Report Claims SAP Apps Are Riddled With Flaws

Over 95% of SAP implementations are exposed to flaws that could lead to damaging data breaches, according to security vendor Onapsis, a claim the German ERP giant disputes.

The app security firm’s Onapsis Research Labs claims to have assessed hundreds of SAP installations and thousands of vulnerabilities to compile its research.

It said the three most common ways to hack into data stored in SAP apps are:

  • Pivoting from a lower-security SAP system to a higher-security one in order to execute “remote function modules” and steal customer information and payment card data.
  • Creating “backdoor users” in the SAP J2EE User Management Engine and then exploiting a flaw in it to access SAP Portals, Process Integration platforms and connected systems.
  • Reaching SAP data warehouses by executing operating-system commands with a user's privileges and by exploiting vulnerabilities in the SAP RFC Gateway.
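The third item names the SAP RFC Gateway. Access to the gateway is governed by its ACL files, reginfo (which external programs may register) and secinfo (which programs may be started, by whom and from where), and a permissive rule in either file is the first thing a practitioner would check. The script below is an added example written for this page; it is not code from the Onapsis report or from SAP. The sample ACL contents are constructed. The handling of the `local`/`internal` keywords and of unmatched requests (treated as deny) is simplified relative to the real gateway, which resolves those keywords against the instance configuration.

```python
"""Audit SAP RFC Gateway ACL files (reginfo / secinfo, VERSION=2 syntax).

Added example for illustration only; sample ACLs are constructed and the
matching logic is a simplification of the real gateway's behaviour.
"""
import fnmatch
from dataclasses import dataclass

# Constructed sample ACL files (not taken from any real system).
# The single P line in each "weak" file is a catch-all: any program,
# from any host, may register or be started.
WEAK_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

HARDENED_REGINFO = """\
#VERSION=2
P TP=* HOST=local ACCESS=local CANCEL=local
P TP=* HOST=internal ACCESS=internal CANCEL=internal
D TP=* HOST=* ACCESS=* CANCEL=*
"""

WEAK_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""

# Attributes whose wildcarding makes a permit rule dangerous, per file type.
WILDCARD_KEYS = {"reginfo": ("HOST", "ACCESS"), "secinfo": ("HOST", "USER-HOST")}


@dataclass
class Rule:
    action: str   # "P" permit or "D" deny
    attrs: dict   # e.g. {"TP": "*", "HOST": "*"}
    line_no: int


def parse_acl(text):
    """Parse VERSION=2 rules: '<P|D> KEY=value KEY=value ...' per line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment or the #VERSION=2 header
        parts = line.split()
        action = parts[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: unknown action {parts[0]!r}")
        attrs = {}
        for item in parts[1:]:
            key, _, value = item.partition("=")
            attrs[key.upper()] = value
        rules.append(Rule(action, attrs, n))
    return rules


def _match(pattern, value):
    # "*" is the catch-all; other values are glob-matched.  The real gateway
    # resolves "local"/"internal" itself; here a request carries the keyword
    # when the caller already knows the source host falls into that class.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(rules, request):
    """First matching rule decides; a request matching no rule is denied."""
    for rule in rules:
        if all(_match(pat, request.get(k, "")) for k, pat in rule.attrs.items()):
            return rule.action
    return "D"


def audit(rules, kind):
    """Return human-readable findings for permissive rules in an ACL."""
    findings = []
    for rule in rules:
        if rule.action != "P":
            continue
        open_keys = [k for k in WILDCARD_KEYS[kind] if rule.attrs.get(k, "*") == "*"]
        if open_keys and rule.attrs.get("TP", "*") == "*":
            detail = " and ".join(f"{k}=*" for k in open_keys)
            findings.append(f"line {rule.line_no}: permit rule with TP=* and {detail}")
    if not rules or rules[-1].action != "D":
        findings.append("no terminating deny-all rule (SAP's recommended templates end with one)")
    return findings


if __name__ == "__main__":
    remote = {"TP": "rfcexec", "HOST": "attacker.example", "ACCESS": "attacker.example", "CANCEL": "attacker.example"}
    for name, text, kind in (("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                             ("weak secinfo", WEAK_SECINFO, "secinfo")):
        rules = parse_acl(text)
        print(name, "-> remote registration:", evaluate(rules, remote))
        for f in audit(rules, kind):
            print("  ", f)
```

Running it shows the weak reginfo permitting a registration from an arbitrary remote host while the hardened file denies it, and the audit flags both the wildcard permit and the missing final deny. On a real system the files live in the instance's data directory and the effective path is given by the gw/reg_info and gw/sec_info profile parameters; the script only reads text passed to it.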

The situation is reportedly made worse by slow patching of disclosed SAP vulnerabilities.

Onapsis claimed that patching windows average 18 months, adding that SAP released a total of 391 security fixes in 2014, almost half of them ranked as “high priority.”

“The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP operations team and the IT security team,” said Mariano Nunez, CEO of Onapsis, in a statement.

“The truth is that most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications.”

The vendor laid much of the blame at the door of SAP's HANA relational database management system, which has seen a 450% increase in patches.

Onapsis urged CISOs to gain better visibility into their SAP environments in order to check which apps are most at risk, and then to implement continuous monitoring in order to keep installations secure and compliant.

It added that security leaders should detect and respond to “new threats, attacks or user behavior anomalies as indicators of compromise.”

SAP responded in a strongly worded statement sent to Infosecurity:

“SAP works closely with various external companies who specialize in securing SAP solutions. This includes Onapsis. The press release published by Onapsis is aimed at alienating SAP customers while promoting Onapsis’s own products. The assertion that over 95% of SAP systems were exposed to vulnerabilities is false.”

The German giant added that it implements “the highest degree of product safety” and has a comprehensive product security strategy based on three pillars – “prevent, react, detect.”

The statement continued:

“An important component of this strategy is the ‘Secure Software Development Lifecycle’ (S²DL) which provides a comprehensive framework of processes, guidelines, tools and staff training. Thus, we are able to ensure that security software is an integral component when it comes to the architecture, design and implementation of SAP solutions.”
