
Open Source in Enterprise - despite Log4J

SAP and the entire SAP community have been successfully using more and more open source for many years. The use of hundreds or thousands of different components by SAP customers will be the rule, not the exception, in 2022.
Ralf Meyer, Synomic
April 5, 2022
Open Source
This text has been automatically translated from German to English.

Without the rapidly growing number of open source software components, neither SAP systems nor most modern companies would function today. Currently, the German Federal Office for Information Security (BSI) and the trade press - including our E-3 magazine - are issuing a "red alert" warning about a serious security vulnerability in the widely used Log4J software. This vulnerability is so critical because it not only allows attackers to penetrate company networks unnoticed, but also enables them to install backdoors that are difficult (if not impossible) to detect, as well as extensive malicious code, in company systems. Even after Log4J has been successfully updated, such backdoors can be used for criminal attacks much later, independently of the original vulnerability.

Even if this sounds like a theoretical risk to many, unfortunately many systems have already been attacked and successfully compromised, and a great deal of damage has been done. Unlike SAP software, open source software usually has no automatic updates and no advisories comparable to SAP Notes (SAP has created a special SAP Note for Log4J). To make matters worse, Log4J - like much open source software - is an integral and hidden part of many other components and solutions, which makes it difficult and costly to find.

It is important that the use of open source components in the company is regulated and monitored by a professional process. Special solutions, such as those from the Mannheim-based start-up VersionEye or Snyk from Israel, are available for this purpose. Both solutions not only know the current version of individual components, but can also monitor nested bills of materials of open source components; in other words, they know where else each component has been installed, even when it is hidden inside another component. In addition, these solutions provide other important information, such as quality (for example, update frequency or distribution), known security vulnerabilities and underlying license types. They can automatically warn developers when risks are identified or company standards are violated, for example when unapproved open source components are used.
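The following is an added illustration of the kind of check such tools perform; it is example code written for this article, not code from VersionEye, Snyk or SAP. It walks a constructed nested bill of materials for two fictional applications, reports every place a component is installed (including deep inside another component), and raises alerts for versions below a constructed "fixed in" threshold and for components missing from a constructed approved list. The advisory threshold and all component names and versions are placeholders chosen for the example, not an authoritative vulnerability feed.

```python
from dataclasses import dataclass
from typing import Iterator

# Constructed sample inventory: a nested bill of materials (BOM) for two deployed
# applications. Each node is (name, version, [child dependencies]).
SAMPLE_INVENTORY = [
    ("billing-service", "3.2.0", [
        ("spring-boot-starter-web", "2.5.6", [
            ("spring-boot-starter-logging", "2.5.6", [
                ("log4j-core", "2.14.1", []),      # hidden, transitive dependency
            ]),
        ]),
        ("jackson-databind", "2.12.3", []),
    ]),
    ("reporting-tool", "1.0.0", [
        ("log4j-core", "2.17.1", []),               # direct dependency
        ("left-pad-java", "0.1.0", []),             # constructed: not on the approved list
    ]),
]

# Constructed advisory list: component -> version in which the issue is fixed.
# The threshold is a placeholder for this example; a real tool takes it from
# vulnerability feeds rather than hard-coding it.
SAMPLE_ADVISORIES = {"log4j-core": "2.17.1"}

# Constructed company standard: only these components are approved for use.
APPROVED_COMPONENTS = {
    "billing-service", "reporting-tool", "spring-boot-starter-web",
    "spring-boot-starter-logging", "log4j-core", "jackson-databind",
}


@dataclass
class Alert:
    kind: str          # "vulnerable" or "unapproved"
    component: str
    version: str
    path: list[str]    # dependency chain from the application down to the component


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def walk(nodes, prefix=()) -> Iterator[tuple[str, str, list[str]]]:
    """Depth-first traversal yielding every component together with its full install path."""
    for name, version, children in nodes:
        path = list(prefix) + [name]
        yield name, version, path
        yield from walk(children, path)


def find_installations(inventory, component: str) -> list[tuple[str, list[str]]]:
    """Answer 'where else is this component installed?': one (version, path) per occurrence."""
    return [(v, p) for n, v, p in walk(inventory) if n == component]


def check_policy(inventory, advisories, approved) -> list[Alert]:
    """Flag vulnerable versions and components that violate the company standard."""
    alerts = []
    for name, version, path in walk(inventory):
        fixed_in = advisories.get(name)
        if fixed_in and parse_version(version) < parse_version(fixed_in):
            alerts.append(Alert("vulnerable", name, version, path))
        if name not in approved:
            alerts.append(Alert("unapproved", name, version, path))
    return alerts


if __name__ == "__main__":
    for version, path in find_installations(SAMPLE_INVENTORY, "log4j-core"):
        print(f"log4j-core {version} installed via {' > '.join(path)}")
    for alert in check_policy(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, APPROVED_COMPONENTS):
        print(f"[{alert.kind}] {alert.component} {alert.version} via {' > '.join(alert.path)}")
```

Running the block prints both installations of the sample `log4j-core`, then one vulnerability alert for the copy buried three levels deep in `billing-service` and one policy alert for the unapproved `left-pad-java`. The dependency path in each alert is what lets a developer see which application actually carries the risk, which is the point the article makes about nested bills of materials.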

As cyberattacks on companies and their value chains increase, driven by IT and SAP landscapes that are ever more important, complex and constantly changing, monitoring of the underlying infrastructure such as servers and networks is becoming increasingly important alongside open source monitoring. Although this is even more complex than open source monitoring, it is still a good idea to start immediately and get a picture of the current risk situation in your own company. In addition to detailed information on the security situation, modern solutions such as LocateRisk from Darmstadt or the much older Security Scorecard from New York also provide a comparison with similar companies (peer group), so that you can measure where you currently stand with your own cyber security.

In addition, recommendations for fixing detected problems and improving one's own security situation are usually given. For example, LocateRisk offers a special service to detect and fix the current Log4J threat more quickly. It is important that the open source and infrastructure monitoring are as configuration-free and highly automated as possible, and that they can be integrated - if required - into already existing systems and dashboards.

Even though the current global supply chain disruptions were (mostly) not triggered by cyber security attacks but, among other things, by the Covid-19 pandemic, this could change. Some corporations therefore already have their key suppliers monitored by cyber security monitoring solutions or require open source audits, as SAP does for partners with solutions on the SAP price list.

Ralf Meyer, Synomic

Ralf Meyer is Managing Director of Synomic and co-founder of IA4SP.

