SAP Supplier Relationship Management (SRM), a part of SAP Business Suite, ranks among the most widely used systems around the world. Its main purposes are to optimize interaction with suppliers and to automate tender processing to the greatest extent possible.
Unauthorized access to the system can expose the company to reputational risks and material losses. Most alarming is the fact that this system is accessible through the Internet, which makes it a perfect target for remote attacks.
There are multiple risks related to SAP SRM systems. Some of them are listed below.
With access to an SAP SRM system, unfair competitors can obtain all pricing data stored there and use it to adjust their own pricing in order to win a tender. SAP cFolders, the document exchange application in SAP SRM, typically contains both vulnerabilities and misconfiguration issues. That makes it a convenient means for attackers to reach contractors’ documents. A highly predictable consequence of its exploitation is the theft of official pricing information. A competitor’s documents can be removed from the system entirely, or the information can be manipulated to win a tender. We have successfully simulated this breach during penetration tests.
With access to the procurement system, an attacker can falsify a payment order. Once the order is accepted, the money would be transferred to an unintended bank account belonging to a front company.
Access to the procurement system can also be misused to undermine a company’s reputation. Breach of obligations, delayed payments and willful disregard of obligations – all of these can be achieved simply by removing or substituting information sent from the company to the supplier and vice versa.
SAP SRM uses SAP NetWeaver Application Server ABAP (AS ABAP) as its main platform. It is therefore potentially exposed to all the vulnerabilities of that platform, which number more than 1050. In addition, there are about 80 vulnerabilities specific to the various modules of SAP SRM.
Typical examples of SAP SRM vulnerabilities can be found in the SAP cFolders application (SAP Security Notes 1284360 and 1292875). Most of these vulnerabilities enable unauthorized access, with administrative rights, to the documents stored inside the system.
ERPScan Security Monitoring Suite for SAP contains a wide range of checks aimed at discovering security issues specific to SAP SRM systems. The solution’s leading position in the field has been confirmed by multiple awards. It is the only SAP SE-certified solution on the market that identifies, analyzes and remediates all SAP security issues and enables powerful protection against cyber-attacks and fraud. It covers all three tiers of SAP security: vulnerability management, source code review for custom programs, and segregation of duties (SoD).