When talking to customers and partners, I often hear that organizations are beginning to place more urgency on ensuring SAP application security. Given the growing trend of cyberattacks targeting enterprise resource planning (ERP) systems and the first-ever Department of Homeland Security (DHS) U.S. Computer Emergency Readiness Team (US-CERT) alert for SAP business applications, companies need visibility into these implementations and must have appropriate security measures in place.

Many organizations are looking to move these complex ERP systems to cloud environments to increase efficiency, redefine business processes and promote flexibility. Although the SAP HANA security evolution started in 2011, refinement and maturity came with SAP HANA SP08, which was released in 2014. SAP initially positioned HANA as the ultimate in-memory database for its products, but has more recently pushed it as a standalone platform.

SAP HANA Attacks on the Rise

While organizations can realize great efficiencies with SAP HANA, these systems are becoming attractive targets for cybercriminals because they store business-sensitive information and processes. In today’s world, most Fortune 1,000 companies rely on SAP for ERP. This single ERP system has become a critical lifeline to companies across all industries.

An intruder who breaches an SAP HANA platform can perform a variety of different attacks, including:

  • Espionage, in which attackers obtain customer, vendor and HR data, financial planning information, balances, profits, sales information, manufacturing recipes and more;
  • Sabotage, in which malicious actors paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information; and
  • Fraud, in which attackers modify financial information, tamper with sales and purchase orders, create new vendors, alter vendor bank account numbers and more.

It is no wonder that critical security vulnerabilities in SAP HANA have been on the rise. To prepare customers for this threat, SAP released several versions of SAP HANA over the years, each with its own set of security features.

Timeline of the SAP HANA Security Evolution

Most critical vulnerabilities reside in earlier versions of SPS08 and SPS09. With that in mind, let’s review the SAP HANA security evolution.

  • May 2014: SAP HANA SPS08
    • Critical notes: The top three critical advisories for SPS08 are related to cross-site scripting (XSS) servers.
  • November 2014: SAP HANA SPS09
    • HANA introduced new capabilities including user/role management, encryption, antivirus software support and support for multitenant database containers.
    • Critical notes: Potential information disclosure relating to server information (2148854); SAP HANA secure configuration of internal communication (2165583); and potential remote code execution in HANA (2197428).
  • June 2015: SAP HANA SPS10
    • With this iteration of HANA, security professionals could control access channels for users. It also featured simplified certificate management for secure sockets layer (SSL), transport layer security (TLS) and single sign-on (SSO); automatic generation of public key infrastructure (PKI) and certificates for internal communication channels; and additional hardening options for multitenant database container isolation.
    • Critical notes: Potential termination of running processes triggered by IMPORT statement (2233136); log injection and missing size restriction in SAP HANA Extended Application Services Classic (XS) (2241978); potential information leakage using default SSFS master key in HANA (2183624); and communication encryption for HANA multitenant database containers does not work as expected (2233550).
  • November 2015: SAP HANA SPS11
    • SPS11 enabled analysts to view key change information and switch data encryption on. This version automatically changed initial SSFS master keys and extended SQL injection prevention support.
    • Critical notes: Missing communication security for SAP HANA daemon service (2293958).
  • May 2016: SAP HANA SPS12
    • Enhancements included authentication (disabling authentication mechanisms) and enhanced database trace information for authorization issues.
    • Critical notes: Information disclosure in the CCMS agent of SAP HANA (2347944); information disclosure in SAP HANA cockpit for offline administration (2351486); and information disclosure in SAP HANA XS classic user self-service (2394445).
  • November 2016: SAP HANA 2
    • SAP released SAP HANA 2.0, SP00, which featured Release Note (2380257), FAQ (2159014) and Cockpit Release Note (2380291).

A Patch Day Keeps Vulnerabilities Away

To ensure efficient protection, it is crucial to keep SAP HANA systems updated with the latest security notes and pay attention to those that are most critical. By establishing a monthly patch day, you can react quickly and apply mission-critical patches and corrections. The SAP Security Patch Day is on the second Tuesday of every month. The latest SAP HANA Advisories are useful to stay up to date with the latest threat intelligence.
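The monthly patch-day routine described above can be checked mechanically. The following is an added example, not code from the article or from SAP: it computes the second-Tuesday Patch Day for any month and reports which systems in an inventory have fallen behind. The system IDs, patch dates and the one-missed-day threshold are constructed assumptions.

```python
from datetime import date, timedelta


def patch_day(year, month):
    """SAP Security Patch Day: the second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday=0, Tuesday=1. Days from the 1st to the first Tuesday:
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def missed_patch_days(last_patched, today):
    """Patch Days strictly after last_patched and on or before today.

    Assumption: a system patched on a Patch Day has applied that day's notes.
    """
    missed = []
    year, month = last_patched.year, last_patched.month
    while (year, month) <= (today.year, today.month):
        day = patch_day(year, month)
        if last_patched < day <= today:
            missed.append(day)
        # Step to the next month, rolling over the year boundary.
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return missed


# Constructed inventory: hypothetical SIDs mapped to the date notes were last applied.
INVENTORY = {
    "HDB": date(2016, 11, 10),
    "HQ1": date(2016, 8, 1),
    "HP1": date(2017, 1, 10),
}


def overdue(inventory, today, max_missed=1):
    """Return {sid: [missed Patch Days]} for systems past the allowed lag."""
    report = {}
    for sid, last_patched in inventory.items():
        missed = missed_patch_days(last_patched, today)
        if len(missed) > max_missed:
            report[sid] = missed
    return report


if __name__ == "__main__":
    for sid, days in overdue(INVENTORY, date(2017, 2, 1)).items():
        print(sid, "missed", len(days), "Patch Days, oldest", days[0].isoformat())
```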

Special Offer From IBM Security Services

You can also download the “Trends in SAP Cybersecurity” white paper. Ten qualified registrants will receive an opportunity to participate in a free, no obligation, confidential SAP Vulnerability Assessment Scan for up to five SAP systems (SAP SIDs covering ABAP stack, J2EE stack and HANA).

Download the complete White Paper: Trends in SAP Cybersecurity
