In the previous post, we dispelled some SAP cybersecurity myths. Today we will discuss how SAP cybersecurity differs from traditional IT security. Security is usually security, no matter what you deal with, but the SAP area has some distinctive features. The four main differences between SAP (or any other enterprise business application) and traditional applications can be summed up with four Cs: Complexity, Customization, Criticality, and Closedness.
SAP systems are very complex, and complexity kills security. To give you an idea, a demo installation of an SAP system needs 60 gigabytes of disk space. The latest version of the SAP NetWeaver J2EE engine ships with about 1,200 preconfigured web services, each with roughly the functionality of a small website. A typical SAP system has about 1,000 profile parameters, and most of them can affect security. A freshly installed SAP system runs 20 or more different services, each with its own proprietary protocol and its own set of configuration settings. Imagine how many vulnerabilities can be found in a system with that many moving parts. And this is only the NetWeaver ABAP Application Server; SAP provides at least five other platforms, each with a completely different set of functions, services, protocols, and even access control systems.
A few words about the access control system, since anyone who has dealt with it will already know what is coming. In a nutshell, an authorization in SAP describes a small piece of functionality that a user may execute. Each authorization is built on an authorization object, which defines a set of fields, and gives a value for each field; one of those fields is usually the activity. For example, there is a dedicated authorization object for table access, and its activity field can hold values such as read or write. Another field narrows the scope, say, to a particular group of tables such as system tables or material tables. A single configured piece of access like this is an authorization; a set of authorizations is combined into a role; roles can be combined into a composite role; and finally the role is assigned to a user. There are thousands of different authorizations. Nor is that the only path: a role generates a profile, and profiles can also be assigned to a user directly. On top of all this, there are different types of users. For instance, a user can point at a reference user and inherit its authorizations, which then appear nowhere in that user's own role and profile assignments. And again, this is only the ABAP system. Other systems, and even other modules, have their own role models.
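The resolution chain described above (authorization, role, composite role, profile, reference user) is easier to reason about in code. The following is an added example, not code from the original post or from ERPScan: a toy model of how an ABAP AUTHORITY-CHECK resolves a user's effective authorizations. The object and field names S_TABU_DIS, ACTVT and DICBERCLS follow real SAP naming for table access, but all roles, users and values are constructed for illustration and are assumptions, not data from the post. The one rule worth internalizing is that every required field must match inside a single authorization; a matching activity in one authorization and a matching table group in another do not combine into access.

```python
"""Toy model of SAP ABAP authorization resolution (added example, not ERPScan
code). Object and field names (S_TABU_DIS, ACTVT, DICBERCLS) follow real SAP
naming; the roles, users and values below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def value_match(pattern: str, value: str) -> bool:
    """'*' matches anything, a trailing '*' matches a prefix, otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


@dataclass
class Authorization:
    """One authorization: an object plus permitted values for each field."""
    obj: str
    fields: Dict[str, Tuple[str, ...]]

    def permits(self, required: Dict[str, str]) -> bool:
        # SAP semantics: every required field must match inside THIS single
        # authorization; values spread across two authorizations never combine.
        return all(any(value_match(p, v) for p in self.fields.get(f, ()))
                   for f, v in required.items())


@dataclass
class Role:
    name: str
    auths: List[Authorization] = field(default_factory=list)


@dataclass
class CompositeRole:
    name: str
    roles: List[Role] = field(default_factory=list)


@dataclass
class Profile:
    """Generated from a role or maintained by hand; assignable to a user directly."""
    name: str
    auths: List[Authorization] = field(default_factory=list)


@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)
    composite_roles: List[CompositeRole] = field(default_factory=list)
    profiles: List[Profile] = field(default_factory=list)
    reference_user: Optional["User"] = None


def effective_authorizations(user: User) -> List[Authorization]:
    """Flatten single roles, composite roles, profiles and the reference user."""
    auths: List[Authorization] = []
    for role in user.roles:
        auths.extend(role.auths)
    for composite in user.composite_roles:
        for role in composite.roles:
            auths.extend(role.auths)
    for profile in user.profiles:
        auths.extend(profile.auths)
    if user.reference_user is not None:  # inherited, not visible on the user itself
        auths.extend(effective_authorizations(user.reference_user))
    return auths


def authority_check(user: User, obj: str, **required: str) -> bool:
    """Mimic AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ...: succeeds when any one
    effective authorization for obj satisfies every required field."""
    return any(a.obj == obj and a.permits(required)
               for a in effective_authorizations(user))


def star_authorizations(user: User, obj: str) -> List[Authorization]:
    """Audit helper: authorizations for obj in which every field contains a bare '*'."""
    return [a for a in effective_authorizations(user)
            if a.obj == obj and all("*" in vals for vals in a.fields.values())]


# Constructed sample data: table access via S_TABU_DIS (ACTVT 03 = display,
# 02 = change; DICBERCLS = table authorization group). Names are invented.
DISPLAY_MATERIAL = Authorization("S_TABU_DIS", {"ACTVT": ("03",), "DICBERCLS": ("MATL",)})
CHANGE_SYSTEM = Authorization("S_TABU_DIS", {"ACTVT": ("02",), "DICBERCLS": ("SS",)})
ALL_TABLES = Authorization("S_TABU_DIS", {"ACTVT": ("*",), "DICBERCLS": ("*",)})

ANALYST = Role("Z_MATERIAL_ANALYST", [DISPLAY_MATERIAL])
BASIS = Role("Z_BASIS_TABLES", [CHANGE_SYSTEM])
OPERATIONS = CompositeRole("Z_OPERATIONS", [ANALYST, BASIS])
WIDE_OPEN = Profile("Z_ALL_TABLES", [ALL_TABLES])

ALICE = User("ALICE", roles=[ANALYST])                  # single role
BOB = User("BOB", composite_roles=[OPERATIONS])         # composite role
CAROL = User("CAROL", reference_user=BOB)               # inherits everything BOB has
DAVE = User("DAVE", profiles=[WIDE_OPEN])               # profile with '*' everywhere

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.name,
              "display MATL:", authority_check(u, "S_TABU_DIS", ACTVT="03", DICBERCLS="MATL"),
              "change MATL:", authority_check(u, "S_TABU_DIS", ACTVT="02", DICBERCLS="MATL"),
              "star auths:", len(star_authorizations(u, "S_TABU_DIS")))
```

Two things to notice when running it: BOB can display material tables and change system tables, but cannot change material tables, because no single authorization carries both ACTVT 02 and DICBERCLS MATL; and CAROL has no roles or profiles of her own, yet passes the same checks as BOB through the reference user, which is exactly why an audit that only lists a user's direct assignments misses such access.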
One more fact to illustrate SAP's complexity: traditional vulnerability scanners provide about 40,000 security checks covering all IT systems combined, while our SAP security scanner has about 10,000 checks for SAP alone. That gives you a sense of how complex SAP is, and of how much SAP cybersecurity affects the security posture of the company as a whole.
SAP is not typical software; it is closer to a framework. On top of this framework, companies develop their own applications to meet their requirements, using the ABAP, Java, and XSJS languages or frameworks such as UI5 for HANA.
Our research revealed that in large organizations up to 50% of the code base is custom. That is typical: customizations are a part of SAP. You can hardly find an SAP implementation without customizations and new programs written to automate one part of the business or another. Those customizations can have vulnerabilities like any other application. They are usually written by an internal development team, although the number of companies outsourcing this work to third parties is growing. In our security research, we usually find thousands of vulnerabilities per SAP system during the initial assessment. Not all of them are highly critical, but it is a sign that custom code is a part of SAP cybersecurity that should be taken seriously.
All SAP systems provide mission-critical functions, so if something happens to them, companies are likely to lose millions of dollars. This applies not only to attacks but also to mistakes caused by improper configuration or patching of an SAP system. SAP systems have many configuration parameters kept for backward compatibility with old and legacy systems. Some of those parameters are insecure, but it is not always easy to set them securely without breaking a connection to a legacy system. Unfortunately, some administrators leave their systems unpatched simply because they are afraid something will go wrong after the update.
This topic is less relevant now than it was five years ago, but it remains important. SAP security is a closed world: only a few people conduct in-depth research in this area and regularly identify new vulnerabilities in SAP software.
For years, SAP security was a synonym for segregation of duties, and SAP was seen as an unbreakable, solid, secure application developed by Germans. In reality, that security rested on the fact that nobody had access to these applications and attackers were not interested in examining them. Gradually, SAP applications became more integrated into the infrastructure, and at the same time more researchers began to pay attention to them and their security. Other systems, Windows for example, have been on attackers' radar for years: all the simple vulnerabilities were found and fixed long ago and, like a human immune system, those systems became less prone to attack. SAP applications, by contrast, have become publicly reachable only relatively recently, so they are plagued by the kinds of vulnerabilities that were closed in other applications years ago. Figuratively speaking, in terms of cybersecurity SAP is like a child standing in the middle of a Moroccan market crowded with pickpockets, tricksters, and other criminals.
Luckily, the situation is changing, and the level of SAP security awareness has increased significantly. However, security specialists now face another problem: so many guides, books, and documents from SAP are being published that it is hard to choose the most relevant ones, especially those containing information applicable to your business case.