Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit specific SAP vulnerabilities to take full control of the SAP system and expose the critical information and processes of the company.

Among new SAP users and non-technical experts, there are multiple myths when it comes to SAP, like “SAP is a commercial product that delivers security by default.” The reality is that even after implementing the standard functionalities of an SAP solution, it is not secured by default.

Traditionally, companies were predominantly focused on the roles and profiles assigned to different users in the SAP system as the main control to improve the security in the SAP systems. However, this focus has been expanded beyond merely access control, and there are plenty of elements that need security factored in:

  • Access Management: In the SAP solutions, there are multiple ways to provide high privileges to users and to perform critical actions on the business processes, such as changing already created invoices, modifying existing purchase orders or trying to change the system configuration
  • Custom Code: According to best practices, it is better to build security in your code during the design process than waiting to have a breach.
  • Configuration: An SAP system has hundreds of different parameters that influence the configuration of the system and therefore its security. As such, most customers have included security as a key part in their SAP implementation projects.
  • Interface/integration with other systems: Interconnecting systems can be a dangerous activity if the security of both systems is not adequate and the connector is not configured properly.

IBM Security has defined a security framework featuring 13 layers that focus on the critical elements of the SAP stack. This framework uses a top-down approach, going from regulatory and compliance to the most technical details related to cybersecurity.

Figure 1: The 13 layers of SAP Security

Some years ago, the main activities on an SAP security project were focused on defining the appropriate roles and authorizations according to the Segregation of Duties matrix established by the customer or the best practices. However, those activities have been expanded to include the security of the DevOps and in the interfaces, consideration of encryption (at rest or in motion), performance vulnerability assessments, penetration testing and more.

A good starting point is to identify all the security aspects that could impact the SAP systems that are either running in a cloud environment or will be moved to a cloud environment. This activity evaluates the security considering the aforementioned 13 layers framework and combining the utilization of different assets to speed up the analysis.

These are some examples of the questions that will be answered during this analysis:

  • Are the integrations between the SAP ERP system and other internal and external systems secure?
  • Is the company monitoring the vulnerabilities in the SAP landscape? If so, is the company appropriately managing the vulnerabilities identified?
  • Is the company correctly assigning the users’ roles in the SAP landscape?
  • Is the configuration of the application layers of those SAP systems secure enough?

The final deliverable should be a detailed report including the security weaknesses and an action plan to mitigate the found risks.

This type of project is used to justify the security value behind the transformation program defined by the company and is utilized as a first step to start the security transformation in the SAP environment. After this activity, IBM offers different solutions to accelerate the security transformation and to manage the applications in a secure manner.

The key difference that sets IBM apart is that we analyze the client security posture from two different perspectives; we consider compliance and cybersecurity with the main objective of identifying all the weak flanks that could compromise the customer’s business.

Is your IT strategy considering the security of its SAP solutions? Is your company performing frequent reviews to assure that the SAP solutions have not been attacked or suffered a breach? How is your company managing the vulnerabilities identified in the internal or external audits? Learn how to best secure your SAP environments and get in touch with an expert to help you through your SAP security transformation today by accessing here.

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…