this user, but then through different vulnerabilities
00:23:27: this user was able to see compensation for other users, information potentially for all
00:23:35: the users, attack through cross-site scripting on their profiles, and also export payslips.
00:23:44: His own payslip, but through abusing that, he,
00:23:49: this user, could, via a command injection vulnerability, exfiltrate information of the destination service and internal secrets of the BTP destination service,
00:24:06: exfiltrate those credentials and connect back to the backend system using the credentials.
00:24:13: So this is a hypothetical scenario that is possible if there are vulnerabilities introduced and not properly assessed in this BTP application.
00:24:30: Some examples of some of these vulnerabilities: I mentioned cross-site scripting.
00:24:35: There was also anonymous access to an exposed API;
00:24:39: that is also possible depending on how the system is configured. OS command injection.
00:24:44: So here you have an example of Onapsis Control identifying the exact code and how it should be fixed.
00:24:57: So this is the other part of this.
00:25:00: We'll see some demos on how to address these vulnerabilities,
00:25:06: but these examples highlight some of the vulnerabilities identified by Onapsis Control.
00:25:13: Okay, now a different perspective, right?
00:25:16: The first one was a completely legitimate developer that was well-intended but introduced vulnerabilities on the system unknowingly.
00:25:30: So this second scenario is a developer who has the malicious intent to compromise his system.
00:25:39: He had some level of privileges, but this attacker wants to ensure that potentially something malicious can happen, or some elevated access could happen, in production, for example.
00:25:53: All right, this scenario is different.
00:25:57: We are now in the world of traditional ABAP code.
00:26:02: So this is a report, Z Vendor Master Review, a completely valid report requested by AP back-office users who need to run it before month end,
00:26:18: analyzing potentially duplicated or blocked vendors, missing tax IDs, all coming from table LFA1.
00:26:28: The requirements for executing this report are valid.
00:26:31: You can execute it through transaction code GVMR or SE38
00:26:37: with the execution of the program name; there is a specific role that only grants a very limited number of authorizations:
00:26:50: F_LFA1_GRP, S_PROGRAM, S_TCODE.
00:26:54: Nothing high-privileged or really critical beyond what needs to be provided, and this is the diagram, right?
00:27:05: So the end user, which we are going to see, uses this report legitimately.
00:27:14: Nothing out of the ordinary, but then we'll see how a developer modifies this report.
00:27:21: This report ends up going all the way to production and is potentially abused by the developer with access to it; we'll see what the impact of that is.
00:27:34: All right.
00:27:38: Demo two... Okay, there you go, we're back on track!
00:27:46: The scenario where we have ABAP code: someone is Mary Rogers.
00:27:57: She's an AP user who periodically runs this report.
00:28:03: It's a completely legit report that was requested from the ABAP development team with the right specific requirements, right?
00:28:14: So the report fulfills all of those.
00:28:21: This report is executed; everything normal, nothing out of the ordinary.
00:28:25: But there's another user that is a developer, that is connecting to the system and has privileges to
00:28:35: develop, right?
00:28:36: So in this case we have the developer that is not authorized to
00:28:43: do anything like execute transaction BP or SU01.
00:28:48: This developer has only developer rights in this system, which can modify code.
00:28:55: Ultimately this code will end up going to production, and we can see the Vendor Master Review.
00:29:03: It's like why it was created,
00:29:08: what it is doing;
00:29:09: there are authorization checks in there.
00:29:15: There is access to table LFA1, doing some filtering and presentation to the user.
00:29:25: It's a very simple report, but this developer has very extensive knowledge of ABAP, so he has specific code that can be added at the end of the report, completely altering the behavior.
00:29:48: So in this case we see it's adding some OK codes.
00:29:55: Some specific processing depending on the OK code that we're providing, and
00:30:03: it's
00:30:03: somehow working with USRBF2.
00:30:09: That is basically the user buffer table, right?
00:30:13: You don't need to understand exactly what it is, but you'll see the impact.
00:30:18: So this is basically tampering with the session of the user: so the developer executes the code, and when this new code executes the OK code, in this case "X access", but the name could be anything, additional authorizations are added to the user buffer.
00:30:41: Now this user that wasn't able to access SU01 is now able to access it.
00:30:50: But interestingly enough, if we look at his roles, we see that he has developer roles.
00:30:56: He had the role for executing this specific report but nothing else; he shouldn't be able to use SU01 or transaction BP, for example.
00:31:09: All those things shouldn't be authorized.
00:31:12: And what you are seeing
00:31:17: is report RS-USR-COOC, which is part of SUIM,
00:31:22: what an auditor would use.
