What is SAP Security?

An Overview of SAP Applications

Enterprise applications like ERP, SCM, CRM, SRM, PLM, HCM, BI and others support the essential business processes of the world’s largest commercial and governmental organizations, including supply chain, manufacturing, finance, sales and services, human resources and others. These applications are the crown jewels of their operation. SAP applications, including the latest S/4HANA suite, are widely deployed and used for critical operations worldwide by organizations in essential industries such as food distribution, medical device manufacturing, pharmaceuticals, and critical infrastructure including utilities, government and defense, and more 1 : 

  • SAP systems are used at more than 400,000 organizations globally 
  • SAP customers include 92% of the Forbes Global 2000 
  • 77% of the world’s transaction revenue touches an SAP system
  • More than 1,000 government and government-owned organizations around the world rely on SAP applications
  • Defense, paramilitary and homeland security organizations operate a significant and mission-critical SAP footprint

Given their importance to business-critical operations, SAP applications need to be secured with the proper tools and teams. But, unfortunately, that’s not often the case.

How to Close the Gaps in SAP Security

The security landscape for SAP applications has changed significantly in recent years. As SAP has focused more on the cloud, this has caused a significant shift in both the location and configuration of SAP systems from on-premise environments, to mixed landscapes, to running entirely in the cloud. This has presented challenges for the security teams responsible for securing these systems, and has compelled them to take a more holistic approach to risk management and security vulnerabilities. 

Most organizations employ defense-in-depth frameworks, which utilize multiple layers of security controls with the hope that if a vulnerability exists in one of the layers, the countermeasures in one or more of the other layers will protect against security breaches or unauthorized access. This includes deploying security at the perimeter, network, and endpoint levels using endpoint detection and response (EDR), network detection and response (NDR), and security information and event management (SIEM) tools. However, this layered approach has a fundamental flaw–it does not sufficiently protect the application layer.

Leveraging defense-in-depth strategies to protect business-critical applications has grown more complicated as modernization and digital transformation initiatives have eroded the perimeter. Enterprise applications like those offered by SAP and Oracle are increasingly moving away from on-premises into the cloud, or connecting to third-party services. Some are even becoming publicly accessible–all of these new industry standards increase exposure, interconnected risk, and the chances of exploitation. Vulnerabilities also exist within the layers in front of the application layer. If exploited, a threat actor could then potentially move laterally to infiltrate the application layer if it is not sufficiently protected. The challenge for organizations is how to preemptively detect vulnerabilities and prevent cyberattacks targeting critical data and systems. Despite the importance of data protection, these existing defense-in-depth solutions are not specifically focused on threats and vulnerabilities for business-critical applications. 

Traditional vulnerability management, threat detection and response, and application security testing tools solutions don’t provide security teams with real-time visibility into potential misuse or abuse of SAP systems, Oracle, and other SaaS  applications. They are ineffective at identifying a large number of application vulnerabilities, such as misconfiguration, overprivileged roles, or unapplied patches. Current detection and response tools are unable to detect potential threats to systems that may result in the exploitation of data subject to regulatory controls. Finally, application security testing for SAP can be challenging due to the lack of tools that support such testing in terms of not only components that are unique to SAP, but integrations with relevant development and change management environments. This means for most organizations, cybersecurity testing for SAP applications require manual reviews, which can be a time-consuming, error prone process.

Why Cyberattacks on SAP Applications Have Accelerated and Evolved

In the last few years, the pace at which attackers are exploiting vulnerabilities in business-critical applications has accelerated–SAP, Oracle, and other SaaS apps are more susceptible to cyberattacks than ever. Attackers are not only working faster, they are working smarter. The new methods used in cyberattacks can be a nightmare for those responsible for risk management and data protection.

Onapsis Research Labs, Onapsis’s threat intelligence team dedicated to identifying vulnerabilities and emerging, novel threats to critical enterprise systems, found conclusive evidence that attackers who have sophisticated knowledge of business-critical applications target and exploit unsecured SAP applications. This is achieved by using a variety of tactics, techniques, and procedures (TTPs)–not simply making brute-force attempts against the application. Our 2021 research report found over 400 confirmed exploitations including more than 100 hands-on attacks on organizations in less than a year. The compromised content included data and details from sales, HR, customer personally identifiable information (PII), engineering, intellectual property, and financial information. New, unprotected SAP applications provisioned in SAP cloud (IaaS) environments are being discovered and compromised in less than three hours, making the window for defenders small and stressing the need to “shift left” and ensure new business-critical applications are provisioned securely from day one.

