IT security: super easy or super hard
At the latest since the gateway vulnerability presented at the Black Hat conference in 2007 (cf. VIDEO), the perception of SAP security has permanently changed. This vulnerability allows an attacker to create an administrator user with "SAP_ALL" permissions on SAP ERP and ABAP systems without authentication.
The attacker then has full control and can view and manipulate any data. Despite the fact that this vulnerability has been known for so long, many ERP customers are still vulnerable to it and many other standard vulnerabilities in 2019. Why is that?
SAP security advisories cannot be directly compared with Microsoft Windows security updates because SAP follows the principle of backward compatibility in the ABAP world. As a result, SAP always includes a switch in the notes if there is a risk that the patch will endanger existing functionality or availability at the customer's site.
Consequently, in these cases importing the note alone is not sufficient; the customer must first carry out the manual steps that activate the correction. It is often the critical vulnerabilities that require this manual rework, which unknowingly leaves systems insecure. This is also the case with the gateway vulnerability cited above, to which a large number of customer systems are still exposed.
SAP changed its security strategy in 2009 and has since published 4256 SAP security advisories, more than 50 percent of them between 2010 and 2012. According to statements made at a TechEd, SAP examined the entire SAP standard with static code analysis for the first time during that period, which is said to have contributed to this accumulation.
In 2010, the "SAP Security Patchday" was introduced on the second Tuesday of each month, so that notes are now published primarily in bundled form. Since 2012, security advisories have, depending on their priority, been delivered only with Support Packages.
The 18-month rule must be observed as a matter of urgency: According to this rule, the import of security notices is only guaranteed in systems that are at a Support Package level that is not older than 18 months. Every customer therefore needs a regular Support Package import cycle in addition to an SAP security patch cycle.
While it is still possible to monitor SAP Notes, configurations and Support Package levels manually in a single-tier SAP system landscape, this becomes increasingly difficult or impossible in large and heterogeneous SAP landscapes. Here, it makes sense to monitor these tasks with an automated system. Both SAP and third-party vendors offer various solutions for this.
Will these challenges be solved in 2019 with S/4 and HANA? In the cloud, SAP performs the infrastructure maintenance, but there the customer no longer has SAP GUI access and cannot carry out any in-house developments in the core system.
Customers face new challenges here in hybrid architectures. With the growing complexity, it is often not clear where, how often, which data is stored and who has access to it.
This is especially true if the business department can activate additional services with a credit card, of which IT is initially unaware. Customers who use S/4 on-premise must continue to observe the issues mentioned above.
Even in 2019, a current S/4 1809 must be hardened after installation. Examples are the Security Audit Log, which is not activated in the standard delivery; the protection against RFC callback attacks, which is likewise not activated; and the minimum password length of only 6 characters, which has been delivered since 1992.
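As an added illustration of the three post-installation hardening gaps just listed (example code, not from the original article), here is a small check over an instance profile in SAP's "parameter = value" format. The parameter names login/min_password_lng, rsau/enable and rfc/callback_security_method are real SAP profile parameters; the thresholds, the values assumed for absent parameters and the sample profiles are this example's own assumptions.

```python
from typing import Dict, List

# Constructed sample profiles (not taken from a real system).
AS_DELIVERED_PROFILE = """\
# as delivered: none of the three settings hardened
SAPSYSTEMNAME = S4H
login/min_password_lng = 6
rsau/enable = 0
"""
HARDENED_PROFILE = """\
SAPSYSTEMNAME = S4H
login/min_password_lng = 12
rsau/enable = 1
rfc/callback_security_method = 3
"""
# Values assumed when a parameter is absent, following the article's
# description of the standard delivery.
ASSUMED_DEFAULTS = {"login/min_password_lng": "6", "rsau/enable": "0",
                    "rfc/callback_security_method": "0"}
MIN_PASSWORD_LENGTH = 8  # assumption: this example's own threshold

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'parameter = value' lines; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def _as_int(value: str) -> int:
    try:  # non-numeric values count as 0, i.e. as not hardened
        return int(value)
    except ValueError:
        return 0

def find_hardening_gaps(profile_text: str) -> List[str]:
    """Return one message per hardening gap the article names."""
    p = {**ASSUMED_DEFAULTS, **parse_profile(profile_text)}
    gaps = []
    if p["rsau/enable"] != "1":
        gaps.append("rsau/enable: Security Audit Log is not activated")
    # Assumption: 3 is the mode that enforces the RFC callback whitelist.
    if _as_int(p["rfc/callback_security_method"]) < 3:
        gaps.append("rfc/callback_security_method: callback protection not enforced")
    if _as_int(p["login/min_password_lng"]) < MIN_PASSWORD_LENGTH:
        gaps.append(f"login/min_password_lng: below {MIN_PASSWORD_LENGTH} characters")
    return gaps
```

Running `find_hardening_gaps(AS_DELIVERED_PROFILE)` reports all three gaps, while the hardened sample reports none; a real check would read the instance's active profile rather than an embedded string.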
The bottom line for 2019 is that customers are responsible for the security of their own data and will remain so. In recent years, there have been critical vulnerabilities in the SAP standard every year.
It is therefore still necessary to patch one's SAP systems promptly and to monitor the import. This applies to both used and unused components.