The global and independent platform for the SAP community.

Open Source in Enterprise - despite Log4J

SAP and the entire SAP community have been successfully using more and more open source for many years. The use of hundreds or thousands of different components by SAP customers will be the rule, not the exception, in 2022.
Ralf Meyer, Synomic
April 5, 2022
Open Source
avatar
This text has been automatically translated from German to English.

Without the rapidly growing number of open source software, neither SAP systems nor most modern companies would function today. Currently, the German Federal Office for Information Security (BSI) and the trade press - such as our E-3 magazine - are issuing a "red alert" warning about a serious security vulnerability in the widely used Log4J software. This gap is also critical because it not only allows hackers to penetrate company networks unnoticed, but also enables the installation of backdoors that are difficult (if not impossible) to detect and the installation of extensive malicious code in company systems. Even after a successful update of Log4J, this can then be used for criminal attacks much later and independently of this.

Even if this sounds like a theoretical risk to many, unfortunately many systems have already been attacked, successfully compromised and a great deal of damage done. Unlike SAP software, there are usually no automatic updates for open source software and no notes such as SAP Notes (SAP has created a special SAP Note for Log4J). To make matters worse, Log4J - like much open source software - is an integral and hidden part of many other components and solutions, making it difficult and costly to find.

It is important that the use of open source components in the company is regulated and monitored by a professional process. Special solutions, such as those from the Mannheim-based start-up VersionEye or Snyk from Israel, are available for this purpose. Both solutions not only know the current version of individual components, but can also monitor nested parts lists of open source components; in other words, they know where components have also been installed. In addition, these solutions provide other important information, such as quality (for example, update frequency or distribution), known security vulnerabilities and underlying license types. They can automatically warn developers when risks are identified or company standards are violated, such as when unapproved open source components are used.

As cyberattacks on companies and their value chains increase due to the ever more important, complex and constantly changing IT and SAP worlds, monitoring of the underlying infrastructure such as servers and networks is becoming increasingly important in addition to open source monitoring. Although this is even more complex than open source monitoring, it is still a good idea to start immediately and get a picture of the current risk situation in your own company. In addition to detailed information on the security situation, modern solutions such as LocateRisk from Darmstadt or the much older Security Scorecard from New York also provide a comparison with similar companies (peer group) so that you can measure where you currently stand in your own cyber security.

In addition, recommendations for fixing detected problems and improving one's own security situation are usually given. For example, LocateRisk offers a special service to detect and fix the current Log4J threat more quickly. It is important that the open source and infrastructure monitoring are as configuration-free and highly automated as possible, and that they can be integrated - if required - into already existing systems and dashboards.

Even though the current global supply chain disruptions were (mostly) not triggered by cyber security attacks but by the Covid 19 pandemic, among other things, this could change. Some corporations therefore already have their key suppliers monitored by cyber security monitoring solutions or require open source audits, such as SAP does for partners with solutions on the SAP price list.

avatar
Ralf Meyer, Synomic

Ralf Meyer is Managing Director of Synomic and co-founder of IA4SP.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.