Onapsis Research Labs also discovered that there can be as little as 24 hours between the disclosure of a vulnerability and observable scanning by attackers looking for these vulnerabilities, and just 72 hours before a functional exploit is available. What is particularly alarming from these findings is that many of these software exploits are well-known and have mitigations and/or security patches widely available to mitigate the risk, they simply weren’t implemented. As a result, the U.S. Department of Homeland Security has issued six alerts to date about cyber attacks targeting business-critical enterprise systems, including SAP. A defense-in-depth strategy of layers of security around business-critical applications can be rendered ineffective by an attacker who knows the application well enough to exploit its vulnerabilities, and it can have a serious impact on the business.

When SAP Security Falls Short: How Cyberattacks Can Impact Your Business

Exploits targeting SAP environment misconfigurations and vulnerabilities can allow attackers to take full control of vulnerable systems without the need to have a valid user ID and password—compromising IT controls for access control and user authentication. These cyberattacks may be launched from both inside and outside the corporate network, potentially compromising SAP user accounts and their associated permissions. 

If an attacker is able to gain access to an unprotected SAP system, business processes could be disrupted and the business impact could be critical. Successful exploitation of a vulnerable SAP system would allow an attacker to perform several malicious activities, including:

  • Steal sensitive data from employees, customers, and suppliers
  • Read, modify, or delete financial records
  • Change banking details 
  • Administer purchasing processes
  • Disrupt critical business operations by corrupting SAP data, shutting down processes and modules completely, or deploying ransomware
  • Delete or modify traces, logs, and other files

For many organizations, SAP applications are under the purview of specific industry and governmental regulations, financial and other compliance requirements. This means that the presence of vulnerabilities in SAP applications that could allow unauthenticated access may constitute a deficiency in IT controls for data privacy (e.g., GDPR), financial reporting (e.g., SOX), or industry-specific regulations (e.g., PCI-DSS). Any enforced controls that are bypassed via exploitation of these vulnerabilities may cause regulatory and compliance deficiencies over critical areas. 

Violating compliance regulations can lead to fines, business disruption, productivity and revenue loss, and reputation damage that can have long-lasting consequences. Downtime from exploited vulnerabilities in your SAP environment and custom code can also cost millions of dollars. In 2020, the average cost from lost business due to a data breach was $1.5 million 2 . Enforcing governance, risk management, and compliance (GRC) standards is the best way to avoid this fallout from security incidents of this nature.

Six GRC Best Practices to Secure SAP Applications

1. Security hardening of SAP applications

By implementing a security-by-design approach, relevant security aspects are integrated from the first design phase. Security-by-design eliminates blindspots and keeping an organization’s business-critical applications secure, available, and compliant. This approach makes it possible to create a blueprint with security considerations at the forefront and thus avoid complications and risks later on. 

A strong cybersecurity framework is a good start, including one that integrates leading practices and technologies that enable organizations to continuously detect and monitor their core business systems long past implementation. One option is the SAP Security Baseline, which defines how to keep SAP systems secure. The NIST Cybersecurity Framework can also provide a handy way for establishing a baseline. An important part of the NIST Cybersecurity Framework is the focus on the application security layer, which, as noted above, has become a target for attackers. Organizations may also have industry-specific or country-specific regulatory compliance processes, such as the protection of personal data, that provide a means for a baseline. 

2. Timely patch management

Given the frequency and volume of patch releases, complexity of the patching process, and size of application landscapes, organizations have the potential to face a growing backlog of patches. A manual patch management process can be error prone; there isn’t an easy way to identify which systems are missing which security patches, which missing patches to prioritize, and whether or not patches were applied. Consider this: critical SAP vulnerabilities are being weaponized less than 72 hours after a security patch is released. But, the time from when a vulnerability is found to when a patch is deployed is a lot longer; the average time to apply, test, and fully deploy a patch is 97 days 3 . Having an automated patch management process can minimize the risk of critical vulnerabilities and protect the business’ most important assets.

