Nowadays, SAP cybersecurity is in the public eye, but the topic first attracted researchers' attention almost 10 years ago. Since then, SAP Security experts have delivered numerous presentations on SAP cybersecurity covering a wide range of subjects, from attacks on ERP systems, SAP HANA, and SAP Mobile solutions to issues specific to the Oil and Gas or Manufacturing industries. However, when it comes to securing a real SAP environment, nobody is in charge of the security of the most critical system elements.
To help SAP customers address this problem, ERPScan releases a comprehensive SAP Security study each year. The annual report provides a high-level overview of the topic. Because SAP Security is complex in itself, the research takes several perspectives into account, namely SAP Product Security, SAP Implementation Security, and SAP Security Awareness.
Nonetheless, this does not mean that the number of issues has dropped as well. SAP now fixes multiple vulnerabilities in one patch, whereas 3 years ago each patch addressed a single one. The new approach simplifies the patching process, since system administrators need to apply fewer updates. However, it complicates analysis and correlation with CVE identifiers, as SAP does not publish how many vulnerabilities each patch fixes.
Because of cloud and mobile technologies, new SAP systems have become more exposed to the Internet, so every vulnerability identified in these services can affect thousands of multinationals (remember that 90% of the Fortune 2000 companies use SAP). If any of these vulnerabilities is exploited by an attacker, the world's economy will face dreadful consequences. For example, the latest reported issues in SAP Mobile affect more than a million mobile devices, and the SAP HANA vulnerability affects 6000+ SAP HANA users.
Without a doubt, the cybersecurity level varies from module to module. According to our study, the most vulnerable products are CRM, EP, and SRM. However, one shouldn't underestimate the vulnerabilities affecting SAP HANA and SAP Mobile apps. The traditional SAP modules mentioned above were introduced about two dozen years ago, yet their first vulnerabilities were discovered only several years ago; in other words, SAP HANA and SAP Mobile apps attracted researchers' (and, unfortunately, attackers') attention much faster than the traditional modules did.
SAP has a set of products designed for particular industries. More than 160 vulnerabilities have been detected in the Industry solutions. The most susceptible types of industry solutions are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.
The number of exposed systems is increasing, especially in countries that are unaware of SAP cybersecurity. Almost 36000 SAP systems were identified, including various services vulnerable to cyberattacks. Most of those services (69%) should not be exposed directly to the Internet.
We stated in 2013 that interest in SAP platform security was growing exponentially. We predicted that SAP systems could become a target both for direct attacks (e.g. APT) and for mass exploitation, because of a range of easily exploitable and widely installed services accessible from the Internet. Since 2013, we have witnessed 4 major cyber incidents related to SAP Security.
Numerous unnecessarily exposed services are found in countries where new technologies are being widely adopted (such as the USA, India, and China).
Countries where the highest number of SAP Security presentations were delivered (namely the USA, Germany, and the Netherlands) have more secure SAP installations than countries where SAP researchers have not presented their studies. ERPScan is proud to have been invited to speak in 25 countries across 6 continents, including places such as Cyprus, Kuwait, and Hungary. Hopefully, this has helped to increase SAP Security awareness worldwide.
While the number of publicly available SAP services is growing, the number of systems with highly critical vulnerabilities in easily accessible services, as presented in the previous report, has decreased, not least, we hope, due to our previous SAP Security in Figures research released in 2013. However, new issues of equal criticality are described in this report.