SAP Security awareness is constantly increasing. First of all, at the BlackHat's Pwnie Awards, on August 6, the vulnerability in SAP Compression algorithm won the first prize for the best Server-Side vulnerability. This is the second time SAP vulnerability is highlighted at the Pwnie awards. In 2013, the issue in SAP Router identified by ERPScan's Researcher was also nominated for the best server-side vulnerability.
The vulnerability which got the first prize in the recent award affects almost every SAP system exept new SAP systems such as SAP Mobile and SAP HANA. But it's still too early to rejoice. This Wednesday we will publish some details of critical vulnerability in SAP Afaria MDM solution as a preview to our scheduled presentation at the Hacker Halted conference in September.
SAP vulnerabilities became pretty common nowadays and it attracts different analysts and associations' attention . For example, KuppingerCole – European Analyst agency focused on IAM and GRC research, has published the guide about SAP Security called Leadership Brief: SAP Security Priorities - Identifying the priorities for securing your SAP infrastructure and maintaining appropriate security is a continuous business and governance challenge.
This guide provides recommendations for decision makers how to properly define SAP Security strategy in organizations. The essential idea is that companies should have a 360-degree view on SAP Security and take into account all aspects of SAP security going beyond SoD.
SAP Security covers all aspects of enterprise security from the system and network level to user and access management, the business processes and their respective governance. Maintaining proper security for such a vital IT infrastructure requires a 360-degree approach for baseline security
Earlier in July KuppingerCole's analysts published Leadership Compass about Access Control/Access Governance for SAP environments where they highlighted top vendors in this area.
Top associations, known for taking significant steps in SAP Security awareness, such as ISACA, DSAG and EAS-SEC released new documents.
Last week ISACA released the 4th edition of their book Security, Audit and Control Features SAP ERP. The previous version was published in 2009. Some updates include detailed security guides for assessing different SAP business Processes. We were waiting for ISACA's updates since 2009.
Earlier in May, DSAG – German SAP User Group updated their documents about SAP Security Assessment (the previous version was in 2012), the most detailed guide for SAP Security analysis.
EAS-SEC.org – organization focused on Business Application security awareness and known for their annual research called "SAP Security in Figures", has recently published an analysis of USIS breach using SAP vulnerability in collaboration with ERPScan.
Finally, SAP Security market has some significant changes, such as recent EY's acquisition of Integrc, the world's largest SAP GRC specialist providing consulting and managed services to many leading multinational companies. The deal was completed on Monday 3 August 2015 following the announcement of a conditional agreement on 22 June.