3. Point-in-time vulnerability assessment

A vulnerability assessment aims to uncover vulnerabilities and recommends the appropriate mitigation or remediation to reduce or remove the risks. Organizations should employ a comprehensive SAP vulnerability management tool that can provide automated assessments, descriptions of severity and business impact, and step-by-step remediation instructions to enable teams to prioritize remediation efforts and address issues before they can negatively impact the application.

4. Continuous monitoring of vulnerabilities and threats

The challenge for organizations is how to preemptively detect vulnerabilities and prevent cyberattacks targeting critical data and systems. Organizations should employ a threat detection and response tool for SAP applications that can provide visibility into potential threats facing an organization’s most critical assets and optimize the incident response process. 

5. Secure custom code

Organizations need a way to ensure they are writing high quality and secure code. Additionally, this code will be brought into the organization environment via transports. Organizations also need a way to check that the transports aren’t going to introduce security, performance, or compliance issues. Unaddressed issues in the custom code and transports used to create, maintain, and update the applications can disrupt operations and interfere with the ongoing delivery of updates. An application security testing solution like a code vulnerability analyzer can replace these time-consuming and error prone automatic remediation for common code errors, enabling organizations to build security into development processes to find and fix issues as quickly as possible. 

6. Seek and use targeted threat intelligence to stay ahead of zero-day threats

Timely, impactful threat intelligence programs can provide insightful information about current TTPs used by threat actors. They can also provide early alerts about new ransomware campaigns as well as actionable intelligence for security teams responsible for designing and implementing security controls.

Organizations should also consider obtaining relevant security certifications to demonstrate their commitment to protecting SAP environments

SAP Security Solutions: The Onapsis Platform 

Onapsis Assess for Vulnerability Management: Onapsis Assess uniquely provides focused and comprehensive vulnerability management for SAP applications. It provides deep visibility into the entire application landscape, automated assessments with detailed solutions, and descriptions of associated risk and business impact. Organizations gain an accurate understanding of risk within their critical SAP systems so they can make empowered decisions on how to respond, reduce investigation and remediation times, and achieve greater risk reduction with less effort. Onapsis Assess aligns InfoSec and IT teams with the visibility and context they need to quickly act on vulnerabilities that pose the greatest risk to the business. 

Onapsis Control for Application Security Testing: Onapsis Control provides application security testing for SAP applications, including the ability to review internal or third-party created custom code and transports, and automatic remediation for common code errors. It provides automated assessments, integrations with development environments and change management systems, and step-by-step remediation instructions so application teams can identify and fix issues as quickly as possible. Organizations gain automation and prioritization capabilities so they can reduce investigation and remediation times, accelerate development efforts, and meet project timelines. Onapsis Control empowers teams to identify and fix issues as quickly as possible – before they negatively impact SAP system security, compliance, performance, or availability throughout the application lifecycle. 

Onapsis Defend for Threat Detection and Response: Onapsis Defend enables continuous threat monitoring, detection, and response for SAP applications whether hosted in the cloud, hybrid or on premises environments. It leverages intelligent research-based alerts to grant security teams visibility into unauthorized changes, misuse, or cyberattacks targeting these applications as well as zero-day threat protection, based on the threat intelligence from Onapsis Research Labs. Security Operations Center (SOC) and Incident Response Teams can automatically monitor for more than 2,000 threat indicators as well as create custom alarms that include in-depth threat intelligence, detailed explanation of business risk, and contextual attack notifications. Integrations with best-in-class SIEMs, custom workflows, and notifications accelerate root cause analysis and improve incident response times. 

Watch SAPInsider’s Executive Virtual Roundtable with Onapsis’s Shane MacDonald and SAPInsider’s Rizal Ahmed on how you play a vital role in protecting your business applications.

1https://www.sap.com/ documents/2017/04/4666ecdd-b67c0010-82c7-eda71af511fa.html
2Ponemon Cost of a Data Breach Report 2020
3The Third Annual Study on the State of Endpoint Security Risk Ponemon Institute LLC Publication Date: January 2020