Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10:30 AM
Connect Directly
E-Mail vvv

Why We Need In-depth SAP Security Training

SAP and Oracle are releasing tons of patches every month, but are enterprises up to this complex task? I have my doubts.

One of the biggest cybersecurity surprises of note is the large number of breaches announced this year that, according to fact-finding at The Onapsis Research Labs, were exposed through SAP and other enterprise ERP systems.

A month ago, new evidence came to light about a high profile two-year-old breach at US Investigations Services (USIS), a contractor in charge of conducting federal background checks. The USIS breach made headlines because it was the first public proof that an SAP vulnerability was the origin of an attack leading to the theft of personal information about federal employees and contractors with access to classified intelligence.

Weeks later we heard about a new breach, this time directly against the Office of Personnel Management, compromising 4 million current and former federal employees’ personal information. Subsequent reports disclosed that the exposed information could be even more widespread. In a letter to OPM Director J. David Cox, national president of the American Federation of Government Employees (AFGE) claimed “Based on the sketchy information OPM has provided, we believe that the Central Personnel of Data File [CPDF] was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.”

These are not isolated cases. And while I cannot confirm which kind of system OPM is using for the CPDF database, taking into account public information, most likely OPM is using an ERP-based system to hold and report federal employment statistics.

More concerning, the last weeks have shown that business-critical applications are rapidly becoming one of the most valuable targets for cybercriminals and cyberespionage. SAP and Oracle are releasing tons of patches every month, but are enterprises up to the task? As these enterprises contain complex infrastructures and patching and configuration are complex tasks, I have my doubts.

In order to properly secure these enterprise applications against these and other threats, many things need to happen within a company, among them:

  • a strict patch management process 
  • security and configurations change management processes, and 
  • a security threats monitoring program.

There are also many actors within the SAP security landscape, all of whom need to understand the latest cybersecurity risks affecting SAP systems. Four key issues for key players include:

IT Security & CISO
If you are part of the IT Security staff, or even the CISO, then you are probably familiar with feeling a lack of control around the security of your SAP landscapes. Understanding the risks and how to mitigate them is a powerful tool necessary for gaining visibility into the most critical systems of the company.

SAP BASIS Administrators
System configurations, implementation of patches, system upgrades and other tasks are very relevant from a security standpoint, as they could have a big impact to how secure the systems eventually are over time. It’s important to understand which of the changes or actions you apply on the systems could actually have negative impact in terms of security.

System Auditors
If you are an auditor, you should know that most of the big auditing firms are already including SAP cybersecurity as part of their audits. Understanding how to audit the technical layer will eventually become a requirement for security audits of SAP systems.

Penetration Testers
While doing external or internal penetration tests, and depending on the scope defined by your client, you will likely find SAP systems connected to the network. Because SAP systems are part of a complex scenario, you need to understand all components, and how each one could be vulnerable, depending on the patches and configurations that were applied. This will clearly define how successful an SAP penetration test would be.

[Learn more from JP about how to assess, exploit and defend SAP platforms during his training session on SAP-specific attacks and protection techniques, Black Hat 2015, Las Vegas August 3-4.]

Juan Pablo leads the research & development teams that keeps Onapsis on the cutting-edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' innovative software solutions, and helps manage the ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Blog Voyage
Blog Voyage,
User Rank: Strategist
7/3/2015 | 2:51:32 AM
Very nice stuff. So technical but very nice.
User Rank: Apprentice
7/2/2015 | 6:15:39 AM

Read here you will be more satisfied
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...