What is SAP Security (and Why Does It Matter?)
Originally published by Onapsis here.
An Overview of SAP Applications
Business-critical applications such as ERP, SCM, CRM, SRM, PLM, HCM, BI and others support essential business functions and processes of the world’s largest commercial and governmental organizations, including supply chain, manufacturing, finance, sales and services, human resources and others. These applications are the crown jewels of their operation. SAP applications are widely deployed and used for critical operations worldwide by organizations in essential industries such as food distribution, medical device manufacturing, pharmaceuticals, critical infrastructure including utilities, government and defense and more:
- SAP software is used at more than 400,000 organizations globally
- SAP customers include 92% of the Forbes Global 2000
- 77% of the world’s transaction revenue touches an SAP system
- More than 1,000 government and government-owned organizations around the world rely on SAP software
- Defense, paramilitary and homeland security organizations operate a significant and mission-critical SAP footprint
Given their importance to business-critical operations, SAP applications need to be secured with the proper tools and teams. But, unfortunately, that’s not often the case.
Current Gaps in SAP Security
The security landscape for SAP applications has changed significantly in recent years. As SAP has focused more on the cloud, this has caused a significant shift in both the location and configuration of SAP technologies from on-premise environments, to mixed landscapes, to running entirely in the cloud. This has presented challenges for the teams responsible for securing these systems.
Most organizations employ defense-in-depth frameworks, which utilize multiple layers of security controls with the hope that if a vulnerability exists in one of the layers, the countermeasures in one or more of the other layers will deliver the necessary security. This includes deploying security at the perimeter, network, and endpoint levels using endpoint detection and response (EDR), network detection and response (NDR), and security information and event management (SIEM) tools. However, this layered approach has a fundamental flaw–it does not sufficiently protect the application layer.
Leveraging defense-in-depth strategies to protect business-critical applications has grown more complicated as modernization and digital transformation initiatives have eroded the perimeter. SAP and Oracle applications are increasingly moving off-premises into the cloud, or connecting to third-party services. Some are even becoming publicly accessible–all of these increase exposure, interconnected risk, and the chances of exploitation. Vulnerabilities also exist within the layers in front of the application layer. If exploited, a threat actor could then potentially move laterally to infiltrate the application layer if it is not sufficiently protected. The challenge for organizations is how to preemptively detect vulnerabilities and prevent cyberattacks targeting critical data and systems. Yet these existing defense-in-depth solutions are not specifically focused on threats and vulnerabilities for business-critical applications.
Traditional vulnerability management, threat detection and response, and application security testing tools solutions don’t provide security teams with visibility into potential misuse or abuse of SAP, Oracle, and other SaaS applications. They are ineffective at identifying a large number of application vulnerabilities, such as misconfiguration, overprivileged roles, or unapplied patches. Current detection and response tools are unable to detect potential threats to systems that may result in the exploitation of data subject to regulatory controls. Finally, application security testing for SAP can be challenging due to the lack of tools that support such testing in terms of not only components that are unique to SAP, but integrations with relevant development and change management environments. This means for most organizations, security testing for SAP means manual security reviews, which can be a time-consuming, error prone process.
The Evolution of Cyberattacks on SAP Applications
In the last few years, the pace at which attackers are exploiting vulnerabilities in business-critical applications has accelerated–SAP, Oracle, and other SaaS apps are more appealing to cybercriminals than ever. Attackers are not only working faster, they are working smarter. Onapsis Research Labs, Onapsis’s threat intelligence team, found conclusive evidence that attackers who have sophisticated knowledge of business-critical applications target and exploit unsecured SAP applications. This is achieved by using a variety of tactics, techniques, and procedures (TTPs)–not simply making brute-force attempts against the application. Our 2021 research report found over 400 confirmed exploitations including more than 100 hands-on attacks on organizations in less than a year. The compromised content included data and details from sales, HR, customer personally identifiable information (PII), engineering, intellectual property, and financial information. New unprotected SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours, making the window for defenders small and stressing the need to “shift left” and ensure new business-critical applications are provisioned securely from day one.
Onapsis Research Labs also discovered that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. What is particularly alarming from these findings is that many of these software exploits are well-known and have mitigations and/or patches widely available to mitigate the risk, they simply weren’t implemented. As a result, the U.S. Department of Homeland Security has issued six alerts to date about cyber attacks targeting business-critical enterprise systems, including SAP. A defense-in-depth strategy of layers of security around business-critical applications can be rendered ineffective by an attacker who knows the application well enough to exploit its vulnerabilities, and it can have a serious impact on the business.
