SAP BASIS

Problem

One of the main problems of SAP security is the complexity of the system. Time management is a critical task, especially because the documentation is inconsistent: sometimes scarce, sometimes copious. The complexity is further amplified when newly found SAP vulnerabilities are rectified by installing additional options that come with their own sets of parameters. This alters the relations between settings and creates lengthy manuals that specialists have to interpret when they need to fix a system. On top of that, about 50% of an average SAP system is customized, which results in even more problems on top of those of typical configurations. The standard system configuration alone spans over 10,000 security-related options, and it comes with an array of advanced configurations along with critical access rights for various objects like transactions, tables, RFC procedures, and a hundred other web interfaces for system access.

With the enormous line-up of configuration jobs and dozens of servers required for a typical infrastructure, ensuring security could take a long time. Even if the initial hiccups are taken care of, there are additional source code security risks: customized programs developed by third-party developers need to be protected and checked for backdoors and errors.

Lastly, there are Segregation of Duties and access control, since SAP departments spend time analyzing risks related to access control.

Solution

ERPScan Smart Cybersecurity Platform for SAP can significantly simplify these tasks by continuously monitoring the security of every available SAP system for all types of issues, such as vulnerabilities, misconfigurations, insecure connections, access control, and Segregation of Duties, and by helping to remediate them.

The main issue with SAP Security is that a Security team usually just sends a list of bugs to an SAP team, which leads to various conflicts. Our aim is not simply to point at a vulnerability but to help them remediate issues. That is why ERPScan provides a Security team with a description of every vulnerability along with a high-level risk description and a step-by-step remediation guide with alternative options in case a particular method turns out to be inefficient. Other details, such as the risk, the responsible person, and links to additional information (from books, guides, and other sources), are provided as well. Moreover, we automate these tasks.

The following tools are available in the Protection module:

  • Code Corrections – for vulnerabilities in custom code, our tool automatically creates code corrections that can be applied in SAP by the BASIS team.
  • Virtual Patches – in addition to code corrections, which may take time to be approved, we automatically generate virtual patches on the fly in the form of attack signatures for IDS/IPS systems.
  • 0-Day protection – our Research team is constantly researching SAP and finding new 0-day vulnerabilities; information about them can be exported from our database into an IDS/IPS system so that it is protected from them.

Benefits:

  • Automate routine work by identifying 10000+ vulnerabilities and misconfigurations across all types of SAP platforms (from ABAP to HANA), Systems, and Industry solutions;
  • Save time on automatic corrections and virtual patches for vulnerabilities;
  • Deeply analyze 4000 SAP Security Notes using the unique combination of whitebox and blackbox checks and their priorities for a complete focus on the important ones, thereby decreasing downtime during updates;
  • Decrease integration costs by using our 100%-agentless technology, which does not require configuring SAP.