This five-part blog series discusses the importance of building secure business-critical applications with application security testing. In part one, we shared that on-time application delivery often comes at the cost of secure development. Part two of our blog series explored how application security testing can eliminate blind spots when working with contractors and third-party developers. The third installment in our series covered testing code for errors to ensure it stays clean. In today’s blog post, we’re sharing how testing your code and transports helps you find errors and how to identify them earlier in the development cycle.
Changes to SAP production systems through SAP transports pose a high security risk if not managed properly. These potential “Trojan horses” sneak in malicious content or changes, providing a gateway for espionage, data theft, and data manipulation. The damage to an affected company can be considerable, but many companies are still unaware of the potential risks transports for SAP can hold. Additionally, conventional analysis tools are unable to easily identify the Trojans hidden in SAP transport files.
Reason 4: Prevent a Trojan Horse and Protect Against Vulnerable Code Transports
Business-critical applications like SAP contain critical and sensitive data that run enterprises, supporting financial systems, human capital management, supply chains, supplier relationships, and more. A vital component of custom development for SAP is the ability to transfer data from one SAP system to another, as well as from external applications and third-party software to SAP. These data transfers are handled by transports.
To look at the scale and complexity of transports, on average, 250 transports with up to 5,000 objects per SAP system are triggered every month. Large companies, which usually operate several hundred SAP systems, have an even greater number of transports.
Transports are one of the easiest ways to introduce vulnerabilities into an SAP system, and with them a way for bad actors to exploit it. A transport that contains an exploitable vulnerability carries that vulnerability, and the exploit that targets it, into every system it is imported into. Even simple changes delivered through SAP transports may pose a high security risk, because they can unwittingly introduce malicious content or changes into the environment and open a gateway for espionage, data theft, and data manipulation. Like the original Trojan horse, which was first taken for a gift and only later found to hold a hidden threat, an SAP production system can be compromised by what looks like an ordinary transport. Malicious content hidden somewhere among the countless objects, settings, and tables of a transport request can move unnoticed into the SAP production system.
Developer authorizations for pushing code changes are an additional risk factor. To complete tasks quickly and reliably, developers often hold extensive authorizations. Even where this is not the case and restrictive authorizations are in place, developers can ultimately bypass those limits and force almost any critical change by writing and executing custom ABAP code and by manipulating SAP transport requests to carry the changes into the production landscape. Even without malicious intent, these broad authorizations increase risk.
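As an added illustration, not Onapsis code and not part of the original post, of what a pre-import transport inspection can look like: the Python check below walks a transport's object list, assumed to be in the shape of SAP's E071 table (PGMID, OBJECT, OBJ_NAME), and flags entries that ship the contents of security-relevant tables or carry executable ABAP that needs review. The sample entries and the policy lists are constructed for the example.

```python
# Added example (not Onapsis code): a minimal pre-import check over a transport
# request's object list. SAP records the objects in a transport in table E071
# (columns PGMID, OBJECT, OBJ_NAME); the entries below are constructed sample
# data in that shape, and the policy lists are illustrative assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class TransportObject:
    pgmid: str      # e.g. R3TR (complete object) or LIMU (object part)
    object: str     # object type, e.g. PROG, TABU (table contents), TABL
    obj_name: str   # object name; for TABU, the table whose rows are shipped


# Tables whose contents should never arrive via an ordinary transport:
# user master / password hashes, role definitions and assignments, RFC destinations.
SENSITIVE_TABLE_PREFIXES = ("USR", "AGR_", "UST", "RFCDES")

# Object types that carry executable ABAP and therefore need a code scan
# before import (assumed policy).
CODE_OBJECT_TYPES = {"PROG", "CLAS", "FUGR", "REPS", "METH", "FUNC"}


def inspect_transport(objects: list[TransportObject]) -> dict[str, list[str]]:
    """Classify each object in the transport as 'block', 'review' or 'allow'."""
    verdict: dict[str, list[str]] = {"block": [], "review": [], "allow": []}
    for o in objects:
        key = f"{o.pgmid} {o.object} {o.obj_name}"
        if o.object in ("TABU", "TDAT") and o.obj_name.upper().startswith(SENSITIVE_TABLE_PREFIXES):
            verdict["block"].append(key)    # rows for a security-relevant table
        elif o.object in CODE_OBJECT_TYPES:
            verdict["review"].append(key)   # executable code: route to code analysis
        else:
            verdict["allow"].append(key)
    return verdict


# Constructed sample transport: a custom report, a custom table definition,
# and, hidden among them, table contents for USR02 (user password hashes).
SAMPLE_TRANSPORT = [
    TransportObject("R3TR", "PROG", "ZFI_INVOICE_REPORT"),
    TransportObject("R3TR", "TABL", "ZFI_CUSTOM_TABLE"),
    TransportObject("R3TR", "TABU", "USR02"),
    TransportObject("R3TR", "TABU", "ZFI_CUSTOM_TABLE"),
]

if __name__ == "__main__":
    for kind, items in inspect_transport(SAMPLE_TRANSPORT).items():
        for item in items:
            print(f"{kind:6} {item}")
```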
The Business Impact
Vulnerabilities hidden in transport requests can enable serious attacks on SAP systems. However, many companies are still unaware of the dangers transports pose to SAP security, and conventional analysis tools are unable to identify the vulnerabilities hidden in SAP transport files. If a threat actor gains access to SAP and manipulates, extracts, or deletes sensitive data, the company may suffer significant financial loss or reputational damage. Customer and employee data, invoices, quotes, and contracts can fall into the wrong hands, and product innovations can be copied and marketed by competitors.
The threat transports pose to system availability also cannot be overlooked. Research from IDC shows that nearly two-thirds of IT decision makers estimate ERP application downtime could cost their organization over $50,000 per hour. For many organizations, SAP applications and the data they contain also fall under specific industry and governmental regulations as well as financial and other compliance requirements. GDPR violations can result in severe fines on top of the revenue lost to downtime.
A Better Approach: Onapsis Control for Transports
There’s a better way to perform application security testing for your business-critical applications: Onapsis Control. Onapsis Control enables application security testing, including transport inspection and automated code analysis, specifically for SAP environments. Onapsis Control for Transports gives you the ability to manage and analyze all transports, both historic and planned, for harmful content, whether that is intentional spying or data manipulation, or poor configuration that could lead to import errors or system downtime. Onapsis customers use Control for Transports to:
- Inspect and validate all transports and third-party updates prior to deploying to avoid outages and ensure stability and performance of SAP systems.
- Monitor and prevent security violations or unauthorized critical system changes due to transports, ensuring data is protected and system configurations adhere to corporate policies and regulatory requirements. Enforcing approval of out-of-band configuration changes is another benefit.
- Improve change management processes with insight into transport impact before deployment. This includes the ability to remediate issues before they are deployed into production to avoid costly and resource-intensive import errors.
For more information, download our whitepaper.