The offer ranges from vulnerability scans to audits and penetration tests. However, which approach is the right one for what depends on individual result requirements.
When performing vulnerability scans, also known as vulnerability assessments, SAP systems are scanned automatically or semi-automatically for known vulnerabilities and the results are listed in a tabular report. In the simplest case, this can be a list of the security-relevant parameters of an SAP application server without subjecting them to an assessment. There is therefore no check as to whether the vulnerabilities can be exploited, as would be the case with a penetration test.
In addition, some of the identified vulnerabilities may be so-called "false positives", which are listed but do not pose a threat in the current system context or are system-related. Even if they are not checked for active threats, regular vulnerability scans are still necessary to ensure information security in general and should be repeated at regular intervals. In addition to incorrect parameterization of SAP application servers, a vulnerability scan also detects problems such as missing patches and outdated protocols, certificates and services.
Security and compliance audit
A security and compliance audit is a comprehensive and formal review of the security of a company's systems and security-relevant processes. An SAP audit is therefore a complete and thorough examination not only of physical attributes such as the security of the operating platform, the application server and the network architecture, but also the inspection and check of existing security concepts, for example on topics such as SAP authorizations or the handling of emergency users.
In terms of methodology, the audit involves carrying out a vulnerability scan. In addition, the results are evaluated in the context of the respective system environment and "false positives" are eliminated. The resulting recommendations for action to further secure the SAP systems are much more detailed and in-depth than is possible in a vulnerability scan report, and the informative value of a security and compliance audit with regard to securing SAP systems therefore goes far beyond this, as the results are also subjected to an evaluation, considered in the context of the system environment of the respective company and summarized in a detailed report. It is highly recommended that audits are carried out as initial preparation and after completion of hardening measures as well as in the context of a system or platform migration.
In contrast to vulnerability scans and audits, a penetration test, or pentest for short, attempts to actively exploit vulnerabilities. The automated vulnerability scan is contrasted with a procedure that requires both in-depth specialist knowledge and tools from different areas. A penetration test requires comprehensive planning with regard to the result to be achieved, the method to be applied and the tools to be used. The central goal of a pentest is to identify insecure business processes, incorrect security settings or other vulnerabilities that an attacker could exploit. For example, the transmission of unencrypted passwords, the reuse of default passwords and forgotten databases in which valid user credentials are stored can be uncovered. Pentests do not need to be performed as frequently as vulnerability scans, but it is advisable to repeat them at regular intervals.
Penetration tests should also be carried out by an external provider and not by internal employees. This ensures an objective perspective and avoids conflicts of interest. The external party should have extensive and in-depth experience in the field of information technology, preferably in the company's business area. The ability to apply abstract thinking and anticipate the behavior of threat actors, in addition to a focus on completeness and an understanding of how and why a company's environment could be compromised, is important for performing this service.
Identify weak points
In terms of holistic protection, the three methods result in the best possible protection against vulnerabilities at different intervals. Each test approach, from vulnerability scans to targeted penetration tests, is crucial for a comprehensive security strategy. However, the complexity of SAP applications makes it difficult to consistently adhere to proven security procedures - the sheer volume of logs generated is too large to be scanned manually. It therefore makes sense to rely on the support of external specialists such as Pathlock. In addition to security consulting, where compliance experts with the necessary know-how identify vulnerabilities even for pentests, they offer a range of automated scanning and threat detection solutions.