Report: most enterprise SAP installations have critical security issues
May 11, 2015
A recently issued report reveals that a striking 95 percent of enterprise SAP installations contain highly critical security vulnerabilities that could allow the systems to be hijacked.
Researchers from SAP security tools vendor Onapsis say attackers can use the vulnerable SAP installations to pivot from low-integrity to high-integrity systems, execute commands with administrative privileges, and create J2EE backdoors.
Onapsis chief executive Mariano Nunez says SAP's 250,000 customers are exposed for an average of a year and a half from the time a vulnerability surfaces, with SAP taking some twelve months to develop security patches.
"The really big surprise is that SAP cyber security is falling through the cracks at most companies due to a responsibility gap between the SAP operations team and the IT security team," Nunez says.
"The truth of the matter is that most patches applied are either not security-related, are late or introduce further security risks," he added.
The Boston research consultancy found that in 2014, SAP delivered about 391 security patches, of which half were labelled high priority.
Nunez laid the blame in part on SAP's 'HANA System', which he says is responsible for a 450 percent increase in the number of security issues.
"This new trend is not only continuing, but exacerbating with SAP HANA, positioned in the center of the SAP ecosystem where data stored in SAP platforms now must be protected both in the cloud and on-premise," Nunez says.
The most severe vulnerabilities were four holes in SAP SQL Anywhere rated 9.5 on a severity scale of 10, followed by no fewer than eighteen holes in Sybase ESP rated 7.5.
"We are not only speaking about the number of security vulnerabilities here, which is quite large, but also the criticality of these various issues," said ERPScan founder Alexander Polyakov.
Polyakov says SAP's closed customer-only support portal shows some 388 small patches dubbed 'security notes' released last year, up 7 percent since 2013.
"To be sure, SAP Security notes are actually small patches that usually close one or more security vulnerabilities in SAP applications found by third-party companies and SAP's internal security team," he says.
In fact, the situation is probably substantially worse than this, according to Polyakov, given the bugs likely introduced into customised SAP installations.
"If experienced SAP developers can still leave mistakes in their code, imagine what is happening with customized SAP programs, especially those outsourced to other companies. High competition between outsourcing companies drives them to minimise development time and resources, which usually impacts security," he added.
Polyakov has published a few whitepapers detailing common SAP security vulnerabilities, penetration testing guidelines, and their recommended defenses.