00:31:24: And if we look at the user profiles, nothing out of the ordinary, right?
00:31:31: So all of the authorizations that are granted through the roles this user legitimately has.
00:31:39: However, we just saw he executed SU01.
00:31:42: So there's something else
00:31:44: there,
00:31:44: something else, because in the user buffer he has all authorizations.
00:31:50: So now the user is accessing transaction BP for maintaining business partners.
00:31:57: So he's looking at existing business partners, vendors in this case, and what this user is going to do:
00:32:09: he's going to search for specific vendors, navigating through them so that there is a certain pattern.
00:32:18: Okay, let's access this one, and he's actually going to payment
00:32:26: transactions.
00:32:27: So that is the bank account that this vendor is actually being paid on,
00:32:34: never modified other than when the vendor was created.
00:32:38: Now accessing that, modifying the bank account, potentially the bank key or other details.
00:32:47: He's putting his own bank account, and now, of course, in the history we see another change.
00:32:57: So this was actually modified in the master records.
00:33:03: So every time that vendor is paid, this user will get that payment.
00:33:13: Now, the last part is this user executed another OK code which cleaned the user buffer of what was added before.
00:33:22: So now the user doesn't have any more privileges to access SU01 or BP,
00:33:30: or any other transaction at that point, right?
00:33:32: So what this shows us is that for a small period of time, completely untraceably, this user got high privileges.
00:33:43: So now going back to the slides: what happened was that this malicious developer got SAP_ALL,
00:33:53: could access any business data.
00:33:55: As I mentioned, he logged into S/4HANA, ran that specific modified report or program and then accessed a specific OK code.
00:34:11: After that, anything could happen, completely untraceably from a permissions perspective.
00:34:17: From an audit perspective the backdoor is really an OK code calling specific code that is inserting into the user buffer.
00:34:31: So this is very technical, from the ABAP side, but that was technically possible, right?
00:34:40: The reality is, when you have access to modify ABAP code, anything can happen.
00:34:45: This is just one example.
00:34:47: This developer could have hidden the code in many different ways to avoid being detected as malicious, right?
00:34:57: To the eyes of, potentially, a reviewer, he could be applying different techniques to make it really not be detected.
00:35:07: That's why it's important to have automation at the detection level, so these types of things can be properly identified.
00:35:20: This is an example of Control identifying some of the issues that this report had, and if you think about it, it was just one report with many different vulnerabilities in it.
00:35:35: Now if you extrapolate to potentially all functionality, many reports, many transactions,
00:35:46: function modules, BAPIs, the different elements that you could be creating and maintaining over time,
00:35:54: that's a significantly large attack surface, right?
00:36:00: All right, so what should we do about it?
00:36:08: How can we address all this?
00:36:11: That's where we kick in, right?
00:36:16: There are many ways you could prevent this from happening.
00:36:20: You can automate security and compliance testing, you can correct errors while typing, when this is actually being created, you can prevent vulnerabilities in the development phase rather than in production,
00:36:37: once the code is in production. You can train developers to develop securely, right?
00:36:43: To introduce secure code.
00:36:45: It can ensure compliance with strict regulations, and of course all this saves time and money while improving quality and security.
00:36:58: How? With our product, Onapsis Control, which performs all the things that help achieve all of these things I mentioned before:
00:37:08: integrate into your development processes, into your development pipelines, also able to assess production code.
00:37:16: I have some demos for this,
00:37:21: very quickly too,
00:37:23: to show you what it looks like in reality when you need to address securing custom code.
00:37:31: So in this case, what we are seeing is basically the Vendor Master Review report, part of a specific transport request.
00:37:44: This was when the developer created
00:37:45: this
00:37:46: and was transporting it to QA and ultimately transporting it into production.
00:37:52: What you are seeing
00:37:53: is that there is the transport being stopped by Control, saying no, this has vulnerabilities; or ill-intended developers being stopped from introducing vulnerabilities, which is not the majority of cases.
00:38:13: But we know that's possible, and there are examples where that happened.
00:38:20: So preventing someone from introducing a vulnerability on purpose through the change management process, with Control being able to assist you.
00:38:33: Then, now, the second demo that I wanted to highlight here is on the BTP side.
00:38:41: You may be using Business Application Studio.
00:38:45: You may be creating different components, JavaScript, different elements of your BTP applications.
00:38:55: While doing that you can use Control to identify specific vulnerabilities.
00:38:59: This is a cross-site scripting vulnerability,
00:39:03: sorry, that is introduced in one of the JavaScript elements, and you can see, while you're typing, the results are changing from one vulnerability to two vulnerabilities.
