3 Vulnerability Management Challenges for SAP Applications (and How to Overcome Them)

Business-critical applications have never been more vulnerable. The increasing complexity and size of application environments, customization of individual apps, and growing backlogs of patches have left organizations with a larger number and greater variety of vulnerabilities to identify, understand, and act on. The exposure and risk of exploitation at the application layer is also greater now due to digital transformation initiatives, with many critical applications moving to the cloud, connecting to third-parties, or becoming publicly accessible. 

The level of sophistication in cyber attacks is increasing and threat actors are now able to narrowly and successfully target the applications that businesses use to run their everyday operations. There have been six US-CERT alerts specifically about business-critical applications since 2016 and two on SAP security risk. From mid-2020 until April 2021, Onapsis researchers recorded more than 300 successful exploit attempts on unprotected SAP applications. Our team found that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for vulnerable systems, and just 72 hours before a functional exploit is available. These advanced threat actors were observed to patch the SAP vulnerabilities they exploited and reconfigure systems so they would go undetected by SAP administrators. This evolution of the threat landscape means organizations need strong vulnerability management programs around their business-critical SAP applications. 

Lack of Resources and Budget

Budgeting to staff the right cybersecurity team is essential, but there simply aren’t enough cybersecurity professionals to meet the market’s needs. More than 57% of organizations have been impacted by the cybersecurity skills shortage, and one of the top three areas of significant cybersecurity skills shortage is application security. With cyberattacks on business-critical applications like SAP only becoming more prevalent, this is a concerning reality.

Even a well-staffed team is challenged with limits on their valuable time. Complex security notes with multiple vulnerability patches and instructions and varying levels of severity are released on a monthly basis. This makes it extremely challenging especially for enterprises managing dozens of business-critical applications. Without a prioritization tool to help automate and streamline, these teams spend countless hours manually managing this process.

Lack of Visibility 

Visibility has always been the starting place for monitoring and protecting attack surfaces and valuable assets. Business-critical applications are typically managed by in-house IT teams who are focused more on performance and availability than security. This causes security teams to lack the visibility and context they need to identify vulnerabilities within these ecosystems and understand the risk they pose to the business. Security administrators are responsible for vulnerability management for the business, but their tools don’t cover business-critical applications and they often rely on application teams for remediation.

Knowing Where to Start

A lack of visibility and resources aren’t the only challenges, the applications themselves are also complex. Analyzing complex security notes and then prioritizing and implementing patches is challenging, especially for enterprises running multiple business-critical applications and systems. Manually managing patch implementation is a time-consuming and error-prone process. There isn’t an easy way to identify which systems are missing patches, or to prioritize patches and systems, which often leads either to a rushed process or one of deprioritization. This results in a growing backlog of patches. According to a Ponemon study, almost two-thirds of organizations have a backlog of application vulnerabilities1

Patch management is only one part of mitigating risk for business-critical applications. System configurations and user privileges or access rights are also potential sources of risk. Most organizations don’t have an easy way to assess these areas and validate if their applications are following best practices.  

Jumpstart Your SAP Vulnerability Management with Onapsis

Vulnerability management for business-critical applications like SAP can be a challenge for organizations, but with the right solution and approach, organizations can jumpstart the process and focus on protecting what matters most.

For the last decade, Onapsis has been protecting the world’s most critical enterprise resources. We’ve seen the challenges enterprises are facing to secure their business systems firsthand. To help organizations move more quickly and confidently to protect the critical applications powering their business, Onapsis is proud to announce a new offering designed to jumpstart the SAP vulnerability management process. Onapsis Assess Baseline is an easy-to-deploy, highly-targeted offering that focuses on the vulnerabilities aligned with the SAP Security Baseline, which is SAP’s recommended set of minimum security requirements for an organization’s SAP systems. Assess Baseline enables companies of any size to accelerate deployment and time-to-value by starting with a core, targeted set of vulnerabilities on their journey to ensure cybersecurity, compliance, and availability of their SAP applications before scaling to more advanced vulnerability management use cases with our Assess offering.  

Onapsis’s in-house team of experts is dedicated to our customers’ success, wherever you are in your business-application security journey. Let our team leverage their years of SAP and security expertise to help your organization secure what matters most today and establish a strategic plan for a more secure future state aligned to leading practices and industry-recognized standards. Talk to an expert today.

1Reducing Enterprise Application Security Risks: More Work Needs to Be Done