What is SAP SRM?
SAP Supplier Relationship Management (SRM), a part of SAP Business Suite, ranks among the most
widely used systems of its kind around the world. Its main purposes are to optimize interaction with
suppliers and to automate tender processing to the greatest extent possible.
Unauthorized access to the system can expose the company to reputational risks and material losses.
Most alarming is the fact that this system is accessible over the Internet, which makes it a prime
target for remote attacks.
SAP SRM Security Risks
There are multiple risks related to SAP SRM systems. Some of them are listed below.
With access to SAP SRM systems, unfair competitors can find all the pricing data stored there and use
it to adjust their own pricing so as to win a tender. SAP Cfolders, the document exchange application in
SAP SRM, typically contains both vulnerabilities and misconfiguration issues. That makes it an ideal
means for attackers to reach contractors' documents. A highly predictable consequence of its
exploitation is the theft of official pricing information. A competitor's documents can be completely
removed from the system, or the information can be manipulated in order to win a tender. We have
successfully simulated this breach during penetration tests.
Theft of funds
With access to the procurement system, an attacker can falsify a payment order. Once it is accepted,
the money is transferred to an unintended bank account belonging to a front company.
Access to the procurement system can also be misused to undermine a company's reputation. Apparent
breach of contract, delayed payments and willful disregard of obligations can all be brought about
simply by removing or substituting information sent from the company to the supplier and vice versa.
SAP SRM Vulnerabilities
SAP SRM uses SAP NetWeaver Application Server ABAP (AS ABAP) as its main platform, so it is potentially
exposed to all the vulnerabilities of that platform, which total more than 1050. In addition, there are
about 80 vulnerabilities specific to different modules of SAP SRM.
Typical examples of SAP SRM vulnerabilities can be found in the SAP Cfolders application (SAP Security
Notes 1284360 and 1292875). Most of these vulnerabilities enable unauthorized access, with
administrative rights, to the documents stored in the system.
How can our software be of help to ensure SAP SRM Security?
ERPScan Security Monitoring Suite for SAP contains a wide range of checks aimed at discovering security
issues specific to SAP SRM systems. The solution's leading position in the field has been confirmed by
multiple awards. It is the only SAP SE-certified solution on the market that identifies, analyzes and
remediates all SAP security issues and provides powerful protection against cyber-attacks and fraud. It
covers all three tiers of SAP security: vulnerability management, source code review for custom
programs, and segregation of duties (SoD).