If you have opened this article, you understand that SAP security, and ERP security in general, deserves special consideration. Just look at the number of issued SAP Security Notes – more than 3500 of them have been released so far. More arguments are provided in an article about ERP Vulnerability Management. Just to give you an idea: ERP systems contain special components, handle critical assets, and employ specific security controls.
The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.
In 2016, we covered a variety of topics, from the analysis of cybersecurity incidents associated with business applications to practical advice on how to secure your system. We decided to begin the new year with an overview of ERPScan’s most popular blog posts of 2016.
On 13th of December 2016, SAP released its monthly critical patch update consisting of 31 patches. To help everyone who is engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. In addition, we described the implementation of SAP HANA Security patches, as SAP HANA issues are the most important in this patch day. This analysis would also be useful for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing.
In the wake of several high-profile incidents involving business applications over the outgoing year, there is an increasing focus on business software security. In this blog post, we gathered together the milestones of this topic for 2016.
The list of critical incidents and significant statistics is endless, but we decided to focus on 5 major facts:
1. The first-ever US-CERT alert on SAP Vulnerability;
2. Potential attacks against critical infrastructure via vulnerabilities in business applications;
3. The number of SAP Vulnerabilities identified per year is high;
4. SAP threat landscape has grown;
5. Oracle MICROS hack compromises data of 330,000 customer sites around the world.
The information about a 0-day SAP vulnerability was published on LinkedIn on October 28, 2016. A researcher disclosed details of a vulnerability in an SAP system that he had identified and described as a 0-day. As it turns out, the vulnerability was already patched by SAP on 13th of September by SAP Note 2344524, so technically it’s not a 0-day vulnerability, but 0-day details of the vulnerability, so to speak. However, as it takes time to implement a patch, most SAP users may still be susceptible to attack by this issue.