SAP customers may have been a little unnerved by recent reports of security vulnerabilities in SAP systems, but they now have a new way to assess and deal with SAP security issues.
Onapsis Inc., a cybersecurity vendor that focuses on SAP and Oracle enterprise systems, has unveiled Onapsis Business Risk Illustration (BRI), a program that enables organizations to assess security vulnerabilities in SAP systems. Onapsis BRI analyzes SAP security issues associated with applications, systems and custom code, according to the company.
SAP and other enterprise ERP systems are rich targets for cybercriminals, because they contain much of an organization's most valuable data, and organizations are often too lax about regularly applying software security patches to those systems. SAP system vulnerabilities drew attention in May, when the U.S. Department of Homeland Security issued a US-CERT alert concerning 10KBLAZE, an exploit that targets "unsecure configurations of SAP components," according to the report.
SAP security issues need more attention
SAP security is a serious issue that's not getting enough attention, according to Jason Fruge, chief information security officer at Fossil Group Inc., a global firm based in Richardson, Texas, that designs and manufactures several watch brands.
Fossil Group has run an SAP implementation for 16 years, with mission-critical applications that run the company's HR management, payroll, manufacturing, repair centers and distribution centers, Fruge said.
"If SAP was to go down, we would stop operations. There's just nothing we could do without it," Fruge said. "It maintains all of our customer history, as well as our internal employment information. So, this is [a] really critical application in the company."
One of the problems with maintaining SAP security is that standard IT event management and patching tools aren't geared for SAP systems, and the vulnerabilities can be niche and specialized at the SAP application layer, according to Fruge. So, getting the resources to address SAP vulnerabilities begins with understanding the problems.
Opening up SAP leads to vulnerabilities
Fruge turned to Onapsis BRI, which indicated that vulnerabilities existed that could cause significant financial and operational damage. SAP is also becoming more vulnerable now, because it's being opened up to the internet through UI apps like Fiori.
The BRI assessment models how an unauthorized entity can enter an SAP system and identifies where the specific vulnerabilities are, Fruge said. The initial analysis was completed in a couple of hours and was done on Fossil Group's production environment, which meant no valuable time was lost shutting the system down for testing.
Fruge said a mistake many organizations make is that they focus their security efforts on compliance with regulatory requirements such as Sarbanes-Oxley and may miss other critical SAP security issues.
"[In order to comply with Sarbanes-Oxley], you need to make sure your financial systems are secure from a roles perspective, like what users [are] allowed to do what," Fruge said. "But that doesn't say anything about how frequently you need to maintain the security patching capability. There's really no prescription for security. It requires a thoughtful approach that says, 'What does my asset landscape look like, and where are my most important assets and my least important assets?'"
Identifying key SAP security issues
Onapsis BRI provides organizations access to its security teams who probe SAP systems for vulnerabilities, according to the company. The Onapsis teams mimic attackers' behavior to identify the organization's target SAP systems and detect vulnerabilities such as weaknesses in custom code or misconfigurations. SAP applications and systems are then rated on Onapsis' Business Application Risk Maturity Model, which provides a six-stage scale of risk maturity from healthy to high-risk.
Onapsis BRI can identify several SAP application or system vulnerabilities, according to the company, including the following:
- the 10KBLAZE exploit, identified in the US-CERT AA19-122A alert, which allows a remote entity to access SAP applications through the SAP Message Server;
- the Invoker Servlet vulnerability, identified in US-CERT Alert TA16-132A, which allows SAP applications to be compromised via a web browser;
- SAP Gateway configuration issues that allow attackers to perform sensitive operations that can access information in SAP systems; and
- vulnerabilities in custom code that organizations create for their own SAP processes.