SAP Security Automation

Guarding Your SAP Fortress: Uncover the Top 3 Security Risks Threatening Enterprise SAP Applications



Enterprise SAP applications are high-value targets for hackers

Enterprise SAP applications are high-value targets for hackers: they run mission-critical business processes and hold large volumes of sensitive and confidential data. With cybercrime on the rise and penalties growing for companies that fail to secure their systems effectively, threats such as ransomware and credential theft have become major concerns for organisations.

However, delays in applying security patches, together with failure to identify and fix configuration errors and custom code vulnerabilities, leave many SAP systems exposed and put company executives and directors at risk.

ASIC, the Australian corporate regulator, has recently announced that it will hold company directors accountable for security breaches where a lack of corporate due diligence can be shown.

SAP teams therefore need to find ways to eliminate as much risk as possible, and to do so quickly.

The three most common SAP system risks

SAP security patch application delays

Unpatched systems are by far the most common reason SAP systems remain vulnerable. SAP regularly releases patches (SAP Security Notes, published on the monthly SAP Security Patch Day) to close newly and recently identified vulnerabilities; however, in a March 2022 SAPinsider research report (SAPinsider Benchmark Report: Cybersecurity Threats to SAP Systems), 47% of surveyed SAP customers reported being behind on applying security patches.

There are several reasons for this.

Many teams do not have the time and resources to set up a regular patching cadence, and most fear breaking something and disrupting the stability of production systems.

However, with executives and boards now directly accountable for security failures, budgets for the additional resources needed to overcome those time and resource limitations should be available. There are also tools that assess the potential impact of a security patch before it is applied. With them, SAP teams can target post-application testing at the objects a patch actually touches and minimise the risk of disruption; the patch should still be applied and regression tested in a development or quality system before it reaches production.

SAP configuration errors

Configuration issues such as outdated or poorly configured SAProuter, SAP Web Dispatcher, Internet Communication Manager (ICM) and SAP Gateway components present problems for SAP enterprise organisations.

Other configuration-related issues include services exposed to the internet that can be accessed without authentication, unprotected or insufficiently secured administration interfaces, and unencrypted communication (for example, RFC and SAP GUI traffic without SNC, or HTTP rather than HTTPS on the ICM).

There are many others.

Unfortunately, identifying every vulnerable area manually is almost impossible, although most of the obvious and critical weaknesses can be found with enough time and expertise.
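To make the configuration risks above concrete, here is an added example (not from the original article, from SAP or from Leg Up Software): a fragment of an ABAP instance profile with the weak settings commented out beside their hardened values. The parameter names are standard SAP profile parameters; the specific values chosen for password length, GUI timeout and port numbers are assumptions for illustration, not SAP defaults.

```ini
# Added example: weak versus hardened SAP instance profile settings.
# Parameter names are standard; the numeric values chosen below are assumptions.

# --- Weak (typical of an unreviewed system) ---
# gw/acl_mode = 0                        # no ACL files: gateway allows registration and program start from anywhere
# snc/enable = 0                         # SAP GUI and RFC traffic in cleartext
# icm/server_port_0 = PROT=HTTP,PORT=8000    # HTTP only, no TLS on the ICM
# auth/rfc_authority_check = 0           # S_RFC not checked on inbound RFC calls
# login/no_automatic_user_sapstar = 0    # SAP* can log in with its default password if its user record is missing
# login/min_password_lng = 6

# --- Hardened ---
gw/acl_mode = 1                          # restrictive defaults when secinfo/reginfo are missing
gw/sec_info = $(DIR_DATA)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_DATA)$(DIR_SEP)reginfo
snc/enable = 1
snc/data_protection/min = 3              # 3 = privacy (encryption), not just authentication
icm/server_port_0 = PROT=HTTPS,PORT=44300
auth/rfc_authority_check = 1
login/no_automatic_user_sapstar = 1
login/min_password_lng = 12
rdisp/gui_auto_logout = 1800             # idle SAP GUI sessions dropped after 30 minutes
```

Two caveats before copying any of this: the gateway ACL files named by gw/sec_info and gw/reg_info must actually exist and contain rules for the RFC servers and registered programs the landscape needs, and snc/enable and the HTTPS port only work once the SNC library, the server PSE and the client side (SAP GUI, RFC destinations, Web Dispatcher) are configured for them. Change these parameters in a non-production system first and verify that the instance restarts and that interfaces still connect.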

SAP custom code vulnerabilities

SAP enterprise customers write extensive custom ABAP code for their SAP applications to meet specific business needs.

This custom code often contains vulnerabilities such as injection flaws in dynamic ABAP statements (for example, user input concatenated into an Open SQL WHERE clause), URL redirects to attacker-controlled destinations, missing content checks on HTTP uploads, and unchecked read or write access to sensitive data in database tables. Combined with stolen user credentials, these flaws give an attacker a route into the system.

Implementing enforceable development standards, so that new developments are clean and do not contain known vulnerability classes, is important for minimising security risk.

After development, tools such as SAP Code Vulnerability Analyzer (CVA), which runs as part of the ABAP Test Cockpit, can scan custom code and flag areas of concern.
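The injection flaw described above, as an added example that is not code from the original article, from SAP or from Leg Up Software: a small report with a vulnerable user lookup that concatenates input into a dynamic WHERE clause, beside two hardened versions. The report name ZSEC_DEMO_DYN_WHERE and the local class LCL_USER_LOOKUP are invented for illustration; the table USR02, the class CL_ABAP_DYN_PRG and the authorization object S_USER_GRP are standard SAP objects. The test input is constructed to show the effect.

```abap
REPORT zsec_demo_dyn_where.

" Added example, not code from the original article, from SAP or from Leg Up Software.
" Assumptions: report and class names are invented; USR02 (user master),
" CL_ABAP_DYN_PRG and authorization object S_USER_GRP are standard objects.

CLASS lcl_user_lookup DEFINITION.
  PUBLIC SECTION.
    TYPES tt_names TYPE STANDARD TABLE OF xubname WITH EMPTY KEY.

    " Vulnerable: caller input is concatenated into a dynamic WHERE clause.
    METHODS find_vulnerable
      IMPORTING iv_user         TYPE string
      RETURNING VALUE(rt_names) TYPE tt_names.

    " Hardened: authority check, then a static WHERE with a host variable.
    METHODS find_hardened
      IMPORTING iv_user         TYPE string
      RETURNING VALUE(rt_names) TYPE tt_names.

    " Hardened variant for the rare case where the clause must be dynamic.
    METHODS find_dynamic_quoted
      IMPORTING iv_user         TYPE string
      RETURNING VALUE(rt_names) TYPE tt_names.
ENDCLASS.

CLASS lcl_user_lookup IMPLEMENTATION.
  METHOD find_vulnerable.
    " Constructed input  X' OR BNAME LIKE '%  produces the clause
    "   BNAME = 'X' OR BNAME LIKE '%'
    " and returns every user in the client instead of one.
    DATA(lv_where) = |BNAME = '{ iv_user }'|.
    SELECT bname FROM usr02
      WHERE (lv_where)
      INTO TABLE @rt_names.
  ENDMETHOD.

  METHOD find_hardened.
    " Reading user master data is tied to an authorization check; an empty
    " result is returned here, production code would raise an exception.
    AUTHORITY-CHECK OBJECT 'S_USER_GRP'
      ID 'CLASS' DUMMY
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    " The host variable reaches the database as data, never as SQL text,
    " and CONV truncates it to the 12-character length of BNAME.
    DATA(lv_user) = CONV xubname( iv_user ).
    SELECT bname FROM usr02
      WHERE bname = @lv_user
      INTO TABLE @rt_names.
  ENDMETHOD.

  METHOD find_dynamic_quoted.
    " cl_abap_dyn_prg=>quote wraps the value in single quotes and doubles any
    " quote inside it, so the payload above becomes one harmless literal.
    DATA(lv_where) = |BNAME = { cl_abap_dyn_prg=>quote( iv_user ) }|.
    SELECT bname FROM usr02
      WHERE (lv_where)
      INTO TABLE @rt_names.
  ENDMETHOD.
ENDCLASS.

PARAMETERS p_user TYPE c LENGTH 40 LOWER CASE.

START-OF-SELECTION.
  DATA(lo_lookup) = NEW lcl_user_lookup( ).
  DATA(lv_input)  = CONV string( p_user ).
  DATA(lt_vuln)   = lo_lookup->find_vulnerable( lv_input ).
  DATA(lt_safe)   = lo_lookup->find_hardened( lv_input ).
  DATA(lt_quoted) = lo_lookup->find_dynamic_quoted( lv_input ).
  WRITE: / |Vulnerable lookup returned { lines( lt_vuln ) } user(s)|,
         / |Hardened lookup returned { lines( lt_safe ) } user(s)|,
         / |Quoted dynamic lookup returned { lines( lt_quoted ) } user(s)|.
```

Run with the input X' OR BNAME LIKE '% and the vulnerable method returns the whole user list while the two hardened methods return nothing, because no user is literally named that. The static WHERE is the preferred fix; cl_abap_dyn_prg=>quote is the fallback for genuinely dynamic clauses, and CVA flags the concatenation pattern in find_vulnerable as an Open SQL injection finding.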

SAP security tools

Many tools are available to help SAP teams get on top and stay on top of their SAP systems security.

From patch impact assessment tools that reduce the risk of applying SAP security patches, to ABAP code analysis tools that identify hidden vulnerabilities, SAP teams have access to specialised software to support their security efforts.

However, this, too, can be daunting.

From native SAP tools such as SAP Code Vulnerability Analyzer (CVA) to well-credentialled third-party software such as smarterSec, the selection is broad, and each product has its own scope and prerequisites. Identifying and selecting SAP security tools can look like quite a project; however, if taken in bite-size pieces, targeted selection and implementation can quickly improve an SAP system's security profile.

We can help

Leg Up Software are experts in SAP IT operational and infrastructure software automation solutions, including those to support the SAP team’s security aspirations.

We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best solutions for most SAP security applications.

We have excellent relationships with many software vendors and can negotiate an evaluation process that best suits your circumstances and budget.

Why not set up a time to get the conversation started by putting something in our calendar?

Make time to talk with Rick

Alternatively, to learn more about IT automation for SAP teams, see www.legupsoftware.com/solutions 

Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.