Concern on SAP Security

Former Member

Hi All,


I have come across a research finding on the vulnerability of SAP installations, in the link below. How, and what, are you guys putting in place to counter these threats?



http://www.theregister.co.uk/2015/05/08/sap_95_percent_vulnerable



We are the first client for SoH (SAP on HANA), however this finding says SAP is more vulnerable due to HANA.



Please share how SAP security is considered in your organisations.



Chezangla

Bhutan

1 ACCEPTED SOLUTION

Former Member

As a matter of disclosure my firm partners with Onapsis, one of the vendors quoted in the article.  That doesn't affect my position on this.

Many, many SAP customers don't follow basic security guidance provided by SAP (which has been provided for years).  Patching is important but even taking that out of the equation, following SAP's general guidance will have a significant positive effect on reducing the threat surface for most organisations.

In my view there are 3 main reasons why customers don't follow SAP's guidance:

#1. The SAP team don't know about it

#2. The effort to implement is too great

#3. SAP and infosec teams don't play nicely together

#1 is inexcusable considering the wealth of information available.  A lot of it is appetite where people tagged as "security" don't really see system security as their remit.

#2 is an understandable concern but sometimes thinking outside the box can yield good results.

#3 is sad but it is slowly changing as awareness of SAP increases in the broader infosec community.

With regards to HANA - it's relatively new tech & understandably there is less general security knowledge in that area & flaws will appear & get fixed by SAP.  I am putting my neck on the line here but while we should be concerned with 0-days, I don't think they represent as much of a risk to most organisations' SAP implementations as failure to perform standard good-practice hardening at network, OS, DB (incl. HANA) and application level.
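The accepted solution's point is that most of the exposure comes from skipping SAP's own hardening guidance rather than from 0-days. The application-level part of that guidance is largely a set of profile parameters, and the gap between "SAP has published it" and "someone checks it" is what reason #1 above describes. The script below is an added example for this thread, not an SAP tool: it compares a parameter dump against a hardening baseline. The parameter names are real NetWeaver profile parameters; the expected values, the `name = value` dump format and the sample values are this example's assumptions and should be confirmed against the current SAP Security Guide and your own policy before being used as a gate.

```python
"""Check SAP NetWeaver profile parameters against a hardening baseline.

Added example for this thread, not an SAP tool. Parameter names are real
NetWeaver profile parameters; the expected values are this example's
assumed baseline and must be confirmed against the current SAP Security
Guide and local policy.
"""
from dataclasses import dataclass
from typing import Optional

# Rule tuples: ("eq", value) exact match, ("in", values) any of,
# ("ge", n) / ("le", n) numeric bound, ("between", lo, hi) inclusive range.
BASELINE = {
    "login/no_automatic_user_sapstar": ("eq", "1"),        # no SAP* fallback login
    "login/min_password_lng": ("ge", 8),                   # kernel default is 6
    "login/fails_to_user_lock": ("le", 5),
    "login/password_expiration_time": ("between", 1, 90),  # 0 = never expires
    "auth/rfc_authority_check": ("in", ("1", "2", "9")),   # S_RFC check active
    "rdisp/gui_auto_logout": ("between", 1, 3600),         # 0 = never logs out
    "snc/enable": ("eq", "1"),                             # SNC available
}

# Constructed sample dump, not output from a real system.
SAMPLE_DUMP = """\
# constructed sample, not output from a real system
login/no_automatic_user_sapstar = 0
login/min_password_lng          = 6
login/fails_to_user_lock        = 5
auth/rfc_authority_check        = 1
rdisp/gui_auto_logout           = 0
snc/enable                      = 0
"""


def parse_dump(text: str) -> dict:
    """Parse 'parameter = value' lines into a dict (comments and blanks skipped)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def _as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def evaluate(rule: tuple, value: str) -> bool:
    """Return True when the system value satisfies the rule."""
    op = rule[0]
    if op == "eq":
        return value == rule[1]
    if op == "in":
        return value in rule[1]
    number = _as_int(value)
    if number is None:          # non-numeric where a number is required
        return False
    if op == "ge":
        return number >= rule[1]
    if op == "le":
        return number <= rule[1]
    if op == "between":
        return rule[1] <= number <= rule[2]
    raise ValueError(f"unknown rule operator {op!r}")


@dataclass
class Finding:
    parameter: str
    status: str            # PASS, FAIL or UNSET
    actual: Optional[str]
    expected: str


def check(params: dict, baseline: dict = BASELINE) -> list:
    """Evaluate every baseline parameter. UNSET means the kernel default
    applies, which for several of these parameters is weaker than the baseline."""
    findings = []
    for name, rule in baseline.items():
        expected = f"{rule[0]} {' '.join(str(x) for x in rule[1:])}"
        if name not in params:
            findings.append(Finding(name, "UNSET", None, expected))
        elif evaluate(rule, params[name]):
            findings.append(Finding(name, "PASS", params[name], expected))
        else:
            findings.append(Finding(name, "FAIL", params[name], expected))
    return findings


def needs_action(findings: list) -> list:
    """Parameters that are either failing or unset, sorted by name."""
    return sorted(f.parameter for f in findings if f.status != "PASS")


if __name__ == "__main__":
    for f in check(parse_dump(SAMPLE_DUMP)):
        print(f"{f.status:5} {f.parameter:34} actual={f.actual!r:6} expected={f.expected}")
```

Two details matter when running something like this against a real system. First, treat UNSET as a finding, not as "nothing configured": a parameter absent from the profile falls back to the kernel default, and for `login/min_password_lng` that default (6) already fails the baseline. Second, values like `0` for `rdisp/gui_auto_logout` and `login/password_expiration_time` mean "disabled", so a naive "less than or equal" comparison would pass them; the `between` rule exists to catch exactly that.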

13 REPLIES

Private_Member_69416

Hi

Vulnerabilities exist in every software.
Not surprisingly, HANA has vulnerabilities too. Most of them are related to direct access by users or applications.
If you are using SoH and have proper configuration those vulnerabilities aren’t applicable to you. But regular checking security patch day notes is always needed.

Both guys from your research are doing software for managing/auditing security in SAP.

Their products can be used for Hana too, so they have interest to find new vulnerabilities.
On one side you have many vulnerabilities found; on the other side, all of those announced in notes were already patched, so the products are more and more mature.

SAP is doing initiatives that can help you: security patch day, tools for development code security audits, monitors and configuration validators, security improvements for existing components and protocols, documentation ...

You can use partner solutions to cover your security management better (e.g. from your report speakers).

But it's worth nothing if you can't update software and are stuck with an old release due to a "business first" policy.

Regards

Przemek


HI Alex

good summary on points but with part of the mix is also the resourcing of the team to be able to get across all of the issues and have the capacity.

As much as SAP is simplifying the user experience it creates a more complex environment for Security. So many components, authorisation and integration; different security models in each.

I still get frustrated to see security lumped in with Basis, but also I don't think one security person can be an expert in all items of security in the SAP landscape anymore. There's just too much to get across. It also means you have some security people who still think their job is just PFCG and SU01 and then ignore everything else outside of that area, but at the same time they go and stick asterisks in a heap of S_* objects as they don't realise what they do.

HANA security is going to be interesting when it comes to design faults. But then again, it'll improve as the product matures and more people use it and learn from their mistakes.

Regards

Colleen
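Colleen's remark about asterisks in S_* objects is easy to turn into a check: pull the role authorization data (table AGR_1251 holds it) and flag every Basis-class object whose field value is a full or partial wildcard. The script below is an added example for this thread, not SAP's own check. The object and field names are real NetWeaver authorization objects; the semicolon-separated export layout, the sample roles and the severity labels are this example's assumptions.

```python
"""Flag wildcard values in S_* authorization objects from a role export.

Added example for this thread, not SAP's own check. Object and field names
are real NetWeaver authorization objects; the CSV layout, the sample roles
and the severity labels are this example's assumptions.
"""
import csv
import io
from collections import defaultdict

# A full "*" in these (object, field) pairs opens the whole object class:
# any table class, any development object, any RFC module, any user group,
# any program group, any transaction.
WIDE_OPEN_FIELDS = {
    ("S_TABU_DIS", "DICBERCLS"),
    ("S_DEVELOP", "OBJTYPE"),
    ("S_DEVELOP", "OBJNAME"),
    ("S_RFC", "RFC_NAME"),
    ("S_USER_GRP", "CLASS"),
    ("S_PROGRAM", "P_GROUP"),
    ("S_TCODE", "TCD"),
}

# Constructed sample in the shape of an AGR_1251 (role authorization data)
# extract; real extracts carry more columns, including a DELETED flag.
SAMPLE_EXPORT = """\
AGR_NAME;OBJECT;FIELD;LOW;HIGH
Z_FI_CLERK;S_TCODE;TCD;FB01;
Z_FI_CLERK;S_TCODE;TCD;FB03;
Z_FI_CLERK;F_BKPF_BUK;BUKRS;1000;
Z_FI_CLERK;F_BKPF_BUK;ACTVT;01;03
Z_FI_REPORT;S_PROGRAM;P_GROUP;ZFI*;
Z_FI_REPORT;S_PROGRAM;P_ACTION;SUBMIT;
Z_BASIS_ALL;S_TCODE;TCD;*;
Z_BASIS_ALL;S_TABU_DIS;DICBERCLS;*;
Z_BASIS_ALL;S_TABU_DIS;ACTVT;*;
Z_BASIS_ALL;S_DEVELOP;OBJTYPE;*;
Z_BASIS_ALL;S_DEVELOP;ACTVT;03;
Z_BASIS_ALL;S_RFC;RFC_NAME;*;
Z_BASIS_ALL;S_RFC;ACTVT;16;
"""


def load_rows(text: str) -> list:
    """Read the semicolon-separated export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def classify(obj: str, field: str, low: str, high: str):
    """Severity for one authorization value, or None when nothing is flagged."""
    if not obj.startswith("S_"):
        return None                      # application objects are out of scope here
    if low == "*":
        return "CRITICAL" if (obj, field) in WIDE_OPEN_FIELDS else "HIGH"
    if low.endswith("*") or high:
        return "MEDIUM"                  # prefix wildcard or range: needs review
    return None


def find_wildcards(rows: list) -> list:
    """One finding per flagged authorization value."""
    findings = []
    for r in rows:
        low, high = r["LOW"].strip(), r["HIGH"].strip()
        severity = classify(r["OBJECT"], r["FIELD"], low, high)
        if severity:
            findings.append({
                "role": r["AGR_NAME"], "object": r["OBJECT"], "field": r["FIELD"],
                "value": low if not high else f"{low}-{high}", "severity": severity,
            })
    return findings


def roles_by_severity(findings: list) -> dict:
    """Map severity -> sorted list of roles carrying at least one such finding."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["severity"]].add(f["role"])
    return {sev: sorted(roles) for sev, roles in grouped.items()}


if __name__ == "__main__":
    for f in find_wildcards(load_rows(SAMPLE_EXPORT)):
        print(f"{f['severity']:8} {f['role']:12} {f['object']:11} {f['field']:10} {f['value']}")
```

The split into CRITICAL and HIGH is deliberate: `S_TABU_DIS` with `ACTVT = *` is bad, but `S_TABU_DIS` with `DICBERCLS = *` is what actually grants maintenance on every table class, so the two should not sort into the same bucket. On a real extract, drop rows whose DELETED flag is set before scanning, and remember that values reach a user through profiles and composite roles, so role-level findings are a starting point rather than the effective-access picture.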

0 Kudos

Hi Colleen,

Good points & I agree.  Capacity is always a challenge (though seems to be less of a challenge when execs are facing a damning audit report). 

Capability is also a hot topic, I'm with you that no-one can be an expert at everything, rather I see the role of the practitioner as having sufficient breadth of understanding as to understand how it all fits together, what their role is within it & to be able to ask the right questions in the areas where we lack the detailed knowledge.  This is so common in the general IT security industry yet seems to skip SAP teams so often (and historically SAP teams have pled special dispensation when the ITsec teams come knocking).


Cheers

p.s. have you seen HANA auths yet?...fun times.


Hi,


Colleen Lee wrote:

As much as SAP is simplifying the user experience it creates a more complex environment for Security. So many components, authorisation and integration; different security models in each.

I completely agree with this. Actually, I've been thinking about writing a blog about this exact issue with the title "Not so simple". SAP pushes a message about simplicity but it does not seem to simplify things for security. Maybe it is not a big change for big enterprises that already have complex landscapes. But for smaller companies that does not seem to be the case. For implementing Fiori apps you suddenly need to have an easy way of user provisioning to multiple systems as well as SSO. This may be a challenge for companies with limited SAP resources. On the other side someone could say good for us, more work.

Cheers


I completely agree with this.

Security researchers also are good "ombudsmen" in the ecosystem and very necessary, but 0-days are often overkill as long as the config is correct, and default installation values can always be improved for new installations.

Right first time is always better.

Personally (as a vulnerability researcher) I have found that it is more difficult to find real hacks which take complete control of the system. So SAP is doing a good job in the product development integration with security input.

When a bug does appear, then there are a myriad of other conditions in the customer scenario and patch levels and config which contribute to it being a real problem with high impact / easy / high probability / remote without authentication.... or internal by the DB admin who 0-days his own system.

I don't mean to be flippant here as I take security very seriously, but some hype is also marketing.

Cheers,

Julius


SAP certainly want to get complexity away from the user, and even the administrator.

That is a bad omen for the developer as there is a load more of IF THEN ELSE. So auth relevant IF THEN ELSE is even worse and needs to tie it to something which is a context and a reliable proposal and visibility...

--> SU24 and menu objects for on-site backend authorizations based on job roles.

Also nothing new (bar some odd things which PFCG does not support yet, or organizations which tick differently and need 10 special task roles because the head of accounting is also a developer in small organizations, etc..)

Cheers,

Julius


Hi Martin

I wrote a careers focussed blog/rant on this topic. I probably could have analysed it differently for the security space but it was more around skill set. It also only scratches the surface of security skills.

I was also thinking about the smaller/leaner organisation who only have 1 person doing security (or it's the basis or the functional people jumping in and taking a stab at it)

Regards

Colleen


Julius von dem Bussche wrote:

I completely agree with

Personally (as a vulnerability researcher) I have found that it is more difficult to find real hacks which take complete control of the system. So SAP is doing a good job in the product development integration with security input.

I am not sure I can fully agree with this. Just a simple XSS with a bit of social engineering can give you admin access and from there it usually escalates pretty quickly. I also believe that SAP benefits from its weirdness. I have seen a presentation about hacking mainframes. I swear you could just swap mainframe for SAP and you would get the same issues. A complex legacy system designed ages ago that nobody understands. There are many bugs but nobody is looking at them. A good example is a recent issue with compression algorithms in SAP. These types of issues have been found in open source implementations years ago. Nobody just bothered to look at SAP. To be fair, an in-house implementation can save you as well, as we have seen in the case of many SSL issues.

Also worrying part is a response time from SAP. Based on my experience it is months. SAP will have to step up their game for their SaaS solutions. Honestly, maybe they already did, I just do not have any visibility.

Regarding HANA I do not have any data so it is hard for me to judge. But I can imagine that security is not one of the top priorities when SAP is rushing to get new product to market. Microsoft is a good example how a company can significantly improve development process from security perspective. But it is important to understand that it required a memo from CEO.

Cheers


Perhaps I am just getting old then and am not completely with it anymore..  🙂

That security researchers are getting better at the proprietary SAP world and more systematically combing through possible vulnerabilities is clear and also constructive to the process of improving security in SAP.

But the statement that SAP security is declining or the process in SAP is not improving is certainly incorrect. Or the persons making these claims are talking to the wrong people and coming to conclusions which serve their marketing interests more than anything else. There certainly are a few of these around in the market but luckily most customers see through it.

A process which however has still not settled into something which works nicely is the security notes implementation. One very seldom encounters a well patched system unless they happen to have recently performed an upgrade...

Cheers,

Julius


Martin Voros wrote:

Regarding HANA I do not have any data so it is hard for me to judge. But I can imagine that security is not one of the top priorities when SAP is rushing to get new product to market.

Martin,

I can understand your sentiment, and I suspect that anyone who struggled through early SolMan, which was just about entirely lacking in security, might feel that way. SAP has bought and rebranded as theirs numerous software packages with so many different authorization concepts, I agree with Colleen that it is just about impossible for any one person to be expert on all of it. I took up this issue with Vishal at TechEd 2007 and never did get a response that I was happy with; now he is gone and here we all are, still challenged by supporting all the myriad of authorization concepts in our organizations' SAP landscapes.

However, I have to say that the little I have learned about security in SuccessFactors gives me hope that SAP is headed in a new direction. If they can extend that user-attribute based rule concept of security to other solutions, perhaps eventually it will be simpler for security, too.

Regards,

Gretchen


Hi,

Many authorization concepts are definitely an issue for many customers. Unfortunately, I don't think that there is a grand unifying authorization concept that can be applied to all the various business applications. I have not seen the concept used in SF but I doubt it's the one.

Actually, I was more talking about secure development to minimize vulnerabilities. It seems to me that SAP did not have to face a big crisis as Microsoft did, where the change was initiated by Bill Gates. The question is if that is by having good standards for development or it is just caused by attackers using other means to break into systems and the infosec community not really being interested in SAP. These days they seem to be occupied by attacking cars, planes and other IoT devices. I think as usual the reality is somewhere in the middle. I think that is also the original question asked by Chezangla. Should we be worried about security of SAP products, especially HANA? I would say yes, but panic is not going to help. So let's focus on stuff like patch management, regular vulnerability scans and so on.

Cheers

Former Member

Hi everyone here,

Thanks for your responses, we did get insights into SAP security through this and we would consider all your points mentioned valid suggestions to work towards having a secured SAP landscape.

Cheers

Chezangla