Former Member

Concern on SAP Security

Hi All,


I have come across a research finding on the vulnerability of SAP installations, in the link below. How and what are you putting in place to counter these threats?



http://www.theregister.co.uk/2015/05/08/sap_95_percent_vulnerable



We are the first client for SoH (SAP on HANA); however, this finding says SAP is more vulnerable due to HANA.



Please share how SAP security is considered in your organisations.



Chezangla

Bhutan


3 Answers

  • Best Answer
    May 27, 2015 at 01:27 PM

    As a matter of disclosure my firm partners with Onapsis, one of the vendors quoted in the article. That doesn't affect my position on this.

    Many, many SAP customers don't follow the basic security guidance provided by SAP (which has been available for years). Patching is important, but even taking that out of the equation, following SAP's general guidance will have a significant positive effect on reducing the threat surface for most organisations.

    In my view there are 3 main reasons why customers don't follow SAP's guidance:

    #1. The SAP team doesn't know about it.

    #2. The effort to implement is too great.

    #3. SAP and infosec teams don't play nicely together.

    #1 is inexcusable considering the wealth of information available. A lot of it is appetite, where people tagged as "security" don't really see system security as their remit.

    #2 is an understandable concern, but sometimes thinking outside the box can yield good results.

    #3 is sad, but it is slowly changing as awareness of SAP increases in the broader infosec community.

    With regards to HANA: it's relatively new tech, and understandably there is less general security knowledge in that area; flaws will appear and get fixed by SAP. I am putting my neck on the line here, but while we should be concerned about 0-days, I don't think they represent as much of a risk to most organisations' SAP implementations as failure to perform standard good-practice hardening at the network, OS, DB (incl. HANA) and application level.


    • Hi,

      Many authorization concepts is definitely an issue for many customers. Unfortunately, I don't think that there is a grand unifying authorization concept that can be applied to all the various business applications. I have not seen the concept used in SF, but I doubt it's the one.

      Actually, I was more talking about secure development to minimize vulnerabilities. It seems to me that SAP did not have to face a big crisis like Microsoft, where change was initiated by Bill Gates. The question is whether that is due to having good standards for development, or whether it is just caused by attackers using other means to break into systems while the infosec community is not really interested in SAP. These days they seem to be occupied with attacking cars, planes and other IoT devices. I think, as usual, the reality is somewhere in the middle. I think that is also the original question asked by Chezangla: should we be worried about the security of SAP products, especially HANA? I would say yes, but panic is not going to help. So let's focus on stuff like patch management, regular vulnerability scans and so on.

      Cheers

  • May 20, 2015 at 08:35 AM

    Hi

    Vulnerabilities exist in every piece of software.
    Not surprisingly, HANA has vulnerabilities too. Most of them are related to direct access by users or applications.
    If you are using SoH and have a proper configuration, those vulnerabilities aren't applicable to you. But regularly checking the Security Patch Day notes is always needed.

    Both companies from your research make software for managing/auditing security in SAP.

    Their products can be used for HANA too, so they have an interest in finding new vulnerabilities.
    On one side you have many vulnerabilities found; on the other side, all of those announced in notes were already patched, so the products are more and more mature.

    SAP is running initiatives that can help you: Security Patch Day, tools for development code security audits, monitors and configuration validators, security improvements for existing components and protocols, documentation, …

    You can use partner solutions to cover your security management better (e.g. from the speakers in your report).

    But it's worth nothing if you can't update software and are stuck with an old release due to a "business first" policy.

    Regards

    Przemek

    Former Member
    May 29, 2015 at 05:23 AM

    Hi everyone here,

    Thanks for your responses. We did get insights into SAP security through this, and we consider all the points you mentioned valid suggestions to work towards having a secure SAP landscape.

    Cheers

    Chezangla
