How well protected are your SAP systems? After all, your most valuable data are stored there. And not only that, attackers are increasingly targeting enterprise resource planning (ERP) systems.
There are three reasons that make it worthwhile for hackers to target SAP systems. First, there is the technology. An SAP system is incredibly complex. The SAP business suite consists of almost 400 million lines of code; the new S/4 HANA® solution already contains more than 200 million lines of code. These numbers are astonishing, but considering that SAP offers almost any aspect of a full-fledged IT infrastructure, they can be put into perspective.
The point is that within this complex world, there are numerous security-related settings. It is the responsibility of every customer to set these settings correctly. Just take the example of security patches. Implementing them every month is not always easy or even feasible. To mention just one hindrance, a productive system, if required by security not, cannot easily be restarted. That opens up a gateway for attackers who, of course, know about the vulnerabilities as soon as the security notes are published.
Some studies suggest that up to 95 per cent of all SAP systems are vulnerable
A second reason that makes it attractive to attack SAP systems are custom applications. Almost every customer uses this option. In fact, an SAP system contains an average of two million lines of customer-specific code. The customer is responsible for this code, not SAP. Our analysis of more than 370 customer systems shows that within this custom code base there is about one critical vulnerability per 1,000 lines of code.
The third way to attack an SAP system is through the so-called transport management system, a feature unique for SAP systems. Checking the contents of these transports before implementation is difficult. And this is exactly where the weak point of the transport system lies; attackers can easily “spoil” transports by inserting defective code or safety-critical settings.
So there are a number of reasons and possibilities to penetrate an SAP system. But what does the reality look like? After all, in theory, there are even more ways to penetrate a corporate network using other components than an ERP system. With awareness about cybersecurity rising in recent years, most companies have actually upgraded and fully protected their IT infrastructure.
However, SAP systems are the inglorious exception. Some studies suggest that up to 95 per cent of all SAP systems are vulnerable. Time to counteract. But what is the best approach?
There are a few things to look out for when investing in SAP security solutions. The first point to consider is automation. Just because SAP is incredibly complex, you will only be able to discover and eliminate a small part of the security gaps if you do everything manually.
Solutions which automate these tasks are well known; vulnerability assessment solutions can check and monitor security-relevant settings, code scanners check applications for programming errors. In both cases, care should be taken that the security checks are as comprehensive as possible.
Good guidance can be found in the guidelines drawn up and used by auditing firms. An example is the audit guideline of the German-speaking SAP user group DSAG, which lists several hundred security-related checks.
Finally, the chosen solution should be extensible and content regularly updated. This ensures that industry-specific or even customer-specific tests can be integrated without any problems and new threat scenarios are also included in the solution. If you consider these points to secure your SAP system landscape, you are prepared for the future.
