Wherever you look: SAP security gaps

Anyone who follows the news increasingly stumbles across reports of serious security gaps in SAP applications circulating on the Internet. Jaguar Land Rover (JLR) was probably the victim of a massive attack recently. But that is just the tip of the iceberg.

Almost every medium-sized and large company uses SAP to some extent, as do public institutions, government agencies, NGOs and educational institutions. In addition to a bouquet of SAP applications, an SAP installation usually also includes in-house developments (customizing) and solutions from third-party providers. Many players are involved in SAP operations, both internal and external. Overall, operating SAP systems is a highly complex task that leaves plenty of room for security gaps.


Security gaps caused by SAP

SAP has a gigantic code base. As with any software, security errors creep into SAP's products, and despite all internal efforts SAP cannot completely avoid them. This is evident from the monthly "SAP Patch Day," on which patches are published for vulnerabilities that were mostly found and reported by third parties.

As soon as such a patch is released, there are actors who create and then publish or sell exploits for the underlying vulnerability. As a result, SAP customers can sometimes be attacked within hours. If the patches for such vulnerabilities are not applied promptly, there is an acute security risk. It appears that Jaguar Land Rover was probably not fast enough in applying a critical patch.
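As an added illustration of the patch-timing point above (example code written for this page, not code from the original article or from SAP), here is a small Python check that compares the security notes of a Patch Day against what each system reports as applied and flags notes that are past an assumed severity-based deadline. All note IDs, dates, CVSS scores and system IDs are constructed sample data; the deadlines in `sla_days` are an assumed internal policy, not an SAP recommendation.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class SecurityNote:
    """A security note as published on a Patch Day (all values constructed)."""
    note_id: str
    released: date
    cvss: float


@dataclass
class SystemPatchState:
    """What one SAP system reports as applied: note_id -> date applied."""
    sid: str
    applied: dict = field(default_factory=dict)


def sla_days(cvss: float) -> int:
    """Assumed internal policy: days allowed between release and application."""
    if cvss >= 9.0:
        return 7
    if cvss >= 7.0:
        return 30
    return 90


def overdue_notes(notes, systems, today):
    """Return (sid, note_id, days_overdue) for every note a system has NOT
    applied and whose deadline has already passed, most overdue first."""
    findings = []
    for system in systems:
        for note in notes:
            deadline = note.released + timedelta(days=sla_days(note.cvss))
            if note.note_id not in system.applied and today > deadline:
                findings.append((system.sid, note.note_id, (today - deadline).days))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def late_but_applied(notes, systems):
    """Notes that were applied, but only after their deadline: a measure of
    how much process lag the organisation tolerates (sid, note_id, days late)."""
    findings = []
    for system in systems:
        for note in notes:
            applied = system.applied.get(note.note_id)
            deadline = note.released + timedelta(days=sla_days(note.cvss))
            if applied is not None and applied > deadline:
                findings.append((system.sid, note.note_id, (applied - deadline).days))
    return findings


# Constructed sample data: one Patch Day with three notes and three systems.
# "NOTE-A" etc. are placeholders, not real SAP Note numbers.
NOTES = [
    SecurityNote("NOTE-A", date(2025, 9, 9), 9.8),
    SecurityNote("NOTE-B", date(2025, 9, 9), 7.5),
    SecurityNote("NOTE-C", date(2025, 8, 12), 5.3),
]
SYSTEMS = [
    SystemPatchState("DEV", {"NOTE-A": date(2025, 9, 10),
                             "NOTE-B": date(2025, 9, 10),
                             "NOTE-C": date(2025, 8, 20)}),
    SystemPatchState("QAS", {"NOTE-A": date(2025, 9, 25),
                             "NOTE-B": date(2025, 9, 25),
                             "NOTE-C": date(2025, 8, 30)}),
    SystemPatchState("PRD", {"NOTE-B": date(2025, 9, 20)}),
]
TODAY = date(2025, 10, 15)


def report(notes=NOTES, systems=SYSTEMS, today=TODAY):
    """Human-readable summary lines for the two checks."""
    lines = [f"[OVERDUE] {sid} is missing {nid}, {days} day(s) past deadline"
             for sid, nid, days in overdue_notes(notes, systems, today)]
    lines += [f"[LATE] {sid} applied {nid} {days} day(s) after deadline"
              for sid, nid, days in late_but_applied(notes, systems)]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run stand-alone, the script reports that the production system is still missing the most critical note weeks after the assumed 7-day deadline, while the QAS system applied it late. In practice the two input lists would be fed from the Patch Day publication and from each system's applied-note list rather than typed in; the check itself stays the same.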

A related risk is, of course, that someone finds a new SAP vulnerability and, instead of reporting it to SAP, sells it. Numerous customers would then be potentially vulnerable.

But for some time now, it is not just security gaps in SAP's software that can endanger customers. SAP wants to transform itself into a cloud provider, and more and more customers are choosing to hand over the operation of their SAP systems to SAP. I thought it would be safer. However, as our penetration tests show, this is not always the case, especially since many RISE installations are not operated by SAP itself but by partners who lack the necessary security know-how.


Customer security breaches

Every SAP customer must take care of a variety of security areas in order to protect their SAP landscape. This includes the correct allocation of administrative authorizations, network security, interfaces, in-house developments, system hardening and securing the SAP Basis, the secure operation of add-ons and, as mentioned above, patch management. It should also be borne in mind that external staff are very often used, especially for in-house developments. In any of these areas, significant mistakes can be made. Unfortunately, many companies lack the time, budget and know-how, and often also the risk awareness, to tackle this task adequately. A penetration test often proves to be an eye-opener here. Even customers who work with automated tools often cannot keep up with the mass of problems, especially when it comes to code.


Third-party security breaches

Since SAP software does not solve every problem, almost all customers also use third-party solutions. Unfortunately, many of these solutions — in some cases despite certification by SAP — have significant security gaps. One reason for this is, of course, that manufacturers often have insufficient security knowledge. Another problem, however, is that customers usually do not notice these gaps. Customers often don't even know which third-party solutions are in use at all, let alone on which systems and in which versions. How should companies protect themselves from supply chain attacks under these conditions?


Security breaches caused by auditors

Yes, there is even that. The auditor comes to the company, absolutely has to install his own software to carry out analyses, and thus brings critical security gaps into the SAP landscape. This software often remains installed on the systems because the auditor will be back next year. We're not talking about small accounting firms here, but about firms of Big 4 caliber.
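Both the third-party section above (customers not knowing which solutions run on which systems in which versions) and the auditor tool left behind on a single system come down to the same missing control: a consolidated inventory of installed software components across the landscape. The following Python is an added example for this page, not code from the original article, from SAP or from any vendor. It takes per-system component lists as a Basis administrator could export them (the list format, the vendor names and every component except `SAP_BASIS` are constructed), builds the inventory, and reports version drift between systems and components that exist only on some systems.

```python
from collections import defaultdict

# Constructed sample: the software component list of each system as
# (component, vendor, release, support package level). Only "SAP_BASIS"
# is a real SAP component name; the vendors and add-on names are invented.
INSTALLED = {
    "DEV": [("SAP_BASIS", "SAP", "758", "0003"),
            ("XYZ_ADDON", "Vendor-X", "2.1", "0002")],
    "QAS": [("SAP_BASIS", "SAP", "758", "0003"),
            ("XYZ_ADDON", "Vendor-X", "2.1", "0002")],
    "PRD": [("SAP_BASIS", "SAP", "758", "0002"),
            ("XYZ_ADDON", "Vendor-X", "2.0", "0000"),
            ("AUD_TOOL", "Auditor-Y", "1.0", "0000")],   # left behind by an audit
}


def inventory(installed, include_sap=False):
    """Map each component to {system: 'release.sp'}. SAP's own components
    are skipped by default so the result is the third-party inventory."""
    inv = defaultdict(dict)
    for sid, components in installed.items():
        for name, vendor, release, sp in components:
            if vendor.upper() == "SAP" and not include_sap:
                continue
            inv[name][sid] = f"{release}.{sp}"
    return dict(inv)


def version_drift(inv):
    """Components installed in more than one version across the landscape,
    e.g. a fix present on DEV/QAS that never reached PRD."""
    return {name: systems for name, systems in inv.items()
            if len(set(systems.values())) > 1}


def partial_installs(inv, installed):
    """Components missing from some systems. A component that exists only
    on PRD is a classic sign of an unmanaged install (an auditor's tool,
    a vendor hotfix applied by hand) that nobody tracks."""
    all_systems = set(installed)
    return {name: sorted(all_systems - set(systems))
            for name, systems in inv.items()
            if set(systems) != all_systems}


def report(installed=INSTALLED):
    """Summary lines a security team could review after each export."""
    inv = inventory(installed)
    lines = [f"{name}: " + ", ".join(f"{sid}={ver}" for sid, ver in sorted(systems.items()))
             for name, systems in sorted(inv.items())]
    lines += [f"[DRIFT] {name} has {len(set(s.values()))} different versions"
              for name, s in version_drift(inv).items()]
    lines += [f"[PARTIAL] {name} is missing on {', '.join(missing)}"
              for name, missing in partial_installs(inv, installed).items()]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

With `include_sap=True` the same drift check also exposes differing SAP support package levels between systems, which is exactly the patch-state question from the first section. The value of the exercise is not the code but the habit: export the component lists regularly, keep the result, and treat every unexpected entry as a question for the system owner.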

Conclusion

SAP security is a highly complex area that only very few companies and organizations can cover comprehensively. In particular, there is a lack of security awareness, of experts and of a strategy. The resulting risks threaten the existence of many companies, especially in times of increasing cyber attacks.

We DO SAP Cybersecurity

Maximize the security of your SAP systems with us.