Leveraging CSA to React to Critical Risks
Written by JP Perez-Etchegoyen, CTO, Onapsis
On February 8th, 2022, SAP released its SAP Security Notes as part of the monthly cadence of releasing security patches. This last patch Tuesday was noteworthy due to the release of patches for critical, unauthenticated, HTTP exploitable vulnerabilities, dubbed “ICMAD” and identified by CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. These vulnerabilities, identified by the Onapsis Research Labs, as all critical vulnerabilities in SAP, are worth a deeper analysis as well as a timely reaction, because they may imply a direct risk to the business.
Last week, CSA published this blog explaining the nature of these vulnerabilities and this one is a follow-up, explaining how leveraging the CSA Top 20 Critical Controls for SAP Applications can help organizations be more prepared.
The reality is that we are talking about business applications, built on top of complex software and as such, we need to be prepared to react to diverse types of risk we may or may not be aware of. The question you might be asking yourself is: How can I be better prepared to react appropriately?
That is where CSA can help. In 2017, CSA initiated the Cloud ERP Working Group, aimed to provide guidance on critical controls recommended to protect business critical applications, regardless of whether your organization is in the cloud or in the process of getting there.
One of the largest projects of this working group was around the Top 20 Critical Controls, which is a list of controls organizations can implement to protect their business applications. When it comes to SAP Applications, the working group released the Top 20 Critical Controls for SAP Applications with the purpose of helping SAP customers. The control “APP03 - Security Vulnerabilities” covers this type of risks and provides an overview of the process that needs to be implemented to timely react to security vulnerabilities in the standard code of SAP Applications.
I recommend taking a look at the full list of controls so you can understand where your organization is in terms of securing the most important business applications. You can also reach out to the working group, and join our monthly calls, to contribute and learn about cybersecurity for ERP Applications.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.