
3 Vulnerability Management Challenges for SAP Applications (and How to Overcome Them)

Published 06/23/2022

This blog was originally published by Onapsis here.

Written by Maaya Alagappan, Social Media and Content Strategist, Onapsis.

Business-critical applications have never been more vulnerable. The increasing complexity and size of application environments, customization of individual apps, and growing backlogs of patches have left organizations with a larger number and greater variety of vulnerabilities to identify, understand, and act on. The exposure and risk of exploitation at the application layer is also greater now due to digital transformation initiatives, with many critical applications moving to the cloud, connecting to third-parties, or becoming publicly accessible.

The level of sophistication in cyber attacks is increasing and threat actors are now able to narrowly and successfully target the applications that businesses use to run their everyday operations. There have been six US-CERT alerts specifically about business-critical applications since 2016 and two on SAP security risk. From mid-2020 until April 2021, Onapsis researchers recorded more than 300 successful exploit attempts on unprotected SAP applications. Our team found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. These advanced threat actors were observed to patch the SAP vulnerabilities they exploited and reconfigure systems so they would go undetected by SAP administrators. This evolution of the threat landscape means organizations need strong vulnerability management programs around their business-critical SAP applications.

Lack of Resources and Budget

Budgeting to staff the right cybersecurity team is essential, but there simply aren’t enough cybersecurity professionals to meet the market’s needs. More than 57% of organizations have been impacted by the cybersecurity skills shortage, and one of the top three areas of significant cybersecurity skills shortage is application security. With cyberattacks on business-critical applications like SAP only becoming more prevalent, this is a concerning reality.

Even a well-staffed team is challenged by limits on its valuable time. Complex security notes, each bundling multiple vulnerability patches and instructions with varying levels of severity, are released on a monthly basis. Keeping up is extremely challenging, especially for enterprises managing dozens of business-critical applications. Without a prioritization tool to help automate and streamline this work, these teams spend countless hours managing the process manually.

Lack of Visibility

Visibility has always been the starting place for monitoring and protecting attack surfaces and valuable assets. Business-critical applications are typically managed by in-house IT teams who are focused more on performance and availability than security. This causes security teams to lack the visibility and context they need to identify vulnerabilities within these ecosystems and understand the risk they pose to the business. Security administrators are responsible for vulnerability management for the business, but their tools don’t cover business-critical applications and they often rely on application teams for remediation.

Knowing Where to Start

A lack of visibility and resources aren’t the only challenges; the applications themselves are also complex. Analyzing complex security notes and then prioritizing and implementing patches is challenging, especially for enterprises running multiple business-critical applications and systems. Manually managing patch implementation is a time-consuming and error-prone process. There isn’t an easy way to identify which systems are missing patches, or to prioritize patches and systems, which often leads either to a rushed process or to deprioritization. The result is a growing backlog of patches. According to a Ponemon study, almost two-thirds of organizations have a backlog of application vulnerabilities.

Patch management is only one part of mitigating risk for business-critical applications. System configurations and user privileges or access rights are also potential sources of risk. Most organizations don’t have an easy way to assess these areas and validate if their applications are following best practices.
