Many companies have been using SAP to manage their business processes for many years. It is therefore all the more astonishing that a surprisingly large number of them have never subjected their SAP landscape to a comprehensive security assessment.

SAP security is a highly complex area that requires a wide range of specialist knowledge, and that knowledge is not available in every company, particularly in mid-sized ones. Historically, SAP systems were largely isolated from the outside world and therefore not a particular focus of hackers and organized crime. As a result, they were not on the radar of corporate IT security either.

NetWeaver laid the foundation for SAP web applications and external interfaces, and SAP's push to move applications to the cloud keeps enlarging the attack surface. During this transformation, many companies appear to have neglected to examine their SAP landscape for security flaws or to carry out even basic hardening.

That is why a holistic approach is important

We often talk to companies that have had at least some of their SAP systems examined through penetration tests. A few points need to be kept in mind here. SAP products are built on a variety of proprietary technologies that cannot be fully investigated with general-purpose pentesting techniques, knowledge and tools. A penetration test also only spot-checks security measures and cannot provide an overall picture of the risks. In addition, penetration tests are almost always scoped to specific systems or applications and therefore say nothing about the actual weakest link in the defense chain.

An attacker, however, goes straight for that weakest link. It may be a poorly secured development system with a highly privileged RFC connection into a production system. It may be a BSP application or an OData service that contains a backdoor, a third-party application with vulnerabilities in its code, or an Internet-facing server or service that is not adequately patched. It may be an interface to a supplier that exposes sensitive internal data and, increasingly, an insufficiently secured cloud connection. This list is far from complete.

Considering that chaos literally breaks out in many companies when an important SAP system comes to a standstill, it seems advisable to carry out comprehensive security analyses on a regular basis that identify every weak link in the defense. These analyses only deliver reliable results if all SAP systems are actually examined, because the risks of system-to-system connections can only be identified by looking at both sides of each connection: the source side shows which destinations exist and whether logon credentials are stored in them, while the target side shows what the stored user is actually allowed to do.
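To make the "both sides" point concrete, here is an added example (not code from the original article or from any SAP tool) that walks a trust graph built from constructed inventory data. The system IDs, RFC destination names, user names and patch figures are all made up; in a real assessment the destination list and stored-logon flags would be collected from SM59 on each source system and the user-to-profile mapping from SU01/SUIM on each target system. Trusted-system relationships (SMT1), which allow hops without stored credentials, are deliberately not modeled. The walk starts from every system that is Internet-exposed or badly behind on patches and follows only destinations that carry stored credentials, then reports which chains land on a highly privileged user in production:

```python
"""Walk an SAP RFC trust graph to find the weakest link into production.

Added example with constructed data; not code from the original article.
System IDs, destinations, users and ratings are hypothetical.
"""
from collections import deque

# Constructed system inventory (hypothetical SIDs). 'exposure' marks an
# Internet-facing system; 'patch_lag_days' is days behind current patch level.
SYSTEMS = {
    "DEV": {"role": "development", "exposure": False, "patch_lag_days": 400},
    "QAS": {"role": "quality",     "exposure": False, "patch_lag_days": 90},
    "PRD": {"role": "production",  "exposure": False, "patch_lag_days": 30},
    "WEB": {"role": "portal",      "exposure": True,  "patch_lag_days": 200},
    "SUP": {"role": "supplier-gw", "exposure": True,  "patch_lag_days": 10},
}

# Constructed RFC destinations as seen on the SOURCE side (SM59):
# (source, target, destination name, stored_logon, target_user).
RFC_DESTINATIONS = [
    ("DEV", "PRD", "PRD_TRANSPORT", True,  "TMSADM"),
    ("QAS", "PRD", "PRD_READ",      True,  "RFC_READ"),
    ("WEB", "DEV", "DEV_BSP",       True,  "BSP_SVC"),
    ("SUP", "QAS", "QAS_EDI",       True,  "EDI_USER"),
    ("PRD", "QAS", "QAS_COPY",      False, None),   # no stored logon
]

# Constructed user -> profile mapping as read on each TARGET side (SU01/SUIM).
# The SAP_ALL assignment is a hypothetical misconfiguration for the example.
TARGET_USER_PROFILES = {
    ("PRD", "TMSADM"):   {"SAP_ALL"},
    ("PRD", "RFC_READ"): {"Z_RFC_READONLY"},
    ("DEV", "BSP_SVC"):  {"Z_BSP_DISPLAY"},
    ("QAS", "EDI_USER"): {"Z_EDI_POST"},
}

HIGH_PRIV_PROFILES = {"SAP_ALL", "SAP_NEW"}


def is_weak(sid, max_patch_lag=60):
    """A system counts as a weak starting point if it is Internet-exposed or
    more than max_patch_lag days behind on patches (threshold is assumed)."""
    s = SYSTEMS[sid]
    return s["exposure"] or s["patch_lag_days"] > max_patch_lag


def hop_privilege(target, user):
    """Profiles of the stored user on the target side that are high-privilege."""
    return TARGET_USER_PROFILES.get((target, user), set()) & HIGH_PRIV_PROFILES


def attack_paths(target="PRD"):
    """BFS from each weak system toward `target`, following only destinations
    with stored logons. Each result lists its hops as
    (source, dest_system, dest_name, user) and whether the last hop lands on a
    highly privileged user."""
    adj = {}
    for src, dst, name, stored, user in RFC_DESTINATIONS:
        if stored:                       # an attacker needs no extra creds
            adj.setdefault(src, []).append((dst, name, user))
    results = []
    for start in SYSTEMS:
        if start == target or not is_weak(start):
            continue
        queue, seen = deque([(start, [])]), {start}
        while queue:
            sid, path = queue.popleft()
            for dst, name, user in adj.get(sid, []):
                hops = path + [(sid, dst, name, user)]
                if dst == target:
                    results.append({"start": start, "hops": hops,
                                    "high_privilege": bool(hop_privilege(dst, user))})
                elif dst not in seen:
                    seen.add(dst)
                    queue.append((dst, hops))
    return results


def ranked_findings(target="PRD"):
    """Most severe first: high-privilege landing, Internet-exposed start,
    then shortest chain."""
    return sorted(attack_paths(target),
                  key=lambda p: (not p["high_privilege"],
                                 not SYSTEMS[p["start"]]["exposure"],
                                 len(p["hops"])))


if __name__ == "__main__":
    for f in ranked_findings():
        chain = " -> ".join(f"{s}:{name}({user})" for s, _, name, user in f["hops"])
        print(f"{'HIGH' if f['high_privilege'] else 'low '} {f['start']:>4} {chain} -> PRD")
```

On the constructed data the worst finding is not the development system the article mentions, but the Internet-facing portal that reaches it: WEB hops to DEV over DEV_BSP and from there into PRD as TMSADM with SAP_ALL. Neither side alone reveals this: the portal's SM59 shows only a harmless-looking destination to DEV, and PRD's user list shows an over-privileged user but not who can log in as it.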

Conclusion

Cybercrime is now an established business model. Ransomware and data theft have become common means of extortion, and inadequately secured SAP systems are therefore an extremely lucrative target for attackers. Companies that have not yet had all of their SAP systems tested by security experts face a growing risk of losing control of some of those systems or of the data stored in them.

We DO SAP Cybersecurity

Maximize the security of your SAP systems with us.