Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit specific SAP vulnerabilities to take full control of the SAP system and expose the critical information and processes of the company.

Among new SAP users and non-technical experts, there are multiple myths when it comes to SAP, like “SAP is a commercial product that delivers security by default.” The reality is that even after implementing the standard functionalities of an SAP solution, it is not secured by default.

Traditionally, companies were predominantly focused on the roles and profiles assigned to different users in the SAP system as the main control to improve the security in the SAP systems. However, this focus has been expanded beyond merely access control, and there are plenty of elements that need security factored in:

  • Access management: In the SAP solutions, there are multiple ways to provide high privileges to users and to perform critical actions on the business processes, such as changing already created invoices, modifying existing purchase orders or trying to change the system configuration
  • Custom code: According to best practices, it is better to build security in your code during the design process than waiting to have a breach.
  • Configuration: An SAP system has hundreds of different parameters that influence the configuration of the system and therefore its security. As such, most customers have included security as a key part in their SAP implementation projects.
  • Interface/integration with other systems: Interconnecting systems can be a dangerous activity if the security of both systems is not adequate and the connector is not configured properly.

IBM Security has defined a security framework featuring 13 layers that focus on the critical elements of the SAP stack. This framework uses a top-down approach, going from regulatory and compliance to the most technical details related to cybersecurity.

Figure 1: The 13 layers of SAP Security

Some years ago, the main activities on an SAP security project were focused on defining the appropriate roles and authorizations according to the Segregation of Duties matrix established by the customer or the best practices. However, those activities have been expanded to include the security of the DevOps and in the interfaces, consideration of encryption (at rest or in motion), performance vulnerability assessments, penetration testing and more.

A good starting point is to identify all the security aspects that could impact the SAP systems that are either running in a cloud environment or will be moved to a cloud environment. This activity evaluates the security considering the aforementioned 13 layers framework and combining the utilization of different assets to speed up the analysis.

These are some examples of the questions that will be answered during this analysis:

  • Are the integrations between the SAP ERP system and other internal and external systems secure?
  • Is the company monitoring the vulnerabilities in the SAP landscape? If so, is the company appropriately managing the vulnerabilities identified?
  • Is the company correctly assigning the users’ roles in the SAP landscape?
  • Is the configuration of the application layers of those SAP systems secure enough?

The final deliverable should be a detailed report including the security weaknesses and an action plan to mitigate the found risks.

This type of project is used to justify the security value behind the transformation program defined by the company and is utilized as a first step to start the security transformation in the SAP environment. After this activity, IBM offers different solutions to accelerate the security transformation and to manage the applications in a secure manner.

The key difference that sets IBM apart is that we analyze the client security posture from two different perspectives; we consider compliance and cybersecurity with the main objective of identifying all the weak flanks that could compromise the customer’s business.

Is your IT strategy considering the security of its SAP solutions? Is your company performing frequent reviews to assure that the SAP solutions have not been attacked or suffered a breach? How is your company managing the vulnerabilities identified in the internal or external audits? Learn how to best secure your SAP environments and get in touch with an expert to help you through your SAP security transformation today by accessing here.

More from Application Security

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

10 min read - Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit. This post doesn’t require any specialized Windows kernel knowledge to follow along, though…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today