The Business Impact of Unsecured SAP Systems
Exploits targeting SAP application misconfigurations and vulnerabilities can allow attackers to take full control of vulnerable systems without the need to have a valid user ID and password—compromising IT controls for access control and user authorization. These attacks may be launched from both inside and outside the corporate network.
If an attacker is able to gain access to an unprotected SAP system, the business impact could be critical. Successful exploitation of a vulnerable SAP system would allow an attacker to perform several malicious activities, including:
- Steal PII from employees, customers, and suppliers
- Read, modify, or delete financial records
- Change banking details
- Administer purchasing processes
- Disrupt critical business operations by corrupting data, shutting processes down completely, or deploying ransomware
- Delete or modify traces, logs, and other files
For many organizations, SAP applications are under the purview of specific industry and governmental regulations, financial and other compliance requirements. This means that the presence of vulnerabilities in SAP applications that could allow unauthenticated access may constitute a deficiency in IT controls for data privacy (e.g., GDPR), financial reporting (e.g., SOX), or industry-specific regulations (e.g., PCI-DSS). Any enforced controls that are bypassed via exploitation of these vulnerabilities may cause regulatory and compliance deficiencies over critical areas.
Violating compliance regulations can lead to fines, business disruption, productivity and revenue loss, and reputation damage that can have long-lasting consequences. Downtime from exploited vulnerabilities in applications and custom code can also cost millions of dollars. In 2020, the average cost from lost business due to a data breach was $1.5 million. Enforcing security and compliance standards is the best way to avoid this fallout from security incidents of this nature.
Six Best Practices to Secure SAP Applications
1. Security hardening of SAP applications
By implementing a security-by-design approach, relevant security aspects are integrated from the first design phase onwards. This is essential to eliminating blindspots and keeping an organization’s business-critical applications secure, available, and compliant. This approach makes it possible to create a blueprint with security considerations at the forefront and thus avoid complications and risks later on.
A strong cyber security framework is a good start, including one that integrates leading practices and technologies that enable organizations to continuously detect and monitor their core business systems long past implementation. One option is the SAP Security Baseline, which defines how to keep SAP systems secure. The NIST Cybersecurity Framework can also provide a handy way for establishing a baseline. An important part of the NIST Cybersecurity Framework is the focus on the application security layer, which, as noted above, has become a target for attackers. Organizations may also have industry-specific or country-specific regulatory compliance processes that provide a means for a baseline.
2. Timely patch management
Given the frequency and volume of patch releases, complexity of the patching process, and size of application landscapes, organizations have the potential to face a growing backlog of patches. A manual patch management process can be error prone; there isn’t an easy way to identify which systems are missing which patches, which missing patches to prioritize, and whether or not patches were applied. Consider this: critical SAP vulnerabilities are being weaponized less than 72 hours after a patch is released. But, the time from when a vulnerability is found to when a patch is deployed is a lot longer; the average time to apply, test, and fully deploy a patch is 97 days. Having an automated patch management process can minimize the risk of critical vulnerabilities and protect the business’ most important assets.
3. Point-in-time vulnerability assessment
A vulnerability assessment aims to uncover vulnerabilities and recommends the appropriate mitigation or remediation to reduce or remove the risks. Organizations should employ a comprehensive SAP vulnerability management tool that can provide automated assessments, descriptions of severity and business impact, and step-by-step remediation instructions to enable teams to prioritize remediation efforts and address issues before they can negatively impact the application.
4. Continuous monitoring of vulnerabilities and threats
The challenge for organizations is how to preemptively detect vulnerabilities and prevent cyberattacks targeting critical data and systems. Organizations should employ a threat detection and response tool for SAP applications that can provide visibility into potential threats facing an organization’s most critical assets and accelerate the incident response process.
5. Secure custom code
Organizations need a way to ensure they are writing high quality and secure code. Additionally, this code will be brought into the organization environment via transports. Organizations also need a way to check that the transports aren’t going to introduce security, performance, or compliance issues. Unaddressed issues in the custom code and transports used to create, maintain, and update the applications can disrupt operations and interfere with the ongoing delivery of updates. An application security testing solution can replace these time-consuming and error prone automatic remediation for common code errors, enabling organizations to build security into development processes to find and fix issues as quickly as possible.
6. Seek and use targeted threat intelligence to stay ahead of zero-day threats
Timely, impactful threat intelligence programs can provide insightful information about current TTPs used by threat actors. They can also provide early alerts about new ransomware campaigns as well as actionable intelligence for security teams responsible for designing and implementing security controls.
 SAP website
 Ponemon Cost of a Data Breach Report 2020
 The Third Annual Study on the State of Endpoint Security Risk, Ponemon Institute LLC, Publication Date: January 2020
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.