I had a chance to see presentation and live demo of ERPScan – automated SAP scanning solution, and it made quite an impression on me. ERPScan has interesting scanning features. The most spectacular, in my opinion, is ability to run exploits for found vulnerabilities directly from the scanner.
Some other pleasant things:
- You can add tags to the scanning tasks. Seems useful when you have hundreds of different tasks
- You can check account, that will be used for credentialed scanning and in the same window will be shown minimal information about the system
- You can change or even accept risk level for vulnerabilities and misconfigured user accounts
- You can mark vulnerability as false positive and you can attach comments to it
- You can associate vulnerability with email of responsible system administrator and he will get messages about this vulnerability
I was pleased to see a nice form of report – automatically generated PowerPoint presentation for C-level executives with diagrams, animation, etc.
Interesting feature “Threat Map”, unfortunately I haven’t seen it in live demonstration.
“Threat Map functionality can save your time by providing you with an information about how systems are interconnected, you can eventually use it for privilege escalation and pivoting.”
ERPScan can also patch vulnerable systems automatically. I haven’t seen how it works in real life, but it’s intriguing.
I haven’t found any real cons yet. Of course it would be better to use universal vulnerability scanner, not only for the SAP. But on the other hand, this specialization allows ERPScan team to achieve good results.
Another pretty specific need for me is managing scanner via API. ERPScan developers say that API support will be released later. It is certainly possible to make regular scan, and take the results from the shared folder, but it is not that cool.
And the solution is not cheap. I will not say the cost, because I do not really know, but it is not Nessus level at all. =)
(pictures from the public sources)