The global and independent platform for the SAP community.

IT security: super easy or super hard

Since 2012, there have been an increasing number of publicly disclosed and successful attacks on SAP systems. How has SAP security changed over the past ten years, how secure are SAP systems today, and what can we expect in 2019?
Frederik Weidemann, Virtual Forge
March 7, 2019
It Security
avatar
This text has been automatically translated from German to English.

At the latest since the gateway vulnerability presented at the Blackhat conference in 2007 (cf. VIDEO) has permanently changed the perception of SAP security. This vulnerability allows an attacker to create an administrator user with "SAP_ALL" permissions on SAP ERP and Abap systems without authentication.

The attacker then has full control and can view and manipulate any data. Despite the fact that this vulnerability has been known for so long, many ERP customers are still vulnerable to it and many other standard vulnerabilities in 2019. Why is that?

SAP security advisories cannot be directly compared with Microsoft Windows security updates because SAP follows the principle of backward compatibility in the Abap world. As a result, SAP always includes a switch in the notices if there is a risk that the patch will endanger existing functionality or availability at the customer's site.

Consequently, in these cases, importing alone is not sufficient; the customer must first perform the manual steps to activate the system. It is often the critical vulnerabilities that require this manual rework and thus unknowingly lead to insecure systems. This is also the case with the exemplary gateway vulnerability, against which a large number of customer systems are still vulnerable.

SAP changed its security strategy in 2009 and has since published 4256 SAP security advisories, of which more than 50 percent were published between 2010 and 2012. According to statements made at a TechEd, SAP examined the entire SAP standard with static code analysis for the first time at that time, which is said to have contributed to the above accumulation.

In 2010, the "SAP Security Patchday" was then introduced on the second Tuesday of each month. This means that the notices are now primarily only published in bundled form. As of 2012, it was introduced that security advisories are only delivered with support packages depending on their priority.

The 18-month rule must be observed as a matter of urgency: According to this rule, the import of security notices is only guaranteed in systems that are at a Support Package level that is not older than 18 months. Every customer therefore needs a regular Support Package import cycle in addition to an SAP security patch cycle.

While it is still possible to monitor SAP Notes, configurations and Support Package levels manually in a single-tier SAP system landscape, this becomes increasingly difficult or impossible in large and heterogeneous SAP landscapes. Here, it makes sense to monitor these tasks with an automated system. Both SAP and the free market offer various solutions here.

Will these challenges be solved in 2019 with S/4 and Hana? In the cloud, SAP performs infrastructure maintenance, but here the customer no longer has SAP GUI access and cannot perform any in-house developments in the core system.

Customers face new challenges here in hybrid architectures. With the growing complexity, it is often not clear where, how often, which data is stored and who has access to it.

This is especially true if the business department can activate additional services with a credit card, of which IT is initially unaware. Customers who use S/4 on-premise must continue to observe the issues mentioned above.

Even in 2019, a current S/4 1809 must be hardened after installation. Examples are the Security Audit Log, which is not activated in the standard, the protection against RFC call-back attacks, which is not activated, or the minimum password length of only 6 characters, which has been delivered since 1992.

The bottom line for 2019 is that customers are responsible for the security of their own data and will remain so. In recent years, there have been critical vulnerabilities in the SAP standard every year.

It is therefore still necessary to patch one's SAP systems promptly and to monitor the import. This applies to both used and unused components.

avatar
Frederik Weidemann, Virtual Forge

Frederik Weidemann, Chief Technical Evangelist at Virtual Forge.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.