First SAP Security guideline for IT Security people
Palo Alto, CA – April 15, 2014. The ERPScan company has released a Security Guide for configuring SAP’s ABAP-based solutions.
ERP, CRM, SRM, HR, and Business Intelligence systems, as well as other critical applications, are of great importance and always deal with processes that are critical for business: purchases, payment, logistics, HR, product management, financial planning, etc. All information stored in business application systems is sensitive, and any unauthorized access to this information can cause huge damage and even interruption of business. According to the report by the Association of Certified Fraud Examiners (ACFE), in 2012, organizations’ losses caused by internal fraud (IT-frauds) reached 5% of annual revenue.
Today, business applications are extremely popular solutions, so only a few companies with more than 1000 employees do not use at least one such application. SAP AG is a major player in this field, having about 251000 customers worldwide, including 86% of Fortune 500 companies. This is why we chose SAP ABAP-based business applications as the first system for which to release a security enhancement guideline.
There is a common problem that security managers usually do not understand SAP security at all, and it’s a huge amount of work for them to dive into this area. But they need it badly, because if something happens within SAP, it will be their responsibility. Unfortunately, they still don’t have a detailed guideline to help them understand SAP security in one piece. There are hundreds of different guidelines from the official SAP site for secure configuration of each and every component, but it’s always hard to concentrate and decide where exactly you need to focus in the first place. On the other hand, there are guides from different groups like ISACA and DSAG, which are good, but are mostly about internal access control and dependent on the company’s structure, which means that additional SAP knowledge is needed to work with them.
Our main goal was to give traditional security guys, penetration testers, and security consultants a simple but complete guide, like SANS or NIST recommendations. So, finally, we made it and created a complete guide to the 33 most critical issues for configuring SAP NetWeaver ABAP Application Server.
– Alexander Polyakov, CTO of ERPScan
The authors concentrated their efforts on making the guideline as brief as possible while still covering the most critical threats for each area. This approach is the main objective of the guide: the research team did not intend to create just another list of issues with no explanation of why a particular issue was (or was not) included in the final list, but to prepare a document that may be handy not only for SAP security experts. At the same time, developing the most complete guide would be a never-ending story, because thousands of SAP configuration checks are available for a typical system, even without taking into account specific role-based access and in-house applications. As a result, the guideline includes 33 major checks that must be implemented in the first place and can be applied to any system, regardless of its settings and custom parameters. It is also important that these checks are equally applicable to production systems and to testing and development systems.
Guidelines are available via this link
ERPScan is an award-winning company honored as the Most Innovative Security Company by Global Excellence Awards, and the leading SAP AG partner in discovering and solving security vulnerabilities by number of reported issues. ERPScan is engaged in the research of ERP and business application security, particularly SAP, and the development of SAP system security monitoring, compliance, and cybercrime prevention software. The company also renders consulting services for secure configuration, development, and implementation of SAP systems, which are used by SAP AG and Fortune 500 companies.
Headquartered in Walldorf, Germany, with locations in more than 130 countries, SAP AG is the world leader in enterprise software and software-related services. SAP applications and services enable more than 251,000 customers to operate profitably, adapt continuously, and grow sustainably.