00:39:19: And then if you comment it out again, it becomes zero again.
00:39:28: That's how real-time these controls are when you are using Business Application Studio or any development environment; Control supports most of the widely used development environments to develop on BTP, but also on ABAP code as well.
00:39:48: There we have information about the vulnerability, how to solve it, and all that is part of Control, right there at hand.
00:40:00: The other element, and just to close the loop, is how this integrates into the Onapsis platform as well.
00:40:11: I showed you how the Control product integrates into the Transport Management System, at the hands of your developers when they are creating code.
00:40:21: You can also assess repositories, you can assess productive environments, you could assess your entire code base with the Onapsis platform as well,
00:40:32: as part of those capabilities of the Control product line, right?
00:40:38: So it could be a Git repository or an ABAP asset,
00:40:44: all that UI5, and everything is possible through really integrating visibility into existing vulnerabilities into the Onapsis platform.
00:40:58: So that was just really to close the loop on: okay, if I have the Onapsis platform and Control, how do I look at all of that in the same place?
00:41:06: Well,
00:41:07: that's one part of how you have the right level of visibility into your existing potential vulnerabilities in your code.
00:41:18: And this is the UI we have been using for the vulnerabilities in code, kernel, configurations, integrations, authorizations, all of the other elements.
00:41:45: That's just the last demo that I had prepared for you. Just going back to the slides and wrapping up because we are running out of time.
00:41:56: The objective of Control is really giving you the ability to make all of your developers able to develop secure code, right?
00:42:09: Develop code that's basically compliant with your policies and blocking any type of potentially vulnerable code at the quality gate, right?
00:42:27: In QA or even at the hands of your developers.
00:42:32: At the IDE, in Business Application Studio, using Eclipse, using any type of development environment you use. And with that we have some time for questions,
00:42:47: so back to you, Leah.
00:42:50: Oh great, thank you so much JP.
00:42:51: This is awesome.
00:42:52: I think people are really going to appreciate this, and the videos were really helpful just to see all of this in action.
00:43:01: So we did have a lot of questions that came in, but I think we're pretty close on time, so I may ask you one of them.
00:43:09: Here goes. This is the question,
00:43:12: the first
00:43:14: and final question: our SAP footprint is twenty years old
00:43:18: and has millions of lines of custom ABAP
00:43:21: code
00:43:22: at rest. If we run an automated scan of all that legacy code, we're terrified of getting hit with thousands of false positives
00:43:30: we don't have the resources to fix.
00:43:33: How do we prioritize what actually matters?
00:43:38: That's a great question.
00:43:38: It's not an easy problem to solve, right.
00:43:42: So if you are sitting on a ton of potentially vulnerable custom code, there is risk there, right, with that custom code.
00:43:52: In the past, we have seen many incidents driven by situations like that.
00:43:58: Insecure reports, insecure code can be abused, from an issues perspective.
00:44:08: It's all about prioritizing.
00:44:10: First is being able to have the right level of visibility and being able to prioritize those critical issues.
00:44:17: First and foremost, that's right there a compliance violation for many of the major compliance mandates.
00:44:27: Then it is about stopping the bleeding, so make sure you don't introduce additional vulnerabilities.
00:44:34: Put these types of controls at the hands of your developers so you stop any additional vulnerabilities from being introduced, and then prioritizing.
00:44:45: What do we have to help for prioritizing that, right?
00:44:51: It's not the same if you have a missing authorization in specific code as if we had, let's say, a command injection flaw available to many users in code that is available to many users.
00:45:09: So there are some types of prioritization they need to make, and it's a process, right; security isn't one-and-done.
00:45:17: So you mitigate the introduction of additional risks.
00:45:23: You analyze the exposure, you have your prioritized critical risk, and then introduce potentially automated fixes, right?
00:45:34: There are other capabilities that allow you to close some of those risks without the need to involve significant manual effort, with a lot of automation.
00:45:45: That's possible today.
00:45:46: So as you see, it looks like a simple question but has many, many caveats.
00:45:54: It's not an easy problem to solve, and the good part is that there are solutions
00:46:02: for those elements, right?
00:46:05: Great, thank you so much JP for answering my questions.
00:46:09: We're slightly over time.
00:46:11: I'm just going to wrap things up here.
00:46:14: For any other questions in the chat, we will be reaching out individually.
00:46:18: Just a brief reminder to everyone listening that this session has been recorded and the link for the recording will be emailed to you.
00:46:25: With that, thanks again to JP for providing valuable insights into how you can eliminate vulnerable and malicious code across the BTP and ABAP spectrum.
00:46:36: Thanks so much.
00:46:36: Everybody have a great day!