How The Newly Released OWASP Top 10 Affects Your SAP Systems

After much review, and various release candidates, OWASP has released its new Top 10, which reflects what are generally considered to be the most critical security risks to web applications. The OWASP foundation is highly regarded and leverages feedback from the security community to ensure the Top 10 project reflects the most prevalent and impactful vulnerabilities. While the Top 10 is not an official regulation or standard, it is a very powerful awareness model and is considered the primary reference for understanding and addressing web application bugs.

What the Top 10 represents is not just specific types of security issues in web applications, but the security mindset you should have when approaching any business system, especially those business-critical systems that run large enterprises.

When considering the security of your SAP and Oracle systems, including those that are not accessed via a web UI, the guidance provided by the OWASP Top 10 is extremely relevant. Following is a discussion of a selection of the Top 10 as they relate to ERP applications and SAP security. Check out the full list here.

A2:2017 – Broken Authentication
Authentication is a key line of defense for any application. It is imperative to restrict access to users who are known (or assumed) to be good and to limit the exposure of the application to hackers. As US-CERT reported last year, the impact of an authentication bypass, which allows an unauthenticated person access to a system, can be devastating.

A3:2017 – Sensitive Data Exposure
The power of enterprise ERP systems is their ability to interconnect with any system and process in the enterprise. Through these extensive RFC connections, automated processes and movement of data are able to take place and the heartbeat of the enterprise beats. If these connections are not properly secured, then this data, and the associated business decisions made based on that data, are at risk.

A5:2017 – Broken Access Control
Permission management in any large, complex solution is naturally challenging and having a broken access control model (or a non-existent model) is a critical security and business risk. If an organization solves authorization problems by simply adding more authorizations to a user/role without understanding the true need for that role, then the concept of control through authorization is moot. Even with a good authorization model, if authorization checks are not in place then users can access data or transactions that they are not expected to and accidentally or intentionally perform acts of fraud or sabotage.

A6:2017 – Security Misconfiguration
This might seem like security 101, but it is on this list for a reason. Misconfigurations that have a negative security impact are very common, and the causes vary: the contractor tasked with the system implementation may lack security experience, their statement of work may contain no requirement surrounding the security of the system, or security notices from the vendor about newly discovered vulnerabilities in the originally released software may have to be addressed through security-based configuration changes. The vulnerability behind the US-CERT report was addressed through a patch and a configuration change. Without that change, systems were remotely exploitable by unauthenticated attackers.

In addition, security misconfigurations often reflect security blindness. Systems are misconfigured because no one monitors them to understand how their current configuration affects their security posture. It is important to identify changes that will best reduce the risk to that system and to the business overall.

A9:2017 – Using Components with Known Vulnerabilities
Along with A6, this represents the basic blocking and tackling of a security program. The key here is not that the organization has chosen to run a component with known security vulnerabilities (and in those cases where it has to for business reasons, it needs to be doing A10), but that the business is unaware of the presence of these vulnerabilities.

As with Security Misconfiguration, this speaks to ‘security blindness’. The organization is almost certainly not including these ERP systems in their existing vulnerability management and security program. Most likely this is because traditional security tools do not ‘speak ERP’ and so are unable to evaluate these systems. As a result, these systems are a gap in the security map and understanding for the enterprise. Ironically, these same systems are the most critical to the enterprise and as such the enterprise should have the strongest understanding of the risks to these systems, not the weakest.

A10:2017 – Insufficient Logging & Monitoring
The key to logging is monitoring. And the key to monitoring is knowing what to log. Keeping logs because you think you should, but having no process by which those logs are evaluated, means those logs provide no value. For systems like ERP that businesses are reluctant to modify (including modifications to patch critical vulnerabilities), active monitoring is a critical control to offset the risk of leaving such a vulnerability in place.

In addition, proper logging and monitoring can help mitigate the risks associated with A5 (Broken Access Control). If you need time to properly review and update the roles and rights across the enterprise, having monitoring in place lets you detect abuse of access and provides a compensating control until the underlying problem is addressed.

OWASP’s Importance to Cybersecurity
There is a reason why the OWASP Top 10 is such a de facto standard of security, despite OWASP not being a regulatory body. It is because the Top 10 represents the key areas in which most applications fail from a security point of view. So, conversely, it represents the key ways in which business applications are insecurely developed, deployed and exploited.

This security mindset was at the core of our thinking when Onapsis developed the first cybersecurity solution for SAP. It remains at the core of every decision we make to further extend the capabilities and value of OSP to those enterprises that rely on it to understand and address their compliance and risk issues relating to their ERP systems.

To learn more about how you can use the Onapsis Security Platform to increase the security of your ERP systems, please contact us.